Last Updated March 31, 2023
This Data Processing Addendum ("Addendum") is entered into and is supplemental to, and made pursuant to, the Vercel Enterprise Services Order Form and Enterprise Terms and Conditions or other agreement executed between Vercel and Customer for Vercel's provision of Services (the "Agreement") as of the effective date of such Agreement ("Effective Date") and is by and between Vercel Inc., a Delaware corporation ("Vercel"), and the Customer that executed the Agreement. This Addendum applies to Vercel's Processing of Personal Data under the Agreement.
Customer enters into this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Affiliates to the extent such Affiliates are included and covered under the Agreement with Vercel. For the purposes of this Addendum only, and except where indicated otherwise, the term "Customer" shall include Customer and Affiliates.
This Addendum shall become legally binding upon Customer entering into the Agreement.
Any terms used in this Addendum and not defined will have the meanings given to them in the applicable Agreement.
Each party will comply with its obligations under Applicable Data Protection Laws with respect to its Processing of Customer Data.
The parties acknowledge that Customer must be able to assess Vercel's compliance with its obligations under Applicable Data Protection Laws and this Addendum, insofar as Vercel is acting as a processor on behalf of Customer.
Vercel will provide reasonable cooperation to Customer, to the extent Customer does not otherwise have access to the relevant information and such information is available to Vercel, in connection with any data protection impact assessment (at Customer's expense only if such reasonable cooperation will require Vercel to assign significant resources to that effort) or consultations with regulatory authorities as required by Applicable Data Protection Laws.
Vercel will upon Customer's request (and at Customer's expense) provide Customer with such assistance as it may reasonably require to comply with its obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection) in cases where Customer cannot reasonably fulfill such requests independently by using the self-service functionality of the Services. If Vercel receives a request from a Data Subject in relation to the Processing of their Customer Data, Vercel will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding to any such request.
Vercel will process Personal Data as necessary to provide the Services under the Agreement. Vercel does not sell Customer Data (or end user information within such Customer Data) and does not share such end users' information with third parties for compensation or for those third parties' own business interests.
The period for which Personal Data will be retained and the criteria used to determine that period is as follows:
Where applicable, this Schedule 2 will serve as Annex II to the Standard Contractual Clauses. The following provides more information regarding Vercel's technical and organizational security measures set forth below.
Vercel maintains Customer Data in an encrypted format at rest using Advanced Encryption Standard (AES-256) and in transit (TLS 1.2 or higher).
Vercel's Customer agreements contain strict confidentiality obligations. Additionally, Vercel requires Subprocessors to sign confidentiality provisions that are substantially similar to those contained in Vercel's Customer agreements. All employees (and contractors) are bound by Vercel's internal policies regarding maintaining the confidentiality of Customer Data and are contractually obligated to comply with these obligations.
The Services operate on Amazon Web Services ("AWS"), Microsoft Azure ("Azure"), and Google Cloud Platform ("GCP") and are protected by the security and environmental controls of Amazon and Google, respectively. The infrastructure for the Vercel Services spans multiple, fault-independent AWS availability zones in geographic regions physically separated from one another, supported by various tools and processes to maintain high availability of services.
Vercel performs regular backups of Customer Data, which is hosted in AWS, Microsoft Azure, and GCP data centers. Backups are globally replicated for resiliency against regional disasters and periodically tested by the Vercel engineering team.
Employees complete mandatory training annually, which covers privacy and data protection, confidentiality, social engineering, password policies, and information security.
Vercel performs regular backups of Customer Data, which is hosted in AWS, Microsoft Azure, and GCP data centers. Backups are retained redundantly across multiple availability zones and encrypted in transit and at rest.
Vercel has a business continuity and disaster recovery plan that incorporates input from periodic risk assessments, vulnerability scanning, and threat analysis.
Vercel maintains a risk-based assessment security program. The framework for Vercel's security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. Vercel's security program is intended to be appropriate to the nature of the Services and the size and complexity of Vercel's business operations.
Vercel has a separate and dedicated security team that manages Vercel's security program. This team facilitates and supports independent audits and assessments performed by third parties to provide independent feedback on the operating effectiveness of the information security program (e.g., SOC 2 Type 2, penetration testing, and vulnerability scanning).
Vercel's security governance program covers: Policies and Procedures, Asset Management, Access Management, Data Handling, Encryption, Logging & Monitoring, Password Management, Personnel Security, Resiliency, Responsible Disclosure, Risk Assessment, Vendor Risk Management, Vulnerability, SDLC, Incident Response, Business Continuity & Crisis Management, Acceptable Use and Code of Conduct. Information security policies and standards are reviewed and approved by management at least annually and are made available to all employees.
Security is managed at the highest levels of the company, with security and technology leadership meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives.
Vercel personnel are required to use unique user access credentials and passwords for authorization. Vercel follows the principles of least privilege through role-based and time-based access models when provisioning system access. Vercel personnel are authorized to access Customer Data based on their job function, role and responsibilities, and such access requires approval prior to access provisioning. Employee access to Customer Data is promptly removed upon role change or termination.
Vercel uses commercially reasonable practices to identify and authenticate users who attempt to access Vercel systems.
Customer Data is encrypted when in transit between Customer and the Vercel Services.
Customer Data is stored encrypted using AES-256. Vercel uses AWS Key Management System ("KMS") to encrypt data in our infrastructure. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect keys that cannot be retrieved from the service by anyone or transmitted beyond the AWS regions where they were created. AWS log-in credentials and private keys generated by the Service are for Vercel's internal use only.
Vercel is a remote-first organization with limited physical presence globally. As needed, physical security controls for office space are inherited from our co-working office provider, which manages visitors, building entrances, CCTVs (closed circuit televisions), and overall office security.
The Services operate on AWS, Microsoft, and GCP and are protected by the security and environmental controls of Amazon, Microsoft, and Google, respectively.
Detailed information about AWS security is available at:
For AWS SOC Reports, please see:
Detailed information about Azure security is available at:
Detailed information about GCP security is available at:
Vercel monitors access to applications, tools, and resources that process or store Customer Data, including cloud services. Monitoring of security logs is centralized by the security team. Log activities are investigated when necessary and escalated appropriately.
User activity metrics are available to Customers within the Services. For further information, visit https://vercel.com/docs/observability/activity-log.
Vercel applies Secure Software Development Lifecycle (Secure SDLC) standards to perform numerous security-related activities for the Services across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities include, but are not limited to, the performance of (a) internal security reviews before new Services are deployed; and (b) annual penetration testing by independent third parties.
Vercel adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications, and systems. Monitors are in place to notify the security team of changes made to critical infrastructure and services that do not adhere to the change management processes.
Vercel maintains a risk-based assessment security program. The framework for Vercel's security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. Vercel's security program is intended to be appropriate to the nature of the Services and the size and complexity of Vercel's business operations.
Vercel has a separate and dedicated Information Security team that manages Vercel's security program. This team facilitates and supports independent audits and assessments performed by third parties to provide independent feedback on the operating effectiveness of the information security program (e.g., SOC 2 Type 2, penetration testing, and vulnerability scanning).
Vercel's security governance program covers Policies and Procedures, Asset Management, Access Management, Data Handling, Encryption, Logging & Monitoring, Password Management, Personnel Security, Resiliency, Responsible Disclosure, Risk Assessment, Vendor Risk Management, Vulnerability, SDLC, Incident Response, Business Continuity & Crisis Management, Acceptable Use and Code of Conduct. Information security policies and standards are reviewed and approved by management at least annually and are made available to all employees.
Security is managed at the highest levels of the company, with security and technology leadership meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives.
Vercel conducts various third-party audits to attest to various frameworks including SOC 2 Type 2 and annual application penetration testing.
AWS, Azure, and GCP have achieved: SOC 1, 2, and 3; ISO 27001, 27017, 27018, 27701, and 9001; Cloud Security Alliance Security, Trust, Assurance and Risk (CSA STAR); FedRAMP; and use FIPS 140-2 validated cryptographic modules, in addition to meeting compliance standards for many other legal, security, and privacy frameworks. Further information about these providers' security practices can be found on their respective websites.
Vercel Customers unilaterally determine what Customer Data they route through the Vercel Services and how the Services are configured. As such, Vercel operates on a shared responsibility model. Vercel provides tools within the Services that gives Customers control over exactly what data enters the platform and enables Customers with the ability to block data at the Source level. Additionally, Vercel allows Customers to delete and suppress Customer Data on demand.
Vercel has a three-fold approach for ensuring data quality. These measures include: (i) unit testing to ensure the quality of logic used to make API calls, (ii) volume testing to ensure the code is able to scale, and (iii) daily end-to-end testing to ensure that the input values match expected values. Vercel applies these measures across the board, both to ensure the quality of any Service-Generated Data that Vercel collects and to ensure that the Vercel Services are operating in accordance with the documentation.
Each Vercel Customer chooses what Customer Data they route through the Vercel Services and how the Services are configured. As such, Vercel operates on a shared responsibility model. Vercel ensures that data quality is maintained from the time a Customer sends Customer Data into the Services and until that Customer Data leaves Vercel to flow to a downstream destination.
Vercel has a process that allows individuals to exercise their privacy rights, as described in Vercel's Privacy Notice available at https://vercel.com/legal/privacy-policy.
Vercel Customers unilaterally determine what Customer Data they route through the Vercel Services and how the Services are configured. As such, Vercel operates on a shared responsibility model. Customers have the ability to delete Customer Data via the self-service functionality of the Services. Vercel will, within a commercially reasonable timeframe after request by Customer following the termination or expiration of the Agreement, delete all Customer Data from Vercel's systems, unless required by law.
Vercel has adopted measures for ensuring accountability, such as implementing data protection policies across the business, publishing Vercel's Information Security Policy (available at https://security.vercel.com), maintaining documentation of processing activities, and recording and reporting Security Incidents involving Personal Data. Vercel conducts regular third-party audits to ensure compliance with our privacy and security standards.
Vercel's Customers have direct relationships with their end users and are responsible for responding to requests from their end users who wish to exercise their rights under Applicable Data Protection Laws.
Vercel has self-service functionality that allows Customers to delete and suppress their Customer Data.
Vercel specifies in the Addendum that it will provide assistance to such Customer as may reasonably be required to comply with Customer's obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection). If Vercel receives a request from a Data Subject in relation to their Customer Data, Vercel will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding to any such request.
Vercel has a process that allows individuals to exercise their privacy rights, as described in Vercel's Privacy Notice available at https://vercel.com/legal/privacy-policy.
When Vercel engages a Subprocessor under this Addendum, Vercel and the Subprocessor enter into an agreement with data protection terms substantially similar to those contained herein. Each Subprocessor agreement must ensure that Vercel is able to meet its obligations to Customer. In addition to implementing technical and organisational measures to protect personal data, Subprocessors must a) notify Vercel in the event of a Security Incident so Vercel may notify Customer; b) delete data when instructed by Vercel in accordance with Customer's instructions to Vercel; c) not engage additional Subprocessors without authorization; d) not change the location where data is processed; or e) process data in a manner which conflicts with Customer's instructions to Vercel.
For data transfers from the United Kingdom, the UK IDTA will be deemed entered into (and incorporated into this Addendum by reference) together with the Standard Contractual Clauses as set forth in Section 3 of this Schedule below.
For data transfers from the EEA, the UK, and Switzerland that are subject to the Standard Contractual Clauses, the Standard Contractual Clauses will apply in the following manner:
Module One (Controller to Controller) will apply where Customer is a controller of Service-Generated Data and/or Contact Data and Vercel is a controller of Service-Generated Data and/or Contact Data.
Module Two (Controller to Processor) will apply where Customer is a controller of Service-Generated Data and/or Contact Data and Vercel is a processor of Service-Generated Data and/or Contact Data.
Module Three (Processor to Processor) will apply where Customer is a processor of Service-Generated Data and/or Contact Data and Vercel is a processor of Service-Generated Data and/or Contact Data.
For each Module, where applicable:
i. In Clause 7, the option docking clause will not apply;
ii. In Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes will be as set forth in Section 7 (Subprocessing) of this Addendum;
iii. In Clause 11, the optional language will not apply;
iv. In Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law.
v. In Clause 18(b), disputes will be resolved before the courts of Ireland;
vi. In Annex I, Part A:
Data Exporter: Customer and authorized Affiliates of Customer.
Contact Details: Customer's account owner email address, or to the email address(es) for which Customer elects to receive privacy communications.
Data Exporter Role: The Data Exporter's role is outlined in Section 4 of this Addendum.
Signature & Date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Data Importer: Vercel Inc.
Contact Details: Vercel Privacy - privacy@vercel.com
Data Importer Role: The Data Importer's role is outlined in Section 4 of this Addendum.
Signature & Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
vii. In Annex I, Part B: The categories of data subjects are described in Schedule 1, Section 4.
The sensitive data transferred is described in Schedule 1, Section 6.
The frequency of the transfer is a continuous basis for the duration of the Agreement.
The nature of the processing is described in Schedule 1, Section 1.
The purpose of the processing is described in Schedule 1, Section 1.
The period of the processing is described in Schedule 1, Section 3.
For transfers to Subprocessors, the subject matter, nature, and duration of the processing is outlined at https://security.vercel.com.
viii. In Annex I, Part C: The Irish Data Protection Commission will be the competent supervisory authority.
xi. Schedule 2 serves as Annex II of the Standard Contractual Clauses.
4. As to the specific modules, the parties agree that the following modules apply, as the circumstances of the transfer may apply:
5. To the extent there is any conflict between the Standard Contractual Clauses or the UK IDTA and any other terms in this Addendum, including Schedule 4 (Jurisdiction Specific Terms), the provisions of the Standard Contractual Clauses or the UK IDTA, as applicable, will prevail.
The definition of "Applicable Data Protection Laws" includes the General Data Protection Regulation (EU 2016/679) ("GDPR").
When Vercel engages a Subprocessor under Section 7 (Subprocessing), it will:
GDPR Penalties. Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party's indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party's violation of the GDPR.
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Start date | the Effective Date of the Agreement | |
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties' details | See the Agreement | Full legal name: Vercel Inc. Trading name (if different): n/a Main address (if a company registered address): 440 N Barranca Ave #4133, Covina, CA 91723 Official registration number (if any) (company number or similar identifier): Delaware, 5857312 |
Key Contact | See the Agreement | Contact details including email: privacy@vercel.com |
Signature (if required for the purposes of Section 2) | By entering into the Agreement, Exporter is deemed to have signed this Addendum. | By entering into the Agreement, Importer is deemed to have signed this Addendum. |
Addendum EU SCCs | The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: See Schedule 3, Section 3 |
Personal data received from the Importer may be combined with personal data collected by the Exporter.
"Appendix Information" means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: | List of Parties: See Table 1 |
Annex 1B: | Description of Transfer: See Schedule 1 |
Annex II: | Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Schedule 2 |
Annex III: | List of Sub processors (Modules 2 and 3 only): See https://security.vercel.com |
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: Importer |
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects' rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties' obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
References to the "Clauses" means this Addendum, incorporating the Addendum EU SCCs;
In Clause 2, delete the words:
"and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679";
Clause 6 (Description of the transfer(s)) is replaced with:
"The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter's processing when making that transfer.";
Clause 8.7(i) of Module 1 is replaced with:
"it is to a country benefiting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer";
Clause 8.8(i) of Modules 2 and 3 is replaced with:
"the onward transfer is to a country benefiting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;"
References to "Regulation (EU) 2016/679", "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)" and "that Regulation" are all replaced by "UK Data Protection Laws". References to specific Article(s) of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK Data Protection Laws;
References to Regulation (EU) 2018/1725 are removed;
References to the "European Union", "Union", "EU", "EU Member State", "Member State" and "EU or Member State" are all replaced with the "UK";
The reference to "Clause 12(c)(i)" at Clause 10(b)(i) of Module one, is replaced with "Clause 11(c)(i)";
Clause 13(a) and Part C of Annex I are not used;
The "competent supervisory authority" and "supervisory authority" are both replaced with the "Information Commissioner";
In Clause 16(e), subsection (i) is replaced with:
"the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;";
Clause 17 is replaced with:
"These Clauses are governed by the laws of England and Wales.";
Clause 18 is replaced with:
"Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts."; and
The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 "Ending the Addendum when the Approved Addendum changes", will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
Alternative Part 2 Mandatory Clauses:
Mandatory Clauses | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |