This Data Processing Addendum, including its Schedules and Annexes, (“DPA”) supplements and forms an integral part of the agreement as governed by the Bynder standard terms of service available at www.bynder.com/en/legal/ (“Terms”) or any other agreement between Customer and the applicable Bynder contracting entity (“Bynder”) governing the use and access of the Product (“Agreement”). This DPA reflects the parties’ agreement with regard to the Processing of Personal Data by Bynder on behalf of the Customer in connection with the Product. Unless otherwise defined in this DPA or the Agreement, all capitalized terms used in this DPA will have the meanings given to them in Section 1 of this DPA. Any other relevant terms will have the meanings given to those terms under Applicable Law.
-
Definitions
“AI” means Artificial Intelligence. These features will be offered in conjunction with the Product. AI features bring the capability to analyse data, make predictions, and automate tasks.
“AI Policy” means Bynder’s Artificial Intelligence Privacy Policy. This AI Policy provides Customer guidelines on the use of AI features within the product, emphasising data handling and privacy considerations, available at www.bynder.com/en/legal/.
“California Consumer Privacy Act” or “CCPA” means Title 1.81.5 California Consumer Privacy Act of 2018 (California Civil Code §1798.100—1798.199), as amended or superseded from time to time.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Customer” means the legal entity that is a party to the Agreement with Bynder.
“Data Protection Legislation” means all laws and regulations, including but not limited to national, supranational and state-level privacy law(s), applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the identified or identifiable person to whom Personal Data relate.
“EEA” means the European Economic Area.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any information relating to an identified or identifiable natural person where such data is Processed by Bynder on behalf of Customer.
“Processing” (and all verb tenses) means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Special Categories of Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs; trade-union membership; genetic data, biometric data processed solely to identify a human being; health-related data; data concerning a person's sex life or sexual orientation, as set forth in article 9 of GDPR.
“Sub-Processor” means a Processor engaged by Bynder.
“Standard Contractual Clauses” means, according to the Standard Contractual Clauses set forth in Schedule 5 to this DPA, (a) where the GDPR applies, the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”), or (b) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 (“UK Addendum”).
“Supervisory Authority” means an independent public authority established or recognized under Data Protection Laws.
"UK GDPR" means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
-
Processing of Personal Data
-
Scope, Roles and Details of the Processing. This DPA, including any Schedules and Annexes, applies when Personal Data is processed by Bynder pursuant to the Agreement. Regarding the Processing of Personal Data, Customer is the Controller, Bynder is the Processor and Bynder will engage Sub-Processors pursuant to the requirements set forth in Section 6 below. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 to this DPA.
-
Customer shall, in its use of the Product, Process Personal Data in accordance with the requirements of Data Protection Legislation, including any applicable requirement to provide notice to Data Subjects of the use of Bynder as Processor. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Legislation. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. If Customer chooses to enable any AI features within the Agreement, Bynder's AI Policy will apply. Customer specifically acknowledges that its use of the Product will not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA.
-
Bynder Processing of Personal Data. Bynder shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); and (ii) Processing initiated by Users in their use of the Product.
-
-
Instructions
-
Customer Affiliates. Customer represents that it is authorised to give data processing instructions to Bynder and to otherwise act on behalf of any Customer Affiliates under this DPA.
-
Documented Instructions. This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement with Bynder for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately and in writing.
-
Exception. If Bynder is required by law to conduct additional processing, it shall inform Customer of that legal requirement before Processing, unless such notification is prohibited by law.
-
Instructions likely to violate Data Protection Legislation. If, in Bynder’s opinion, Customer’s instructions are likely to violate Data Protection Legislation, Bynder is entitled to refuse to follow such instructions and shall inform Customer of the reasons for its refusal. In such cases, Customer shall provide alternative instructions in a timely manner and Bynder may cease all Processing of the impacted Personal Data (other than secure storage thereof) until it receives acceptable instructions.
-
-
Bynder Personnel
-
Confidentiality Obligations. Bynder ensures that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, and have executed written confidentiality agreements.
-
Limited Access. Bynder ensures that Bynder’s access to Personal Data is limited to those personnel performing services in accordance with the Agreement.
-
Data Protection Officer. Bynder has appointed a data protection officer (“DPO”). The appointed DPO may be reached at privacy@bynder.com.
-
-
Security of Processing
-
Measures. Bynder has implemented and shall maintain appropriate technical and organisational measures to protect Personal Data against accidental, unauthorised, or unlawful destruction, loss, alteration, disclosure, and access (“Security Measures”), as described in Schedule 3 of this DPA, including as appropriate:
- the pseudonymisation and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems;
- subject to the Service Level Agreement, the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- the regular testing, assessment, and evaluation of the effectiveness of the Security Measures.
-
Customer has made an independent determination as to whether these Security Measures meet the Customer's requirements.
-
Third Party Certifications. Bynder has obtained third party certifications as set forth in Schedule 3 of this DPA. Upon Customer’s written request, but not more than once per year, and subject to the confidentiality obligations set forth in the Agreement, Bynder shall make available to Customer a copy of Bynder’s then most recent third-party certification and audit report, as applicable.
-
-
Sub-Processors
-
General Authorization. Customer agrees that Bynder may use Sub-Processors to fulfil its contractual obligations under this DPA or to provide certain services on its behalf.
-
Sub-Processor Obligations. Bynder will enter into a written agreement with the Sub-Processor and Bynder will impose on Sub-Processors data protection obligations not less protective than those in this DPA.
-
Sub-Processor List. Bynder currently uses the Sub-Processors listed in Schedule 2 to this DPA. A list of Sub-Processors is also available on Bynder's website at www.bynder.com/sub-processors/ (“Sub-Processors Page”). Bynder will update the Sub-Processors Page with any new Sub-Processor and notify Customer at least 30 calendar days before such Sub-Processors will begin to Process Personal Data.
-
Objection Right. Customer may object to the use of a new Sub-Processor on a reasonable and legitimate basis. In the event Customer objects to a new Sub-Processor, Customer shall provide written notice to privacy@bynder.com within the 30 calendar day notice period set out in Section 6.3, outlining Customer’s specific concerns about the new Sub-Processor in order to give Bynder the opportunity to address such concerns. Bynder may, at its sole discretion, (i) not appoint the Sub-Processor and/or propose an alternate Sub-Processor; (ii) take the steps to address the Customer’s specific concerns and obtain Customer’s written consent to use the Sub-Processor; or (iii) make available to Customer the Bynder Product(s) without the particular aspect that would involve use of the objected-to Sub-processor. If Bynder is unable or determines in its reasonable judgement that it is commercially unreasonable to do any of the options in Section 6.4 (i)-(iii), Customer may terminate the Agreement in accordance with section 19.3 of the Terms.
-
Liability. Bynder will remain responsible for the performance of a Sub-Processor to the same extent Bynder would be responsible if performing the services of each Sub-Processor directly under the terms of this DPA.
-
-
Rights of Data Subject
Bynder will, to the extent legally permitted, notify Customer without undue delay if Bynder receives a request from a Data Subject to exercise the Data Subject’s rights set forth in Data Protection Legislation, especially Chapter III of GDPR (“Data Subject Request”). Taking into account the nature of the Processing, Bynder will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to Data Subject Requests under Data Protection Legislation. To the extent Customer is unable to address a Data Subject Request, Bynder will upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request. To the extent legally permitted, Customer will be responsible for any costs arising from Bynder’s provision of such assistance.
-
Assistance
Taking into account the nature of Processing and the information available to Bynder, Bynder will provide reasonable assistance and cooperation to Customer in respect of its relevant obligations under Articles 32 to 36 GDPR. To the extent legally permitted, Customer will be responsible for any costs arising from Bynder’s provision of such assistance.
-
Personal Data Breach Notification
Bynder will notify Customer without undue delay, but always within 48 hours, after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by Bynder or its Sub-Processors of which Bynder becomes aware (“Personal Data Breach”). Notification of Personal Data Breaches, if any, will be delivered by email at the email address specified for notices in the applicable Order Form or, if no email address is specified, to one or more of Customer’s Product administrators. Bynder's obligation to notify Customer of a Personal Data Breach is not an acknowledgement by Bynder of any fault or liability with regard to the Personal Data Breach.
-
Return and Deletion of Personal Data
-
Upon Customer’s request to privacy@bynder.com, Bynder will return or delete Personal Data in accordance with the timeframes specified in the Agreement, unless European Union law or the laws of an EU member state require that Bynder retains the Personal Data. Bynder may delete Personal Data six months after termination or expiration of the Agreement. Bynder shall dispose of Personal Data in accordance with the latest method(s) of data sanitising, as detailed in NIST 800-88 (“Guidelines for Media Sanitization”).
-
Notwithstanding anything to the contrary in this DPA, Bynder may retain Personal Data if and for as long as required by law.
-
Personal Data stored in Bynder’s auto-backup or archival systems will be deleted automatically after 180 days after back-up, or otherwise as soon as technically possible. Upon written request, Bynder shall provide a certificate to Customer certifying that Customer Data has been destroyed.
-
If Customer provides Personal Data on a hard drive or other forms of removable media, such removable media must be encrypted or password protected. In collaboration with Customer, Bynder shall either return the removable media to Customer, or securely destroy such removable media by using a certified third party. A certificate of destruction can be made available to Customer upon request.
-
-
Customer Audits
-
Summary Report of Internal Audit. In addition to Section 5.3, Bynder will on a regular basis audit the security of the systems that it uses to Process Personal Data. Upon Customer’s written requests, Bynder will make available to Customer a summary of the results of this audit ("Summary Report") to demonstrate compliance with the obligations under this DPA.
-
Customer Audit. If Customer substantiates that the Summary Report cannot satisfactorily demonstrate Bynder’s compliance and that it has a justifiable suspicion that Bynder is in breach of this DPA, Customer may conduct an audit on Bynder’s premises, not more than once per year, and subject to the confidentiality obligations set forth in the Agreement and following conditions:
- Customer must provide at least 30 days’ prior written notice to privacy@bynder.com. Such notice must indicate the reasons for the audit request, and will be effective upon Bynder’s confirmation of receipt;
- Audits will be conducted within a mutually agreed scope, duration, and timing; performed by Customer, or a third party that is pre-approved by Bynder, such approval not to be unreasonably withheld; and conducted within Bynder’s normal business hours and with best efforts taken to avoid disruption of Bynder’s business operations;
-
Cost. The cost of an audit on Bynder’s premises will be borne by Customer, unless a Material Breach (as defined in the Agreement) of this DPA is found, in which case Bynder will bear the costs.
-
Nothing in this Section 11 varies or modifies the Standard Contractual Clauses nor affects any Supervisory Authority's or Data Subject's rights under the Standard Contractual Clauses.
-
-
Transfers of Personal Data to Third Countries
-
Regions. Customer may specify the location where Customer Data, including Personal Data, will be Processed in the Agreement (“Region”). Except as necessary to provide the Product and services initiated by Customer, or as necessary to comply with the law, Bynder will not transfer Personal Data from Customer’s selected Region. A transfer to a third country shall take place only if the conditions of Chapter V. GDPR are complied with.
-
Application of Standard Contractual Clauses. Bynder will enter into Standard Contractual Clauses with each affiliate and/or Sub-Processor where the Processing of Personal Data is transferred outside the EEA, either directly or via onward transfer, to any third country not recognized by the European Commission as providing an adequate level of protection for Personal Data. The Standard Contractual Clauses will not apply to Personal Data that is not transferred, either directly or via onward transfer, outside the EEA.
-
Revision of Standard Contractual Clauses. Parties agree that, in the event the Standard Contractual Clauses are revised or replaced by a competent authority, they shall execute any updated or replacement Standard Contractual Clauses in order to ensure continued compliance with Data Protection Legislation. It shall be the Customer's obligation to inform Bynder about the location of their end users to facilitate proper data processing and compliance with applicable Data Protection Legislation.
-
Order of precedence. If the Standard Contractual Clauses apply, nothing in this Section 12 varies or modifies the Standard Contractual Clauses.
-
-
Limitation of liability
Each party’s liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
-
Entire Agreement, Hierarchy
Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the parties including the Agreement and this DPA, the terms of this DPA will take precedence to the extent of such conflict.
-
Term and termination
This DPA shall enter into force at the same time as the Agreement and shall automatically terminate upon any termination or expiration of the Agreement.
-
List of Schedules
Schedule 1: Details of the Processing of Personal Data
Schedule 2: Sub-Processors and Bynder Entities
Schedule 3: Security Measures
Schedule 4: Details of the Processing
Schedule 5: Cross Border Transfers
Schedule 6: CCPA Addendum
Annex A: Technical and Organisational Measures
Schedule 1: Details of the Processing of Personal Data
Nature and Purpose of Processing
Bynder will Process Personal Data as necessary to provide the Product pursuant to the Agreement and as further instructed by Customer in its use of the Product.
Duration of Processing
Subject to Section 10 of this DPA, Bynder will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Categories of Data Subjects
Customer may store Personal Data in the Product, the extent of which is determined and controlled by Customer in its sole discretion.
The sole Personal Data required for the use of the Product relates to the following categories of Data Subjects:
- Employees of Customer
- Customer’s Users
Types of Personal Data
Customer may store Personal Data in the Product, the extent of which is determined and controlled by Customer in its sole discretion. The sole categories of Personal Data required for the use of the Product are:
- First and last name
- Email address
- IP addresses
Special Categories of Personal Data
The Product is not intended for Customer to store or otherwise process Special Categories of Personal Data.
Notwithstanding the foregoing, biometric data is processed when using certain AI features within the Product, as further detailed in Bynder’s AI Policy. Customer is able to limit the purpose and scope of processing by disabling individual AI features. The security measures described in Schedule 3 of this DPA, including access restrictions, are applicable with regards to the processing of biometric data.
Schedule 2: Sub-Processors and Bynder Entities
Bynder works with certain third parties, as listed below, to provide specific functionalities within the Product(s). In order to provide the relevant functionality these Sub-Processors access Customer Data. Their use is limited to the indicated activities:
Entity name | Sub-Processor activity | Entity country |
Amazon Web Services EMEA SARL | Cloud Service Provider for Amazon Rekognition | Luxembourg |
Pricon BV | Pricon is a call centre that assists Bynder with the provision of phone support outside office hours | Netherlands |
Snowflake Computing Netherlands BV | Snowflake provides storage for Bynder’s Analytics module. | Netherlands |
Google Cloud EMEA Limited | Google’s Looker provides an interface for Bynder’s Analytics module. | Ireland |
Zendesk Inc. | Zendesk provides a cloud-based system for tracking and solving Customer support tickets. | United States |
Appcues, Inc. | Appcues enables Bynder to provide in-app notifications and/or training. | United States |
Bynder engages the following Sub-Processors to support the Video Brand Studio module
Entity name | Sub-Processor activity | Entity country |
Google Cloud EMEA Limited | Cloud Service Provider Google also provides a performance and diagnostics tool to monitor and measure the health of Google resources and applications | Ireland |
Bynder engages the following Sub-Processors to support Content Workflow:
#In case Customer purchases Content Workflow, Data Hosting for Content Workflow shall be US ONLY.
Entity name | Sub-Processor activity | Entity country |
Intercom R&D Unlimited | Customer support and in-app notifications | Ireland |
Bynder entities
The following entities are part of the corporate structure of Bynder. Depending on the geographic location of the Customer, Bynder may also engage one or more of the following entities as Sub-Processors
Entity name | Entity type | Entity country |
Intercom R&D Unlimited | Customer support and in-app notifications | Ireland |
Bynder B.V. | Parent company | Netherlands |
Bynder LLC | Subsidiary | United States |
Bynder Ltd. | Subsidiary | United Kingdom |
Bynder Software FZ-LLC | Subsidiary | Dubai |
Bynder Software SL | Subsidiary | Spain |
Bynder Pty LTD. | Subsidiary | Australia |
Content Delivery Networks (“CDN”)
Bynder may use CDN to assist with the delivery of the Product(s). CDNs do not have access to Customer Data itself, but are systems commonly used to provide fast delivery of content based on the geographic location of the individual accessing the content and the origin of the content provider:
CDN Provider | CDN Location |
Amazon Web Services EMEA SARL | Global |
Schedule 3: Security Measures
1. Technical measures
1. Access control. Bynder shall prevent unauthorised access to data processing systems. Personnel shall only have access to Customer data when it’s necessary for them to perform their job. Customer data shall not be read, copied, modified or deleted without authorization.
2. Entry control. Bynder shall prevent that data processing systems can be accessed by unauthorised parties.
3. Logging control. Bynder shall ensure that all events in the data processing systems can subsequently be checked.
4. Transmission control. Bynder shall ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transmission.
5. Data at rest. Bynder shall ensure the appropriate encryption of data at rest.
6. Data in transit. Bynder shall ensure that data over the public internet is encrypted in transit according to industry best practices.
7. Separation control. Bynder shall ensure that data collected for various purposes are processed separately.
8. Reliability control. Bynder shall ensure that all functions of the data processing system are available and occurring malfunctions are notified.
9. Integrity control. Bynder shall ensure that stored Personal Data cannot get damaged by malfunctions of the system or that damaged data can be replaced by the original and correct data.
10. Availability control. Bynder shall ensure that Personal Data is protected against unintentional destruction or loss and therefore available for the Customer.
2. Organisational measures
1. Admission Control. Bynder shall prevent unauthorised persons from gaining access to Bynder premises.
2. Security and awareness training. Bynder shall maintain a security awareness program that includes the appropriate training of personnel on Bynder’s security policies.
3. Personnel screening. Criminal background checks shall be performed for all employees before hiring. Additionally, Bynder will ensure that all employees have executed written confidentiality agreements.
4. Information security management process. Bynder shall maintain an ISO 27001:2013 certified information security management system.
5. Business continuity management process. Bynder shall maintain a business continuity management system, certified against the ISO 22301:2019, that defines the processes and procedures in the event of a disaster, including the testing and reviewing of the disaster recovery plans.
6. Regular evaluation of Security Measures. Bynder shall ensure a process for regular testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure a level of security appropriate to the risk of processing.
3. Third Party Certifications
Bynder currently holds and maintains the following certifications:
- ISO 27001:2013
- ISO 27018:2019
- ISO 22301:2019
Schedule 4 - Details of Data Transferred as part of the Processing
I. LIST OF PARTIES
Data exporter(s):
Name: The entity identified as Customer in the DPA.
Address: The address specified in the DPA or in the Agreement.
Contact person's name, position and contact details: The contact details specified in the DPA or in the Agreement.
Activities relevant to the data transferred under these Clauses: Use of the Bynder Product(s).
Signature and date: By entering into the Agreement, data exporter is deemed to have signed these Standard Contractual Clauses set forth under Schedule 5, including their Annexes, as of the Effective Date of the Agreement.
Role (Controller/Processor): Controller
Data importer(s):
Name: The entity identified as Bynder in the DPA.
Address: The address specified in the DPA or in the Agreement.
Contact person's name, position and contact details: The contact details specified in the DPA or in the Agreement.
Activities relevant to the data transferred under these Clauses: Use of the Bynder Product(s).
Signature and date: By entering into the Agreement, data exporter is deemed to have signed these Standard Contractual Clauses set forth under Schedule 5, including their Annexes, as of the Effective Date of the Agreement.
Role (Controller/Processor): Processor
II. DESCRIPTION OF TRANSFER
Nature of the processing
Bynder will Process Personal Data as necessary to provide the Product pursuant to the Agreement and as further instructed by Customer in its use of the Product.
Categories of Data Subjects whose Personal Data is transferred
Customer may store Personal Data in the Product, the extent of which is determined and controlled by Customer in its sole discretion.
The sole Personal Data required for the use of the Product relates to the following categories of Data Subjects:
- Employees of Customer
- Customer’s Users
Categories of Personal Data transferred
Customer may store Personal Data in the Product, the extent of which is determined and controlled by Customer in its sole discretion.
- First and last name
- Email address
- IP addresses
Special Categories of Personal Data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The Product is not intended for Customer to store or otherwise process Special Categories of Personal Data.
Notwithstanding the foregoing, biometric data is processed when using certain AI features within the Product, as further detailed in Bynder’s AI Policy. Customer is able to limit the purpose and scope of processing by disabling individual AI features. The security measures described in Schedule 3 of this DPA, including access restrictions, are applicable with regards to the processing of biometric data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
The frequency of the transfer is a continuous basis for the duration of the Agreement, unless otherwise agreed upon in writing.
Purpose(s) of the data transfer and further processing.
Bynder will Process Personal Data as necessary to provide the Product pursuant to the Agreement and as further instructed by Customer in its use of the Product.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
Bynder will delete Personal Data 90 days after termination or expiration of the Agreement, unless European Union law or the laws of an EU member state requires that Bynder retains the Personal Data for a longer period. Personal Data stored in Bynder’s auto-backup or archival systems will be deleted automatically after 180 days after back-up, or otherwise as soon as technically possible.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.
Specified on Bynder's website at www.bynder.com/sub-processors/ (“Sub-Processors Page”). Sub-Processors will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Schedule 5 – Cross Border Transfers
PART 1 – EEA Cross Border Transfers
1. The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to an EEA Transfer.
2. Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Customer as the data Controller of the Personal Data and Bynder is the data Processor of the Personal Data.
3. Specifications. The following clauses of the Standard Contractual Clauses, have either been amended in accordance with the applicable Privacy Regulation, or require additional specifications as set forth below
Clause 7 | (Docking Clause) shall not apply |
Clause 9 | Section 6 of the DPA specifies the procedure for appointing Sub-Processors and the timeframe for providing prior notice of any changes related to the Sub-Processors list, set forth in Schedule 2 of this DPA. |
Clause 17 | These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the same governing law stated in the Agreement, as long as it is the law of one of the EU Member States allowing for third-party beneficiary rights, otherwise, the governing law will be the law of the Netherlands. |
Clause 18(b) | Disputes and Complaints will be resolved before the courts of the EU Member State, listed in Clause 17. |
Annex I.A | Shall be completed according to Schedule 4, I. List of Parties, Data exporter(s) of the DPA. |
Annex I.B | Shall be completed according to Schedule 4, I. List of Parties, Data importer(s) of the DPA. |
Annex I.C | In accordance with Clause 13, the data exporter’s competent Supervisory Authority will be determined in accordance with the GDPR. |
Annex II | The Technical and Organisational Measures, as mentioned in the Data Processing Agreement (DPA) under Annex A, are incorporated as Annex II in the Standard Contractual Clauses. |
4. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA, the provisions of the Standard Contractual Clauses will prevail.
PART 2 – UK Cross Border Transfers
I. Part one: Tables
Table 1: The Parties: as stipulated in Schedule 4, I. List of Parties of this DPA.
Table 2: Selected SCCs, Modules and Selected Clauses: as stipulated in Schedule 5, Part 1 – EEA Cross Border Transfers, of this DPA.
Table 3: Appendix Information: means the information which must be provided for the selected modules as set out in the Appendix of the EU SCCs, and which for this Part 2 is set out in Schedule 5, Part 1 – EEA Cross Border Transfers, of this DPA.
Table 4: Ending this Addendum when the Approved Addendum changes. The Parties that may end this Addendum as set out in Section 19: ☒ Importer ☐ Exporter ☐ neither Party
II. Part two: Mandatory Clauses
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, shall apply.
Specifications. The following clauses of the Standard Contractual Clauses have either been amended in accordance with the applicable Privacy Regulation, or require additional specifications as set forth below:
Part I, clause 16 | Shall not apply. For the avoidance of doubt, these Clauses are governed by the laws of England and Wales. Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts. |
Part I, clause 17 | The Parties are deemed to have accepted the format of this UK Cross Border Transfer schedule, as of the Effective Date of the Agreement. |
Schedule 6 - CCPA Addendum
This CCPA Addendum (“CCPA Addendum”) forms part of the Data Protection Addendum (“DPA”), to the extent applicable for the provision of the Product, between Customer and the applicable Bynder contracting entity (“Bynder”). In the event of a conflict between the terms and conditions of the DPA and those of this CCPA Addendum, this Addendum shall prevail. Capitalized terms used but not defined in this Addendum shall have the meanings given in the Agreement.
1. Definitions
“Business”, “Collects”, “Consumer”, “Business Purpose”, “Sell”, “Service Provider”, and “Share” shall have the meanings given to them in §1798.140 of the CCPA.
“Business Purpose” has the meaning given in Section 5 of this CCPA Addendum.
“California Consumer Privacy Act” or “CCPA” means Title 1.81.5 California Consumer Privacy Act of 2018 (California Civil Code §§1798.100—1798.199), as amended or superseded from time to time, including amendments brought by the California Privacy Rights Act (or “CPRA”) of 2020 (2020 Cal. Legis. Serv. Proposition 24, codified at Cal. Civ. Code §§1798.100 et seq.).
“Personal Information” means personal information as defined by §1798.140 of the CCPA submitted to Bynder for processing pursuant to the Agreement.
2. Scope. This CCPA Addendum only applies where, and to the extent that, Bynder processes Personal Information that is subject to the CCPA on behalf of Customer as a Service Provider in the course of providing the Product pursuant to the Agreement.
3. Business Purpose. Bynder shall only collect and process Personal Information as a Service Provider upon lawful documented instructions from Customer, including those in the Agreement, this CCPA Addendum, and Customer’s configuration of the Product or as otherwise necessary to provide the Product specified in the Agreement (the “Business Purpose”). Bynder will not process the Personal Information for any purpose other than for the Business Purpose, except where and to the extent permitted by the CCPA.
4. Bynder obligations
4.1. Customer is a Business and appoints Bynder as its Service Provider to Collect and process the Personal Information for the Business Purpose. Bynder is responsible for its compliance with its obligations under this CCPA Addendum and for compliance with its obligations as a Service Provider under the CCPA. Customer is responsible for compliance with its own obligations as a Business under CCPA and shall ensure that it has provided notice and has obtained (or shall obtain) all consents and rights necessary under the CCPA for Bynder to collect and process the Personal Information for the Business Purpose.
4.2. Bynder shall not: (a) Sell the Personal Information; (b) retain, use, or disclose the Personal Information for any purpose other than for the Business Purpose; (c) retain, use, or disclose the Personal Information outside of the direct business relationship between Bynder and Customer (except where Bynder has engaged a subprocessor to assist in the provision of services); (d) Share or process the Personal Information for targeted and/or cross context behavioral advertising; (e) combine Personal Information with any other data if and to the extent this would be inconsistent with the limitations on Service Providers under the CCPA. Bynder certifies that it understands and agrees to comply with the restrictions set out in this section 4.2. Bynder shall notify Customer if it determines that it cannot meet its obligations under the CCPA.
4.3. If the CCPA permits, Bynder may aggregate, de-identify, or anonymize Personal Information so it no longer meets the Personal Information definition, and may use such aggregated, de-identified, or anonymized data for its own research and development purposes.
5. Assistance with Customer’s CCPA obligations
5.1. Bynder will reasonably cooperate and assist Customer with meeting Customer’s CCPA compliance obligations and responding to CCPA-related inquiries, including responding to verifiable consumer requests, taking into account the nature of Bynder's processing and the information available to Bynder.
5.2. Bynder must notify Customer without undue delay if it receives any complaint, notice, or communication that directly or indirectly relates to either party's compliance with the CCPA. Specifically, Bynder must notify Customer without undue delay, if it receives a verifiable consumer request under the CCPA.
6. Audits. Bynder permits Customer to monitor its compliance with this CCPA Addendum subject to Section 11 in the DPA “Customer Audits”.
7. Notification. Bynder agrees to notify Customer if Bynder makes a reasonable determination that it can no longer meet its obligations under this CCPA Addendum or CCPA requirements.
8. Selling. Bynder certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling (as such term is defined in the CCPA) any Personal Information.
Annex A
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Data importer will implement and maintain the technical and organizational measures to adequately protect the data exporter’s Personal Data as further described in the DPA. Data exporter understands and agrees that these technical and organizational measures are subject to technical progress and development and Bynder is therefore expressly allowed to implement adequate alternative measures as long as the general security level described in the DPA is maintained.
For transfers to (Sub-) Processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a Processor to a Sub-Processor, to the data exporter.
Bynder selects its Sub-Processors very carefully, all of which undergo stringent security assessments and intakes. Bynder has imposed on them data protection obligations that correspond to the data protection provisions in the contractual relationship between Customer and Bynder. Taking into account the state of the art, costs of implementation, and nature of the processing, our Sub-Processors shall maintain appropriate technical and organisational measures to protect Personal Data against accidental, unauthorised, or unlawful destruction, loss, alteration, disclosure, and access (“Security Measures”), including, as appropriate: (a) the pseudonymisation and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) the regular maintenance, testing, assessment, evaluation, and updating of the effectiveness of the Security Measures.
Updated: November 7 2024