Data Processing Agreement

Last update : 26/04/2026

This EU and UK Data Processing Agreement ("Agreement") supplements the Terms of Service (the "TOS") entered into by and between the customer signing this Agreement ("Customer") and Reverse Contact ("Company").

By executing this Agreement, Customer enters into it on behalf of itself and, to the extent required under applicable Data Protection Laws (defined below). This Agreement incorporates the terms of the TOS, and any terms not defined herein shall have the meaning set forth in the TOS.

1. Definitions

"Authorized Sub-Processor" means a third party who has a need to know or otherwise access Customer's Personal Data to enable Company to perform its obligations under this Agreement or the TOS, and who is either listed in Exhibit B or subsequently authorized under Section 4.2 of this Agreement.

"Customer Account Data" means personal data that relates to Customer's relationship with Company, including the names or contact information of individuals authorized by Customer to access Customer's account and billing information. It also includes any data Company may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations.

"Customer Usage Data" means Service usage data collected and processed by Company in connection with the provision of the Services, including data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services and to investigate and prevent system abuse.

"Customer Leads Data" means personal data that Customer provides to Company in connection with the Services or personal data collected by the Customer within the Services, including names, email addresses, phone numbers, and other contact information of Customer's prospects.

"Data Exporter" means Customer.

"Data Importer" means Company.

"Data Protection Laws" means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data, including: (i) the California Consumer Privacy Act ("CCPA"); (ii) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (iii) the Swiss Federal Act on Data Protection; (iv) the EU GDPR as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (v) the UK Data Protection Act 2018; and (vi) the Privacy and Electronic Communications (EC Directive) Regulations 2003; in each case as updated, amended or replaced from time to time.

The terms "Data Subject", "Personal Data", "Personal Data Breach", "processing", "processor", "controller" and "supervisory authority" shall have the meanings set forth in the GDPR.

"EU SCCs" means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated June 4, 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection.

"ex-EEA Transfer" means the transfer of Personal Data, processed in accordance with the GDPR, from the Data Exporter to the Data Importer outside the European Economic Area ("EEA"), where such transfer is not governed by an adequacy decision made by the European Commission.

"ex-UK Transfer" means the transfer of Personal Data, processed in accordance with the UK GDPR and the Data Protection Act 2018, from the Data Exporter to the Data Importer outside the United Kingdom ("UK"), where such transfer is not governed by an adequacy decision made by the Secretary of State.

"Profile Data" means Personal Data collected and processed by the Company from public web pages using the Company robot for the provision of the Services.

"Services" shall have the meaning set forth in the TOS.

"Standard Contractual Clauses" means the EU SCCs and the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner's Office dated March 21, 2022.

2. Relationship of the Parties; Processing of Data

2.1 The parties acknowledge and agree that with regard to the processing of Personal Data, Customer may act either as a controller or processor and, except as expressly set forth in this Agreement or the TOS, Company is a processor. Customer instructs Company to process Personal Data in accordance with this Agreement, and is responsible for providing all notices and obtaining all consents, licences and legal bases required to allow Company to do so. Customer shall ensure that processing in accordance with its instructions will not cause Company to be in breach of Data Protection Laws. Customer shall not provide to Company any Personal Data in violation of the TOS or otherwise inappropriate for the nature of the Services, and shall indemnify Company from all claims and losses in connection therewith.

2.2 Company shall not process Personal Data (i) for purposes other than those set forth in the TOS and/or Exhibit A; (ii) in a manner inconsistent with the terms of this Agreement or any other documented instructions provided by Customer, unless required to do so by a Supervisory Authority — in which case Company shall inform Customer of that legal requirement before processing, unless prohibited by law; or (iii) in violation of Data Protection Laws. These instructions shall always be documented.

2.3 The subject matter, nature, purpose, and duration of this processing, as well as the types of Personal Data collected and categories of Data Subjects, are described in Exhibit A to this Agreement.

2.4 Following completion of the Services, at Customer's choice, Company shall delete Customer's Personal Data unless further storage is required or authorized by applicable law. The certification of deletion described in Clause 8.1(d) and Clause 8.5 of the EU SCCs shall be provided by Company to Customer only upon Customer's request.

2.5 CCPA. Except with respect to Customer Account Data and Customer Usage Data, the parties acknowledge that Company is a service provider for the purposes of the CCPA (to the extent it applies) and is receiving personal information from Customer in order to provide the Services, which constitutes a business purpose. Company shall not sell any such personal information, nor retain, use or disclose it except as necessary for the specific purpose of performing the Services or as otherwise permitted by the CCPA. Company certifies that it understands the restrictions of this Section.

3. Confidentiality

Company shall ensure that any person it authorizes to process Personal Data has agreed to protect Personal Data in accordance with Company's confidentiality obligations in the TOS. Customer agrees that Company may disclose Personal Data to its advisers, auditors or other third parties as reasonably required in connection with the performance of its obligations under this Agreement or the provision of Services to Customer.

4. Authorized Sub-Processors

4.1 Customer acknowledges and agrees that Company may engage the Authorized Sub-Processors on the List (defined below) to access and process Personal Data in connection with the Services, and may from time to time engage additional third parties for the purpose of providing the Services. By way of this Agreement, Customer provides general written authorization to Company to engage sub-processors as necessary to perform the Services.

4.2 A list of Company's current Authorized Sub-Processors (the "List") is available at https://www.reversecontact.com/subprocessors and may be updated from time to time. Company will provide a mechanism to subscribe to notifications of new Authorized Sub-Processors at least fourteen (14) days before enabling any new third party to access or participate in the processing of Personal Data. Customer may object to such an engagement by informing Company in writing within seven (7) days of receipt of such notice, provided such objection is based on reasonable grounds relating to data protection. Customer acknowledges that certain sub-processors are essential to providing the Services and that objecting to their use may prevent Company from offering the Services to Customer.

4.3 If Customer reasonably objects to an engagement and Company cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue use of the affected Service by providing written notice to Company. Discontinuation shall not relieve Customer of any fees owed under the TOS.

4.4 If Customer does not object within seven (7) days of notice by Company, the third party will be deemed an Authorized Sub-Processor for the purposes of this Agreement.

4.5 Company will enter into a written agreement with each Authorized Sub-Processor imposing data protection obligations comparable to those imposed on Company under this Agreement. In the event an Authorized Sub-Processor fails to fulfill its data protection obligations, Company will remain liable to Customer for the performance of those obligations.

4.6 If Standard Contractual Clauses have been entered into as described in Section 6, (i) the above authorizations constitute Customer's prior written consent to sub-processing where required under the Standard Contractual Clauses, and (ii) copies of agreements with Authorized Sub-Processors provided pursuant to Clause 9(c) of the EU SCCs may have commercial information unrelated to the Standard Contractual Clauses removed beforehand, and will be provided only upon request by Customer.

4.7 Company shall agree a third-party beneficiary clause with each Authorized Sub-Processor whereby — in the event Company has factually disappeared, ceased to exist in law or become insolvent — Customer shall have the right to terminate the Authorized Sub-Processor contract and to instruct the Authorized Sub-Processor to erase or return the personal data.

5. Security of Personal Data

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks to the rights and freedoms of natural persons, Company shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data. This includes protecting data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. Exhibit B sets forth additional information about Company's technical and organizational security measures.

6. Transfers of Personal Data

6.1 The parties agree that Company may transfer Personal Data processed under this Agreement outside the EEA, the UK, or Switzerland as necessary to provide the Services. Customer acknowledges that Company's primary processing operations take place in the European Union, however Company may engage Sub-Processors based in the United States as listed in Section 4.2, with appropriate contractual safeguards in place to ensure compliance with Data Protection Laws.

6.2 Ex-EEA Transfers. The parties agree that ex-EEA Transfers are made pursuant to the EU SCCs, deemed entered into and incorporated into this Agreement by reference, and completed as follows:

Module One (Controller to Controller) applies when Company is processing Personal Data as a controller pursuant to Section 9 of this Agreement.

Module Two (Controller to Processor) applies when Customer is a controller and Company is processing Personal Data as a processor pursuant to Section 2 of this Agreement.

Module Three (Processor to Sub-Processor) applies when Customer is a processor and Company is processing Personal Data as a sub-processor.

6.3 For each module, where applicable:

The optional docking clause in Clause 7 does not apply.

In Clause 9, Option 2 (general written authorization) applies, and the minimum notice period for sub-processor changes shall be as set forth in Section 4.2 of this Agreement.

In Clause 11, the optional language does not apply.

All square brackets in Clause 13 are hereby removed.

In Clause 17 (Option 1), the EU SCCs will be governed by French law.

In Clause 18(b), disputes will be resolved before the courts of France.

Exhibit B contains the information required in Annex I of the EU SCCs.

Exhibit C contains the information required in Annex II of the EU SCCs.

By entering into this Agreement, the parties are deemed to have signed the EU SCCs incorporated herein, including their Annexes.

6.4 Ex-UK Transfers. The parties agree that ex-UK Transfers are made pursuant to the EU SCCs and the International Data Transfer Addendum to the EU SCCs, deemed entered into and incorporated into this Agreement by reference, and completed as follows:

References to the GDPR will be deemed to be references to the UK GDPR and the UK Data Protection Act 2018. References to "supervisory authorities" will be deemed to be references to the UK Information Commissioner. References to "Member State(s)" or the EU will be deemed to be references to the UK.

The International Data Transfer Addendum to the EU SCCs applies when Company processes Customer's Personal Data as a processor and the transfer is covered by Chapter V of the UK GDPR.

6.5 Transfers from Switzerland. The parties agree that transfers from Switzerland are made pursuant to the EU SCCs with the following modifications:

The terms "General Data Protection Regulation" or "Regulation (EU) 2016/679" shall be interpreted to include the Federal Act on Data Protection of June 19, 1992 (the "FADP," and as revised as of September 25, 2020, the "Revised FADP") with respect to data transfers subject to the FADP.

The terms of the EU SCCs shall be interpreted to protect the data of legal entities until the effective date of the Revised FADP.

Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner ("FDPIC") of Switzerland shall have authority over data transfers governed by the FADP, and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR.

The term "EU Member State" shall not be interpreted so as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs.

6.6 Supplementary Measures. In respect of any ex-EEA Transfer or ex-UK Transfer, the following supplementary measures shall apply:

As of the date of this Agreement, the Data Importer has not received any formal legal requests from any government intelligence or security service for access to Customer's Personal Data ("Government Agency Requests").

If, after the date of this Agreement, the Data Importer receives any Government Agency Requests, Company shall attempt to redirect the law enforcement or government agency to request that data directly from Customer. If compelled to disclose Customer's Personal Data, Company shall give Customer reasonable notice of the demand and cooperate to allow Customer to seek a protective order or other appropriate remedy, unless legally prohibited from doing so. Company shall not voluntarily disclose Personal Data to any law enforcement or government agency. The parties shall discuss whether any transfers should be suspended in light of such requests.

The Data Exporter and Data Importer will meet as needed to consider whether: (i) the protection afforded by the laws of the country of the Data Importer is sufficient to provide broadly equivalent protection to that afforded in the EEA or UK; (ii) additional measures are reasonably necessary to ensure compliance with Data Protection Laws; and (iii) it remains appropriate for Personal Data to be transferred to the relevant Data Importer.

If Data Protection Laws require the Data Exporter to execute the Standard Contractual Clauses as a separate agreement, the Data Importer shall promptly execute such Standard Contractual Clauses incorporating such amendments as may reasonably be required.

If any of the means of legitimizing transfers of Personal Data outside the EEA or UK cease to be valid, or if any supervisory authority requires such transfers to be suspended, the Data Importer may by notice to the Data Exporter amend or put in place alternative arrangements as required by Data Protection Laws.

7. Rights of Data Subjects

7.1 Company shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise rights of access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent, and/or objection to automated decision-making. If Company receives a Data Subject Request in relation to Customer's data, Company will advise the Data Subject to submit their request to Customer, who will be responsible for responding. Customer is solely responsible for ensuring that Data Subject Requests are communicated to Company and that records of consent are maintained where applicable.

7.2 Company shall, at Customer's request and taking into account the nature of the processing, apply appropriate technical and organizational measures to assist Customer in complying with its obligations to respond to Data Subject Requests, provided that (i) Customer is itself unable to respond without Company's assistance and (ii) Company is able to do so in accordance with all applicable laws. Customer shall be responsible to the extent legally permitted for any costs arising from such assistance.

8. Data Protection Impact Assessments; Audits

8.1 Company shall provide Customer with reasonable cooperation and assistance where necessary for Customer to comply with its obligations under the GDPR to conduct a data protection impact assessment. Customer shall be responsible to the extent legally permitted for any costs arising from such assistance.

8.2 Company shall provide Customer with reasonable cooperation and assistance with respect to Customer's prior consultation with any Supervisory Authority where required by the GDPR. Customer shall be responsible to the extent legally permitted for any costs arising from such assistance.

8.3 Company shall maintain records sufficient to demonstrate its compliance with its obligations under this Agreement. Customer shall, with reasonable notice, have the right to review, audit and copy such records at Company's offices during regular business hours.

8.4 Upon Customer's written request at reasonable intervals, and subject to reasonable confidentiality controls, Company shall either (i) make available copies of certifications or reports demonstrating compliance with prevailing data security standards, or (ii) if such reports are not reasonably sufficient under Data Protection Laws, allow Customer's independent third-party representative to conduct an audit of Company's data security infrastructure and procedures, provided that: (a) Customer provides reasonable prior written notice; (b) such audit is performed during business hours and no more than once per calendar year; and (c) such audit is restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits.

8.5 Company shall immediately notify Customer if an instruction, in Company's opinion, infringes Data Protection Laws or Supervisory Authority requirements. The parties shall make the information referred to in this Section, including the results of any audit, available to the Supervisory Authority on request.

9. Personal Data Breaches

9.1 In the event of a Personal Data Breach, Company shall, without undue delay and no later than 48 hours after having become aware of it, inform Customer and take such steps as Company deems necessary and reasonable to remediate the breach. The notification shall at least:

Describe the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects and personal data records concerned.

Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained.

Describe the likely consequences of the breach and the measures taken or proposed to address it, including measures to mitigate its possible adverse effects.

Where it is not possible to provide all information at the same time, it may be provided in phases without undue further delay.

9.2 In the event of a Personal Data Breach, Company shall provide Customer with reasonable cooperation and assistance necessary for Customer to comply with its obligations under the GDPR with respect to notifying (i) the relevant Supervisory Authority and (ii) affected Data Subjects.

9.3 The obligations in Sections 9.1 and 9.2 shall not apply where a Personal Data Breach results from the actions or omissions of Customer. Company's obligation to report or respond to a Personal Data Breach will not be construed as an acknowledgement of any fault or liability on Company's part.

10. Company's Role as a Controller

10.1 The parties acknowledge and agree that with respect to Profile Data, Customer Account Data and Customer Usage Data, Company is an independent controller, not a joint controller with Customer. The Customer obtains Profile Data from Company for its own purposes and shall be considered a separate and independent Controller with respect to that data. Each party is individually and separately responsible for complying with its obligations as a Data Controller under applicable Data Protection Laws.

10.2 Company will process Customer Account Data and Customer Usage Data as a Controller: (i) to manage the relationship with Customer; (ii) to carry out core business operations such as accounting, audits, tax preparation and compliance; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations; and (vi) as otherwise permitted under Data Protection Laws and in accordance with this Agreement and the TOS. Any processing by Company as a controller shall be in accordance with the Company's privacy policy at https://www.reversecontact.com/privacy-policy.

11. Conflict

In the event of any conflict or inconsistency, the order of precedence will be: (1) the applicable terms in the Standard Contractual Clauses; (2) the terms of this Agreement; (3) the TOS; and (4) the Company's privacy policy. Any claims brought in connection with this Agreement will be subject to the terms and conditions, including the exclusions and limitations set forth in the TOS.

12. Non-Compliance and Termination

12.1 Without prejudice to any provisions of Regulation (EU) 2016/679, in the event that Company is in breach of its obligations under this Agreement, Customer may instruct Company to suspend the processing of Personal Data until compliance is restored or the contract is terminated. Company shall promptly inform Customer if it is unable to comply with this Agreement for any reason.

12.2 Customer shall be entitled to terminate this Agreement insofar as it concerns the processing of Personal Data if: (1) processing has been suspended pursuant to Section 12.1 and compliance is not restored within one month; (2) Company is in substantial or persistent breach of this Agreement or its obligations under applicable Data Protection Laws; or (3) Company fails to comply with a binding decision of a competent court or Supervisory Authority.

12.3 Company shall be entitled to terminate this Agreement insofar as it concerns the processing of Personal Data where, after having informed Customer that its instructions infringe applicable legal requirements, Customer insists on compliance with those instructions.

12.4 Following termination, Company shall, at Customer's choice, delete all Personal Data processed on Customer's behalf and certify such deletion, or return all Personal Data to Customer and delete existing copies, unless applicable law requires storage. Until the data is deleted or returned, Company shall continue to ensure compliance with this Agreement.

Exhibit A — Details of Processing

Nature and Purpose of Processing

Company will process Customer's Personal Data as necessary to provide the Services under the TOS, for the purposes specified in the TOS and this Agreement, and in accordance with Customer's instructions as set forth in this Agreement.

Duration of Processing

Company will process Customer's Personal Data for as long as required (i) to provide the Services under the TOS; (ii) for Company's legitimate business needs; or (iii) by applicable law or regulation. Customer Account Data, Customer Leads Data and Customer Usage Data will be processed and stored as set forth in the Company's Privacy Policy.

Categories of Data Subjects

Customer's employees, consultants, contractors, and/or agents.

Customer's professional contacts contained in Customer Leads Data.

Categories of Personal Data

Company processes Personal Data contained in Customer Account Data, Customer Usage Data, and any Personal Data provided by Customer or collected by Company to provide the Services or as set forth in the TOS or this Agreement. This includes names, email addresses, job titles, phone numbers, and other information contained in Customer Leads Data.

Sensitive Data or Special Categories of Data

Customers are prohibited from providing sensitive personal data or special categories of data to Company, including any data which discloses the criminal history of any persons.

Exhibit B — Party Details and Description of Transfer

1. The Parties

Data Exporter

Name: The party to the Terms of Service with Reverse Contact or its Affiliate (as applicable).

Address: The Data Exporter's address as provided in the account.

Activities relevant to the data transferred: As described in Section 2 of the TOS.

Role: Controller.

By using the Services to transfer Personal Data to the Data Importer, the Data Exporter will be deemed to have signed this Exhibit B.

Data Importer

Name: Reverse Contact (VISUM SAS).

Address: 14 BD DE BRANDEBOURG, 94200 Ivry-sur-Seine, France.

Contact: dpo@reversecontact.com

Activities relevant to the data transferred: As described in Section 2 of the TOS.

Role: Processor.

The Data Importer will be deemed to have signed this Exhibit B upon the transfer of Personal Data by the Data Exporter in connection with the Services.

2. Description of the Transfer

Data Subjects — The Data Exporter may submit personal data relating to the following categories of Data Subjects: Data Exporter's employees, consultants, contractors, and/or agents.

Categories of Personal Data — Any personal data submitted by Data Exporter to Data Importer's software, services, systems, products and/or technologies, which may include name, contact information, and information about use of Reverse Contact's Services.

Special Category Personal Data — Data Exporters are prohibited from providing sensitive data or special categories of data to Data Importer.

Nature of the Processing — Company will process Customer's Personal Data as necessary to provide the Services under the TOS.

Purposes of Processing — To fulfill each party's obligations under the TOS.

Duration of Processing — During the term of the TOS.

Frequency of Transfer — On a periodic basis throughout the day and/or at the discretion of the Customer, during the term of the TOS.

Recipients of Personal Data — Company will maintain a list of Sub-Processors at https://www.reversecontact.com/subprocessors.

3. Competent Supervisory Authority

The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13 of the EU SCCs.

Exhibit C — Technical and Organizational Security Measures

The following includes the information required by Annex II of the EU SCCs and Annex 2 of the International Data Transfer Addendum. For a full description of Reverse Contact's technical and organizational security measures, please refer to the Security Policy available on the Site.

Measure	Details
Pseudonymisation and encryption of personal data	Personal data is encrypted at rest using the Advanced Encryption Standard (AES), AES-256. Backups are either encrypted themselves or stored on encrypted disks.
Ongoing confidentiality, integrity, availability and resilience	Customer agreements contain strict confidentiality obligations. All downstream Sub-Processors are required to sign confidentiality provisions substantially similar to those contained in customer agreements.
Restoration of availability and access to personal data	The database is dynamically replicated. Backup databases are stored in a separate infrastructure and encrypted. Daily on-site backups are also performed.
Testing and evaluating the effectiveness of security measures	The company undergoes a yearly security assessment operated by an independent firm, including an application penetration test, an external penetration test of the external perimeter, and a cloud security review.
User identification and authorization	Strong password requirements are enforced and all passwords are verified against known breach databases. Users may sign in with Google, which provides security features including multifactor authentication.
Protection of data during transmission	Secure methods and protocols are deployed for the transmission of confidential or sensitive information over public networks. Only recommended secure cipher suites and protocols are used to encrypt all traffic in transit (TLS 1.2).
Protection of data during storage	Encryption at rest is automated using Google Cloud's transparent disk encryption, which uses AES-256 encryption to secure all volume data.
Physical security of locations	All personal data is stored in Google Cloud datacenters in Belgium (eu-west-1). Physical security measures include fences, security patrols, video cameras, thermographic cameras, biometric authentication, access cards, and metal detectors.
Event logging	All HTTP requests are logged in Google Cloud. Security log monitoring is managed by the engineering team. Log activities are investigated when necessary and escalated appropriately.
System configuration	All production changes are automated through continuous integration and deployment tools to ensure consistent configurations.
IT security governance and management	A strict policy on Google Cloud Identity and Access Management ensures that administrative access to infrastructure is limited to authorized personnel (DevOps and on-call teams).
Certification and assurance of processes and products	The company undergoes annual security assessments operated by an independent firm.
Data minimisation	Customers unilaterally determine what personally identifiable information they route through the Services. The Company operates on a shared responsibility model and gives Customers control over exactly what data enters the platform. Self-service functionality allows Customers to delete and suppress PII at their discretion.
Data quality	All software used to process Customer personal data goes through automated tests and a manual pair review before going into production. Data must fit both the database schema structure and format validations defined by the application. A QA pipeline is in place for the most critical data, with appropriate alerts in case data is altered.
Limited data retention	Customers unilaterally determine what data they route through the Services. If a Customer is unable to delete PII data via the self-service functionality, the Company deletes it upon the Customer's written request, within the timeframe specified in the Data Protection Agreement and in accordance with applicable Data Protection Law.
Accountability	Measures include implementing data protection and information security policies across the business, recording and reporting security incidents involving personal data, and formally assigning roles and responsibilities for information security and data privacy functions. Regular third-party audits are conducted to ensure compliance with privacy and security standards.
Data portability and erasure	All PII in the Services may be deleted by the Customer or at the Customer's request.
Technical and organizational measures of sub-processors	The Company enters into Data Processing Agreements with all Authorized Sub-Processors, with data protection obligations substantially similar to those contained in this Agreement.