Preamble

This Data Processing Agreement (this "Agreement" or "DPA"), together with all Annexes attached hereto, forms part of the agreement between UXIFY (CY) LIMITED ("Uxify" or "Processor") and the Customer identified in the applicable Order Form, Terms of Service, or other agreement executed between the parties ("Controller") for the provision of Uxify's real user monitoring, UX analytics, and website optimisation platform (the "Service").

This DPA reflects the parties' agreement with respect to the Processing of Personal Data by Uxify on behalf of the Controller in connection with the Service, and is effective as of the date the parties execute the applicable agreement or the Controller first uses the Service, whichever is earlier.

The terms of this DPA are incorporated into and supplement the Terms of Service. In the event of any conflict between this DPA and the Terms of Service with respect to data protection obligations, this DPA shall prevail.

1.  Definitions

In this Agreement, the following terms shall have the meanings set out below. Capitalised terms not defined herein have the meanings given in the Applicable Data Protection Law.

"Applicable Data Protection Law"  means all laws and regulations applicable to the Processing of Personal Data under this Agreement, including without limitation: (i) the EU General Data Protection Regulation 2016/679 (the "GDPR"); (ii) the UK General Data Protection Regulation as defined by the UK Data Protection Act 2018 (the "UK GDPR"); (iii) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act 2020 (together, the "CCPA/CPRA"); and (iv) any other national or regional data protection laws applicable to either party, in each case as amended, replaced, or supplemented from time to time.

"Controller"  means the entity that determines the purposes and means of the Processing of Personal Data, being the Customer in the context of this Agreement.

"Data Breach"  means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by the Processor.

"Data Subject"  means an identified or identifiable natural person whose Personal Data is Processed.

"EEA"  means the European Economic Area.

"Personal Data"  means any information relating to an identified or identifiable natural person collected or processed through the Service on behalf of the Controller, including but not limited to browsing behaviour, session data, device identifiers, IP addresses, and interaction data as further described in Annex I.

"Processing"  means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction (and "Process", "Processes" and "Processed" shall be construed accordingly).

"Processor"  means the entity that Processes Personal Data on behalf of the Controller, being UXIFY (CY) LIMITED in the context of this Agreement.

"Restricted Transfer"  means a transfer of Personal Data to a third country or international organisation not recognised as providing adequate protection under Applicable Data Protection Law.

"Service"  means the real user monitoring, UX analytics, competitive intelligence, Navigation AI, and conversion optimisation platform provided by Uxify under the Terms of Service.

"Services Agreement"  means the Terms of Service, Order Form, or other agreement between the parties governing the Controller's use of the Service.

"Standard Contractual Clauses" or "SCCs"  means the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission Decision of 4 June 2021 (EU) 2021/914, as set out in Annex IV.

"Sub-processor"  means any third party engaged by the Processor to Process Personal Data on behalf of the Controller in connection with the Service.

"UK Addendum"  means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office (ICO) under section 119A of the Data Protection Act 2018.

2.  Details of processing

2.1  Subject matter

The Processor shall Process Personal Data on behalf of the Controller for the purpose of providing the Service as described in the Services Agreement and in Annex I to this Agreement.

2.2  Duration

The Processor shall Process Personal Data for the duration of the Services Agreement, unless otherwise agreed in writing or required by Applicable Data Protection Law. Upon termination or expiry of the Services Agreement, the Processor shall, at the Controller's election, delete or return all Personal Data in accordance with Clause 9 of this Agreement.

2.3  Nature and purpose

The Processor Processes Personal Data solely for the following purposes:

• providing, maintaining, and improving the Service;

• enabling real user monitoring (RUM), session analytics, user journey analysis, funnel analysis, and behavioural analytics for the Controller;

• enabling Navigation AI features and conversion optimisation functions;

• generating performance, engagement, and business metric reports for the Controller;

• enabling competitive intelligence and benchmarking features;

• ensuring the security, stability, and integrity of the Service;

• complying with legal obligations applicable to the Processor.

The Processor shall not Process Personal Data for any purpose beyond those set out above without the prior written consent of the Controller, except where required to do so by Applicable Data Protection Law.

2.4  Types of personal data and categories of data subjects

The types of Personal Data Processed and categories of Data Subjects are set out in Annex I to this Agreement.

3.  Obligations of the processor

3.1  General

The Processor shall:

• Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by Applicable Data Protection Law; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless prohibited by law on grounds of public interest;

• immediately inform the Controller if, in the Processor's opinion, an instruction infringes Applicable Data Protection Law;

• ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

• take all appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Clause 3.3 and Annex II;

• respect the conditions referred to in Clauses 3.4 and 3.5 for engaging another Processor;

• assist the Controller to ensure compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security, data breach notification, data protection impact assessment, and prior consultation), taking into account the nature of Processing and information available to the Processor;

• at the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Processing services, and delete existing copies unless Applicable Data Protection Law requires storage of Personal Data;

• make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Clause and allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor.

3.2  Confidentiality

The Processor shall ensure that access to Personal Data is limited to those employees, agents, and contractors who need access in order to provide the Service, and that all such persons are subject to written obligations of confidentiality no less protective than those set out in this Agreement. The obligations of confidentiality shall survive termination of this Agreement.

3.3  Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against Data Breaches. Such measures are described in Annex II and shall include, at a minimum:

• pseudonymisation and encryption of Personal Data where appropriate;

• ensuring ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;

• restoring the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

• a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

3.4  Sub-processing

3.4.1  The Controller provides general authorisation to the Processor to engage Sub-processors, subject to the conditions set out in this Clause 3.4. The Processor's current list of approved Sub-processors is set out in Annex III.

3.4.2  The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days in advance (where reasonably practicable) by updating Annex III or by providing written notice to the Controller. The Controller may object in writing to the engagement of a new or replacement Sub-processor within fourteen (14) days of receipt of notice, provided that such objection is based on reasonable grounds relating to data protection. If the parties cannot resolve such objection, the Controller may terminate the applicable Services Agreement on reasonable written notice without penalty as its sole and exclusive remedy.

3.4.3  Where the Processor engages a Sub-processor, the Processor shall impose data protection obligations on that Sub-processor by way of a written contract that provides at least the same level of protection for Personal Data as this Agreement and that meets the requirements of Article 28 of the GDPR. The Processor shall remain fully liable to the Controller for the performance of Sub-processor obligations.

3.5  Data subject rights

The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subjects' rights under Applicable Data Protection Law, including but not limited to:

• right of access (Article 15 GDPR);

• right to rectification (Article 16 GDPR);

• right to erasure (Article 17 GDPR);

• right to restriction of processing (Article 18 GDPR);

• right to data portability (Article 20 GDPR);

• right to object (Article 21 GDPR).

The Processor shall promptly notify the Controller, and in any event within five (5) business days, if it receives a request from a Data Subject exercising their rights under Applicable Data Protection Law, and shall not respond to any such request except on the documented instructions of the Controller or as required by Applicable Data Protection Law.

3.6  Data breach notification

The Processor shall notify the Controller without undue delay, and in any event within forty-eight (48) hours of becoming aware of a Data Breach affecting Personal Data Processed under this Agreement. Such notification shall include, to the extent then known:

• a description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects and records concerned;

• the name and contact details of the data protection officer or other contact point at the Processor from whom more information can be obtained;

• a description of the likely consequences of the Data Breach;

• a description of the measures taken or proposed to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where the Processor cannot provide all information in the initial notification, it shall provide the information in phases without undue further delay. The Processor shall provide all reasonable assistance to the Controller in complying with any applicable obligation to notify Data Breaches to Supervisory Authorities or affected Data Subjects.

3.7  Data protection impact assessment and prior consultation

The Processor shall provide the Controller with reasonable assistance in carrying out data protection impact assessments ("DPIAs") and prior consultations with Supervisory Authorities where required under Applicable Data Protection Law, taking into account the nature of the Processing and the information available to the Processor.

3.8  Deletion and return of personal data

Upon termination or expiry of the Services Agreement, or upon the written request of the Controller at any time, the Processor shall, at the Controller's election:

• securely delete or destroy all Personal Data (including copies and backups) within sixty (60) days; or

• return all Personal Data to the Controller in a commonly used machine-readable format within thirty (30) days.

The Processor shall provide the Controller with written certification of deletion upon request. Nothing in this Clause shall require the Processor to delete Personal Data to the extent that Applicable Data Protection Law requires the Processor to retain it, in which case the Processor shall inform the Controller of any such requirement and shall isolate and protect such Personal Data from any further Processing except as required by law.

3.9  Audit rights

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this Agreement. The Processor shall permit the Controller (or a mandated third-party auditor bound by confidentiality obligations) to conduct audits, including inspections, on reasonable notice of no less than thirty (30) calendar days, during normal business hours, and no more than once per calendar year except where a Supervisory Authority requires more frequent audits or where the Controller reasonably suspects a material breach of this Agreement.

As an alternative to an on-site audit, the Processor may provide the Controller with relevant third-party audit reports, certifications (e.g., ISO 27001, SOC 2), or other documentation demonstrating compliance, which the Controller may accept in its reasonable discretion.

The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this Agreement, in which case the Processor shall bear its own reasonable costs.

4.  Obligations of the controller

The Controller represents, warrants, and agrees that:

• it has a valid legal basis under Applicable Data Protection Law for Processing Personal Data through the Service, including obtaining valid consents from Data Subjects where required;

• it has provided and will continue to provide all necessary notices and disclosures to Data Subjects as required by Applicable Data Protection Law, including information about the use of Uxify as a data processor;

• all Personal Data provided to or collected through the Service has been collected lawfully and in compliance with Applicable Data Protection Law;

• its instructions to the Processor shall at all times comply with Applicable Data Protection Law;

• it is solely responsible for configuring the Service, including any cookie consent mechanisms, data minimisation settings, and IP anonymisation features made available by the Processor;

• it shall not instruct the Processor to Process Special Category Data or data relating to minors without prior written agreement and implementation of appropriate additional safeguards;

• it shall promptly inform the Processor of any changes to its legal basis for Processing or any regulatory restrictions applicable to Personal Data Processed through the Service;

• it shall cooperate with the Processor in good faith to give effect to both parties' obligations under Applicable Data Protection Law.

5.  International data transfers

5.1  Transfers within the EEA

Where Personal Data is Processed within the EEA, no additional transfer mechanism is required beyond compliance with the GDPR.

5.2  Restricted transfers

Where the Processor or any Sub-processor processes Personal Data outside the EEA (or outside the UK for UK GDPR purposes) and such transfer constitutes a Restricted Transfer, the parties agree that:

• the SCCs set out in Annex IV shall apply and are incorporated into this Agreement by reference, with Module Two (Controller to Processor) applying as between the Controller and the Processor;

• for transfers subject to UK GDPR, the UK Addendum (as issued by the UK ICO) shall also apply and is incorporated by reference;

• where a Sub-processor is located in a third country, the Processor shall ensure that an appropriate transfer mechanism is in place before transferring Personal Data to such Sub-processor, including back-to-back SCCs where applicable.

5.3  Adequacy decisions

To the extent that a Restricted Transfer is covered by an adequacy decision issued by the European Commission or the UK Government, the parties may rely on such adequacy decision in lieu of the SCCs or UK Addendum for that specific transfer.

5.4  Supplementary measures

Where required by Applicable Data Protection Law or by the judgment of either party following a transfer impact assessment, the parties shall implement appropriate supplementary technical and organisational measures to ensure an essentially equivalent level of protection to that guaranteed within the EEA or UK, as applicable. The Processor shall cooperate with the Controller in conducting any necessary transfer impact assessment.

6.  CCPA/CPRA provisions

6.1  Service provider designation

To the extent Applicable Data Protection Law includes the CCPA/CPRA, the Processor is a "Service Provider" as defined under the CCPA/CPRA and shall Process Personal Information (as defined under the CCPA/CPRA) only:

• for the business purpose of providing the Service as set out in this Agreement and the Services Agreement;

• as otherwise permitted by the CCPA/CPRA for Service Providers.

6.2  Prohibited uses

The Processor shall not:

• Sell or Share (as those terms are defined under the CCPA/CPRA) Personal Information Processed under this Agreement;

• retain, use, or disclose Personal Information for any commercial purpose other than providing the Service;

• retain, use, or disclose Personal Information outside the direct business relationship with the Controller;

• combine Personal Information received under this Agreement with Personal Information received from or collected in connection with another business, except as permitted by the CCPA/CPRA.

6.3  Consumer rights assistance

The Processor shall assist the Controller in responding to verifiable consumer requests to exercise rights under the CCPA/CPRA, including rights of access, deletion, correction, and opt-out of Sale or Sharing, in accordance with Clause 3.5 of this Agreement.

6.4  Certification

The Processor certifies that it understands the restrictions in this Clause 6 and will comply with them.

7.  Liability

7.1  Each party shall be liable to Data Subjects and, where applicable, to Supervisory Authorities for damage caused by Processing that infringes Applicable Data Protection Law, in accordance with the allocation of responsibility set out therein.

7.2  As between the parties, each party's liability under this Agreement shall be subject to the limitations and exclusions set out in the Services Agreement. The parties agree that any limitation of liability in the Services Agreement shall apply to this DPA and the SCCs to the maximum extent permitted by Applicable Data Protection Law.

7.3  To the extent any limitation of liability is inconsistent with the obligations imposed on processors under the GDPR (including Articles 82 and 83), the applicable GDPR provisions shall prevail to the extent required by law.

8.  Term and termination

8.1  This Agreement shall commence on the effective date of the Services Agreement and shall continue for so long as the Processor Processes Personal Data on behalf of the Controller.

8.2  This Agreement shall automatically terminate upon termination or expiry of the Services Agreement, subject to any obligations that by their nature survive termination (including Clauses 3.2, 3.8, 5, and 7).

8.3  Either party may terminate this Agreement with immediate effect by written notice if the other party commits a material breach of this Agreement that is incapable of remedy, or that is not remedied within thirty (30) days of receipt of written notice specifying the breach and requiring remedy.

9.  Governing law and jurisdiction

9.1  This Agreement and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with the laws of the Republic of Cyprus, without regard to its conflict of law provisions.

9.2  The parties irrevocably submit to the exclusive jurisdiction of the courts of the Republic of Cyprus to settle any dispute arising out of or in connection with this Agreement.

9.3  The foregoing is without prejudice to the mandatory provisions of Applicable Data Protection Law and the jurisdiction of competent Supervisory Authorities.

9.4  For the purposes of the SCCs, the governing law and choice of forum clauses within the SCCs shall apply in addition to, and shall not be affected by, this Clause 9.

10.  General provisions

10.1  Entire Agreement.  This Agreement (together with the Services Agreement and the Annexes) constitutes the entire agreement between the parties with respect to its subject matter and supersedes all prior agreements, understandings, negotiations, and representations with respect thereto.

10.2  Amendments.  This Agreement may only be modified by a written instrument signed by authorised representatives of both parties, except that Annex III (Sub-processor list) may be updated unilaterally by the Processor subject to the notification requirements in Clause 3.4.

10.3  Severability.  If any provision of this Agreement is held invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable.

10.4  Waiver.  No failure or delay by a party to exercise any right or remedy under this Agreement shall constitute a waiver of that right or remedy.

10.5  Notices.  Notices under this Agreement shall be in writing and sent by email or registered post to the addresses specified in the Services Agreement or as otherwise notified in writing by either party.

10.6  Counterparts.  This Agreement may be executed in counterparts and by electronic signature, each of which shall be deemed an original and together shall constitute one agreement.

10.7  Precedence.  In the event of any conflict or inconsistency between the documents forming the agreement between the parties, the order of precedence shall be: (i) this DPA; (ii) the SCCs (if applicable); (iii) the Services Agreement; (iv) any order forms or statements of work.

ANNEX I

DETAILS OF PROCESSING ACTIVITIES

A.  List of parties

B.  Description of transfer and processing

Categories of data subjects

Categories of personal data

Special category data

The Processor does not intentionally collect or process Special Category Data (as defined in Article 9 GDPR) or Personal Data relating to criminal convictions or offences. The Controller is responsible for ensuring that the Service is configured to exclude any Special Category Data from collection. If Special Category Data is incidentally transmitted, the Controller shall notify the Processor immediately and the parties shall agree on appropriate remediation steps.

Purposes of processing

Retention periods

Frequency of transfers

Continuous, as Personal Data is generated by visitors to the Controller's digital properties in real time.

Nature of processing

Collection, recording, organisation, structuring, storage, retrieval, analysis, aggregation, visualisation, and transmission to the Controller.

ANNEX II

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Uxify implements and maintains the following technical and organisational measures to protect Personal Data:

A.  Access controls

• Role-based access control (RBAC) limiting access to Personal Data to authorised personnel on a need-to-know basis.

• Multi-factor authentication (MFA) required for access to production systems containing Personal Data.

• Privileged access management (PAM) with just-in-time access provisioning for administrative tasks.

• Regular review and revocation of access rights upon role changes or employment termination.

• Audit logging of all access to Personal Data and systems.

B.  Data encryption

• All Personal Data transmitted over public networks is encrypted using TLS 1.2 or higher.

• Personal Data stored at rest is encrypted using AES-256 or equivalent standards.

• Database encryption at the storage layer.

• Encryption keys managed using dedicated key management systems with access controls.

C.  Pseudonymisation and anonymisation

• IP addresses are truncated/anonymised during ingest where configured by the Controller.

• Session identifiers are pseudonymous and do not directly identify natural persons.

• Aggregated data used for reporting is anonymised to the extent technically feasible.

D.  Network and infrastructure security

• Firewalls and intrusion detection/prevention systems protecting production environments.

• Network segmentation separating production, staging, and development environments.

• Regular vulnerability scanning and penetration testing conducted at least annually by qualified third parties.

• Patch management programme ensuring timely application of security updates.

• DDoS mitigation measures.

E.  Physical security

• Personal Data is processed in data centres with industry-standard physical security controls including biometric access, CCTV surveillance, and 24/7 on-site security.

• Uxify utilises cloud infrastructure providers (see Annex III) that maintain SOC 2 Type II and ISO 27001 certifications for their data centres.

F.  Incident response and business continuity

• Documented incident response plan with defined roles, responsibilities, and escalation procedures.

• Regular backups with tested restore procedures.

• Business continuity and disaster recovery plans tested at least annually.

• Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined and documented.

G.  Personnel security

• Background checks conducted on employees with access to Personal Data (subject to applicable employment law).

• Mandatory data protection and security training for all employees upon onboarding and annually thereafter.

• Confidentiality agreements with all employees and contractors.

• Disciplinary procedures for security policy violations.

H.  Data minimisation and retentions

• Data minimisation principles applied in the design of the Service.

• Automated deletion processes aligned with retention periods specified in Annex I.

• Configurable data collection settings enabling Controllers to minimise collection at source.

I.  Security governance

• Appointed Data Protection Officer responsible for overseeing compliance with data protection obligations.

• Regular internal security audits and risk assessments.

• Vendor security assessment programme for Sub-processors.

• Security policies reviewed and updated at least annually.

• Uxify works towards and maintains relevant security certifications and is committed to providing Controllers with current certification status upon request.

ANNEX III

LIST OF APPROVED SUB-PROCESSORS

The following Sub-processors are approved to Process Personal Data in connection with the Service. Uxify shall maintain and update this list in accordance with Clause 3.4 of the Agreement. The most current version of this list will be made available to Controllers upon written request and at uxify.com/legal.

Note: The Controller should verify this list against the current version available at uxify.com/legal as part of its due diligence.

The above list is illustrative and subject to change. Uxify shall notify the Controller of any additions or replacements in accordance with Clause 3.4.2 of this Agreement.

For each Sub-processor, Uxify has entered or will enter into a written data processing agreement imposing obligations at least equivalent to those imposed on Uxify under this DPA.

ANNEX IV

STANDARD CONTRACTUAL CLAUSES

MODULE TWO: CONTROLLER TO PROCESSOR

The Standard Contractual Clauses set out in this Annex IV are the standard contractual clauses adopted by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

The parties agree that Module Two (Transfer controller to processor) of the SCCs applies to any Restricted Transfer from the Controller (as data exporter) to the Processor (as data importer) under this Agreement. The SCCs are incorporated into this Agreement by reference and supplemented as follows:

Completion of the SCCs (Module Two)

UK international data transfer addendum

For transfers subject to UK GDPR, the parties agree to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the Information Commissioner's Office under section 119A of the Data Protection Act 2018 ("UK Addendum"), as follows:

Key obligations under Module Two

The parties acknowledge and agree to the following key obligations under Module Two of the SCCs, which are incorporated by reference:

Clause 8 - Data protection safeguards

• The data importer (Uxify) shall process personal data only on documented instructions from the data exporter (Customer).

• The data importer shall inform the data exporter immediately if it is unable to comply with the SCCs.

• The data importer shall process personal data in accordance with the Annex II technical and organisational measures.

Clause 9 - Use of Sub-processors

• The data importer has the data exporter's general authorisation to engage sub-processors listed in Annex III.

• The data importer shall notify the data exporter of any intended changes to sub-processors at least 30 days in advance.

• The data importer shall impose equivalent data protection obligations on all sub-processors by contract.

Clause 10 - Data subject rights

• The data importer shall promptly notify the data exporter of any request received directly from a data subject and shall not respond to such request without the data exporter's authorisation.

Clause 15 - Obligations in case of access by public authorities

• The data importer shall notify the data exporter of any legally binding request for disclosure of personal data by a public authority, unless prohibited by law.

• The data importer shall review the legality of any such request and challenge it if permitted by law.

Clause 16 - Non-compliance and suspension

• The data importer shall inform the data exporter if it is unable to comply with the SCCs for whatever reason.

• The data exporter shall be entitled to suspend personal data transfers if non-compliance presents a substantial risk to data subjects.

The full text of the Standard Contractual Clauses (EU Commission Implementing Decision (EU) 2021/914) is available at:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914

The Controller acknowledges that it has had the opportunity to review and is bound by the full text of the SCCs as published by the European Commission.