
Oyster Strategic Partner Data Processing Addendum

Revised September 23, 2024

This Oyster Strategic Partner Data Processing Addendum (“SP-DPA”) forms part of the Strategic Partner Agreement between Oyster HR, Inc., (“Oyster”) and the Strategic Partner (as defined herein). Oyster and the Strategic Partner are collectively referred to as the “Parties,” or individually as a “Party.”

This SP-DPA is intended to clarify and reflect the Parties’ agreement and understanding regarding the collection and processing of Personal Data and to comply with the requirements of current legal frameworks and Applicable Data Protection Laws and to ensure that the Strategic Partner understands and acknowledges its obligations with regard to the collection and processing of End Customer or Team Member Data (as defined herein).

1. Definitions

All capitalized terms used but not otherwise defined in this SP-DPA have the meaning defined in the Platform Terms and the Agreement. The following definitions and rules of interpretation below apply to this SP-DPA:

(1)    Agreement means the Strategic Partner Agreement between Oyster and the Strategic Partner that sets forth the commercial terms of the relationship between the Parties.

(2)    Applicable Data Protection Laws means all data protection laws and regulations applicable to a Party's processing of personal data under the Agreement, including but not limited to the following: EU GDPR, UK GDPR, US California CCPA/CPRA, Brazil LGPD, Dubai PDPA, South Africa POPIA, Thailand PDPA, US Colorado CPA, US Connecticut DPA, and the US Virginia CDPA. See Schedule 6 of this SP-DPA for more information.

(3)    Controller means the entity that determines the purpose and means of the Processing of Personal Data. For purposes of this SP-DPA, the term Controller includes its meaning under Applicable Data Protection Laws and its reasonable equivalent(s), including but not limited to a “Business” as defined by the California Consumer Privacy Act.

(4)    Data Subject means the individual to whom Personal Data relates.

(5)    Data Types means the types of Personal Data addressed by this SP-DPA.  For purposes of this SP-DPA, the following data types have the following meanings:

(a)    End Customer Data means Personal Data that relates to End Customer’s use of the Oyster Platform and Services. End Customer Data may include: (a) account information, such as the names, email addresses, and phone numbers of individuals authorized by End Customer to access the End Customer’s account on the Oyster Platform and/or use the Services (e.g., End Customer administrators); and (b) information regarding an End Customer’s usage of the Oyster Platform, such as payment transactions and connection data (e.g., IP address, location, and logs). For more information on Oyster’s collection and processing of End Customer Data (referred to as Customers), please see our Website Privacy Notice, available at https://legal.oysterhr.com/privacy/privacy-notice;

(b)    End Customer Third-Party Data means Personal Data processed on End Customer’s systems by Team Members as part of End Customer’s use of Oyster’s Services (e.g., names, phone numbers, or contact information of Customer’s clients).

(c)    EOR Team Member Data means the Personal Data of EOR Team Members engaged through the Oyster Platform on behalf of an End Customer. EOR Team Member Data includes Personal Data commonly collected for employment purposes, including but not necessarily limited to contact information, identity documents, payroll, and benefits information. For more information on Oyster’s collection and processing of EOR Team Member Data, please see our EOR Team Member Privacy Notice, available at https://legal.oysterhr.com/privacy/sctm-privacy.

(d)    Payroll Team Member Data means the Personal Data of Payroll Team Members engaged through the Oyster Platform on behalf of an End Customer. Payroll Team Member Data includes Personal Data commonly collected for payroll purposes, including but not necessarily limited to contact information, payroll, and benefits information. For more information on Oyster’s collection and processing of Payroll Team Member Data, please see our Payroll Team Member Privacy Notice, available at https://legal.oysterhr.com/privacy/gptm-privacy.

(e)    Strategic Partner Data means Personal Data that relates to Strategic Partner’s contractual relationship with Oyster. Strategic Partner Data may include: (a) account information, such as the names, email addresses, and phone numbers of individuals authorized by Strategic Partner to access the Strategic Partner’s (or any associated End User’s) account on the Oyster Platform and/or use the Services (e.g., Strategic Partner administrators); and (b) information regarding a Strategic Partner’s usage of the Oyster Platform, such as payment transactions and connection data (e.g., IP address, location, and logs). For more information on Oyster’s collection and processing of Strategic Partner Data, please see our Website Privacy Notice, available at https://legal.oysterhr.com/privacy/privacy-notice.

(f)    Oyster Intelligence Personal Data means the Personal Data of EOR Team Members, Payroll Team Members, and other individuals employed by Oyster Customers that may be provided to Oyster as part of Oyster Intelligence Services. Oyster Intelligence Personal Data includes but is not necessarily limited to Personal Data collected for analytics and benchmarking purposes that may be needed to provide the Oyster Intelligence Services (as defined in the Oyster Intelligence Services Terms of Use). For more information on Oyster’s collection and processing of Oyster Intelligence Personal Data, please see our Website Visitor Privacy Notice, available at https://legal.oysterhr.com/privacy/privacy-notice.

(6)    End Customer means the final user of Oyster’s services.

(7)    Personal Data means any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For purposes of this SP-DPA, the term Personal Data includes its meaning under Applicable Data Protection Laws and its reasonable equivalent(s), including but not limited to “personal information” as defined by the California Consumer Privacy Act.

(8)    Personal Data Security Incident means the actual (or reasonably suspected) accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by Oyster.

(9)    Process (and Processing) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data.

(10)    Processor means a natural or legal person, public authority, agency, or other body that Processes Personal Data on behalf of a Controller.

(11)    Standard Contractual Clauses (“SCCs”) means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914/, as may be amended, superseded, or replaced.

(12)    Strategic Partner means the entity that has entered into the Agreement with Oyster for the distribution, sale, or enhancement of Oyster’s offerings. Strategic Partner may also be referred to in the Agreement as an Authorized Agent, Mutual Referral Partner, Reseller, Managed Servicer, or an API, Data and Licensing Partner, with each Strategic Partner type having its meaning as defined in the Agreement.

(13)    Team Member(s) means an individual engaged by or on behalf of End Customers through the Oyster Platform, including but not necessarily limited to:

(a)    Employer-of-Record (EOR) Team Members: Oyster employees (or employees of an Oyster Third-Party EOR) who provide services to End Customers through the Oyster Platform.

(b)    Payroll Team Members: Employees of End Customers to whom payments are made, or directed to be made, by the End Customer through the Oyster Platform.

(14)    Third-Party EOR means a local employer of record (other than an Oyster Subsidiary) through which Oyster EOR Team Members may be employed.

(15)    UK Addendum means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 currently found at https://ico.org.uk/media/fororganisations/documents/4019539/international-data-transfer-addendum.pdf, as may be amended, superseded, or replaced.

2. Scope, Team Member Authorization, and Relationship of the Parties

2.1    Scope of Processing

The Parties agree that as part of the Agreement and End Customer’s use of Oyster Services, the performance of the Services may include the collection and Processing of the Data Types set forth above. Such Processing may include:

(1)    Oyster’s Processing of Strategic Partner Data (applies where a Strategic Partner has set up any type of account on the Oyster Platform or where Strategic Partner accesses the Oyster Platform on behalf of an End Customer);

(2)    Oyster’s Processing of EOR Team Member Data for employment purposes (applies where Oyster provides Employer-of-Record services to an End Customer directly or through a Strategic Partner);

(3)    Oyster’s Processing of Payroll Team Member Data for payroll purposes (applies where Oyster provides Global Payroll services to an End Customer directly or through a Strategic Partner);

(4)    Oyster’s Processing of End Customer Data (applies where an End Customer has set up any type of account on the Oyster Platform);

(5)    Oyster’s Processing of Oyster Intelligence Personal Data for purposes of providing the Oyster Intelligence Services; and

(6)    An End Customer’s use of Team Member consultancy services for the Processing of End Customer Third-Party Data (applies whenever an End Customer uses a Team Member’s services to process Customer Third-Party Data).

2.2    EOR Team Member Processing Authority

Notwithstanding anything to the contrary, the Parties agree that EOR Team Members assigned to End Customer are hereby granted the limited authority to act on behalf of the End Customer for the sole and exclusive purpose of Processing End Customer Third-Party Data.

2.3    Relationship of the Parties

Due to the nature of the Parties’ relationship and the different methods through which Strategic Partner may distribute, sell, or enhance Oyster’s offerings, the Parties’ data processing relationship relative to certain Data Types may change depending on whether Oyster has direct interaction with (and receives processing instructions from) the End Customer.

2.3a - When Oyster receives data and/or processing instructions from the End Customer 

(1)    EOR Team Member Data: The Parties agree that with respect to EOR Team Member Data, for all purposes under Applicable Data Protection Laws:

(a)    Oyster is an independent Controller; 

(b)    End Customers are independent Controllers; and

(c)    Strategic Partner has no role in the processing of such data.

Nothing in this SP-DPA is intended to construe either Party as the Processor of the other Party or as joint data controllers with the other with respect to EOR Team Member Data.

(2)    End Customer Data: The Parties agree that with respect to End Customer Data, for all purposes under Applicable Data Protection Laws:

(a)    Oyster is an independent Controller;

(b)    End Customers are independent Controllers; and

(c)    Strategic Partner has no role in the processing of such data.

Nothing in this SP-DPA is intended to construe either Party as the Processor of the other Party or as joint data controllers with the other with respect to End Customer Data.

(3)    Payroll Team Member Data and Oyster Intelligence Personal Data: The Parties agree that with respect to Payroll Team Member Data and Oyster Intelligence Personal Data:

(a)    End Customer is a Controller; 

(b)    Oyster is a Processor acting on behalf of the End Customer; and

(c)    Strategic Partner has no role in the processing of such data.

2.3b - When Oyster receives data and/or processing instructions from the Strategic Partner

(1)    EOR Team Member Data: The Parties agree that with respect to EOR Team Member Data, for all purposes under Applicable Data Protection Laws:

(1)    Oyster is an independent Controller; 

(2)    End Customers are independent Controllers; and

(3)    Strategic Partner is a Data Processor acting on behalf of each End Customer.

Nothing in this SP-DPA is intended to construe Oyster or the End Customer as a Processor or as joint data controllers with the other with respect to EOR Team Member Data.

(2)    End Customer Data: The Parties agree that with respect to End Customer Data, for all purposes under Applicable Data Protection Laws:

(1)    Oyster is an independent Controller;

(2)    End Customers are independent Controllers; and

(3)    Strategic Partner is a Data Processor acting on behalf of each End Customer.

Nothing in this SP-DPA is intended to construe Oyster or the End Customer as a Processor or as joint data controllers with the other with respect to End Customer Data.

(3)    Payroll Team Member Data and Oyster Intelligence Personal Data: The Parties agree that with respect to Payroll Team Member Data and Oyster Intelligence Personal Data:

(1)    End Customer is a Controller; 

(2)    Strategic Partner is a Processor acting on behalf of each End Customer; and

(3)    Oyster is a Sub-Processor acting at the direction of the Strategic Partner.

2.3c - In all cases.

(4)    Strategic Partner Data: The Parties agree that with respect to Strategic Partner Data, for all purposes under Applicable Data Protection Laws, Oyster and Strategic Partner are independent Controllers. Nothing in this SP-DPA is intended to construe either Party as the Processor of the other Party or as joint data controllers with the other with respect to Strategic Partner Data.

(5)    End Customer Third-Party Data: The Parties acknowledge that with respect to End Customer Third-Party Data, for all purposes under Applicable Data Protection Laws, End Customer may act either as a Controller or a Processor. 

(6)    EOR Team Member Processing Activities: The Parties acknowledge and agree that because EOR Team Member Processing of End Customer Third-Party Data will take place exclusively on End Customer-controlled systems, at the direction of the End Customer, and on behalf of the End Customer (pursuant to the authorization provided in Paragraph 2.2, above), Oyster has no role in the Processing of such data. For avoidance of doubt, the Parties acknowledge and agree that Oyster is not acting as a Processor under Applicable Data Protection Laws with respect to End Customer Third-Party Data.

2.4    Purpose Limitations and Instructions for Processing

The parties agree as follows:

(1)    EOR Team Member Data: Oyster will collect and process Team Member Data as a Controller in accordance with Applicable Data Protection Laws, Oyster’s Privacy Notice for Team Members and Staff (available at https://legal.oysterhr.com/privacy/sctm-privacy), and the Agreement for the purposes detailed in Schedule 1 of this SP-DPA.

(2)    End Customer Data: Oyster will process End Customer Data as a Controller in accordance with Applicable Data Protection Laws, Oyster’s Website Privacy Notice (available at https://legal.oysterhr.com/privacy/privacy-notice), and the Agreement, including this SP-DPA.

(3)    Payroll Team Member Data and Oyster Intelligence Personal Data: Oyster will process Payroll Team Member Data and Oyster Intelligence Personal Data as a Processor (or Sub-Processor) in accordance with Applicable Data Protection Laws, Oyster’s Payroll Team Member Privacy Notice (available at https://legal.oysterhr.com/privacy/gptm-privacy), Oyster’s Website Privacy Notice (available at https://legal.oysterhr.com/privacy/privacy-notice), and the Agreement, including this SP-DPA.

(4)    End Customer Third-Party Data: EOR Team Members engaged by Oyster will process End Customer Third-Party Data under the authority granted in Section 2.2 of this SP-DPA on behalf of the End Customer and in accordance with the End Customer’s instructions. 

However, where applicable and with respect to End Customer Third-Party Data, Oyster will: 

(a)    comply with its obligations under Applicable Data Protection Laws and will not knowingly act in a manner that will, or is likely to, result in End Customer violating End Customer’s obligations under Applicable Data Protection Laws; 

(b)    keep and maintain (and cause its employees and subcontractors to keep and maintain) such data in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use, or disclosure; 

(c)    not use, sell, rent, transfer, distribute, or otherwise disclose or make available any such data for Oyster’s own purposes or for the benefit of anyone other than End Customer, without End Customer’s prior written consent; 

(d)    not disclose any such data to any third party without End Customer’s prior written consent; or 

(e)    not combine any such data with personal data that Oyster receives from, or on behalf of, other persons or collects other than in connection with the provision of the Services under this Agreement.

2.5    Third-Party Processors

Strategic Partner acknowledges and agrees that when acting as a Controller, Oyster may engage third-party processors in connection with the provision of the Services. Oyster acknowledges and agrees that Strategic Partner, when acting as a Controller, may engage third-party processors in connection with the receipt of the Services. Each Party must have a written agreement with any such processor, and any such agreement must include substantially similar data protection obligations as set out in this SP-DPA. Each party is liable for the acts and omissions of its respective processors to the same extent such Party would be liable under the terms of this SP-DPA, except as otherwise set forth in the Agreement.

For the avoidance of doubt, where Oyster acts as a Controller–for example, when processing EOR Team Member data–such third-party data processors are not sub-processors. 

2.6    Sub-Processors

Strategic Partner acknowledges and agrees that Oyster may engage sub-processors to Process Personal Data in connection with the provision of the Services. Oyster has currently appointed, as sub-processors, the Oyster Affiliates and third parties listed in Schedule 4 to this SP-DPA. A list of sub-processors is also available online at: https://legal.oysterhr.com/privacy/subprocessors. Oyster will notify Strategic Partner of any changes to sub-processors by updating Schedule 4 to this SP-DPA and will give the opportunity to object to the engagement of a new sub-processor on reasonable grounds relating to the protection of Personal Data within 30 days after updating Schedule 4 to this SP-DPA. If Strategic Partner notifies Oyster of such an objection, the Parties will discuss the Strategic Partner’s concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Oyster will, at its sole discretion, either not appoint the new sub-processor or permit the Strategic Partner to suspend or terminate the affected Service in accordance with the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred before suspension or termination).

Where Oyster engages sub-processors, it will impose data protection terms on the sub-processor that provide at least the same level of protection for Personal Data as those in this SP-DPA, to the extent applicable to the nature of the services provided by such sub-processor. Oyster remains responsible for each sub-processor’s compliance with the obligations of this SP-DPA and for any acts or omissions of such sub-processor that cause us to breach any of Oyster’s obligations under this SP-DPA.

2.7    Processing Information

Schedule 1 of this SP-DPA details the duration of processing, the nature and purpose of processing, the type of Personal Data and the categories of Data Subjects processed by Oyster under this SP-DPA.

2.8    Data Subject Access Requests

(1)    EOR Team Member Data and End Customer Data: With respect to EOR Team Member Data and End Customer Data, as independent Controllers, Oyster and End Customer are each independently obligated to respond to requests from Data Subjects that wish to exercise their rights under Applicable Data Protection Laws. Oyster will respond to any such requests directed to it and, where Oyster deems appropriate:

(a)    Where Oyster has a direct relationship with the End Customer, Oyster will inform the End Customer of such requests; and

(b)    Where Oyster has no direct relationship with the End Customer, Oyster will notify Strategic Partner of such requests.

(2)    Payroll Team Member Data and Oyster Intelligence Personal Data: With respect to Payroll Team Member Data and Oyster Intelligence Personal Data, as a Processor, if a Data Subject submits a Data Subject Access Request directly to Oyster:

(a)    Where Oyster has a direct relationship with the End Customer, Oyster will promptly inform the End Customer and will advise the Data Subject to submit their request to the End Customer. 

(b)    Where Oyster has no direct relationship with the End Customer, Oyster will promptly inform the Strategic Partner and will advise the Data Subject to submit their request to the Strategic Partner.

The End Customer and Strategic Partner are solely responsible for responding substantively to any such Data Subject Access Requests or communications involving Payroll Team Member Data and Oyster Intelligence Personal Data. If an End Customer or Strategic Partner is unable to independently address such a Data Subject Request, Oyster will provide reasonable assistance in doing so.

(3)    End Customer Third-Party Data: As set forth in Sections 2.3(4), (5) and 2.4(4) of this SP-DPA, Oyster has no access to or control over any End Customer Third-Party Data. If, however, Oyster becomes aware of a data subject access request related to End Customer Third-Party Data, Oyster will: 

(a)    Where Oyster has a direct relationship with the End Customer: (i) notify the End Customer promptly but not later than forty-eight (48) after receiving such a request; (ii) provide the End Customer with reasonable cooperation and assistance in relation to any request made by the data subject to have access to that person’s personal data; and (iii) not disclose the personal data to any data subject or to a third party other than at the request of the End Customer or as provided for in its DPA with the End Customer.

(b)    Where Oyster has no direct relationship with the End Customer: (i) notify the Strategic Partner promptly but not later than forty-eight (48) after receiving such a request; (ii) provide the Strategic Partner with reasonable cooperation and assistance in relation to any request made by the data subject to have access to that person’s personal data; and (iii) not disclose the personal data to any data subject or to a third party other than at the request of the Strategic Partner or as provided for in this SP-DPA.

(4)    Strategic Partner Data: With respect to Strategic Partner Data, as independent Controllers, Oyster and Strategic Partner are each independently obligated to respond to requests from Data Subjects that wish to exercise their rights under Applicable Data Protection Laws. Unless otherwise prohibited under Applicable Data Protection Laws, the Parties may cooperate in their responses to such requests. Each Party, however, must independently determine its obligations under Applicable Data Protection Laws and may respond as it deems appropriate, in its sole discretion.

3. Term, Termination, and Ongoing Obligations

3.1    Term and Termination

The term of the SP-DPA is coterminous with the term of the Agreement. The termination of this SP-DPA, therefore, depends on the provisions concerning the duration and the termination of the Agreement. Termination of the Agreement also terminates this SP-DPA.

3.2    Premature Termination

The premature termination of this SP-DPA, upon written notice to the other Party, is permissible in the event of such other Party’s serious breach of statutory or contractual data protection obligations under Applicable Data Protection Laws.

The Parties acknowledge that the termination of the SP-DPA, at any time or for any reason, does not exempt them from their obligations under Applicable Data Protection Laws relating to the collection, processing, or use of Personal Data.

3.3    Deletion of Personal Data on Termination

Oyster agrees that with respect to End Customer Data and Strategic Partner Data that Oyster may collect as part of its provision of Services under the Agreement, Oyster will delete all such data in accordance with its applicable data retention policies. If an End Customer or Strategic Partner requests that such data be deleted at an earlier time, Oyster will use commercially reasonable efforts to comply with the request, subject to any legal obligation that Oyster may have to retain any such End Customer Data.

3.4    Ongoing Compliance

Oyster will ensure that (a) it has and will continue to comply with Applicable Data Protection Laws in its provision of the Services; and (b) Team Members are provided with adequate notice of Oyster’s processing activities for which Oyster acts as a controller.

Strategic Partner will ensure that (a) it has and will continue to comply with Applicable Data Protection Laws when acting under the Agreement; and (b) it has, and will continue to have, the right to transfer, or provide access to, Team Member Data, End Customer Data, Oyster Intelligence Personal Data, and End Customer Third-Party Data to Oyster, where applicable.

4. Security of Personal Data

4.1    Technical and Organizational Measures

Each Party must take suitable technical and organizational measures appropriate to the risk to ensure protection of the security, confidentiality, and integrity of Personal Data it Processes under this SP-DPA. Each Party guarantees to the other Party that it has carried out the technical and organizational measures specified in Schedule 3 to this SP-DPA. The technical and organizational measures are subject to the current state of technology and technical progress. In this regard, a Party is permitted to implement adequate alternative measures, provided that these measures may not provide a lower level of security to Personal Data transferred hereunder than the stipulated measures in Schedule 3.

4.2    Employee Access

Oyster agrees to ensure that only such of its employees who may be required by it to provide the Services to End Customers, to perform under the Agreement, or to assist Oyster in meeting its obligations under this SP-DPA will have access to Personal Data. Oyster will further ensure that such employees are contractually obligated to comply with Oyster’s information security policies.

4.3    Security of End Customer Third-Party Data

As set forth in Sections 2.3(4) and 2.4(4) of this SP-DPA, Oyster has no access to or control over any End Customer Third-Party Data. Oyster will, however, ensure that EOR Team Members assigned to Customer are contractually obligated to comply with End Customer’s policies, including all information security policies, through the execution of a Remote Work Schedule that includes such an obligation and will:

(a)    Where Oyster has a direct relationship with the End Customer, inform the End Customer in writing of any such non-compliance of which it becomes aware and further act in accordance with its obligations under the DPA between Oyster and the End Customer.

(b)    Where Oyster does not have a direct relationship with the End Customer, inform the Strategic Partner in writing of any such non-compliance of which it becomes aware. Additionally, Oyster will, at Strategic Partner’s request, (a) provide copies of Oyster’s information security policies (subject to execution of a non-disclosure agreement), (b) take all reasonable measures to cause any EOR Team Members placed with an End Customer to assist the End Customer with investigations related to information-security or data-protection matters; and (c) reasonably assist End Customer with any such investigations where commercially reasonable.

5. Personal Data Security Incidents

5.1    EOR Team Member Data, Payroll Team Member Data, Oyster Intelligence Personal Data, and End Customer Data

Upon confirmation that a Personal Data Security Incident has occurred related to any Personal Data covered by this SP-DPA:

5.1a - EOR Team Member Data, Payroll Team Member Data, Oyster Intelligence Personal Data, and End Customer Data where Oyster has a direct relationship with the End Customer

Oyster will investigate the incident in accordance with its Incident Response Policy and will notify the End Customer in accordance with the DPA between Oyster and the End Customer. To protect the security and confidentiality of the End Customer and their Team Members, Oyster will not notify the Strategic Partner.

5.1b - EOR Team Member Data, Payroll Team Member Data, Oyster Intelligence Personal Data, and End Customer Data where Oyster does not have a direct relationship with the End Customer

Oyster will investigate the incident in accordance with its Incident Response Policy and:

(1)    Where Oyster is a Controller, to the extent permitted (or required) by applicable law, notify Strategic Partner and any affected EOR Team Members without undue delay, such notice to be delivered to Customer in accordance with Section 9.1 of this SP-DPA; 

(2)    Where Oyster is a Processor, to the extent permitted (or required) by applicable law, notify Strategic Partner without undue delay, such notice to be delivered to Strategic Partner in accordance with Section 9.1 of this SP-DPA in no more than 1 business day;

(3)    Promptly provide Strategic Partner with all relevant information in its possession as reasonably required under Applicable Data Protection Law, to comply with any reporting obligations of a relevant regulatory authority concerning such incident.

5.1c - Strategic Partner Data

Oyster will investigate the incident in accordance with its Incident Response Policy and to the extent permitted (or required) by applicable law, notify Strategic Partner without undue delay, such notice to be delivered to Customer in accordance with Section 9.1 of this SP-DPA, and promptly provide Strategic Partner with all relevant information in its possession as reasonably required under Applicable Data Protection Law, to comply with any reporting obligations of a relevant regulatory authority concerning such incident.

5.1d - In All Cases

To the extent such Personal Data Security Incident is caused by Oyster’s violations of its obligations under this SP-DPA, Oyster will take such reasonable remedial steps to address the incident and prevent any further incidents.

5.2    Notification to Supervisory Authority

If Strategic Partner determines that a Personal Data Security Incident must be notified to any supervisory authority and/or data subjects and/or the public or portions of the public pursuant to the Applicable Data Protection Law, Strategic Partner will, to the extent commercially feasible, notify Oyster before the communication is made (and where not commercially feasible, as soon as is commercially feasible after such communication is made) and supply Oyster with copies of any written documentation to be filed with the supervisory authority and of any notification Strategic Partner proposes to make (whether to any supervisory authority, data subjects, the public or portions of the public) which directly or indirectly references Oyster, its security measures and/or role in the Personal Data Security Incident, whether or not by name. Subject to Strategic Partner’s compliance with any mandatory notification deadlines under Applicable Data Protection Law, Strategic Partner will consult with Oyster in good faith and take account of any clarifications or corrections Oyster reasonably requests to such notifications and that are consistent with Applicable Data Protection Law.

6. International (Cross-Border) Data Transfers

6.1    Transfers from the EEA, UK, or Switzerland

The European Commission has determined that certain countries outside of the European Economic Area (EEA) adequately protect personal information, which means that data can be transferred from the EU (and from Norway, Liechtenstein, and Iceland) to those countries. The UK and Switzerland have adopted similar adequacy mechanisms. The European Commission, UK, and Swiss adequacy decisions can be found here:

To the extent any personal data is transferred from the EEA, UK, or Switzerland to any country that has not been deemed adequate, the Parties agree that the Standard Contractual Clauses, incorporated by reference to this SP-DPA, will apply in respect of the processing of such personal data. In relation to the Standard Contractual Clauses, Oyster will comply with the obligations of the ‘data importer’ in the Standard Contractual Clauses and the Strategic Partner will comply with the obligations of the ‘data exporter’. Appendices of the EEA SCCs are to be deemed completed as set forth in Schedule 2 of this SP-DPA in relation to transfer of personal data outside the EEA. The UK Addendum is to be deemed completed as set forth in Schedule 5.

If Oyster obtains certification under the EU-U.S. and/or Swiss-U.S. Data Privacy Framework(s) and/or the UK Extension to the EU-U.S. DPF at any time after the effective date of this SP-DPA, Oyster’s adherence to the DPF Principles will immediately supersede the application of the SCCs unless and until such time as adherence to the DPF Principles is found by a court of competent jurisdiction to be inadequate.

6.2    Oyster In-Group Processing

Information stored on the Oyster Platform is stored in Ireland. Strategic Partner acknowledges, however, that due to the nature of Oyster’s Services, and because Oyster is a globally distributed organization with Oyster Staff seated in more than 30 countries, Personal Data may be stored or processed on a limited basis in any country in which an Oyster Staff Member is located, including but not necessarily limited to the following countries:

    • Armenia
    • Austria
    • Brazil
    • Canada
    • Chile
    • Costa Rica
    • Czech Republic
    • France
    • Ghana
    • Greece
    • Honduras
    • Hungary
    • India
    • Ireland
    • Italy
    • Kenya
    • Latvia
    • Lithuania
    • Mexico
    • Netherlands
    • Nigeria
    • Norway
    • Philippines
    • Portugal
    • Romania
    • Serbia
    • Singapore
    • Spain
    • Switzerland
    • United Arab Emirates
    • United Kingdom
    • United States

6.3    Conflicts and Invalidity

If any provision of this SP-DPA contradicts, directly or indirectly, the Standard Contractual Clauses, then the Standard Contractual Clauses will prevail to the extent of the conflict. If the Standard Contractual Clauses are deemed invalid by a governmental entity with jurisdiction over transferred Personal Data (e.g., the EU Court of Justice) or if such governmental entity imposes additional rules and/or restrictions regarding such transferred Personal Data, the Parties agree to work in good faith to find an alternative and/or modified approach with respect to such transferred personal data which is in compliance with applicable laws.

7. Liability and Penalties

This SP-DPA is without prejudice to the rights and obligations of the Parties under the Agreement. The Agreement will continue to have full force and effect, including any limitation and exclusions on liability contained therein, which apply to this SP-DPA as if fully set forth herein. In the event of any conflict between the terms of this SP-DPA and the terms of the Agreement, the terms of this SP-DPA prevail so far as the subject matter concerns the processing of personal data.

Notwithstanding anything to the contrary in this SP-DPA or in the Agreement, neither Party will be responsible for any fines issued or levied under Applicable Data Protection Laws (including Article 83 of the GDPR) against the other Party by a regulatory authority or governmental body in connection with such other Party’s violation of such law.

8. Strategic Partner Obligations, Representations, and Warranties

As part of the Agreement, Authorized Agents, Resellers, Managed Servicers, and API, Data, and Licensing Partners will be accessing, reselling, or otherwise providing access to Oyster’s Platform and Services to or on behalf of End Customers. As a result, such Strategic Partners will be providing Oyster with the Personal Data of non-parties, and/or Oyster will be processing Personal Data for and on behalf of End Customers, in some cases without a direct agreement between Oyster and the End Customer. To ensure that the rights of Data Subjects are properly protected, and to ensure that End Customers are provided with applicable information, Strategic Partner acknowledges and agrees to the following:

(1)    Where End Customer uses an EOR Team Member’s services to process End Customer Third-Party Data and the End Customer has not entered into a separate DPA with Oyster, Strategic Partner is solely responsible for ensuring that End Customer acknowledges and agrees in writing that:

(a)    such EOR Team Members are granted the limited authority described in Section 2.2 of this SP-DPA;

(b)    as set forth in Section 2.3(c)(6) of this SP-DPA, Oyster is not acting as a Processor of such data under Applicable Data Protection Laws with respect to End Customer Third-Party Data; and

(c)    In accordance with Section 2.4(4) of this SP-DPA, End Customer, acting as a Controller for End Customer Third-Party Data, will ensure that its instructions to EOR Team Members comply with Applicable Data Protection Laws and that such instructions will not cause EOR Team Members to violate Applicable Data Protection Laws. End Customer must also acknowledge that because Oyster has no direct role in processing End Customer Third-Party Data, Oyster has no obligation (and no means by which) to notify End Customer if any instructions violate Applicable Data Protection Laws.

(d)    Oyster’s disclaimer regarding any role in the security of End Customer Third-Party data stored on End Customer’s system, in accordance with Section 4.3 of this SP-DPA.

(2)    For all engagements where Oyster will collect or process Personal Data and the End Customer has not entered into a separate DPA with Oyster, Strategic Partner is solely responsible for ensuring that End Customer acknowledges and agrees to the following:

(a)    The Scope of Oyster’s Processing activities, as set forth in Section 2.1 of this SP-DPA;

(b)    The Parties’ relationship with respect to their respective processing activities, as set forth in Section 2.3 of this SP-DPA;

(c)    The purpose of processing, as set forth in Section 2.4 of this SP-DPA.

(d)    Oyster’s right to engage third-party processors or sub-processors in accordance with Sections 2.5 and 2.6 of this SP-DPA and confirmation that where Oyster acts as a Controller (for example, when processing EOR Team Member data) third-party data processors are not sub-processors;

(e)    The details of processing under the SP-DPA, as set forth in Section 2.7 and Schedule 1 of the SP-DPA.

(f)    The Term of the SP-DPA, along with the relevant implications of any termination, including Oyster’s deletion and retention obligations and each Party’s compliance obligations, in accordance with Section 3 of this SP-DPA.

(g)    How Oyster will secure End Customer-related data, in accordance with Section 4 of this SP-DPA;

(h)    How Oyster will address Personal Data Security Incidents related to End Customer’s data, and Strategic Partner’s role in that process, in accordance with Section 5 of this SP-DPA;

(i)    The cross-border transfer of data as part of Oyster’s services, including but not limited to application of the SCCs, the UK Addendum, and Oyster’s In-Group Processing as set forth in Section 6 of this SP-DPA; 

(j)    Oyster’s limitation of liability with respect to fines caused by End Customer’s violation of Applicable Data Protection Laws as set forth in Section 7 of this SP-DPA; and

(k)    How Oyster may update and provide notice of updates to this SP-DPA and Strategic Partner’s role in providing such updates to End Customer.

(3)    Where a Strategic Partner provides Personal Data to Oyster on behalf of an End Customer, Strategic Partner represents and warrants that it has the right and authority to do so under all Applicable Data Protection Laws.

Strategic Partner agrees to fully indemnify Oyster for any direct, indirect, incidental, consequential or special damages (including lost profits) sustained or incurred by Oyster as a result of Strategic Partner’s failure to obtain the written acknowledgments or the violation of any representation or warranty set forth above. For avoidance of doubt, pursuant to Section 9.1 of the Agreement, the Limitation of Liability included in the Agreement does not apply to this Section 8 of the SP-DPA.

To assist Strategic Partner in meeting these requirements, a proposed End Customer Data Processing Supplement (EC-DPS) is attached hereto as Schedule 7. Strategic Partner may elect not to use the form EC-DPS, provided that the requirements set forth above are met through another written agreement with the End Customer. Regardless of the form used, Strategic Partner must provide Oyster with an executed copy of any such document for each End Customer engaged through Strategic Partner.

9. General

9.1    Notifications

All notices given by Oyster to Strategic Partners under or in connection with this SP-DPA will be sent as set forth in the Agreement, and any notice given by Strategic Partner to Oyster will be sent to privacy@oysterhr.com.

9.2    Updates

Oyster may update the terms of this SP-DPA where the changes (a) are required to comply with Applicable Data Protection Law, applicable regulation, a court order, or guidance issued by a regulator or agency; or (b) do not have a material adverse impact on Strategic Partner’s rights under the SP-DPA. Oyster will provide thirty (30) days’ notice prior to making any material change to the provisions of this SP-DPA. If Strategic Partner objects, Strategic Partner may request that the terms of the then-current SP-DPA continue to control for the remaining term of the Agreement. Oyster may accept or reject Strategic Partner’s request in its sole discretion. If Oyster agrees to Strategic Partner’s request, the Parties must enter a written addendum to that effect. If Oyster rejects Strategic Partner’s request, the Parties may negotiate other terms, or Strategic Partner has the right to terminate the Agreement within thirty (30) days of receiving written notice of Strategic Partner’s rejection.

9.3    Governing Law and Jurisdiction

This SP-DPA is governed by and construed in accordance with the law and the jurisdiction of the country or territory that governs the Agreement, except as otherwise specified in this SP-DPA, including its Schedules, or as required by Applicable Data Protection Law.

9.4    Jurisdiction Specific Terms

To the extent Oyster processes personal data protected by Applicable Data Protection Laws in a jurisdiction listed in Schedule 6, then the terms specified in Schedule 6 (“Jurisdiction Specific Terms”) apply, and in case of any conflict between the Jurisdiction Specific Terms and any term of this SP-DPA, the applicable Jurisdiction Specific Terms will take precedence.

Schedule 1: Details of Processing

A.    Nature and Purpose of Processing. Oyster Processes Personal Data applicable to this SP-DPA on the basis of Contractual Necessity (CN), Legitimate Interest (LI), Legal Obligation (LO), and Vital Interests (VI). The purpose of the Personal Data processing for the following categories of data subjects includes:

1.    EOR Team Members. Oyster will process EOR Team Member Data as a controller to perform the functions of a global employment enablement platform provider. The purpose of such processing may include, but is not necessarily limited to: 

i.    To Provide Our Services, including Account Setup and Creation (Updating the Oyster Platform, Sending Welcome Emails, Collecting Employment-Related Information), Creating and Signing Employment-Related Agreements, Communicating with Employer of Record Partners, Setting up and Processing Payroll, Conducting Right to Work Checks, Conducting Medical and Health and Safety Checks, Enrolling in Benefits, Pension Processing, Processing Time and Travel, Contract Management, and Compliance Checks. (CN)

ii.    For Security Purposes (LI)

iii.    For Customer Support (CN)

iv.    For Research and Development (LI)

v.    For Non-Marketing Communications (CN)

vi.    For Legal Proceedings and Requirements (LO)

vii.    For the Protection of an Individual’s Life (VI)

2.    End Customer Administrators and Authorized Users and Strategic Partner Administrators and Authorized Users. Oyster will process End Customer Data and Strategic Partner Data as a controller to perform the functions of a global employment enablement platform provider, which may include, but are not limited to:

i.    To Provide Our Services, including Account Setup and Creation (CN)

ii.    For Security Purposes (LI)

iii.    For Customer Support (CN)

iv.    For Research and Development (LI)

v.    For Non-Marketing Communications (CN)

vi.    For Legal Proceedings and Requirements (LO)

3.    Payroll Team Members. Oyster will process Payroll Team Member Data as a Processor in accordance with Strategic Partner’s or End Customer’s instructions (as applicable) and as necessary to provide the functions of a global payroll platform. The purpose of such processing may include, but is not necessarily limited to:

i.    To Provide Our Services, including Account Setup and Creation (Updating the Oyster Platform, Sending Welcome Emails, Collecting Employment-Related Information), Setting up and Processing Payroll, Enrolling in Benefits, Pension Processing, Processing Time and Travel, Contract Management, and Compliance Checks. (CN)

ii.    For Security Purposes (LI)

iii.    For Customer Support (CN)

iv.    For Research and Development (LI)

v.    For Non-Marketing Communications (CN)

vi.    For Legal Proceedings and Requirements (LO)

4.    End Customer Employees other than Payroll Team Members. Oyster will process the data of End Customer Employees (Oyster Intelligence Personal Data) as a Processor in accordance with End Customer or Strategic Partner instructions and as necessary to provide the functions of the Oyster Intelligence Services. The purpose of such processing may include, but is not necessarily limited to:

i.    To Provide Our Services, including analytics and benchmarking services and any other Services that may be identified as part of the Oyster Intelligence Services. (CN)

ii.    For Security Purposes (LI)

iii.    For Customer Support (CN)

iv.    For Research and Development (LI)

v.    For Non-Marketing Communications (CN)

vi.    For Legal Proceedings and Requirements (LO)

5.    End Customer’s Customers, Clients, and End Users. As described in Paragraph 2.3(4) of this SP-DPA, because EOR Team Member Processing of End Customer Third-Party Data will take place exclusively on End-Customer-controlled systems, at the direction of the End Customer, and on behalf of the End Customer, Oyster has no role in the Processing of such data.

B.    Duration of Processing. Oyster will process Personal Data for as long as needed to provide the Services. On termination of the Agreement, Oyster may retain personal data: (a) for the purposes outlined in Section A of this Schedule 1; or (b) as required by law. Unless otherwise disclosed and in accordance with Applicable Data Protection Law, Oyster will promptly delete or anonymize Personal Data when no longer required for the purposes set forth herein.

C.    Types of Personal Data. Oyster collects and processes Personal Data contained in EOR Team Member Data, End Customer Data, Payroll Team Member Data, Strategic Partner Data, Oyster Intelligence Personal Data, and End Customer Third-Party Data as described in Paragraph 1(6) of this SP-DPA. For more information on the specific Personal Data collected from each of these data subject types, please refer to the following Privacy Notices:

1.    Oyster Website Privacy Notice - available at: https://legal.oysterhr.com/privacy/privacy-notice

2.    Oyster EOR Team Member and Staff Privacy Notice - available at: https://legal.oysterhr.com/privacy/sctm-privacy

3.    Oyster Payroll Team Member Privacy Notice - available at https://legal.oysterhr.com/privacy/gptm-privacy

D.    Categories of Data Subjects

1.    EOR Team Member Data may concern the following categories of data subjects:

i.    EOR Team Members, as defined in Paragraph 1(12)(a).

2.    End Customer Data may concern the following categories of data subjects:

i.    End Customer’s employees and agents

ii.    End Customer’s authorized users

3.    Payroll Team Member Data may concern the following categories of data subjects:

i.    Payroll Team Members, as defined in Paragraph 1(12)(b).

4.    End Customer Third-Party Data may concern the following categories of data subjects:

i.    Customer’s customers, clients, and end users

5.    Strategic Partner Data

i.    Strategic Partner’s employees and agents

ii.    Strategic Partner’s authorized users

6.    Oyster Intelligence Personal Data may concern the following categories of data subjects:

i.    EOR Team Members

ii.    Payroll Team Members

iii.    End Customer employees other than Payroll Team Members, as defined in Paragraph 1(12)(e)

Schedule 2: Standard Contractual Clauses Decision (EU) 2021/914

Terms Applicable to the EEA SCCs:

1.    Clause 7 – the optional docking clause does not apply;

2.    Clause 9(a) - Clause 9 does not apply to Module 1; Option 2 applies to Module 2 and Module 3, and a list of current sub-processors is included in Schedule 4 of the DPA and is available online at https://legal.oysterhr.com/privacy/subprocessors.

3.    Clause 11(a) – the optional language is not included;

4.    Clause 17 – Option 1 applies to Modules 1, 2, and 3, and the Clauses will be governed by the laws of the Republic of Ireland;

5.    Clause 18 – disputes will be resolved before the courts of the Republic of Ireland;


1.    Module One (Controller to Controller) of the EEA SCCs applies where Strategic Partner and Oyster are independent Controllers. Module One applies to Strategic Partner Data.

2.    Module Three (Processor to Processor) of the EEA SCCs applies where Strategic Partner is a Processor and Oyster is a Processor or a Sub-Processor. Module Three applies to Payroll Team Member Data where Strategic Partner is a Processor.

3.    Module Four (Processor to Controller) of the EEA SCCs applies where Strategic Partner is a Processor and Oyster is a Controller. Module Four applies to EOR Team Member Data and End Customer Data where Strategic Partner is a Processor.

Schedule 2, SCC Annex I: Personal Data

1.    List of Parties

Data Exporter:

Name: The “Strategic Partner,” as defined in the Agreement
Address: The address of the Strategic Partner in the Agreement
Contact Name, Position, and Contact Information: Strategic Partner’s contact name, position, and email address associated with the Agreement.
Activities relevant to the data transferred: Transfer of Personal Data to Oyster for the Services
Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these SCCs, including their annexes, as of the date the Parties entered the Agreement or this SP-DPA, whichever is later.
Role (Controller/Processor): The Data Exporter’s role is as set forth in Section 2.3 (Relationship of the Parties) of this SP-DPA.

Data Importer:

Name: Oyster HR, Inc.
Address: As detailed in the Agreement
Contact Name, Position, and Contact Information: Oyster’s Privacy Team, privacy@oysterhr.com
Activities relevant to the data transferred: Provision of Services under the Agreement
Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these SCCs, including their annexes, as of the date the Parties entered the Agreement or this SP-DPA, whichever is later.
Role (Controller/Processor): The Data Importer’s role is as set forth in Section 2.3 (Relationship of the Parties) of this SP-DPA.

2.    Description of the Transfer

Categories of Data Subjects whose Personal Data is Transferred: As described in Schedule 1 of this SP-DPA
Categories of Personal Data Transferred: As described in Schedule 1 of this SP-DPA
Sensitive Data Transferred (if applicable) and applied restrictions or safeguards: Not Applicable
Frequency of the transfer: Continuous for the duration of the Services
Nature of the Processing: The collection, storage, use, disclosure by transmission, dissemination, erasure, and destruction of data as required to provide the Services or perform under the Agreement.
Purpose(s) of the transfer and further Processing: As described in Schedule 1 of this SP-DPA
Period for which Personal Data will be retained or, if not possible, criteria used to determine that period: On termination or expiry of the Services, Oyster will delete all Personal Data it has processed in connection with the Services unless Oyster is required to retain such data for legal or regulatory purposes.
For transfer to (sub-) processors, also specify the subject matter, nature, and duration: See Schedule 4 of this SP-DPA

3.    Competent Supervisory Authority

Identify the competent supervisory authority/ies in accordance with Clause 13 of the SCCs: Where the EU GDPR applies, the competent authority will be determined in accordance with Clause 13 of the SCCs.

Schedule 2, SCC Annex II: Technical and Organizational Measures

A description of the technical and organizational security measures implemented by the data importer is set forth in Schedule 3 of this SP-DPA. The data importer may update its security document from time to time provided there is no degradation to the security and/or privacy of the Services.

Schedule 3: Oyster’s Technical and Organizational Security Measures

Organization of Information Security

  • Security Ownership: Oyster has an Information Governance Council that is responsible for coordinating and leading the security program, including dedicated corporate, application, and data security personnel. Oyster’s security program is overseen by company leadership.
  • Data Protection Ownership: Oyster has appointed a Data Protection Officer responsible for ensuring data protection compliance. Oyster’s data protection program is overseen by the senior leadership team.
  • Security Roles and Responsibilities: Oyster has a dedicated team of information security professionals. All employees and relevant contractors have confidentiality obligations within contracts of employment.
  • Risk Program Management: Oyster takes a risk-based approach to information security, conducting risk assessments for key company assets.

Asset Management

  • Asset Inventory: Oyster maintains an asset inventory of IT equipment and information processing systems. Use of assets is governed by Oyster’s Acceptable Use Policy.

Human Resource Security

  • Confidentiality, Education, and Awareness Program: Oyster provides custom information security and data protection awareness training to all employees and relevant contractors on a periodic basis. Confidentiality clauses are included in all employee and contractor agreements.

Physical and Environmental Security

  • Physical Access to Facilities: Oyster’s production environment is hosted by ISO 27001 and SOC 2 certified data centers, and as such have stringent controls and extremely limited access.
  • Physical Offices: Oyster has no physical offices.

Operational Security

  • Anti-Malware: Oyster maintains anti-malware controls for endpoints.
  • Data Loss Prevention: Oyster uses mechanisms and dedicated DLP solutions to detect, control, and minimize where personal data is stored and processed. All business and personal data is backed up.
  • Encryption: SSL Encryption is used throughout the Oyster Platform. All data is encrypted in transit and at rest.
  • Network Security: Oyster has no corporate network. All users are provided with VPN access for secure, remote access.

Access Control

  • Access Policy: Oyster maintains an access control policy that requires role-based access for all systems.
  • Principle of Least Privilege: The minimum level of privilege is provided to allow authorized personnel to carry out their duties to avoid excessive privileges.
  • Identity & Access Management: Oyster uses OKTA to centralize, limit, and swiftly manage access for employees and contractors.

Incident Management

  • Incident Detection, Reporting, and Response: Oyster has a defined, repeatable way to respond to incidents according to best practice and uses a dedicated incident management system. Technical and operational measures have been put in place for timely incident detection and reporting.

Third-Party Risk Management

  • Suppliers: Suppliers are reviewed by the security and legal teams, with appropriate measures such as contractual requirements and technical monitoring.
  • Data Sub-Processors: See Schedule 4, below

Schedule 4: Oyster’s Sub-Processor List

Third-Party Sub-Processors

The following third-party sub-processors are used to provide Oyster’s Global Payroll Services. All processing is of a continuous duration.

Sub-Processor | Processing Activity | Privacy Policy
Amazon Web Services, Inc. | Virtual Data Center Services | https://aws.amazon.com/privacy/
*Oyster’s data is stored in Ireland
Baker Tilly Kirk | Payroll Processing for Ireland Payroll Team Members | https://www.bakertillykirk.ie/privacy-statement/
Baker Tilly SAS | Payroll Processing for France Payroll Team Members | https://www.bakertilly.fr/politique-de-protection-des-donnees/
BELL Consulting S.R.O | Payroll Processing for Czech Republic Payroll Team Members | https://www.bellcons.cz/underwood/download/files/souhlas-zou_v1-1_bellcons-cz.pdf
BillyPay BV | Payroll Processing for Belgium Payroll Team Members | https://www.bakertilly.be/en/privacy-statement
Box, Inc. | Bulk Uploading of Payroll Team Member Data for Onboarding | https://www.box.com/legal/privacypolicy
Bright Software Group Ltd. | Payroll Processing for UK Payroll Team Members | https://brightsg.com/en-gb/privacy-notice
Conceito-Consultoria de Gestao, S.A. | Payroll Processing for Portugal Payroll Team Members | https://www.conceito.pt/politicadeprivacidade
Crystal Clear Pte Ltd | Payroll Processing for Singapore Payroll Team Members | https://www.histellar.com/sg/legal/privacy-policy
De Hooge Waerder Beverwijk B.V. | Payroll Processing for Netherlands Payroll Team Members | https://dehoogewaerder.nl/over-ons/privacy-verklaring
ECOVIS Hellas LTD | Payroll Processing for Greece Payroll Team Members | https://www.ecovis.com/global/privacy-notice/
Europartner Brasil Sao Paulo A. E C. EMP. SOC. UNIP. LTDA | Payroll Processing for Brazil Payroll Team Members | https://www.europartner.com.br/privacy-policies/
Google, LLC (G-Suite) | Data Collection, File Storage, and Communication | https://policies.google.com/privacy
HLB M2 Advisory & Business Services sp. Z o.o. | Payroll Processing for Poland Payroll Team Members | https://hlb-poland.global/privacy-policy/
Jet HR, Ltd. | Payroll Processing for Italy Payroll Team Members | https://www.jethr.com/privacy-policy
Leinonen Bulgaria EOOD | Payroll Processing for Bulgaria Payroll Team Members | https://leinonen.eu/privacy-policy/
Leinonen Hungary KFT | Payroll Processing for Hungary Payroll Team Members | https://leinonen.eu/privacy-policy/
Leinonen Suomi Oy | Payroll Processing for Finland Payroll Team Members | https://leinonen.eu/privacy-policy/
Mochizuki Accounting Office | Payroll Processing for Japan Payroll Team Members | https://www.mochizuki-associates.com/
Nexdigm Private Limited | Payroll Processing for India Payroll Team Members | https://www.nexdigm.com/privacy-policy/
Nexia SAB&T | Payroll Processing for South Africa Payroll Team Members | https://www.nexia-sabt.co.za/wp-content/uploads/2020/10/Nexia-SABT-Privacy-Notice.pdf
Payworks, Inc. | Payroll Processing for Canada Payroll Team Members | https://www.payworks.ca/legal/privacy-policy
Rosendahl Treuhand + Steuerberatung | Payroll Processing for Switzerland Payroll Team Members | https://swissgerman.tax/datenschutz/
RPI Roehm International GmbH | Payroll Processing for Germany Payroll Team Members | https://www.rpi-roehm.com/datenschutz/
Sage Despachos | Payroll Processing for Spanish Payroll Team Members | https://www.sage.com/en-us/legal/privacy-and-cookies/
Slack Technologies, LLC | Internal Communications | https://slack.com/trust/privacy/privacy-policy
Snowflake, Inc. | Data Analysis | https://snowflake.com/privacy-policy/
Unija Smart Accounting d.o.o. Sarajevo | Payroll Processing for Bosnia and Herzegovina Payroll Team Members | https://unija.com/sr/privacy-policy/
Unija Smart Accounting d.o.o. Beograd | Payroll Processing for Serbia Payroll Team Members | https://unija.com/sr/privacy-policy/
Zendesk, Inc. | Helpdesk Ticketing | https://www.zendesk.com/company/customers-partners/privacy-policy/

Schedule 5: UK International Data Transfer Addendum

Standard Data Protection International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018

VERSION B1.0, in force 21 March 2022

PART 1: TABLES

Table 1: Parties

Start Date: As set forth in the Agreement that incorporates these SCCs by reference or as set forth in the SP-DPA, whichever is later.

The Parties: Exporter

Parties’ Details:
  • Full Legal Name: The company defined as “Strategic Partner” that is a party to the Agreement.
  • Trading Name (if different):
  • Main Address: The address of the Strategic Partner as provided in the Agreement or order form.
  • Official Registration Number (if any):
Key Contact:
  • Full name (optional):
  • Job Title (optional):
  • Contact Details (including email): Strategic Partner’s contact name, position, and email address associated with the Agreement.
Signature (if required for the purpose of Section 2): By entering into the order form or the Agreement, the Parties are deemed to have signed this UK International Data Transfer Addendum.

The Parties: Importer

Parties’ Details:
  • Full Legal Name: Oyster HR, Inc.
  • Trading Name (if different):
  • Main Address: The Oyster HR entity address specified in the Agreement or order form.
  • Official Registration Number (if any):
Key Contact:
  • Full name (optional):
  • Job Title (optional):
  • Contact Details (including email): Oyster Trust Team, privacy@oysterhr.com
Signature (if required for the purpose of Section 2): By entering into the order form or the Agreement, the Parties are deemed to have signed this UK International Data Transfer Addendum.

Table 2: Selected SCCs, Modules, and Selected Clauses

Addendum EU SCCs: The version of the Approved EU SCCs that this Addendum is appended to, detailed below, including the Appendix Information:

Date: as provided in Table 1, above:

Module | Module in Operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorization or General Authorization) | Clause 9a (Time Period)
1 | Yes | Does not apply | Optional language does not apply | |
2 | No | N/A | N/A | N/A | N/A
3 | Yes | Does not apply | Optional language does not apply | Option 2 applies – general authorization | At least thirty days’ prior to such change, where commercially feasible. In any event, no less than 10 days.
4 | Yes | Does not apply | Optional language does not apply | |

Table 3: Appendix Information

“Appendix Information” means the information that must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

  • Annex 1A: List of Parties: as set forth in Annex I.A of Schedule 2 of this SP-DPA.
  • Annex 1B: Description of Transfer: as set forth in Annex I.B of Schedule 2 of this SP-DPA.
  • Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: as set forth in Annex II of Schedule 2 of this SP-DPA.
  • Annex III: List of Sub processors (Module 3 only): as set forth in Schedule 4 of this SP-DPA.

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum Changes | Which of the Parties may end this Addendum as set out in Section 19: Importer and Exporter

PART 2: MANDATORY CLAUSES

Mandatory Clauses:

Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.


Schedule 6: Jurisdiction-Specific Terms

Australia:

  • The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles (APPs) and the Australian Privacy Act (1988).
  • The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
  • The definition of “Sensitive Personal Data” includes “Sensitive Information” as defined under Applicable Data Protection Law.

Brazil:

  • The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD).
  • The definition of “processor” includes “operator” as defined under Applicable Data Protection Law.
  • The definition of “Security Incident” includes a security incident that may result in any relevant risk or damage to the data subjects.

California:

  • The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (CCPA).
  • The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
  • The definition of “Data Subject” includes “Consumer” as defined under Applicable Data Protection Law. Any Data Subject Rights apply to Consumer rights. Regarding Data Subject Access Requests, the Parties acknowledge that Oyster can only verify a request from a Team Member or a Customer administrator or authorized users. Oyster cannot verify a request from a Customer’s customer, client, end user, or any other third party.
  • The definition of “Controller” includes “Business” as defined under Applicable Data Protection Law.
  • The definition of “Processor” includes “Service Provider” as defined under Applicable Data Protection Law.
  • Oyster will process, retain, use, and disclose Personal Data only as necessary to provide the Services under the Agreement, which constitutes a business purpose. Oyster agrees not to sell Team Member Data, Customer Data, or Customer Third-Party Data; retain, use, or disclose such data for any commercial purpose other than providing the Services; or retain, use, or disclose such data outside of the scope of the Agreement. Oyster understands its obligations under the Applicable Data Protection Law and will comply with them.
  • Oyster certifies that its Processors, if any, are Service Providers under Applicable Data Protection Law, with whom Oyster has entered into a written contract that includes terms substantially similar to this SP-DPA. Oyster conducts appropriate due diligence on its Processors.
  • Oyster will implement and maintain the reasonable security procedures and practices appropriate to the nature of the Personal Data it processes as set forth in this SP-DPA.

Canada:

  • The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).
  • Oyster’s Processors, as described in this SP-DPA, are third parties under Applicable Data Protection Law, with whom Oyster has entered into a written contract that includes terms substantially similar to this SP-DPA. Oyster has conducted appropriate due diligence on its Processors.
  • Oyster will implement technical and organizational measures as set forth in this SP-DPA.

European Union:

  • The definition of “Applicable Data Protection Law” includes the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”).

Israel:

  • The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).
  • The definition of “Controller” includes “Database Owner” as defined under Applicable Data Protection Law.
  • The definition of “Processor” includes “Holder” as defined under Applicable Data Protection Law.
  • Oyster will require that any personnel authorized to process Personal Data under this SP-DPA comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with Oyster in accordance with this SP-DPA.
  • Oyster must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in this SP-DPA and complying with the terms of the Agreement.
  • Oyster must ensure that the Personal Data will not be transferred to a Sub-processor unless such Sub-processor has executed an agreement with Oyster pursuant to this SP-DPA.

Japan:

  • The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).
  • The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
  • The definition of “Controller” includes “Business Operator” as defined under Applicable Data Protection Law. As a Business Operator, Oyster is responsible for the handling of Personal Data in its possession.

Singapore:

  • The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).
  • Oyster will process Personal Data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in this SP-DPA and complying with the terms of the Agreement.

United Kingdom:

  • The definition of “Applicable Data Protection Law” includes the Data Protection Act 2018.
  • References in this SP-DPA to GDPR will be deemed to be references to the corresponding laws of the United Kingdom, e.g., UK GDPR and Data Protection Act 2018.

 


Schedule 7: End Customer Data Protection Supplement (Template)

The following End-Customer Data Protection Supplement sets forth the terms to which the Strategic Partner must bind each End Customer as part of their relationship, unless such End Customer will enter into a separate Data Processing Addendum directly with Oyster. Strategic Partner must provide Oyster with an executed copy of any such EC-DPS (or its equivalent). This EC-DPS is not intended to replace or otherwise address any Data Protection Agreement that may be in place (or may be required) between Strategic Partner and each End Customer. This EC-DPS is provided as a sample and is intended only to meet the contractual requirements set forth in Section 8 of the SP-DPA. Strategic Partner should consult its own counsel before entering into any agreement with the End Customer.

End Customer Data Protection Supplement

This End Customer Data Processing Addendum (“EC-DPS”) forms part of the Agreement between [Strategic Partner], (“Strategic Partner,” as further defined herein) and [End Customer] (“End Customer,” as further defined herein). Strategic Partner and End Customer are collectively referred to as the “Parties,” or individually as a “Party.”

This EC-DPS sets forth the Parties’ agreement and understanding regarding the collection and processing of Personal Data by Oyster HR, Inc. (“Oyster”) and is intended to comply with the requirements of current legal frameworks and Applicable Data Protection Laws and to ensure that the End Customer understands and acknowledges Strategic Partner’s obligations and End Customer’s obligations with regard to the collection and processing of End Customer or Team Member Data (as defined herein).

 

1. Definitions

All capitalized terms used but not otherwise defined in this SP-DPA have the meaning defined in the Platform Terms and the Agreement. The following definitions and rules of interpretation below apply to this SP-DPA:

(1)    Applicable Data Protection Laws means all data protection laws and regulations applicable to Oyster’s or Strategic Partner’s processing of personal data under the OSP Agreement, including but not limited to the following: EU GDPR, UK GDPR, US California CCPA/CPRA, Brazil LGPD, Dubai PDPA, South Africa POPIA, Thailand PDPA, US Colorado CPA, US Connecticut DPA, and the US Virginia CDPA.

(2)    Controller means the entity that determines the purpose and means of the Processing of Personal Data. For purposes of this EC-DPS, the term Controller includes its meaning under Applicable Data Protection Laws and its reasonable equivalent(s), including but not limited to a “Business” as defined by the California Consumer Privacy Act.

(3)    Data Subject means the individual to whom Personal Data relates.

(4)    Data Types means the types of Personal Data addressed by this EC-DPS. For purposes of this EC-DPS, the following data types have the following meanings:

(a)    End Customer Data means Personal Data that relates to End Customer’s use of the Oyster Platform and Services. End Customer Data may include: (a) account information, such as the names, email addresses, and phone numbers of individuals authorized by End Customer to access the End Customer’s account on the Oyster Platform and/or use the Services (e.g., End Customer administrators); and (b) information regarding an End Customer’s usage of the Oyster Platform, such as payment transactions and connection data (e.g., IP address, location, and logs). For more information on Oyster’s collection and processing of End Customer Data (referred to as Customers), please see Oyster’s Website Privacy Notice, available at https://legal.oysterhr.com/privacy/privacy-notice;

(b)    End Customer Third-Party Data means Personal Data processed on End Customer’s systems by Team Members as part of End Customer’s use of Oyster’s Services (e.g., names, phone numbers, or contact information of Customer’s clients).

(c)    EOR Team Member Data means the Personal Data of EOR Team Members engaged through the Oyster Platform on behalf of an End Customer. EOR Team Member Data includes Personal Data commonly collected for employment purposes, including but not necessarily limited to contact information, identity documents, payroll, and benefits information. For more information on Oyster’s collection and processing of EOR Team Member Data, please see Oyster’s EOR Team Member Privacy Notice, available at https://legal.oysterhr.com/privacy/sctm-privacy.

(d)    Payroll Team Member Data means the Personal Data of Payroll Team Members engaged through the Oyster Platform on behalf of an End Customer. Payroll Team Member Data includes Personal Data commonly collected for payroll purposes, including but not necessarily limited to contact information, payroll, and benefits information. For more information on Oyster’s collection and processing of Payroll Team Member Data, please see Oyster’s Payroll Team Member Privacy Notice, available at https://legal.oysterhr.com/privacy/gptm-privacy.

(e)    Oyster Intelligence Personal Data means the Personal Data of EOR Team Members, Payroll Team Members, and other individuals employed by Oyster Customers that may be provided to Oyster as part of Oyster Intelligence Services. Oyster Intelligence Personal Data includes but is not necessarily limited to Personal Data collected for analytics and benchmarking purposes that may be needed to provide the Oyster Intelligence Services (as defined in the Oyster Intelligence Services Terms of Use). For more information on Oyster’s collection and processing of Oyster Intelligence Personal Data, please see our Website Visitor Privacy Notice, available at https://legal.oysterhr.com/privacy/privacy-notice.

(5)    End Customer means the final user of Oyster’s services as a party to an agreement with Strategic Partner.

(6)    Oyster means Oyster HR, Inc., a Delaware public benefit corporation.

(7)    Oyster Strategic Partner (OSP) Agreement means the agreement between Oyster and the Strategic Partner that sets forth the commercial terms of the relationship between Oyster and the Strategic Partner.

(8)    Personal Data means any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For purposes of this EC-DPS, the term Personal Data includes its meaning under Applicable Data Protection Laws and its reasonable equivalent(s), including but not limited to “personal information” as defined by the California Consumer Privacy Act.

(9)    Personal Data Security Incident means the actual (or reasonably suspected) accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by Oyster.

(10)    Process (and Processing) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data.

(11)    Processor means a natural or legal person, public authority, agency, or other body that Processes Personal Data on behalf of a Controller.

(12)    Standard Contractual Clauses (“SCCs”) means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914/, as may be amended, superseded, or replaced.

(13)    Strategic Partner means the entity that has entered into the OSP Agreement with Oyster for the distribution, sale, or enhancement of Oyster’s offerings. Strategic Partner may also be referred to as an Authorized Agent, Mutual Referral Partner, Reseller, a Managed Servicer, or an API, Data and Licensing Referral Partner.

(14)    Team Member(s) means an individual engaged by or on behalf of End Customers through the Oyster Platform, including but not necessarily limited to:

(a)    Employer-of-Record (EOR) Team Members: Oyster employees (or employees of an Oyster Third-Party EOR) who provide services to End Customers through the Oyster Platform.

(b)    Payroll Team Members: Employees of End Customers to whom payments are made, or directed to be made, by the End Customer through the Oyster Platform.

(15)    Third-Party EOR means a local employer of record (other than an Oyster Subsidiary) through which Oyster EOR Team Members may be employed.

(16)    UK Addendum means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 currently found at https://ico.org.uk/media/fororganisations/documents/4019539/international-data-transfer-addendum.pdf, as may be amended, superseded, or replaced.

 

2. Scope, Team Member Authorization, and Relationship of the Parties

2.1    Scope of Processing

As part of End Customer’s use of Oyster services, the performance of the services may include the collection and Processing of the Data Types set forth above. Such Processing may include:

(1)    Oyster’s Processing of EOR Team Member Data for employment purposes (applies where Oyster provides Employer-of-Record services to an End Customer directly or through a Strategic Partner);

(2)    Oyster’s Processing of Payroll Team Member Data for payroll purposes (applies where Oyster provides Global Payroll services to an End Customer directly or through a Strategic Partner);

(3)    Oyster’s Processing of End Customer Data (applies where an End Customer has set up any type of account on the Oyster Platform);

(4)    End Customer’s use of Team Member consultancy services for the Processing of End Customer Third-Party Data (applies whenever an End Customer uses a Team Member’s services to process Customer Third-Party Data); and

(5)    Oyster’s Processing of Oyster Intelligence Personal Data for purposes of providing the Oyster Intelligence Services.

2.2    EOR Team Member Processing Authority

Notwithstanding anything to the contrary, End Customer acknowledges and agrees that EOR Team Members assigned to End Customer are hereby granted the limited authority to act on behalf of the End Customer for the sole and exclusive purpose of Processing End Customer Third-Party Data under this EC-DPS and the OSP Agreement.

2.3    Relationship of the Parties

Due to the nature of the relationships between Oyster, Strategic Partner, and End Customer, their respective roles relative to certain Data Types may change depending on whether Oyster has direct interaction with (and receives processing instructions from) the End Customer.

2.3a - When Oyster receives data and/or processing instructions from the End Customer 

(1)    EOR Team Member Data: With respect to EOR Team Member Data, for all purposes under Applicable Data Protection Laws:

(a)    Oyster is an independent Controller;

(b)    End Customer is an independent Controller; and

(c)    Strategic Partner has no role in the processing of such data.

Nothing in this EC-DPS is intended to construe Oyster or the End Customer as a Processor of the other Party or as joint data controllers with the other with respect to EOR Team Member Data.

(2)    End Customer Data: With respect to End Customer Data, for all purposes under Applicable Data Protection Laws:

(a)    Oyster is an independent Controller;

(b)    End Customer is an independent Controller; and

(c)    Strategic Partner has no role in the processing of such data.

Nothing in this EC-DPS is intended to construe Oyster or the End Customer as the Processor of the other Party or as joint data controllers with the other with respect to End Customer Data.

(3)    Payroll Team Member Data and Oyster Intelligence Personal Data: The Parties agree that with respect to Payroll Team Member Data and Oyster Intelligence Personal Data:

(a)    End Customer is a Controller;

(b)    Oyster is a Processor acting on behalf of the End Customer; and

(c)    Strategic Partner has no role in the processing of such data.

2.3b - When Oyster receives data and/or processing instructions from the Strategic Partner

(1)    EOR Team Member Data: With respect to EOR Team Member Data, for all purposes under Applicable Data Protection Laws:

(a)    Oyster is an independent Controller;

(b)    End Customer is an independent Controller; and

(c)    Strategic Partner is a Data Processor acting on behalf of each End Customer.

Nothing in this EC-DPS is intended to construe Oyster or the End Customer as a Processor or as joint data controllers with the other with respect to EOR Team Member Data.

(2)    End Customer Data: With respect to End Customer Data, for all purposes under Applicable Data Protection Laws:

(a)    Oyster is an independent Controller;

(b)    End Customer is an independent Controller; and

(c)    Strategic Partner is a Data Processor acting on behalf of each End Customer.

Nothing in this EC-DPS is intended to construe Oyster or the End Customer as a Processor or as joint data controllers with the other with respect to End Customer Data.

(3)    Payroll Team Member Data and Oyster Intelligence Personal Data: With respect to Payroll Team Member Data and Oyster Intelligence Personal Data:

(a)    End Customer is a Controller;

(b)    Strategic Partner is a Processor acting on behalf of each End Customer; and

(c)    Oyster is a Sub-Processor acting at the direction of the Strategic Partner.

2.3c - In all cases.

(4)    End Customer Third-Party Data: With respect to End Customer Third-Party Data, for all purposes under Applicable Data Protection Laws, End Customer may act either as a Controller or a Processor.

(5)    EOR Team Member Processing Activities: End Customer acknowledges and agrees that because EOR Team Member Processing of End Customer Third-Party Data will take place exclusively on End Customer-controlled systems, at the direction of the End Customer, and on behalf of the End Customer (pursuant to the authorization provided in Paragraph 2.2, above), Oyster has no role in the Processing of such data. For avoidance of doubt, the End Customer acknowledges and agrees that Oyster is not acting as a Processor under Applicable Data Protection Laws with respect to End Customer Third-Party Data.

2.4    Purpose Limitations and Instructions for Processing

End Customer acknowledges and agrees that:

(1)    EOR Team Member Data: Oyster will collect and process Team Member Data as a Controller in accordance with Applicable Data Protection Laws, Oyster’s Privacy Notice for Team Members and Staff (available at https://legal.oysterhr.com/privacy/sctm-privacy), and for the purposes set out in the OSP Agreement.

(2)    End Customer Data: Oyster will process End Customer Data as a Controller in accordance with Applicable Data Protection Laws, Oyster’s Website Privacy Notice (available at https://legal.oysterhr.com/privacy/privacy-notice), and for the purposes set out in the OSP Agreement.

(3)    Payroll Team Member Data and Oyster Intelligence Personal Data: Oyster will process Payroll Team Member Data and Oyster Intelligence Personal Data as a Processor (or Sub-Processor) in accordance with Applicable Data Protection Laws, Oyster’s Payroll Team Member Privacy Notice (available at https://legal.oysterhr.com/privacy/gptm-privacy), Oyster’s Website Privacy Notice (available at https://legal.oysterhr.com/privacy/privacy-notice), and for the purposes set out in the OSP Agreement.

(4)    End Customer Third-Party Data

EOR Team Members engaged by Oyster will process End Customer Third-Party Data under the authority granted in Section 2.2 of this EC-DPS on behalf of the End Customer and in accordance with the End Customer’s instructions.

However, where applicable and with respect to End Customer Third-Party Data, Oyster will: 

(a)    comply with its obligations under Applicable Data Protection Laws and will not knowingly act in a manner that will, or is likely to, result in End Customer violating End Customer’s obligations under Applicable Data Protection Laws;

(b)    keep and maintain (and cause its employees and subcontractors to keep and maintain) such data in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use, or disclosure;

(c)    not use, sell, rent, transfer, distribute, or otherwise disclose or make available any such data for Oyster’s own purposes or for the benefit of anyone other than End Customer, without End Customer’s prior written consent;

(d)    not disclose any such data to any third party without End Customer’s prior written consent; or

(e)    not combine any such data with personal data that Oyster receives from, or on behalf of, other persons or collects other than in connection with the provision of services.

2.5    Third-Party Processors

End Customer acknowledges and agrees that when acting as a Controller, Oyster may engage third-party processors in connection with the provision of the Services. 

For the avoidance of doubt, where Oyster acts as a Controller (for example, when processing EOR Team Member data), such third-party data processors are not sub-processors.

2.6    Sub-Processors

End Customer acknowledges and agrees that Oyster may engage sub-processors to Process Personal Data in connection with the provision of the Services. Oyster has currently appointed, as sub-processors, the Oyster Affiliates and third parties listed online at: https://legal.oysterhr.com/privacy/subprocessors. Oyster has agreed to notify Strategic Partner of any changes to sub-processors and will give Strategic Partner the opportunity to object to the engagement of a new sub-processor on reasonable grounds relating to the protection of Personal Data within 30 days of such notice. Strategic Partner is solely responsible for providing notice of any change in subprocessors to End Customer and for objecting to any such changes.

2.7    Processing Information

Appendix 1 of this EC-DPS details the duration of processing, the nature and purpose of processing, the type of Personal Data and the categories of Data Subjects processed by Oyster.

2.8    Data Subject Access Requests

(1)    EOR Team Member Data and End Customer Data: With respect to EOR Team Member Data and End Customer Data, as independent Controllers, Oyster and End Customer are each independently obligated to respond to requests from Data Subjects that wish to exercise their rights under Applicable Data Protection Laws. Oyster will respond to any such requests directed to it and, where Oyster deems appropriate, will notify Strategic Partner of such requests.

(2)    Payroll Team Member Data and Oyster Intelligence Personal Data: With respect to Payroll Team Member Data and Oyster Intelligence Personal Data, as a Processor, if a Data Subject submits a Data Subject Access Request directly to Oyster, Oyster will promptly inform the Strategic Partner and will advise the Data Subject to submit their request to the Strategic Partner.

End Customer and Strategic Partner are solely responsible for responding substantively to any such Data Subject Access Requests or communications involving Payroll Team Member Data. If End Customer or Strategic Partner is unable to independently address such a Data Subject Request, Oyster will provide reasonable assistance in doing so.

(3)    End Customer Third-Party Data: As set forth in Sections 2.3c(4), (5) and 2.4(4) of this EC-DPS, Oyster has no access to or control over any End Customer Third-Party Data. If, however, Oyster becomes aware of a data subject access request related to End Customer Third-Party Data, Oyster has agreed to: (i) notify the Strategic Partner promptly but not later than forty-eight (48) after receiving such a request; (ii) provide the Strategic Partner with reasonable cooperation and assistance in relation to any request made by the data subject to have access to that person’s personal data; and (iii) not disclose the personal data to any data subject or to a third party other than at the request of the Strategic Partner.

 

3. Term, Termination, and Ongoing Obligations

3.1    Term and Termination

This EC-DPS is effective so long as Oyster provides services to (or for the benefit of) End Customer.

3.2    Premature Termination

Strategic Partner and End Customer acknowledge that the termination of this EC-DPS, at any time or for any reason, does not exempt them from their obligations under Applicable Data Protection Laws relating to the collection, processing, or use of Personal Data.

3.3    Deletion of Personal Data on Termination

Oyster has agreed that with respect to End Customer Data that Oyster may collect as part of its provision of services, Oyster will delete all such data in accordance with its applicable data retention policies. If Oyster receives a request to delete data at an earlier time, it will use commercially reasonable efforts to comply with the request, subject to any legal obligation that Oyster may have to retain any such End Customer Data.

3.4    Ongoing Compliance

Oyster has agreed to ensure that (a) it has and will continue to comply with Applicable Data Protection Laws in its provision of its services; and (b) Team Members are provided with adequate notice of Oyster’s processing activities for which Oyster acts as a controller.

End Customer acknowledges and agrees to ensure that (a) it has and will continue to comply with Applicable Data Protection Laws; and (b) it has, and will continue to have, the right to transfer, or provide access to, Team Member Data, End Customer Data, Oyster Intelligence Personal Data, and End Customer Third-Party Data to Oyster, where applicable.

 

4. Security of Personal Data

4.1    Technical and Organizational Measures

Oyster and Strategic Partner have agreed, and End Customer hereby agrees, to take suitable technical and organizational measures appropriate to the risk to ensure protection of the security, confidentiality, and integrity of Personal Data they each Process. The technical and organizational measures are subject to the current state of technology and technical progress. The technical and organizational measures carried out by Oyster are set forth in Schedule 3 of the Strategic Partner Data Processing Addendum between Oyster and Strategic Partner. In this regard, Strategic Partner and End Customer are permitted to implement adequate alternative measures, provided that these measures may not provide a lower level of security to Personal Data transferred hereunder than the stipulated measures in Schedule 3 of the Strategic Partner Data Processing Addendum between Oyster and Strategic Partner.

4.2    Employee Access

Oyster has agreed to ensure that only such of its employees who may be required by it to provide the services to End Customers, to perform under the OSP Agreement, or to assist Oyster in meeting its data-protection obligations will have access to Personal Data. Oyster has also agreed to ensure that such employees are contractually obligated to comply with Oyster’s information security policies.

4.3    Security of End Customer Third-Party Data

As set forth in Sections 2.3c(4) and 2.4(4) of this EC-DPS, Oyster has no access to or control over any End Customer Third-Party Data. Oyster has agreed, however, to ensure that EOR Team Members assigned to Customer are contractually obligated to comply with End Customer’s policies, including all information security policies, through the execution of a Remote Work Schedule that includes such an obligation and will inform Strategic Partner in writing of any non-compliance of which it becomes aware. Additionally, Oyster has agreed to, at Strategic Partner’s request, (a) provide copies of Oyster’s information security policies (subject to execution of a non-disclosure agreement), (b) take all reasonable measures to cause any EOR Team Members placed with an End Customer to assist the End Customer with investigations related to information-security or data-protection matters; and (c) reasonably assist End Customer with any such investigations where commercially reasonable.

 

5. Personal Data Security Incidents

5.1    EOR Team Member Data, Payroll Team Member Data, and End Customer Data

Upon confirmation that a Personal Data Security Incident has occurred related to any Personal Data related to Team Member, End Customer, or End Customer Third-Party Data, Oyster has agreed to investigate the incident in accordance with its Incident Response Policy and:

(a)    Where Oyster is a Controller, to the extent permitted (or required) by applicable law, notify Strategic Partner and any affected EOR Team Members without undue delay;

(b)    Where Oyster is a Processor, to the extent permitted (or required) by applicable law, notify Strategic Partner without undue delay;

(c)    Promptly provide Strategic Partner with all relevant information in its possession as reasonably required under Applicable Data Protection Law, to comply with any reporting obligations of a relevant regulatory authority concerning such incident; and 

(d)    To the extent such Personal Data Security Incident is caused by Oyster’s violations of its data-protection obligations, take such reasonable remedial steps to address the incident and prevent any further incidents.

5.2    Notification to Supervisory Authority

If End Customer determines that a Personal Data Security Incident must be notified to any supervisory authority and/or data subjects and/or the public or portions of the public pursuant to the Applicable Data Protection Law, End Customer must notify Strategic Partner, and Strategic Partner will, to the extent commercially feasible, notify Oyster before the communication is made (and where not commercially feasible, as soon as is commercially feasible after such communication is made) and supply Oyster with copies of any written documentation to be filed with the supervisory authority and of any notification End Customer proposes to make (whether to any supervisory authority, data subjects, the public or portions of the public) which directly or indirectly references Oyster, its security measures and/or role in the Personal Data Security Incident, whether or not by name. Subject to End Customer’s compliance with any mandatory notification deadlines under Applicable Data Protection Law, End Customer will consult with Strategic Partner and Oyster in good faith and take account of any clarifications or corrections Oyster reasonably requests to such notifications and that are consistent with Applicable Data Protection Law.

 

6. International (Cross-Border) Data Transfers

6.1    Transfers from the EEA, UK, or Switzerland

The European Commission has determined that certain countries outside of the European Economic Area (EEA) adequately protect personal information, which means that data can be transferred from the EU (and from Norway, Liechtenstein, and Iceland) to those countries. The UK and Switzerland have adopted similar adequacy mechanisms. The European Commission, UK, and Swiss adequacy decisions can be found here:

To the extent any personal data is transferred from the EEA, UK, or Switzerland to any country that has not been deemed adequate, Oyster and Strategic Partner have entered into a Strategic Partner Data Processing Addendum as part of the OSP Agreement that incorporates by reference the Standard Contractual Clauses and the UK Addendum. A copy of Oyster’s Standard Contractual Clauses and UK Addendum with Strategic Partners is available on request.

If Oyster obtains certification under the EU-U.S. and/or Swiss-U.S. Data Privacy Framework(s) and/or the UK Extension to the EU-U.S. DPF at any time after the effective date of the OSP Agreement, Oyster’s adherence to the DPF Principles will immediately supersede the application of the SCCs unless and until such time as adherence to the DPF Principles is found by a court of competent jurisdiction to be inadequate.

6.2    Oyster In-Group Processing

Information stored on the Oyster Platform is stored in Ireland. End Customer acknowledges, however, that due to the nature of Oyster’s Services, and because Oyster is a globally distributed organization with Oyster Staff seated in more than 30 countries, Personal Data may be stored or processed on a limited basis in any country in which an Oyster Staff Member is located, including but not necessarily limited to the following countries:

    • Armenia
    • Austria
    • Brazil
    • Canada
    • Chile
    • Costa Rica
    • Czech Republic
    • France
    • Ghana
    • Greece
    • Honduras
    • Hungary
    • India
    • Ireland
    • Italy
    • Kenya
    • Latvia
    • Lithuania
    • Mexico
    • Netherlands
    • Nigeria
    • Norway
    • Philippines
    • Portugal
    • Romania
    • Serbia
    • Singapore
    • Spain
    • Switzerland
    • United Arab Emirates
    • United Kingdom
    • United States

 

6.3    Conflicts and Invalidity

If any provision of the OSP Agreement contradicts, directly or indirectly, the Standard Contractual Clauses, then the Standard Contractual Clauses will prevail to the extent of the conflict. If the Standard Contractual Clauses are deemed invalid by a governmental entity with jurisdiction over transferred Personal Data (e.g., the EU Court of Justice) or if such governmental entity imposes additional rules and/or restrictions regarding such transferred Personal Data, Oyster and Strategic Partner have agreed to work in good faith to find an alternative and/or modified approach with respect to such transferred personal data which is in compliance with applicable laws. The relevant details of any such agreement will be provided to End Customer as an addendum to this Section 6 of this EC-DPS.

 

7. Liability and Penalties

Notwithstanding anything to the contrary in this EC-DPS, End Customer agrees that Oyster is not responsible for any fines issued or levied under Applicable Data Protection Laws (including Article 83 of the GDPR) against it by a regulatory authority or governmental body in connection with End Customer’s violation of such law.

 

8. Strategic Partner Obligations, Representations, and Warranties

8.1    Updates

Oyster may update its data protection terms where the changes (a) are required to comply with Applicable Data Protection Law, applicable regulation, a court order, or guidance issued by a regulator or agency; or (b) do not have a material adverse impact on Strategic Partner’s or End Customer’s rights. Oyster has agreed to provide Strategic Partner with thirty (30) days’ notice prior to making any material change to the provisions of the Strategic Partner Data Processing Addendum between Oyster and Strategic Partner. Strategic Partner is solely responsible for providing notice of any such changes to End Customer and for objecting to any such changes.

 

Appendix 1 to EC-DPS: Details of Processing

 

A.    Nature and Purpose of Processing. Oyster Processes Personal Data applicable to this EC-DPS on the basis of Contractual Necessity (CN), Legitimate Interest (LI), Legal Obligation (LO), and Vital Interests (VI). The purpose of the Personal Data processing for the following categories of data subjects includes:

1.    EOR Team Members. Oyster will process EOR Team Member Data as a controller to perform the functions of a global employment enablement platform provider. The purpose of such processing may include, but is not necessarily limited to: 

i.    To Provide Our Services, including Account Setup and Creation (Updating the Oyster Platform, Sending Welcome Emails, Collecting Employment-Related Information), Creating and Signing Employment-Related Agreements, Communicating with Employer of Record Partners, Setting up and Processing Payroll, Conducting Right to Work Checks, Conducting Medical and Health and Safety Checks, Enrolling in Benefits, Pension Processing, Processing Time and Travel, Contract Management, and Compliance Checks. (CN)

ii.    For Security Purposes (LI)

iii.    For Customer Support (CN)

iv.    For Research and Development (LI)

v.    For Non-Marketing Communications (CN)

vi.    For Legal Proceedings and Requirements (LO)

vii.    For the Protection of an Individual’s Life (VI)

 

2.    End Customer Administrators and Authorized Users. Oyster will process End Customer Data as a controller to perform the functions of a global employment enablement platform provider, which may include, but are not limited to:

i.    To Provide Our Services, including Account Setup and Creation (CN)

ii.    For Security Purposes (LI)

iii.    For Customer Support (CN)

iv.    For Research and Development (LI)

v.    For Non-Marketing Communications (CN)

vi.    For Legal Proceedings and Requirements (LO)

 

3.    Payroll Team Members. Oyster will process Payroll Team Member Data as a Processor in accordance with Strategic Partner’s or End Customer’s instructions (as applicable) and as necessary to provide the functions of a global payroll platform. The purpose of such processing may include, but is not necessarily limited to:

i.    To Provide Our Services, including Account Setup and Creation (Updating the Oyster Platform, Sending Welcome Emails, Collecting Employment-Related Information), Setting up and Processing Payroll, Enrolling in Benefits, Pension Processing, Processing Time and Travel, Contract Management, and Compliance Checks. (CN)

ii.    For Security Purposes (LI)

iii.    For Customer Support (CN)

iv.    For Research and Development (LI)

v.    For Non-Marketing Communications (CN)

vi.    For Legal Proceedings and Requirements (LO)

 

4.    End Customer Employees other than Payroll Team Members. Oyster will process the data of End Customer Employees (Oyster Intelligence Personal Data) as a Processor in accordance with End Customer or Strategic Partner instructions and as necessary to provide the functions of the Oyster Intelligence Services. The purpose of such processing may include, but is not necessarily limited to:

i.    To Provide Our Services, including analytics and benchmarking services and any other Services that may be identified as part of the Oyster Intelligence Services. (CN)

ii.    For Security Purposes (LI)

iii.    For Customer Support (CN)

iv.    For Research and Development (LI)

v.    For Non-Marketing Communications (CN)

vi.    For Legal Proceedings and Requirements (LO)

 

5.    End Customer’s Customers, Clients, and End Users. As described in Paragraph 2.3c(4) of this EC-DPS, because EOR Team Member Processing of End Customer Third-Party Data will take place exclusively on End-Customer-controlled systems, at the direction of the End Customer, and on behalf of the End Customer, Oyster has no role in the Processing of such data.

 

B.    Duration of Processing. Oyster will process Personal Data for as long as needed to provide its services. On termination of the OSP Agreement, Oyster may retain personal data: (a) for the purposes outlined in Section A of this Appendix 1; or (b) as required by law. Unless otherwise disclosed and in accordance with Applicable Data Protection Law, Oyster will promptly delete or anonymize Personal Data when no longer required for the purposes set forth herein.

 

C.    Types of Personal Data. Oyster collects and processes Personal Data contained in EOR Team Member Data, End Customer Data, Payroll Team Member Data, Oyster Intelligence Personal Data, and End Customer Third-Party Data as described in Paragraph 1(5) of this EC-DPS. For more information on the specific Personal Data collected from each of these data subject types, please refer to the following Privacy Notices:

1.    Oyster Website Privacy Notice - available at: https://legal.oysterhr.com/privacy/privacy-notice

2.    Oyster EOR Team Member and Staff Privacy Notice - available at: https://legal.oysterhr.com/privacy/sctm-privacy

3.    Oyster Payroll Team Member Privacy Notice - available at: https://legal.oysterhr.com/privacy/gptm-privacy

 

D.    Categories of Data Subjects

1.    EOR Team Member Data may concern the following categories of data subjects:

i.    EOR Team Members, as defined in Paragraph 1(14)(a).

2.    End Customer Data may concern the following categories of data subjects:

i.    End Customer’s employees and agents

ii.    End Customer’s authorized users

3.    Payroll Team Member Data may concern the following categories of data subjects:

i.    Payroll Team Members, as defined in Paragraph 1(14)(b).

4.    End Customer Third-Party Data may concern the following categories of data subjects:

i.    Customer’s customers, clients, and end users

5.    Oyster Intelligence Personal Data may concern the following categories of data subjects:

i.    EOR Team Members

ii.    Payroll Team Members

iii.    End Customer employees other than Payroll Team Members, as defined in Paragraph 1(12)(e)
