Strive Customer Data Processing Addendum

The terms of this Data Processing Addendum (the “Terms”) govern how Strive may process personal data. The Terms form part of the Strive Customer Terms and Conditions between Strive and Client.

1. Definitions

1.1. Capitalised terms used but not defined in these Terms have the meaning given to them in the Strive Customer Terms and Conditions and all rules of interpretation as set out in the Strive Customer Terms and Conditions shall apply in these Terms.

1.2. The following additional definitions shall apply in these Terms:

“Appropriate Safeguards” means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under the Data Protection Legislation from time to time, including the UK International Data Transfer Agreement, or the UK IDTA along with the EU Standard Contractual Clauses (as applicable), or any other mechanisms as set out in Article 46 of the EU GDPR and the UK GDPR (as applicable);

“Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the UK including without limitation: (i) the UK GDPR; (ii) the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); (iii) the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; (iv) all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and (v) the guidance and codes of practice issued by the ICO or other relevant regulatory authority and which are applicable to a Party;

“End-User” Individuals whom you are contracting for to receive the Services from Strive;

“EU GDPR” means the General Data Protection Regulation 2016/679;

“EU Standard Contractual Clauses” means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of Personal Data to third countries not otherwise recognized as offering an adequate level of protection for Personal Data by the European Commission (as amended and updated from time to time);

“Personal Data Breach” means the definition as defined under the Data Protection Legislation;

“Restricted Transfer” means a transfer of Personal Data between any Party to this Agreement in circumstances where in the absence of the obligations created by this Agreement the export of the Personal Data would be in breach of the applicable Data Protection Legislation.

“Personal Data” means the Personal Data (as defined under the Data Protection Legislation and as specified within this definition) shared with Strive pursuant to the provisions of these Terms, including but not limited to:

Subject matter of Processing: provision of the personal data of you and/or your End-Users under these Terms.

Duration of Processing: the duration of these Terms.

Nature of Processing: collecting, displaying, using, transferring, analysing, contacting, publishing and/or presenting the Personal Data as part of the delivery of the Services.

Business Purposes: Provision of the Personal Data by for the enablement of the Services pursuant to these Terms.

Personal Data Categories (including Special Category Data):

Data Subject Types: You and/or End-Users;

“Third Country” means a country or territory that is not part of the United Kingdom or the EEA;

“UK GDPR” means the EU GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018, together with the UK DPA 2018; and

“UK IDTA” or “UK International Data Transfer Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) UK DPA 2018, Version B1.0, in force as of 21 March 2022.

2. Data Processing

2.1. Our collection, use, disclosure, retention, and protection of your Personal Data is governed by our Privacy Notice https://strive.ae/privacy-policy. As described in our Privacy Notice, Strive may collect other Personal Data from you for the provision of the Services, some of which may constitute special category Personal Data. In the case of Strive processing your special category Personal Data, we shall only do so with your explicit consent, which shall be obtained separately. You may revoke this consent at any time by contacting [email protected] but please note that in doing so you may no longer be able to receive the provision of the Services.

2.2. To the extent that these Terms involves the processing of Personal Data to which you are a data controller, the following obligations shall apply:

2.2.1. Each Party shall be separate independent controllers and shall independently determine the purposes and means for collection, use, disclosure, or other processing of the Personal Data. For the avoidance of doubt, the parties shall not jointly determine the purposes and means for collection, use, disclosure, or other processing of Personal Data.

2.2.2. You warrant and represent that you have the right to share the Personal Data with Strive for the provision of the Services to the End Users and that the Personal Data has been collected or otherwise obtained in compliance with the Data Protection Legislation, and may be lawfully processed, disclosed and transferred as described in or in connection with these Terms.

2.2.3. You warrant and represent that should you be relying on the consent of data subjects to share their Personal Data with Strive as part of the Personal Data, you shall manage and maintain appropriately the data subject’s consent and shall promptly communicate any withdrawals of consent to Strive as applicable, in compliance with the Data Protection Legislation.

2.2.4. Both Parties shall implement appropriate technical and organisational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.

2.2.5. Both Parties will work together in good faith to ensure the information prescribed by the Data Protection Legislation is made available to relevant data subjects.

2.2.6. If either Party receives any complaint, notice or communication from a supervisory authority which relates to the other party’s:

2.2.6.1. processing of Personal Data; or

2.2.6.2. potential failure to comply with the Data Protection Legislation in respect of the Personal Data, that party shall direct the supervisory authority to the other Party.

2.2.7. If a data subject makes a written request to a Party to exercise any of their rights in relation to the Personal Data that concerns processing of the other Party, that party, shall direct the data subject to the other Party.

2.2.8. If either party becomes aware of a Personal Data Breach that requires notification to a supervisory authority, it shall notify the other Party without undue delay, and each Party shall co-operate with the other, to the extent reasonably requested, in relation to any notifications to supervisory authorities and/or to affected data subjects.

2.2.9. The Parties agree that the Personal Data will not be transferred outside of the United Kingdom or the European Economic Area under Terms unless:

2.2.9.1. it is to a Third Country that the United Kingdom and/or the EU has recognised as providing adequate protection under Chapter V of the EU GDPR or the UK GDPR as applicable; or

2.2.9.2. Appropriate Safeguards are in place, e.g. the Parties have executed an agreement with the importing third party incorporating the EU Standard Contractual Clauses and the UK International Data Transfer Addendum where necessary, importing Parties are registered with the Data Privacy Framework; or

2.2.9.3. The transfer otherwise complies with the Data Protection Legislation.

2.2.10. In accordance with Clause 2.2.9.3 the Parties agree that, where the transfer of Personal Data between the Parties is a Restricted Transfer, the following shall apply to the transfer and these Terms:

2.2.10.1. Where the EU GDPR applies, and the transfer of Personal Data is from the EEA either directly or via onward transfer, to any country or recipient outside of the EEA not subject to an adequacy determination by the European Commission:

2.2.10.1.1. The parties agree that the EU Standard Contractual Clauses shall apply to Restricted Transfers from the EEA. The EU Standard Contractual Clauses shall be deemed entered into (and incorporated into these Terms by reference) and completed as follows: (i) Module One (Controller to Controller) shall apply where both Parties are Data Controllers; (ii) In Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will apply; (iii) In Clause 11 of the EU Standard Contractual Clauses, the optional language shall not apply; (iv) In Clause 17 of the EU Standard Contractual Clauses, Option 1 applies and the EU Standard Contractual Clauses shall be governed by Irish law; (v) In Clause 18(b) of the EU Standard Contractual Clauses, disputes shall be resolved by the courts of Ireland; (vi) Annex I of the EU Standard Contractual Clauses shall be deemed completed with the information set out in the definition of Personal Data; (vii) Annex II of the EU Standard Contractual Clauses shall be deemed completed with the information and requirements of Clause 2.2.4 of these Terms. The frequency of the transfer shall be continuous, as necessary to deliver the Services, and retention shall be determined by each independent Data Controller, except where such Party is required by applicable laws to retain Personal Data in accordance with its record retention schedules and policies, or as otherwise specified in the definition of Personal Data.

2.2.10.2. Where the UK GDPR applies, and the transfer of Personal Data is from the United Kingdom either directly or via onward transfer, to any country or recipient outside of the UK not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018;

2.2.10.2.1. The parties agree that, with respect to Restricted Transfers subject to the UK GDPR, the EU Standard Contractual Clauses are hereby incorporated into these Terms by reference as follows: incorporating the selections in Clause 2.2.10.1.1 and shall be deemed amended by the provisions of Part 2 (Mandatory Clauses) of the UK IDTA and the Parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in the definition of Personal Data and Clause 2.2.4 of these Terms, and shall be amended as follows:

2.2.10.2.1.1. For the purpose of Module 1 of the EU Standard Contractual Clauses where both Parties are Data Controllers (data importer and exporter): Appendixes 1 and 2 of the EU Standard Contractual Clauses shall be deemed to incorporate respectively the data subjects, categories of personal data and processing operations set out in the definition of Personal Data and the organisational and technical measures described in Clause 2.2.4.

2.2.10.2.1.2. The parties agree that the governing law and choice of forum and jurisdiction shall be that of England and Wales.

2.2.10.2.1.3. The Parties agree that Annex I.A will be populated as follows: Data Exporter and Data Importer Contact details: as detailed in these Terms (each Party being both Data exporter and Data Importer).

2.2.10.2.1.4. The Parties agree that Annex I.B of the IDTA shall be completed as described in the definition of Personal Data in these Terms.

2.2.10.2.1.5. The Parties agree that Annex I.C of the IDTA shall be completed as follows: the competent supervisory authority is the ICO supervisory authority.

2.2.10.2.1.6. The Parties agree that Annex II of the IDTA shall be completed as described and agreed between the parties in these Terms.

Published 8th January 2025