Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the agreement between CircleCo, Inc (“Circle”) and the customer that agrees (or the customer on whose behalf an Administrator agrees) (the "Customer") to the Creator Terms of Service in relation to the transfer and processing of Covered Data in connection with the performance of the Services.

DEFINITIONS
1. Capitalized terms used but not defined within this DPA will have the meaning set forth in the Circle Terms of Service. The following capitalized terms used in this DPA will be defined as follows:
  1. “Agreement” means the agreement between Circle and Customer comprising the Circle Terms of Service.
  2. “Applicable Data Protection Laws” means all applicable laws, rules, regulations, and governmental requirements relating to the privacy, confidentiality, or security of Personal Data, as they may be amended or otherwise updated from time to time, including (without limitation): the GDPR, Swiss Data Protection Laws and the US Data Protection Laws.
  3. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., as amended, including its implementing regulations and the California Privacy Rights Act of 2020.
  4. “Contract Administration and Marketing Data” means the Personal Data collected by Circle directly from Administrators, as further described in Part 2 of Schedule 1.
  5. “Controller Purposes” means the purposes identified in Part 2 of Schedule 1.
  6. “Covered Data” means Personal Data that is: (a) provided by or on behalf of Customer to Circle in connection with the Services; or (b) obtained, developed, produced or otherwise Processed by Circle, or its agents or subcontractors, for the purposes of providing the Services, in each case as further described in Part 1 of Schedule 1.
  7. “Data Subject” means a natural person whose Personal Data is Processed.
  8. “Deidentified Data” means data created using Covered Data that cannot reasonably be linked to such Covered Data, directly or indirectly.
  9. “EEA” means the European Economic Area including the European Union (“EU”).
  10. “Effective Date” means the effective date of the Agreement.
  11. “GDPR” means Regulation (EU) 2016/679 (the “EU GDPR”) or, where applicable, the “UK GDPR”, as defined in section 3 of the Data Protection Act 2018 or, where applicable, the equivalent provision under Swiss data protection law.
  12. “Member State” means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein.
  13. “Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information under Applicable Data Protection Laws.
  14. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Process”, “Processes” and “Processed” will be interpreted accordingly.
  15. “Prohibited Personal Data” means: (a) Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal convictions and any other special categories of Personal Data identified in Article 9 of the GDPR or Personal Data that is otherwise sensitive Personal Data under Applicable Data Protection Laws; (b) biometric identifiers or templates; (c) financial information (including, without limitation, billing information and cardholder or sensitive authentication data, as those terms are defined under the Payment Card Industry Data Security Standard); (d) personally identifiable financial information, as defined by and subject to the Gramm-Leach-Bliley Financial Modernization Act of 1999; (e) national identification numbers (including, without limitation, Social Security Numbers, Social Insurance Numbers, driver’s license or passport numbers or other governmentally-issued identification numbers); (f) information relating to individuals under the age of 13; (g) education records, as defined under the Family Educational Rights and Privacy Act of 1974; (h) protected health information as defined by, and subject to, the Health Insurance Portability and Accountability Act.
  16. “Security Incident” means an actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Covered Data.
  17. “Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.
  18. “Sub-processor” means an entity appointed by Circle to Process Covered Data on its behalf.
  19. “Swiss Data Protection Laws” means the Swiss Federal Act Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force for time to time.
  20. “UK” means the United Kingdom.
  21. “US Data Protection Laws” means all applicable federal and state laws rules, regulations, and governmental requirements relating to data protection, the Processing of Personal Data, privacy and/or data protection in force from time to time in the United States, including (without limitation): the CCPA, the Virginia Consumer Data Protection Act, Code of Virginia Title 59.1 Chapter 52 § 59.1-571 et seq., the Colorado Privacy Act, Colorado Revised Statute Title 6 Article 1 Part 13 § 6-1-1301 et seq., the Utah Consumer Privacy Act, Utah Code § 13-6-101 et seq., Connecticut Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring (as such law is chaptered and enrolled).
  22. “Usage and Feedback Data” means the Personal Data collected by Circle directly from Administrators and Authorized Users, as further described in Part 2 of Schedule 1.
2. The terms “Controller”, “Data Subject”, “Personal Data”, “Processor” and “Processing” will have the meanings given to them in Applicable Data Protection Laws.
INTERACTION WITH THE AGREEMENT
1. This DPA is incorporated into and forms an integral part of the Agreement. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any Processing of Covered Data.
ROLE OF THE PARTIES
1. The Parties acknowledge and agree that:
  1. save as set out in Sections 3.1.2. and 3.1.3., Circle acts as a Processor or service provider in the performance of its obligations under the Agreement and this DPA and Customer acts as a Controller or business;
  2. Circle acts as a Controller or business with respect to its Processing of Contract Administration and Marketing Data for the Controller Purposes; and
  3. for the purposes of the GDPR and Swiss Data Protection Laws, Circle acts as a Controller with respect to its Processing of Usage and Feedback Data for the Controller Purposes.
DETAILS OF DATA PROCESSING
1. The details of the Processing of Personal Data under the Agreement and this DPA (including subject matter, nature and purpose of the Processing, categories of Personal Data and Data Subjects) are described in the Agreement and in Schedule 1 to this DPA.
2. Circle shall comply with its obligations under Applicable Data Protection Laws. Save as set out in Sections 3.1.2. and 3.1.3., Circle will only Process Covered Data on behalf of and under the instructions of Controller and in accordance with Applicable Data Protection Laws. The Agreement and this DPA shall constitute Customer's instructions for the Processing of Covered Data. Customer may issue further written instructions in accordance with this DPA.
3. Without limiting the foregoing, save as set out in Sections 3.1.2. and 3.1.3., Circle shall not:
  1. sell Covered Data or otherwise making Covered Data available to any third party for monetary or other valuable consideration;
  2. share Covered Data with any third party for cross-context behavioral advertising;
  3. retain, use, or disclose Covered Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by Applicable Data Protection Laws;
  4. retain, use, or disclose Covered Data outside of the direct business relationship between the Parties; and
  5. except as otherwise permitted by Applicable Data Protection Laws, combine Covered Data with Personal Data that Circle receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject.
4. Circle will:
  1. provide Customer with information to enable Customer to conduct and document any data protection assessments required under Applicable Data Protection Laws; and
  2. promptly inform Customer if, in its opinion, an instruction from Customer or Customer’s Controller infringes the Applicable Data Protection Laws.
COMPLIANCE
1. Customer shall comply with its obligations as a Controller, business or equivalent term under the Applicable Data Protection Laws, and shall:
  1. provide such information to Data Subjects regarding the Processing of their Covered Data in connection with the Customer's use of the Services as required under Applicable Data Protection Laws;
  2. to the extent required for the lawful Processing of Covered Data under Applicable Data Protection Laws, obtain valid consents from Data Subjects for such Processing in the form required under Applicable Data Protection Laws;
  3. implement appropriate technical and organizational measures to give effect to Data Subject rights under Applicable Data Protection Laws, and shall comply with requests from Data Subjects to exercise their rights under Applicable Data Protection Laws within the timeframe and subject to any exemptions prescribed in the Applicable Data Protection Laws; and
  4. ensure that Covered Data does not include any Prohibited Personal Data.
CONFIDENTIALITY AND DISCLOSURE
1. Circle shall:
  1. limit access to Covered Data to personnel who have a business need to have access to such Covered Data; and
  2. ensure that such personnel are subject to obligations at least as protective of the Covered Data as the terms of this DPA and the Agreement, including duties of confidentiality with respect to any Covered Data to which they have access.
SUB-PROCESSORS
1. Circle may Process Covered Data anywhere that Circle or its Sub-processors maintain facilities, subject to the remainder of this Section 7.
2. Customer grants Circle general authorisation to engage any of the Sub-processors listed in Schedule 4, as amended in accordance with Section 7.4 (the “Authorized Sub-processors”), to Process Covered Data.
3. Circle shall:
  1. enter into a written agreement with each Authorized Sub-processor imposing data protection obligations that, in substance, are no less protective of Covered Data than Circle's obligations under this DPA; and
  2. remain liable for each Authorized Sub-processor’s compliance with the obligations under this DPA.
4. Circle will provide Customer with at least thirty (30) days’ notice of any proposed changes to the Authorized Sub-processors. Customer shall notify Circle if it objects to the proposed change to the Authorized Sub-processors (including, where applicable, when exercising its right to object under clause 9(a) of the SCCs) by providing Circle with written notice of the objection within thirty (30) days after Circle has provided notice to Customer of such proposed change (an “Objection”).
5. In the event Customer submits an Objection,Circle and Customer shall work together in good faith to find a mutually acceptable resolution to address such Objection. If Circle and Customer are unable to reach a mutually acceptable resolution within a reasonable timeframe, which shall not exceed thirty (30) days from the date of the Objection, Customer may terminate the portion of the Agreement relating to the Services affected by such change by providing written notice to Circle.
DATA SUBJECT RIGHTS REQUESTS
1. Circle will promptly notify Customer of any request received by Circle or any Authorized Sub-processor from a Data Subject to assert their rights in relation to Covered Data under Applicable Data Protection Laws (a “Data Subject Request”).
2. Other than in respect of the Processing referred to in Sections 3.1.2. and 3.1.3., as between the Parties, Customer will have sole discretion in responding to the Data Subject Request, and Circle shall not respond to the Data Subject Request, save that Circle may advise the Data Subject that their request has been forwarded to Customer.
3. Circle will provide Customer with reasonable assistance as necessary for Customer to fulfill its obligation under Applicable Data Protection Laws to respond to Data Subject Requests.
SECURITY
1. Circle will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Covered Data, including, without limitation, protection against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of or to Covered Data.
2. When assessing the appropriate level of security, Circle shall take into account the nature, scope, context and purpose of the Processing as well as the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.
3. Circle will implement and maintain as a minimum standard the measures set out in Schedule 2.
INFORMATION AND AUDITS
1. Circle shall notify Customer promptly if Circle determines that it can no longer meet its obligations under Applicable Data Protection Laws.
2. Customer may take reasonable and appropriate steps to:
  1. ensure that Circle uses Covered Data in a manner consistent with Customer's obligations under Applicable Data Protection Laws; and
  2. upon reasonable notice, stop and remediate unauthorized use of Covered Data.
3. Customer may, not more than once a year, audit Circle's compliance with this DPA. The Parties agree that all such audits will be conducted:
  1. upon reasonable written notice to Circle;
  2. only during Circle's normal business hours; and
  3. in a manner that does not materially disrupt Circle's business or operations.
4. With respect to any audits conducted in accordance with Section 10.3:
  1. Customer may engage a third-party auditor to conduct the audit on its behalf;
  2. Circle shall not be required to facilitate any such audit unless and until the parties have agreed in writing on the scope and timing of such audit.
5. Customer shall promptly notify Circle of any non-compliance discovered during an audit.
6. The results of the audit shall be Circle's Confidential Information.
7. Circle may, in response to any audit request submitted by Customer to Circle, provide the following:
  1. data protection compliance certifications issued by a commonly accepted certification issuer which has been audited by a data security expert, or by a publicly certified auditing company; or
  2. such other documentation reasonably evidencing the implementation of the technical and organizational data security measures in accordance with industry standards.
8. If an audit requested by Customer is addressed in the documents or certification provided by Circle in accordance with Section 10.7, and:
  1. the certification or documentation is dated within twelve (12) months of Customer's audit request; and
  2. Circle confirms that there are no known material changes in the controls audited,
  3. Customer agrees to accept that certification or documentation in lieu of conducting a physical audit of the controls covered by the relevant certification or documentation.
SECURITY INCIDENTS
1. Circle shall notify Customer in writing without undue delay after becoming aware of any Security Incident.
2. Circle shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall send Customer timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation.
3. Circle shall provide reasonable assistance with Customer's investigation of any Security Incidents and any of Customer's obligations in relation to the Security Incident under Applicable Data Protection Laws, including any notification to Data Subjects or supervisory authorities.
4. Circle's notification of or response to a Security Incident under this Section 11 shall not be construed as an acknowledgement by Circle of any fault or liability with respect to the Security Incident.
TERM, DELETION, AND RETURN
1. This DPA shall commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, Circle's deletion of all Covered Data as described in this DPA.
2. Circle shall:
  1. if requested to do so by Customer within thirty (30) days of expiry of the Agreement (the “Retention Period”), provide a copy of all Covered Data in such commonly used format as requested by Customer, or provide a self-service functionality allowing Customer to download such Covered Data; and
  2. on expiry of the Retention Period, delete all copies of Covered Data Processed by Circle or any Authorized Sub-processors, other than any Contract Administration and Marketing Data and Usage and Feedback Data Processed for the Controller Purposes.
STANDARD CONTRACTUAL CLAUSES
1. The Standard Contractual Clauses shall, as further set out in Schedule 3, apply to the transfer of any Covered Data from Customer to Circle, and form part of this DPA, to the extent that:
  1. the GDPR or Swiss Data Protection Law applies to the Customer when making that transfer; or
  2. the Applicable Data Protection Laws that apply to the Customer when making that transfer (the “Exporter Data Protection Laws”) prohibit the transfer of Covered Data to the Circle under this DPA in the absence of a transfer mechanism implementing adequate safeguards in respect of the Processing of that Covered Data, and any one or more of the following applies:
    - the relevant authority with jurisdiction over the Customer's transfer of Covered Data under this DPA has not formally adopted standard data protection clauses or another transfer mechanism under the Exporter Data Protection Laws; or
    - such authority has issued guidance that entering into standard contractual clauses approved by the European Commission would satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or
    - established market practice in relation to transfers subject to the Exporter Data Protection Laws is to enter into standard contractual clauses approved by the European Commission to satisfy any requirement under the Exporter Data Protection Laws to implement adequate safeguards in respect of that transfer; or
    - the transfer is an “onward transfer” (as defined in the applicable module of the SCCs).
2. The Parties agree that execution of the Agreement shall have the same effect as signing the SCCs.
DEIDENTIFIED DATA
1. If Circle receives Deidentified Data from or on behalf of Customer, Circle shall:
  1. take reasonable measures to ensure the information cannot be associated with a Data Subject;
  2. publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information; and
  3. contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and Applicable Data Protection Laws.
LIABILITY
1. When acting as a Controller or business of any Personal Data pursuant to this DPA or the Agreement, each party shall only be liable for its own breach of Applicable Data Protection Laws or of this DPA and shall not be jointly and/or severally liable with the other party for the other party’s breach.
2. In all other cases, Circle’s total aggregate liability towards Customer or any third party shall be subject to the cap on liability set forth in the Agreement.
3. The Parties agree that any limitations on either Party's liability under the Agreement shall not apply to any claims, losses or damages arising in respect of a breach of the SCCs.
GENERAL
1. The Parties hereby certify that they understand the requirements in this DPA and will comply with them.
2. The Parties agree to negotiate in good faith any amendments to this DPA as may be required in connection with changes in Applicable Data Protection Laws.

Schedule 1: Details of Processing

Part 1: Covered Data

A. LIST OF PARTIES

	Customer	Circle
Role	Data Exporter (controller)	Data Importer (Processor)
Contact person	The Administrator	Karthik Ganesh, Chief of Staff, legal@circle.so
Activities relevant to the transfer	The receipt of the Services under the Agreement.	The performance of the Services under the Agreement.

B. DESCRIPTION OF PROCESSING

Categories of Data Subjects	Administrators Authorized Users
Categories of Personal Data	Name and email address Profile and account information User Content uploaded by the Administrator or Authorized User Comments, questions, feedback, and support requests
Special categories of Personal Data	None
Frequency of the transfer	Continuous
Nature of the Processing	Collection, recording, organization, structuring, storage, erasure, and destruction
Purposes of the data transfer and further Processing	Provision of the Services, namely: facilitating the creation of, and sharing of content within, online communities set up by the Customer Provision of IT support
Retention period	The duration of the Agreement
Subprocessors	As set out in Schedule 4

C. DESCRIPTION OF PROCESSING

The competent supervisory authority is: the Data Protection Commissioner (Ireland).

Part 2: Contract Administration and Marketing Data

Categories of Data Subjects	Administrators Authorized Users
Categories of Personal Data	Administrators Name and email address Marketing preferences Where the Administrator is also the Customer: Account and profile information Payment and transaction information Products and services purchased Social media login authentication token Authorized Users Information about the device used to access the Services Information about the User's access to and use of the Services.
Purposes of processing	Communication with Administrators (including sending service-related and promotional communications) Administration of the agreement with the Customer (including authentication and granting access to the Services, processing renewals, billing and processing payments, detection of fraudulent use) Promoting and marketing the Services.

Categories of Data Subjects

Administrators
Authorized Users

Categories of Personal Data

Administrators

Name and email address
Marketing preferences

Where the Administrator is also the Customer:

Account and profile information
Payment and transaction information
Products and services purchased
Social media login authentication token

Authorized Users

Information about the device used to access the Services
Information about the User's access to and use of the Services.

Purposes of processing

Communication with Administrators (including sending service-related and promotional communications)
Administration of the agreement with the Customer (including authentication and granting access to the Services, processing renewals, billing and processing payments, detection of fraudulent use)
Promoting and marketing the Services.

Usage and Feedback Data

Categories of Data Subjects	Administrators Authorized Users
Categories of Personal Data	Name and email address Information about the device used to access the Services Information about the User's access to and use of the Services.
Purposes of processing	Monitoring the performance of the Services, identifying errors and improvements to the Services and informing product development.

Schedule 2: Technical and Organizational Measures

Introduction
1. Circle employs a combination of policies, procedures, guidelines and technical and physical controls to protect the personal data it processes from accidental loss and unauthorized access, disclosure or destruction.
Governance and Policies
1. Circle assigns personnel with responsibility for the determination, review and implementation of security policies and measures.
2. Circle:
  1. has documented the security measures it has implemented in a security policy and/or other relevant guidelines and documents;
  2. reviews its security measures and policies on a regular basis to ensure they continue to be appropriate for the data being protected.
3. Circle establishes and follows secure configurations for systems and software, and ensures that security measures are considered during project initiation and the development of new IT systems.
Breach response
1. Circle has a breach response plan that has been developed to address data breach events. The plan is tested and updated at least annually.
Intrusion, anti-virus and anti-malware defenses
1. Circle's IT systems used to process personal data have appropriate data security software installed on them, including as follows:
  1. Inbound and outbound traffic passes through firewalls that are monitored and protected by intrusion detection / prevention systems that allow traffic flowing through the firewalls to be logged.
  2. IT systems have appropriate antivirus, anti-spyware and anti-malware software installed. Such software is updated at least daily and performs ongoing scans for threats and malicious programs.
  3. Circle performs penetration tests on its IT systems at least annually.
  4. Circle performs regular, and at least monthly vulnerability scans.
  5. Circle collects, maintains, reviews and audits event logs.
  6. Circle deploys data loss prevention tools at network and host level.
  7. Circle monitors all traffic leaving the organization and unauthorized use of encryption.
Access controls
1. Circle limits access to personal data by implementing appropriate access controls, including:
  1. limiting administrative access privileges and use of administrative accounts;
  2. changing all default passwords before deploying operating
  3. requiring authentication and authorization to gain access to IT systems (i.e. require users to enter a user id and password before they are permitted access to IT systems);
  4. only permitting user access to personal data which the user needs to access for his/her job role or the purpose for which they are given access to Circle's IT systems (i.e. Circle implements measures to ensure least privilege access to IT systems);
  5. having in place appropriate procedures for controlling the allocation and revocation of personal data access rights. For example, having in place appropriate procedures for revoking employee access to IT systems when they leave their job or change role;
  6. enforcing password policies that require users to use strong passwords, such as passwords with over eight characters, combination of upper and lower case letters, numbers and special characters;
  7. enforcing regular password renewal;
  8. use of multi-factor authentication;
  9. automatic timeout and locking of user terminals if left idle;
  10. access to IT system is blocked after multiple failed attempts to enter correct authentication and/or authorization details;
  11. monitoring and logging access to IT systems; and
  12. monitoring and logging amendments to data or files on IT systems.
Availability and Back-up personal data
1. Circle has a documented disaster recovery plan that ensures that key systems and data can be restored in a timely manner in the event of a physical or technical incident. The plan is regularly tested and updated at least annually.
2. Circle regularly backs-up information on IT systems and keeps back-ups in separate locations. Back-ups of information are tested at least annually.
Segmentation of personal data
1. Circle:
  1. separates and limits access between network components and, where appropriate, implements measures to provide for separate processing (storage, amendment, deletion, transmission) of personal data collected and used for different purposes; and
  2. does not use live data for testing its systems.
Disposal of IT equipment
1. Circle:
  1. has in place processes to securely remove all personal data before disposing of IT systems; and
  2. uses appropriate technology to purge equipment of data and/or destroy hard disks.
Encryption
1. Circle uses encryption technology to protect personal data at rest and in transit, including:
  1. applying AES-256 encryption to data at rest and TLS 1.2 or higher to data in transit; and
  2. encryption of portable devices used to process personal data.
  3. Encryption keys are stored separately from the encrypted information, and are subject to appropriate security measures.
Transmission or transport of personal data
1. Appropriate controls are implemented by Circle to secure personal data during transmission or transit, including:
  1. use of VPNs;
  2. encryption in transit using TLS 1.2 or higher;
  3. logging personal data when transmitted electronically;
  4. logging personal data when transported physically; and
  5. ensuring physical security for personal data when transported on portable electronic devices or in paper form.
Device hardening
1. Circle removes unused software and services from devices used to process personal data.
2. Circle ensures that default passwords that are provided by hardware and software producers are not used.
3. Circle ensures that all operating systems are hardened in accordance with configuration recommendations published by the Center for Internet Security.
Asset and Software management
1. Circle maintains an inventory of IT assets and the data stored on them, together with a list of owners of the relevant IT assets.
2. Circle:
  1. documents and implements rules for acceptable use of IT assets.
  2. requires network level authentication and uses client certificates to validate and authenticate systems;
  3. deploys application whitelisting;
  4. deploys automated patch management tools and software update tools for operating systems and software;
  5. proactively monitors software vulnerabilities and promptly implements any out of cycle patches; and
  6. permits the use of only the latest versions of fully supported web browsers and email clients.
3. Circle stores all API keys securely, including as follows:
  1. Circle stores API keys directly in its environment variables;
  2. Circle does not store API keys on client side;
  3. Circle does not publish API key credentials in online code repositories (whether private or not); and
  4. Circle uses API key management tools to retrieve and manage credentials for large development projects.
Staff training and awareness
1. Circle's agreements with staff and contractors and employee handbooks set out its personnel's responsibilities in relation to information security.
2. Circle carries out:
  1. regular staff training on data security and privacy issues relevant to their job role and ensures that new starters receive appropriate training before they start their role (as part of the onboarding procedures); and
  2. appropriate screening and background checks on individuals that have access to sensitive personal data.
3. Circle ensures that information security responsibilities that are applicable immediately before termination or change of employment and those which apply after termination / change of employment are communicated and implemented.
Selection of service providers and commission of services
1. Circle assesses service providers’ ability to meet their security requirements before engaging them.
2. Circle has written contracts in place with service providers which require them to implement appropriate security measures to protect the personal data they have access to and limit the use of personal data in accordance with Circle's instructions.
3. Circle conducts annual audits of vendors (including subprocessors) that have access to data either through physical inspection by appropriately qualified security auditors or by reviewing vendors' security accreditation (such as ISO 27001 or SOC II) reports.
4. Circle's breach response protocol and agreements with vendors provide for the audit of vendors (and subprocessors) following receipt of any notice of a security incident from that vendor.
Assistance with Data Subject Rights Requests
1. Circle has implemented appropriate policies and measures to identify and address data subject rights requests, including:
  1. the data processed on behalf of each Customer is stored separately from data processed by Circle;
  2. Circle maintains accurate records to enable it to identify quickly all personal data processed on behalf of a Customer; and
  3. back-ups of personal data processed by Circle are overwritten on a regular basis to ensure deletion and rectification requests are fully actioned.

Schedule 3: Standard Contractual Clauses

EU SCCS

With respect to any transfers referred to in Section 13, the Standard Contractual Clauses shall be completed as follows:
1. Module Two (controller to processor) of the SCCs will apply.
2. Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.
3. Option 2 of Clause 9(a) (General written authorization) shall apply, and the time period to be specified is determined in Section 7.4 of the DPA.
4. The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
5. With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option 1 will apply and the governing law will be Irish law.
6. In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of Ireland.
7. For the Purpose of Annex I of the Standard Contractual Clauses, Part 1 of Schedule 1 of the DPA contains the specifications regarding the parties, the description of transfer, and the competent supervisory authority.
8. For the Purpose of Annex II of the Standard Contractual Clauses, Schedule 2 of the DPA contains the technical and organizational measures.
UK Addendum
1. This paragraph 2 (UK Addendum) shall apply to any transfer of Covered Data from Customer (as data exporter) to Circle (as data importer), to the extent that:
  1. the UK Data Protection Laws apply to Customer when making that transfer; or
  2. the transfer is an “onward transfer” as defined in the Approved Addendum.
2. As used in this paragraph 2:
  
  “Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Approved Addendum.
  
  “UK Data Protection Laws” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
3. The Approved Addendum will form part of this DPA with respect to any transfers referred to in paragraph 2.1, and execution of this DPA shall have the same effect as signing the Approved Addendum.
4. The Approved Addendum shall be deemed completed as follows:
  1. the “Addendum EU SCCs” shall refer to the SCCs as they are incorporated into this Agreement in accordance with Section 13 and this Schedule 3;
  2. Table 1 of the Approved Addendum shall be completed with the details in section A of Part 1 of Schedule 1;
  3. the “Appendix Information” shall refer to the information set out in Part 1 of Schedule 1 and Schedule 2
  4. for the purposes of Table 4 of the Approved Addendum, Customer (as data exporter) may end this DPA, to the extent the Approved Addendum applies, in accordance with Section 19 of the Approved Addendum; and
  5. Section 16 of the Approved Addendum does not apply.
Swiss addendum
1. This Swiss Addendum will apply to any Processing of Covered Data that is subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the EU GDPR.
2. Interpretation of this Addendum
  1. Where this Addendum uses terms that are defined in the Standard Contractual Clauses, those terms will have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
    - “Addendum” means this addendum to the Clauses;
    - “Clauses” means the Standard Contractual Clauses as incorporated into this DPA in accordance with Section 13 and as further specified in this Schedule 3; and
    - “FDPIC” means the Federal Data Protection and Information Commissioner.
  2. This Addendum shall be read and interpreted in a manner that is consistent with Swiss Data Protection Laws, and so that it fulfills the Parties' obligation to provide appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
  3. This Addendum will not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
  4. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Swiss Addendum has been entered into.
  5. In relation to any Processing of Personal Data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends and supplements the Clauses to the extent necessary so they operate:
    - for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer; and
    - to provide appropriate safeguards for the transfers in accordance with Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
3. Hierarchy
  
  In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to Data Subjects will prevail.
4. Changes to the Clauses for transfers exclusively subject to Swiss Data Protection Laws
  
  To the extent that the data exporter's Processing of Personal Data is exclusively subject to Swiss Data Protection Laws, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an “onward transfer” (as defined in the Clauses, as amended by the remainder of this paragraph 3.3(a)) the following amendments are made to the Clauses:
  1. References to the “Clauses” or the “SCCs” mean this Swiss Addendum as it amends the SCCs.
  2. Clause 6 Description of the transfer(s) is replaced with:
  3. “The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in Part 1 of Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer.”
  4. References to “Regulation (EU) 2016/679” or “that Regulation” or “GDPR” are replaced by “Swiss Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” or “GDPR” are replaced with the equivalent Article or Section of Swiss Data Protection Laws extent applicable.
  5. References to Regulation (EU) 2018/1725 are removed.
  6. References to the “European Union”, “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”.
  7. Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the FDPIC;
  8. Clause 17 is replaced to state
    
    “These Clauses are governed by the laws of Switzerland”.
  9. Clause 18 is replaced to state:
    
    “Any dispute arising from these Clauses relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.”
5. Supplementary provisions for transfers of Personal data subject to both the GDPR and Swiss Data Protection Laws
  1. To the extent that the data exporter's Processing of Personal Data is subject to both Swiss Data Protection Laws and the GDPR, or the transfer of Personal Data from a data exporter to a data importer under the Clauses is an “onward transfer” under both the Clauses and the Clauses as amended by paragraph 3.3(c) of this Addendum:
    - for the purposes of Clause 13(a) and Part C of Annex I: the FDPIC shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent Swiss Data Protection Laws apply to the data exporter's Processing when making that transfer, or such transfer is an “onward transfer” as defined in the Clauses (as amended by paragraph 3.3 of this Addendum; and
    - subject to the provisions of paragraph 2 of this Schedule 3 (UK Addendum), the supervisory authority identified in Schedule 1 shall act as competent supervisory authority with respect to any transfers of Personal Data to the extent the GDPR applies to the data exporter's processing, or such transfer is an “onward transfer” as defined in the Clauses.
  2. the terms “European Union”, “Union”, “EU”, and “EU Member State” shall not be interpreted in a way that excludes the ability ofData Subjects in Switzerland bringing a claim in their place of habitual residence in accordance with Clause 18(c) of the Clauses.
Transfers under the laws of other jurisdictions
1. With respect to any transfers of Personal Data referred to in Section 13.1(b) (each a “Global Transfer”), the SCCs shall not be interpreted in a way that conflicts with rights and obligations provided for in the Exporter Data Protection Laws.
2. For the purposes of any Global Transfers, the SCCs shall be deemed to be amended to the extent necessary so that they operate:
  1. for transfers made by the applicable data exporter to the data importer, to the extent the Exporter Data Protection Laws apply to that data exporter's Processing when making that transfer; and
  2. to provide appropriate safeguards for the transfers in accordance with the Exporter Data Protection Laws.
3. The amendments referred to in paragraph 4.2 include (without limitation) the following:
  1. references to the “GDPR” and to specific Articles of the GDPR are replaced with the equivalent provisions under the Exporter Data Protection Laws;
  2. reference to the “Union”, “EU” and “EU Member State” are all replaced with reference to the jurisdiction in which the Exporter Data Protection Laws were issued (the “Exporter Jurisdiction”);
  3. the “competent supervisory authority” shall be the applicable supervisory in the Exporter Jurisdiction; and
  4. Clauses 17 and 18 of the SCCs shall refer to the laws and courts of the Exporter Jurisdiction respectively.
4. Where, at any time during the Circle's Processing of Covered Data under this DPA, a transfer mechanism other than the SCCs is approved under the Exporter Data Protection Laws with respect to transfers of Covered Data by Customer to Circle, the Parties shall promptly enter into a supplementary agreement that:
  1. incorporates any standard data protection clauses or another transfer mechanism formally adopted by the relevant authority in the Exporter Jurisdiction;
  2. incorporates the details of Processing set out in Part 1 of Schedule 1;
  3. shall, with respect to the transfer of Personal Data subject to the Exporter Data Protection Laws, take precedence over this DPA in the event of any conflict.
5. Where required under the Exporter Data Protection Laws, the relevant data exporter shall file a copy of the agreement entered into in accordance with paragraph 4.4 with the relevant national authority.

Schedule 4: Sub-Processors

Sub-processor	Purpose	Description	Location	Transfer Mechanism
Amazon Web Services, Inc. (AWS)	Cloud hosting	Provides compute, storage, and infrastructure used to host Circle’s application and store customer data securely.	USA	Standard Contractual Clauses (SCCs)
Braintrust, Inc.	AI evaluation	Evaluates and monitors AI feature performance using sample inputs and outputs.	USA	Standard Contractual Clauses (SCCs)
Buildkite Pty Ltd.	CI / CD pipelines	Runs CI/CD pipelines to build, test, and deploy Circle’s application.	USA	Standard Contractual Clauses (SCCs)
Clay Labs, Inc.	Data enrichment and GTM workflows	Enriches contact and account data and supports go-to-market workflows.	USA	Standard Contractual Clauses (SCCs)
Cloudflare, Inc.	Observability, monitoring, and security	Provides CDN, performance optimisation, and security protection (including DDoS mitigation and traffic routing).	USA	Standard Contractual Clauses (SCCs)
dbt Labs, Inc. (dbt Cloud)	Data transformation and analytics engineering	Runs data transformation jobs on Circle’s analytics data.	USA	Standard Contractual Clauses (SCCs)
Fathom Analytics, Inc. (Fathom)	Call transcripts	Records meetings and generates call transcripts, summaries, and action items.	USA	Standard Contractual Clauses (SCCs)
Forethought Technologies, Inc.	AI support automation	Provides AI-powered support tools that process support tickets and help content.	USA	Standard Contractual Clauses (SCCs)
Google Cloud (Google LLC)	Cloud hosting	Provides secure hosting services supporting part of Circle’s infrastructure.	USA	Standard Contractual Clauses (SCCs)
HubSpot, Inc.	CRM & marketing	Processes customer admin and prospect contact information for onboarding, lifecycle communication, and marketing operations.	USA	Standard Contractual Clauses (SCCs)
Last9, Inc.	Observability and monitoring	Provides observability for Circle’s infrastructure and applications (logs, metrics, traces).	USA	Standard Contractual Clauses (SCCs)
LiveKit, Inc.	Audio and video infrastructure	Provides live video support (WebRTC, HLS) for sessions, events, and interactive video features.	USA	Standard Contractual Clauses (SCCs)
Mailgun Technologies, Inc.	Email delivery service	Sends marketing emails on behalf of Circle customers to Circle members through Email Hub (e.g., notifications, verification emails).	USA	Standard Contractual Clauses (SCCs)
New Relic, Inc.	Observability and monitoring	Provides application and infrastructure monitoring (APM, logs, metrics).	USA	Standard Contractual Clauses (SCCs)
OpenAI, LLC	LLMs and other AI features	Processes prompts and user-submitted content when AI-enabled features are activated within Circle.	USA	Standard Contractual Clauses (SCCs)
RevenueCat, Inc.	Finance and payments	Processes customer and member billing data, subscription events, related revenue analytics, and payment method tokens.	USA	Standard Contractual Clauses (SCCs)
SendGrid (Twilio SendGrid, Inc.)	Email delivery service	Sends transactional and operational emails to Circle customers and members (e.g., notifications, verification emails).	USA	Standard Contractual Clauses (SCCs)
Stripe, Inc.	Finance and payments	Processes customer and member billing data, subscription payments, and payment method tokens.	USA	Standard Contractual Clauses (SCCs)
Zapier, Inc.	Workflows	Processes workflow-triggered data to automate internal operations and integrations (AI orchestration).	USA	Standard Contractual Clauses (SCCs)
Zendesk, Inc.	Customer support	Processes customer contact information and support ticket content to provide troubleshooting and support.	USA	Standard Contractual Clauses (SCCs)
100MS	Audio and video infrastructure	Provides live video support (WebRTC, HLS) for sessions, events, and interactive video features.	USA	Standard Contractual Clauses (SCCs)