
Data Processing Addendum

Orthodoxy, Inc.  ·  Version 1.0  ·  Effective May 10, 2026

This Data Processing Addendum (this "DPA") is entered into between Orthodoxy, Inc., a Delaware corporation ("Processor"), and the customer entity identified in the Order Form or Master Subscription Agreement to which this DPA is attached ("Controller"), and is incorporated by reference into the Master Subscription Agreement or other written agreement between the parties governing access to the Service (the "Agreement"). Capitalized terms not defined herein have the meanings given in the Agreement.

1  Definitions

1.1  "Applicable Data Protection Law" means all laws and regulations governing the processing of Personal Data applicable to a party in its role under this DPA, including, as applicable: (a) the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"); (b) the UK GDPR as defined in the UK Data Protection Act 2018 ("UK GDPR"); (c) the Swiss Federal Act on Data Protection ("Swiss FADP"); and (d) any U.S. state privacy laws applicable to the processing described herein.

1.2  "Customer Content" has the meaning given in the Agreement and includes matter names, research session content, citations, passages, sign-off records, and any other data the Controller submits to the Service.

1.3  "Data Subject" means the natural person to whom Personal Data relates.

1.4  "Personal Data" means any information relating to an identified or identifiable natural person that is included in Customer Content or otherwise processed by the Processor on behalf of the Controller under the Agreement.

1.5  "Processing" (and "Process," "Processed") means any operation performed on Personal Data, whether automated or manual, including collection, storage, use, disclosure, combination, erasure, or destruction.

1.6  "Security Incident" means any confirmed unauthorized access to, disclosure of, or loss of Personal Data in the Processor's custody or control.

1.7  "Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.

1.8  "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Decision 2021/914.

1.9  "Technical and Organizational Measures" or "TOMs" means the security and operational safeguards described in Annex II.

2  Roles and Scope of Processing

2.1  Processor and Controller. The Controller acts as controller of Personal Data processed under the Agreement. The Processor acts as processor of such Personal Data, processing it only on the documented instructions of the Controller as set forth in this DPA and the Agreement. Nothing in this DPA makes the Processor a controller of Customer Content.

2.2  Processor Relationship to Data Subjects. The Controller's clients and other third parties whose Personal Data may appear in Customer Content are Data Subjects of the Controller's processing. Orthodoxy's relationship to those individuals is that of processor acting on the Controller's instructions; Orthodoxy does not independently control the processing of such individuals' data.

2.3  Processor's Controller Activities. Notwithstanding Section 2.1, the Processor acts as an independent controller of personal data it collects for its own legitimate business purposes (e.g., account contact information, billing records, support communications). That processing is governed by the Processor's Privacy Policy, not this DPA.

2.4  Subject Matter. The subject matter of the processing governed by this DPA is the processing of Personal Data necessary to provide the Service as described in the Agreement.

2.5  Duration. The Processor will Process Personal Data for the term of the Agreement plus the post-termination period required to complete deletion or return obligations under Section 7, and subject to the retention carve-out in Section 7.3.

2.6  Nature and Purpose of Processing. The Processor will Process Personal Data solely to: (a) host, transmit, and present Customer Content to Authorized Users; (b) generate AI Output in response to Authorized User queries; (c) screen AI Output through the Processor's Hallucination Defense Pipeline, which submits citation strings (case names, reporter citations, statutory references) to public legal-data APIs (e.g., CourtListener, the Caselaw Access Project, GovInfo, and eCFR) for the limited purpose of detecting fabricated, mismatched, or inaccurate citations; (d) produce Compliance Certificates and draft exports; (e) store and maintain sign-off records and verification-navigation click logs; and (f) provide related support, security, and operational functions necessary to deliver the Service. The Hallucination Defense Pipeline screens AI Output; it does not constitute verification, certification, or validation of any citation, and the Processor makes no representation as to the accuracy of the screening results (consistent with Section 6.5).

2.7  Categories of Data Subjects.

(a) Authorized Users of the Controller (attorneys, paralegals, and other personnel with access to the Service);

(b) individuals named or referenced in Customer Content, including the Controller's clients, opposing parties, witnesses, and third parties referenced in legal research.

2.8  Categories of Personal Data. Personal Data Processed under this DPA may include: (a) identifiers (names, email addresses, bar numbers, matter numbers); (b) professional information (firm name, title, practice area, case assignments); and (c) content data (matter narratives, citations, passages, research notes, sign-off records, and any other information submitted by Authorized Users as part of the Service).

3  Processor Obligations

3.1  Documented Instructions. The Processor will Process Personal Data only on the Controller's documented instructions. For purposes of this DPA, the Agreement (including any applicable Order Form and the Controller's configuration of the Service) constitutes the Controller's documented instructions. If the Processor is required by Applicable Data Protection Law to Process Personal Data in a manner inconsistent with those instructions, the Processor will inform the Controller to the extent permitted by applicable law before undertaking such processing.

3.2  Confidentiality of Personnel. The Processor will ensure that personnel authorized to Process Personal Data are subject to a binding confidentiality obligation (including a Confidential Information and Invention Assignment Agreement or equivalent), and that access is limited to those with a need to Process the data to perform the Service.

3.3  Security Measures. The Processor will implement and maintain the Technical and Organizational Measures set forth in Annex II. The Processor may update the TOMs over time provided that updates do not materially reduce the level of protection described in Annex II. The Processor will notify the Controller of any material reduction in security controls.

3.4  Sub-processors.

(a) General Authorization. The Controller provides general written authorization for the Processor to engage Sub-processors. The current list of authorized Sub-processors is set forth in Annex III and maintained at app.orthodoxyapp.com/legal/subprocessors.

(b) Notice of Changes. The Processor will provide at least thirty (30) days' advance written notice (by email to the Controller's designated privacy contact, or, absent such designation, to the billing contact on record) before adding or replacing a Sub-processor. Notice will be deemed given on the date of transmission.

(c) Objection. The Controller may object to a new Sub-processor on reasonable data protection grounds by providing written notice within the notice period. The parties will negotiate in good faith to resolve the objection. If no resolution is reached, the Controller's sole remedy is to terminate the affected portion of the Service on written notice, subject to any pre-paid fees being pro-rated and refunded.

(d) Flow-Down. The Processor will impose on each Sub-processor data protection obligations equivalent to those imposed on the Processor by this DPA, by written contract. The Processor remains liable to the Controller for a Sub-processor's failure to perform its data protection obligations.

3.5  Assistance with Data Subject Rights. The Processor will provide commercially reasonable assistance to the Controller in fulfilling the Controller's obligations to respond to Data Subject requests under Applicable Data Protection Law (including requests to access, correct, delete, or port Personal Data). Given the nature of the Service, such assistance will consist primarily of providing the Controller with technical means to export, correct, or delete data within the Service. The Processor will not respond directly to Data Subject requests concerning Customer Content without the Controller's prior written authorization, except as required by applicable law.

3.6  Security Incident Notification.

(a) The Processor will notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware, of a Security Incident affecting Personal Data Processed under this DPA.

(b) Notification will be provided by email to the Controller's designated security or privacy contact and will include, to the extent then known: a description of the nature of the incident; the categories and approximate number of Data Subjects and Personal Data records affected; the likely consequences of the incident; and the measures taken or proposed to address the incident and mitigate its effects.

(c) Where complete information is not available within 72 hours, the Processor will provide an initial notification with available information and supplement it as additional information becomes available.

(d) Notification of a Security Incident does not constitute an acknowledgment of fault or liability.

3.7  DPIAs and Prior Consultations. The Processor will provide commercially reasonable cooperation and assistance to the Controller in connection with any data protection impact assessment ("DPIA") or prior consultation with a supervisory authority that the Controller is required to conduct under Applicable Data Protection Law, to the extent such assessment or consultation relates to the Processor's processing activities under this DPA.

3.8  Deletion and Return of Personal Data.

(a) Upon expiration or termination of the Agreement, the Processor will, at the Controller's election, return or securely delete Personal Data in Customer Content within sixty (60) days, except as provided in Section 7.3.

(b) The Controller may request return or deletion during the term in accordance with the Service's data export and deletion features.

(c) Upon completion of deletion, the Processor will, upon written request, provide a written certification of deletion.

3.9  Audit Rights.

(a) The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and will allow and contribute to audits, including inspections, conducted by the Controller or a qualified third-party auditor designated by the Controller, upon at least thirty (30) days' prior written notice, subject to reasonable confidentiality protections.

(b) Commencing upon the Processor's receipt of its first SOC 2 Type II report (targeted for the second year of operations as described in Annex II), the Processor's current in-scope SOC 2 Type II report will satisfy the Controller's audit rights with respect to the controls within scope of that report. The Controller may conduct a direct audit only if the SOC 2 report is unavailable or fails to address a specific concern.

(c) Audits may be conducted no more than once per calendar year absent a Security Incident or documented compliance concern. The Controller will bear the cost of any audit it commissions unless the audit reveals material non-compliance.

3.10  Indemnification and Liability. Each party's indemnification obligations and liability for breach of this DPA are subject to the limitations of liability set forth in the Agreement, provided that the parties acknowledge that Enterprise customers may negotiate enhanced data processing liability caps in the Order Form. The foregoing does not limit liability for death or personal injury caused by negligence, fraud, or any liability that cannot be limited by applicable law.

4  Controller Obligations

4.1  Lawful Basis. The Controller represents and warrants that it has a lawful basis for processing each category of Personal Data submitted to the Service and that its instructions to the Processor are consistent with Applicable Data Protection Law.

4.2  Data Subject Notices. The Controller is responsible for providing any notices to Data Subjects required under Applicable Data Protection Law regarding the processing of their Personal Data through the Service.

4.3  Sensitive Data. The Controller will not submit to the Service any Personal Data that constitutes a special category of data under Applicable Data Protection Law (including health data, biometric data, or data concerning criminal convictions) without prior written agreement from the Processor addressing the additional safeguards required for such data.

4.4  Authorized User Controls. The Controller is responsible for managing Authorized User access credentials and for revoking access upon termination of an Authorized User's relationship with the Controller.

5  International Data Transfers

5.1  U.S. Processing. All processing under this DPA occurs in the United States. The Processor does not transfer Personal Data to countries outside the United States in the ordinary course of providing the Service.

5.2  EU/EEA Transfers. To the extent the Controller is established in the EU/EEA or submits Personal Data of EU/EEA residents to the Service, the Standard Contractual Clauses (Module Two: Controller to Processor) referenced in Annex IV are incorporated into this DPA and govern the transfer of that Personal Data from the EU/EEA to the United States. Where the SCCs apply, in the event of any conflict between the SCCs and this DPA, the SCCs will prevail to the extent of the conflict. The complete text of the SCCs and the completed Appendix to the SCCs are available upon request from support@orthodoxyapp.com and will be attached as an exhibit to any DPA executed with an EU/EEA-established Customer.

5.3  UK Transfers. To the extent the Controller is established in the United Kingdom or submits Personal Data of UK residents to the Service, the UK International Data Transfer Addendum referenced in Annex V supplements this DPA and the SCCs for such transfers.

5.4  Swiss Transfers. To the extent the Controller is established in Switzerland or submits Personal Data of Swiss residents to the Service, the Swiss Data Transfer Addendum referenced in Annex VI supplements this DPA for such transfers.

5.5  Sub-processor SCCs. For transfers of EU/EEA, UK, or Swiss Personal Data to Sub-processors, the Processor will ensure equivalent transfer safeguards are in place, either via SCCs (Module Three: Processor to Sub-processor) or an alternative transfer mechanism recognized under Applicable Data Protection Law.

6  Legal-Vertical Provisions

6.1  Attorney Work Product. The Processor acknowledges that Customer Content may include materials protected by the attorney-client privilege, attorney work product doctrine, or other legal professional privilege. The Processor will: (a) access matter content only to the extent required to provide the Service; (b) enforce matter-level access controls as described in the Agreement (including the assertMatterAccess authorization check applied to all matter, session, citation, and passage resources); and (c) cooperate with legal hold instructions from the Controller, including preserving identified matter content in response to a documented litigation hold request.

6.2  Bar Disciplinary and Legal Process Compliance. The Processor will: (a) produce Customer Content to the Controller on demand; and (b) produce Customer Content to third parties, including bar disciplinary authorities, only pursuant to valid legal process (subpoena, court order, or equivalent), and will provide the Controller with prior written notice of such process to the extent permitted by applicable law and not prohibited by the legal process itself.

6.3  AI Limitations — No Independent Certification. The Processor does not represent that AI Output constitutes verified legal citations, confirmed case law, or attorney-certified work product. The AI Limitations Disclosure required by the Agreement is built into every export produced by the Service and may not be removed or suppressed by Controller configuration. The Controller acknowledges this disclosure is a non-waivable feature of the Service.

6.4  Compliance Certificate Integrity. The Processor will maintain the integrity of sign-off records and compliance certificate hashes using the cryptographic hash algorithm documented in the Agreement (currently SHA-256-v2, identified by the certificateHashAlgorithm field on each sign-off record). The Processor will not alter sign-off records once finalized; immutability is enforced both at the application layer and through a database trigger that blocks updates and deletions on signed records (with a single carve-out for the one-time hash backfill operation, which preserves all other field values). The Processor will provide verification access to the Controller through the Service, including a hash-recomputation endpoint that aborts certificate downloads if the stored hash does not match the canonical recomputation.

6.5  Hallucination Defense Layer — Screening, Not Verification. The Hallucination Defense Pipeline described in Section 2.6(c) is a screening layer that flags potentially inaccurate citations and surfaces flags to the Controller through the Service interface. The pipeline does not verify, confirm, or validate any citation, and a passing screening result is not a representation by the Processor as to the accuracy of any citation. All Service language describing pipeline results uses the terminology "screened," "flagged," "no flags detected," or "review recommended"; the words "verify," "verified," "confirmed," and "validated" are not used in connection with pipeline results in any user-facing surface, API response, or compliance certificate. The Controller and each Authorized User retain sole and exclusive responsibility for independently verifying all citations in accordance with the Agreement.

6.6  Verification-Navigation Audit Log. When an Authorized User clicks through to an external legal research service (e.g., Westlaw, LexisNexis, Fastcase/vLex, CourtListener) from within a Research Session, the Service records a click-event audit entry containing the Authorized User identifier, the citation identifier, the destination service, and the timestamp. This log is retained for the same period as the associated sign-off record (Section 7.3) and is available to the Controller for inspection through the Service. The log records that a navigation occurred; it does not record the content of the destination page or any data exchanged with the third-party service.

7  Retention and Deletion

7.1  General Deletion Obligation. Except as provided in Section 7.3, the Processor will delete Personal Data in Customer Content within sixty (60) days following the later of: (a) expiration or termination of the Agreement; or (b) the Controller's written deletion request.

7.2  Deletion of Authorized User Accounts. Deletion of an individual Authorized User's account will remove that user's credentials and preferences. It will not, however, trigger deletion of sign-off records to which that user is a signatory, because those records constitute legal documents in which the Controller has a continuing interest.

7.3  Sign-Off Records Carve-Out. Notwithstanding any other provision of this DPA or the Agreement, the Processor will retain sign-off records (including QualityCheckSignOff records, associated compliance certificate hashes, and the session and citation data referenced therein) for a minimum period of seven (7) years following the date of sign-off, or such longer period as may be required by applicable law or as may be specified in an applicable Order Form. This carve-out is disclosed in the Privacy Policy and does not constitute unauthorized retention of Personal Data under Applicable Data Protection Law, as the legal basis for retention is the Processor's legitimate interest in maintaining accurate compliance audit records and the Controller's regulatory compliance obligations.

7.4  Backups. Deletion from live systems will be completed within sixty (60) days as stated above. Deletion from encrypted backup snapshots will be completed within thirty (30) days of the backup's normal rotation cycle following the deletion event.

8  General Provisions

8.1  Order of Precedence. In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to data protection obligations. In the event of a conflict between this DPA and the SCCs (Annex IV), the SCCs control to the extent of the conflict.

8.2  Updates to Applicable Law. If a change in Applicable Data Protection Law requires an amendment to this DPA, the parties will negotiate in good faith to execute an amendment within ninety (90) days of the change becoming effective.

8.3  Entire Agreement on Data Processing. This DPA, together with the Agreement and the Annexes, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior discussions and agreements relating to the processing of Personal Data under the Agreement.

8.4  Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions will remain in full force and effect.

8.5  Governing Law. This DPA is governed by the same governing law and jurisdiction provisions as the Agreement, except that the SCCs are governed by the law of the EU member state named therein as required by applicable European Commission decisions.


Annex I — Description of Processing

A. List of parties

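|         | Controller                               | Processor                 |
|---------|------------------------------------------|---------------------------|
| Name    | Customer entity (per Order Form)         | Orthodoxy, Inc.           |
| Address | Per Order Form                           | Provided on request       |
| Contact | Per Order Form (privacy / DPO contact)   | support@orthodoxyapp.com  |
| Role    | Controller                               | Processor                 |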

B. Description of the Processing

Categories of Data Subjects: Authorized Users; individuals named in matter content (clients, opposing parties, third parties referenced in legal research)
Categories of Personal Data: Identifiers (name, email, bar number); professional information (firm, title, practice area); content data (matter narratives, citations, passages, sign-off records, AI-generated research output)
Special Categories: None expected; Controller represents none will be submitted without prior written agreement (§ 4.3)
Nature of Processing: Hosting, transmission, display, AI inference, hallucination-defense screening, PDF generation, cryptographic signing of sign-off records
Purpose(s) of Processing: Provision of the Service: legal citation governance, attorney quality-check workflow, compliance certificate generation
Duration of Processing: Term of Agreement plus post-termination retention / deletion period; sign-off records retained for 7 years per § 7.3
Transfers to Sub-processors: See Annex III

C. Competent Supervisory Authority (EU/EEA customers)

To be completed based on the Customer's Member State of establishment in any DPA executed with an EU/EEA-established Customer.


Annex II — Technical and Organizational Measures

The Processor implements and maintains the following Technical and Organizational Measures as of the DPA effective date. The Processor may update these measures over time without reducing the overall level of protection.

1. Encryption

  • All data in transit is encrypted using TLS 1.2 or higher.
  • All data at rest (database, backups, file storage) is encrypted using AES-256.
  • Compliance certificate canonical data is cryptographically hashed at sign-off using SHA-256-v2 (the active algorithm as of the DPA effective date, recorded in the certificateHashAlgorithm field of each sign-off record). The Processor reserves the right to introduce a new hash algorithm version in the future; any new version will be tracked by a new value of certificateHashAlgorithm and will not retroactively alter the hash of an existing sign-off record.

2. Access Controls

  • Role-based access control enforced at the application layer: every request to a matter, session, citation, or passage resource passes an authorization check (assertMatterAccess) that verifies firm membership and matter membership before returning data.
  • Row-level security enforced at the database layer via Supabase RLS policies.
  • Administrative access to infrastructure requires SSO with multi-factor authentication.
  • Principle of least privilege applied to all internal personnel and third-party system accounts.

3. Audit Logging

  • Application-layer audit log of all sign-off events, including signatory identity, timestamp, and certificate hash.
  • Database-level immutability trigger on sign-off records (BEFORE UPDATE OR DELETE) that blocks all DELETE operations and blocks UPDATE operations on signed records, with a narrow carve-out for the one-time certificate hash backfill (verified by to_jsonb subtraction confirming all other column values are unchanged).
  • Verification-navigation click log capturing every external research service click-through from within a Research Session (user, citation, destination, timestamp).
  • Citation correction event log capturing every attorney-initiated correction or removal of a citation, used both for compliance reporting and for accuracy analytics (when Controller has enabled analytics consent).
  • Infrastructure-level access logs retained for a minimum of ninety (90) days.

4. Vulnerability Management

  • Dependency scanning and automated CVE alerting on each code deployment.
  • Annual penetration test by a qualified third party (or on a schedule as updated herein); results reviewed and critical findings remediated within 30 days.

5. Incident Response

  • Written incident response runbook defining detection, containment, eradication, recovery, and notification procedures.
  • Security Incident notification to the Controller within 72 hours of awareness, per § 3.6.

6. Subprocessor / Vendor Security

  • Security review conducted before onboarding new Sub-processors with access to Personal Data.
  • Sub-processors required to maintain security measures equivalent to or exceeding those described in this Annex.

7. SOC 2 Type II (Planned)

The Processor is targeting SOC 2 Type II readiness preparation beginning at approximately six (6) months of paid-customer operations, with a target audit completion in the second year of operations. The Controller acknowledges that this is an internal target, not a contractual commitment to a specific delivery date. Upon receipt of a SOC 2 Type II report, the current in-scope report will be provided to the Controller upon written request and under NDA, and will satisfy the Controller's audit rights with respect to in-scope controls per § 3.9(b).

8. Personnel

  • All personnel with access to Personal Data are required to execute a Confidential Information and Invention Assignment Agreement (CIIAA) and to complete data protection training.
  • Access is revoked promptly upon termination.

Annex III — Authorized Sub-processor List and External Verification Sources

The following entities are authorized as of the DPA effective date. The current list is maintained at app.orthodoxyapp.com/legal/subprocessors.

Part A — Sub-processors (process Personal Data on Orthodoxy's behalf)

| Sub-processor | Jurisdiction | Processing Activity | Transfer Safeguard |
|---|---|---|---|
| Anthropic, PBC | United States | AI model inference — generating AI Output in response to Authorized User queries (research, contradiction analysis, hallucination defense holding-fabrication stage) | Anthropic API Terms of Service; no API inputs or outputs used for model training per Anthropic published policy and per Agreement |
| Supabase Inc. | United States | Database, authentication, and file storage | DPA with Sub-processor; SOC 2 Type II |
| Vercel Inc. | United States | Application hosting, CDN, and scheduled cron execution (trial reminders) | DPA with Sub-processor; SOC 2 Type II |
| Stripe, Inc. | United States | Payment processing and billing (limited to billing contact data and subscription status; no Customer Content) | DPA with Sub-processor; PCI DSS; SOC 2 Type II |
| Resend Inc. | United States | Transactional email delivery (welcome emails, trial reminders, invite emails; limited to email addresses and notification content; no matter content) | DPA with Sub-processor |
| Upstash, Inc. | United States | Rate-limit token bucket cache (user identifiers and request timestamps only; no Customer Content) | DPA with Sub-processor |

Part B — External Verification Sources (public legal-data APIs)

The Hallucination Defense Pipeline submits citation strings (case names, reporter citations, statute identifiers) to the following public legal-data services for the limited purpose of detecting fabricated, mismatched, or inaccurate citations. These services receive only the citation string and surrounding query parameters; they do not receive matter narratives, attorney annotations, sign-off records, or other Customer Content. The Processor treats these services as recipients of public legal-data lookups, not as Sub-processors of Personal Data, because the data submitted (published case captions, public statute references) is itself public legal information.

| Service | Operator | Jurisdiction | Purpose |
|---|---|---|---|
| CourtListener | Free Law Project | United States | Case law existence and metadata verification |
| Caselaw Access Project (case.law) | Harvard Law School Library Innovation Lab | United States | Case opinion full-text retrieval for quote-fabrication screening |
| GovInfo | U.S. Government Publishing Office | United States | U.S. Code title and section verification |
| eCFR | Office of the Federal Register | United States | Code of Federal Regulations verification |

If a court or supervisory authority subsequently determines that any of these services constitutes a Sub-processor under Applicable Data Protection Law, the Processor will execute appropriate transfer safeguards or remove the service from the pipeline.


Annex IV — EU Standard Contractual Clauses (Module Two)

The Standard Contractual Clauses (Module Two: Controller to Processor) adopted by the European Commission Decision 2021/914 of 4 June 2021 are incorporated herein by reference. The parties are the Controller (Clause 7 data exporter) and Orthodoxy, Inc. (Clause 7 data importer). Clause 9(a) Option 2 (General Written Authorization) is selected. The governing law is the EU Member State of the Controller's establishment. The supervisory authority is as set forth in Annex I, Section C. The complete text of the SCCs and the completed Appendix to the SCCs are available upon request from support@orthodoxyapp.com and will be attached as an exhibit to any DPA executed with an EU/EEA-established Customer.


Annex V — UK International Data Transfer Addendum

The UK International Data Transfer Addendum issued by the Information Commissioner's Office under s.119A of the Data Protection Act 2018 is incorporated herein by reference and supplements the SCCs in Annex IV for transfers of UK Personal Data. Tables 1 (Parties), 2 (Selected SCCs, Modules and Selected Clauses), and 3 (Appendix Information) are completed by reference to this DPA and the SCCs in Annex IV. Table 4: the Importer may not end the Addendum as set out in Section 19. The complete text of the UK IDTA is available upon request and will be attached as an exhibit to any DPA executed with a UK-established Customer.


Annex VI — Swiss Data Transfer Addendum

To the extent Personal Data of Swiss residents is transferred to the United States, the parties agree to implement the Standard Contractual Clauses referenced in Annex IV, as adapted by reference to guidance from the Swiss Federal Data Protection and Information Commissioner (FDPIC) for the purposes of the revised Swiss FADP. References to "Directive 95/46/EC" are read as references to the Swiss FADP; references to "Member State" are read to include Switzerland; the competent supervisory authority is the FDPIC.


End of Data Processing Addendum

Questions? Contact support@orthodoxyapp.com