Updated: April 1, 2025
AGREEMENT ENTERED INTO BY OUTSYSTEMS AS PROCESSOR AND ITS CUSTOMER AS CONTROLLER
WHEREAS:
A. Customer has entered into a Master Subscription Agreement or into an agreement with similar nature and purpose (hereinafter “Master Subscription Agreement” or “MSA”) with OutSystems (hereinafter “OutSystems” or the “Processor”);
B. The execution of such Master Subscription Agreement and the provision of Services by OutSystems may entail the Processing of Personal Data on behalf of the Controller; and
C. Customer and OutSystems intend to regulate the Processing of Personal Data by OutSystems on behalf of the Controller to the extent required by the applicable Data Protection Laws.
The Customer and OutSystems (jointly referred to as “Parties”) enter into this Data Processing Agreement (also referred to as “DPA”), which is regulated by the following clauses:
1. DEFINITIONS
Capitalized terms shall have the meaning set out below. Any capitalized terms not defined in this DPA shall have the meaning set out in the Master Subscription Agreement or as otherwise defined in the applicable Data Protection Laws:
“Authorized Affiliate” means the Customer’s Affiliate (as defined in the Master Subscription Agreement) which is bound by the terms of this DPA, is subject to the Data Protection Laws and is permitted to use the Services pursuant to the Master Subscription Agreement, but has not executed or accepted any Order with OutSystems, being Customer’s responsibility to guarantee that it has the legal powers to bind the Authorized Affiliate to the DPA, that the Affiliate is aware of the Processing activities that may be carried out by OutSystems and that all authorizations from Affiliate for such processing activity are collected.
“Breach Event” means a breach of security affecting OutSystems or its Sub-Processors’ facilities, processes or systems leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Controller’s Personal Data transmitted, stored, or otherwise Processed by OutSystems.
“Controller” means the Customer or any of its Authorized Affiliates or any other entity that the Customer appoints to provide instructions to OutSystems as the natural or legal person who determines the purposes and means of Processing of the Personal Data.
“Customer” means the Customer who has entered into the Master Subscription Agreement with OutSystems.
“Controller's Personal Data” means any Personal Data Processed by OutSystems or another Sub-Processor on behalf of the Controller, which is transmitted to or given access to OutSystems by the Controller pursuant to or in connection with the Master Subscription Agreement.
“Data Subject” means the identified or identifiable natural person whose Personal Data is Processed.
“Data Protection Laws” means all applicable laws and regulations, including the GDPR, laws and regulations of the European Union, the European Economic Area, and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the DPA.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
“List of Sub-processors” means the list of Sub-Processors engaged by OutSystems, available here: https://www.outsystems.com/-/media/files/legal/dpa-list-of-sub-processors.pdf
“Personal Data” means any information relating to a Data Subject, as defined under the GDPR or other applicable Data Protection Laws.
“Personnel” means OutSystems’ employees or other individuals with a contractual relationship with OutSystems.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, as defined under the GDPR or other applicable Data Protection Laws, and “Process” and “Processed” shall be construed accordingly.
“Processor” means OutSystems as the legal person who processes Personal Data on behalf of the Controller.
“Restricted Transfers” means the transfer of Personal Data to countries that do not ensure an adequate level of data protection within the meaning of Data Protection Laws, to the extent such transfers are subject to such Data Protection Laws. Restricted Transfers include transfers of Controller’s Personal Data to OutSystems and onward transfers of Controller’s Personal Data to or between Sub-Processors.
“Services” means the OutSystems Software provided on cloud (platform as a service) and the Support and Updates jointly provided through a Subscription and/or the Professional Services provided by OutSystems, as defined in the Master Subscription Agreement.
“Standard Contractual Clauses” shall have the meaning set forth in Exhibit B to the DPA.
“Sub-Processor” means an entity engaged by the Processor exclusively for the Processing activities to be carried out on behalf of the Controller pursuant to the Master Subscription Agreement.
“Third-Party Services” means certain services and applications, including non-OutSystems applications and add-ons, operated by third parties chosen and directly contracted by Customer, that integrate with the Services. The providers of said Third-Party Services are not qualified as Sub-Processors and OutSystems shall not be liable, in any way, for those Third-Party Services.
“User” means a natural person authorized by the Customer to use the Services.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Controller’s Personal Data, OutSystems is the Processor, and the Customer (or Authorized Affiliate, as applicable) is the Controller.
2.2 Processing of Personal Data. OutSystems shall Process Controller’s Personal Data as confidential information and shall only Process Controller’s Personal Data on behalf of the Controller and in accordance with the requirements of the Data Protection Laws, the documented instructions provided by the Controller and Exhibit A attached hereto, as necessary for the provision of the agreed Services by OutSystems. The Parties agree that this DPA and the Master Subscription Agreement constitute the documented instructions regarding OutSystems’ processing of Controller’s Personal Data (“Documented Instructions”), and that any changes to the Documented Instructions shall be mutually agreed between the Parties.
OutSystems must inform the Controller immediately in case it believes that any Documented Instructions infringe the Data Protection Laws, further having the right to postpone the execution of the relevant instruction until this is confirmed or changed by the Controller. OutSystems will not disclose or provide access to any Controller’s Personal Data to any third-party unless required by law or approved by the Controller. If OutSystems receives a binding request from a third-party demanding Controller’s Personal Data, OutSystems will attempt to redirect the third-party to request that data directly from Controller. If compelled to disclose or provide access to any Controller’s Personal Data to a third-party, OutSystems will promptly notify Controller and provide a copy of the demand unless legally prohibited from doing so.
2.3 Controller’s Processing of Personal Data. Controller shall assess the use of the Services from a data protection perspective, considering its jurisdiction and applicable laws. Controller is solely liable to ensure the use of the Services and the underlying Processing of Controller’s Personal Data comply with the data protection laws to which the Controller is subject.
2.4 Details of Processing. The subject matter of Processing of Controller’s Personal Data by OutSystems is the execution of the Master Subscription Agreement. The nature and purpose of the Processing, the categories of Data Subjects and the types of Personal Data Processed under this DPA are further specified in Exhibit A hereto.
2.5 Duration of the Processing. The Processing shall be carried out for the duration of the Master Subscription Agreement, unless otherwise agreed upon in writing by the Parties.
3. SECURITY
3.1 OutSystems uses appropriate technical and organizational security measures to protect the Controller’s Personal Data against accidental or unlawful loss, misuse, unauthorized access, disclosure, alteration and destruction. Those measures are set forth on https://security.outsystems.com, including in the document OutSystems Information Security and Business Continuity Terms and Conditions available therein. OutSystems security measures are continually improved in line with technological developments. In this respect, Controller authorizes OutSystems to implement alternative security measures from time to time, provided that the level of security of the Controller’s Personal Data is not reduced.
3.2 OutSystems has implemented access controls to ensure that the access to and Processing of Controller’s Personal Data in relation to the provision of the Services is strictly limited to those individuals who need to know or have access to such Personal Data for the performance of their specific duties or tasks (need-to-know).
3.3 OutSystems is certified and attested by independent auditors to confirm compliance with the standards listed on https://security.outsystems.com.
3.4 Controller is solely responsible for making an independent determination as to whether the technical and organizational measures mentioned in this clause meet Controller’s requirements. Controller is responsible for implementing and maintaining adequate security measures for its own IT infrastructure and Applications.
4. OUTSYSTEMS’ PERSONNEL
4.1 OutSystems ensures that its Personnel who have access to or Process Controller’s Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
5. COOPERATION
5.1 Cooperation with the Controller. OutSystems shall, where necessary and upon request, reasonably cooperate with and assist the Controller in relation to the response to any notifications from a supervisory authority, or in connection with the Controller’s Personal Data including, without limitation, when requested by the Controller, the preparation of supporting documentation to be submitted to the relevant supervisory authority and provision of supporting documentation sufficient to evidence that OutSystems is legally bound by the terms of this DPA.
OutSystems shall, where necessary and upon request, reasonably assist Controller in ensuring the latter applies appropriate technical and organizational measures to ensure the security of the data.
OutSystems shall, and shall procure that its Sub-Processors shall, promptly provide to the Controller, upon request, the reasonably necessary information in its possession or control in relation to the Processing of the Controller’s Personal Data under this DPA and provide all assistance and cooperation as may reasonably be required by the Controller for the latter to assess whether the Processing of the Controller’s Personal Data is carried out in accordance with this DPA.
OutSystems shall reasonably cooperate, taking into account the information available to OutSystems, with and assist the Controller in relation to any notifications to be carried out or prior approvals that the latter may be required to obtain from a supervisory authority, in connection with the Personal Data whenever requested by the Controller including, without limitation, the preparation of supporting documentation.
5.2 Data Protection Impact Assessment and Prior Consultation. Where requested to do so by the Controller, OutSystems shall, taking into account the information available to it, disclose the information reasonably required to demonstrate compliance with the applicable Data Protection Laws, including the reasonably necessary information for the Controller to carry out a privacy impact assessment of the Services and carrying out any mandatory prior consultations.
5.3 Data Subject Requests. OutSystems will make available to Controller, in a manner consistent with the functionality of the Services, the ability to fulfill data subject requests to exercise their rights under Data Protection Laws. OutSystems shall, to the extent legally permitted, promptly notify the Controller if it receives a request from a Data Subject to exercise any of the Data Subject's rights under the Data Protection Laws (“Data Subject Request”).
Considering the nature of the Processing, OutSystems shall, upon request, reasonably assist the Controller in the fulfillment of Controller’s obligation to respond to a Data Subject Request under Data Protection Laws.
5.4 Data Quality. OutSystems shall, and shall procure that the Sub-Processors shall, preserve the accuracy and integrity of Controller’s Personal Data, by updating, amending, correcting or deleting Controller’s Personal Data at Controller’s request, in accordance with the provisions set forth in this DPA and the Data Protection Laws.
5.5 Costs. OutSystems may charge additional costs in order to comply with its cooperation duties referred to in this DPA.
6. BREACH EVENT
6.1 Breach Notification. OutSystems shall notify the Controller promptly and without undue delay after becoming aware of any Breach Event. Where and in so far as it is not possible to provide all the relevant information at the same time, the information may be provided in phases without undue delay. Controller must promptly notify OutSystems about any possible misuse of its accounts or authentication credentials or any Breach Event of which it becomes aware related to the Services.
6.2 Cooperation. OutSystems shall provide the Controller with all assistance and cooperation as may reasonably be deemed necessary in the event of a Breach Event, namely in the preparation of the relevant notifications and in the implementation of the necessary mitigation measures, as determined by the applicable Data Protection Laws.
7. SUB-PROCESSORS
7.1 Selection of Sub-Processors. The Controller hereby gives OutSystems a general authorization to engage Sub-Processors, expressly authorizing the engagement as Sub-Processors of the entities identified in the List of Sub-processors. The Sub-Processors engaged must ensure compliance with the requirements and/or obligations foreseen in the Data Protection Laws and this DPA.
7.2 Objection. If necessary, OutSystems will update the Sub-Processors listed in the List of Sub-processors. In case OutSystems updates the List of Sub-Processors, Controller shall be promptly notified of such fact, and shall be given the opportunity to reasonably object to such change, providing a reasonable and objective justification for such objection, within 30 days as of OutSystems’ notification. Controller accepts to be informed of the amendments to the List of Sub-processors by email.
7.3 Cooperation. If within such 30 days, the Controller notifies OutSystems of any objection to the proposed appointment, the Parties shall negotiate in good faith and mutually agree upon a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-Processor.
7.4 Engagement of Sub-Processors. With respect to each Sub-Processor, OutSystems shall ensure that the arrangement between OutSystems and any prospective Sub-Processor is governed by a written contract including terms which offer at least the same level of protection for the Personal Data as those set out in this DPA, and that the Sub-Processors act in accordance with Controller’s instructions, as transmitted by OutSystems.
7.5 Logs and URL in Controller application(s). The Controller undertakes to not include any Personal Data in the logs and URL of its application(s) developed with the scope of the provision of the Services.
7.6 Third-Party Services. If Controller subscribes to any Third-Party Services, even if they have some interaction with the Services, Controller shall perform its own due diligence from a data protection, privacy and security perspective. Said Third-Party Services providers are not qualified as Sub-Processors for the purposes of this DPA and OutSystems is not liable for the Processing of Controller’s Personal Data by any Third-Party Providers.
7.7 OutSystems liability. Where the Sub-Processor fails to fulfil its data protection obligations, OutSystems will remain liable to the Controller for the performance of such Sub-Processor’s obligations.
8. ERASURE OR RETURN OF DATA
8.1 Upon termination of the Master Subscription Agreement, Controller may export the Controller’s Personal Data in accordance with the rules set forth in the Master Subscription Agreement regarding the detachment of Customer Content. OutSystems will delete the Controller’s Personal Data once the deadline defined for the detachment of Customer Content under the Master Subscription Agreement has elapsed.
9. AUDIT RIGHTS
9.1 Information. OutSystems shall, upon request, make available to the Controller, the information reasonably necessary to demonstrate compliance with this DPA.
9.2 Audits. OutSystems will conduct audits in relation to the Processing of Personal Data under the Master Subscription Agreement. Each audit will result in an audit report or other applicable certificate, which will be made available to the Controller upon request, subject to non-disclosure and distribution limitations of OutSystems and the auditor. OutSystems will promptly address issues raised in any audit report.
To the extent Controller’s audit requirements under the Data Protection Laws cannot reasonably be satisfied through the aforementioned audit reports and certificates, Controller may request the conduction of audits in relation to the Processing of Controller’s Personal Data under the Master Subscription Agreement. Controller shall give OutSystems a reasonable prior written notice of any audit or inspection to be conducted under this Section (which shall, in no event, be less than thirty (30) days’ notice, unless a narrower deadline is imposed by a competent authority), and the Parties shall mutually agree upon the scope, methodology, results, timing and duration of the audit. To the extent needed to perform the audit, OutSystems will make the processing systems and supporting documentation relevant to the Processing of Controller’s Personal Data by OutSystems available. Any audit shall be conducted by an independent, accredited third-party audit firm, during regular business hours, subject to reasonable confidentiality procedures. Neither Controller nor the auditor shall have access to any data from OutSystems’ other customers or to OutSystems systems or facilities not involved in providing the Services. Audits can be conducted, as a maximum, once per each twelve (12) months of provision of the Services, except for any additional audits or inspections which (a) Controller reasonably considers necessary because of a Breach Event; or (b) Controller is required to carry out by the Data Protection Laws or a competent authority. Unless otherwise agreed in writing between the Parties, Controller shall bear any third party costs in connection with any audit to be carried out by or on behalf of the Controller and reimburse OutSystems for all costs and time spent (at OutSystems’ then-current professional services rates) in connection with any such inspection or audit.
10. RESTRICTED TRANSFERS
10.1 Where applicable, Restricted Transfers from the Controller to OutSystems are governed by Exhibit B of this DPA.
10.2 OutSystems agrees that no Personal Data Processed on behalf of the Controller shall be Processed by any Sub-Processor outside the EU/EEA otherwise than in accordance with adequate transfer mechanisms, namely, the existence of an adequacy decision from the relevant authorities or, in the absence of such a decision, the use of Standard Contractual Clauses.
10.3 OutSystems shall include in the List of Sub-processors information regarding Restricted Transfers and inform the Controller of any changes to the appropriate safeguards.
11. LIABILITY
Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and OutSystems, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Master Subscription Agreement, and any reference in such section to the liability of a Party means the aggregate liability of that party and all of its Affiliates under the Master Subscription Agreement and all DPAs together.
12. NOTICES
Any notice, consent, approval, or other communication intended to have legal effect to be given under this DPA (“Notices”) must be in writing and will be delivered (as elected by the Party giving such notice): (i) to OutSystems: by email to legal@outsystems.com or to Controller: to the email address of the Controller provided by the Controller by any means (ii) by registered mail. Unless otherwise provided herein, all Notices will be deemed effective on the date of receipt (or if delivery is refused, the date of such refusal) if delivered by registered mail and at 9.00 am of the next business day after the date of the transmission by email. Notices hereunder will be sent to the contact and addresses set forth in the signature sections of this Agreement. Either Party may change the address to which Notices shall be sent by giving Notice to the other Party in the manner herein provided. Notices shall be written in English.
13. SEVERABILITY
If for any reason a court of competent jurisdiction finds any provision of this DPA, or portion thereof, to be unenforceable, that provision of the DPA will be enforced to the maximum extent permissible so as to effect the intent of the Parties, and the remainder of this DPA or of the provision will continue in full force and effect, except to the extent such invalid provision or part of provision relates to essential aspects of the DPA. The Parties agree that such provision or portion thereof shall be substituted by a provision with an equivalent legal and economic effect.
14. GOVERNING LAW AND JURISDICTION
This DPA shall be governed by, and construed and enforced in accordance with, the governing clause established in the Master Subscription Agreement, excluding the rules regarding the conflict of laws. In the absence of a governing clause, the governing law applicable to the OutSystems contracting party, as determined by the place of its registered office, shall prevail.
15. COUNTERPARTS AND ELECTRONIC SIGNATURES
15.1 This DPA may be executed in one or more counterparts, each of which will be deemed to be an original copy of this DPA and all of which, when taken together, will be deemed to constitute one and the same DPA, binding upon all of its Parties notwithstanding the fact that all Parties are not signatory to the original or the same counterpart. The Parties hereby agree that this DPA may be delivered by electronic signature (e.g. DocuSign, in portable data format – PDF – or in any other digital means of identifying that party’s identity and approval of the counterpart) by any or both Parties in which case all Parties agree to rely on the receipt of such document so executed and delivered by electronic means as if the original had been received. The relevant Parties hereby warrant and represent that such electronic signature is valid and legally binding in jurisdictions they may respectively be subject to, and they waive any potential right or claim against the validity of this DPA on the basis of its electronic signature.
THE UNDERSIGNED REPRESENT AND WARRANT THAT THEY HAVE THE AUTHORITY TO ENTER INTO THIS DATA PROCESSING AGREEMENT ON BEHALF OF THE PERSON, ENTITY OR CORPORATION LISTED ABOVE THEIR NAME.
EXHIBIT A
PROCESSING ACTIVITIES
| Brief description of the Processing activities | Nature and Purpose of the Processing | Categories of Data Subjects | Type of Personal Data |
|---|---|---|---|
| OutSystems will Process Personal Data as necessary to perform the Services pursuant to the Master Subscription Agreement and applicable order(s). These Processing activities may include: | The Processing to be carried out may include, as applicable, the following type of operations performed on Controller’s Personal data: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The purpose of the Processing is the provision of Services by OutSystems pursuant to the Master Subscription Agreement and instructed by the Controller in this Data Processing Agreement. | May include, as applicable, Personal Data supplied by Controller or by third-parties on behalf of Controller in connection with an Application (as defined in the Master Subscription Agreement), which is Processed by OutSystems as a processor, relating to the following categories of Data Subjects: | Controller may submit Personal Data to OutSystems, to the extent of which is determined and controlled by Controller in its sole discretion, and which may include, as applicable, but is not limited to the following categories of Personal Data: |
EXHIBIT B
RESTRICTED TRANSFERS
1. DEFINITIONS
1.1 “Adequate Jurisdiction” means, as applicable, (i) any country in the European Economic Area, as well as any country that the European Commission has formally determined that it provides adequate protection for Personal Data as reflected in a published adequacy finding; (ii) any third country, territory, or one or more specific sectors within that third country listed in the FDPIC’s list of adequate countries (found at https://www.edoeb.admin.ch/edoeb/en/home/data-protection/handel-und-wirtschaft/transborder-data-flows.html), or otherwise acknowledged as a country deemed adequate for the purpose and in accordance with Swiss Data Protection Law; and/or (iii) any third country, territory or international organization that the Secretary of State has formally determined that it provides an adequate level of protection for Personal Data in accordance with the UK Data Protection Law.
1.2 “Standard Contractual Clauses” means the EU Standard Contractual Clauses, the UK Standard Contractual Clauses and the Swiss Standard Contractual Clauses.
1.3 “EU Standard Contractual Clauses” means the model clauses approved by European Commission through Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (as amended, superseded or replaced from time to time).
1.4 “FDPIC” means the Federal Data Protection and Information Commissioner.
1.5 “Swiss Data Protection Law” means any law, enactment, regulation or order in Switzerland concerning the Processing of Personal Data, including the Federal Act on Data Protection revised on 25 September 2020 (“FADP”) (as amended, superseded or replaced from time to time).
1.6 “Swiss Standard Contractual Clauses” means the EU Standard Contractual Clauses adapted and supplemented as considered necessary by the FDPIC.
1.7 “UK Data Protection Law” means the Data Protection Act (DPA 2018), as amended, and the GDPR as incorporated into UK law as the UK GDPR, and any other applicable UK data protection laws (as amended, superseded or replaced from time to time).
1.8 “UK Standard Contractual Clauses” means the template IDTA B.1.0 issued by the Information Commissioner’s Office in force as of 21 March 2022 (as amended, superseded or replaced from time to time).
2. EU Standard Contractual Clauses
2.1 Where the Controller is subject to the GDPR and a transfer of Controller’s Personal Data to OutSystems is qualified, under the GDPR, as a Restricted Transfer to a country that does not qualify as an Adequate Jurisdiction, the Parties hereby enter into the EU Standard Contractual Clauses, which are incorporated by reference in this DPA.
2.2 Where the EU Standard Contractual Clauses apply, they will be deemed completed as follows:
(a) Controller is the data exporter and OutSystems is the data importer;
(b) Clause 7, the optional docking clause will apply;
(c) Module TWO (Controller to Processor) will apply where Controller is a controller of Controller’s Personal Data and OutSystems is a processor;
(d) in Clause 9(a), the “General Written Authorisation” will apply, and the time period for prior notice of a change of sub-processors is of 30 days;
(e) in Clause 11, the optional language will not apply;
(f) in Clause 17, Option 1 will apply and will be governed by the laws provided in the Master Subscription Agreement. If the Master Subscription Agreement is not governed by an EU member state law, then the laws of Portugal shall govern;
(g) in Clause 18(b), disputes shall be resolved before the courts provided in the Master Subscription Agreement. If the Master Subscription Agreement does not provide courts in an EEA Member State, the parties agree to the courts of Portugal;
(h) Annex I.A shall be deemed completed as follows:
Data exporter(s):
Name: Customer or an Authorized Affiliate, as applicable and identified in the Master Subscription Agreement in relation to which this Exhibit B forms part of and applicable order(s).
Address and contact person’s name, position and contact details: As identified in the Master Subscription Agreement in relation to which this Exhibit B forms part of and applicable order(s).
Activities relevant to the data transferred under these Clauses: the usage of the software products and services associated with the OutSystems platform.
Role: controller
Data importer(s):
Name: OutSystems, as identified in the Master Subscription Agreement in relation to which this Exhibit B forms part of and applicable order(s).
Address and contact person’s name, position and contact details: As identified in the Master Subscription Agreement in relation to which this Exhibit B forms part of and applicable order(s).
Activities relevant to the data transferred under these Clauses: processor is an information technology company providing software products and services associated with its proprietary software, the OutSystems Platform.
Role: processor
(i) Annex I.B shall be deemed completed with the information set out in Exhibit A to this DPA, complemented by the following information:
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): continuous basis.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: during the duration of the agreement between the controller and the processor.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: as described above and in Exhibit A to this DPA.
(j) Annex I.C shall be deemed completed as follows:
Where the data exporter is established in the EEA shall be the Supervisory Authority with responsibility for ensuring compliance by the data exporter with GDPR as regards the data transfer. Where the data exporter is not established in the EEA, but is within the territorial scope of application of GDPR in accordance with Article 3(2) and has appointed a representative pursuant to Article 27(1), the Supervisory Authority shall be the member state in which the representative within the meaning of Article 27(1) is established. If the data exporter is not established in the EEA, but falls within the territorial scope of application of GDPR without having to appoint a representative pursuant to Article 27(2), the Supervisory Authority of Portugal shall act as the competent Supervisory Authority.
(k) Annex II shall be deemed completed with the information set out in clause 3 of the DPA.
(l) Annex III shall be deemed completed with the information included on https://www.outsystems.com/-/media/files/legal/dpa-list-of-sub-processors.pdf
2.3 Nothing in this clause 2 is intended to conflict with either Party's rights or responsibilities under the EU Standard Contractual Clauses and, in the event of any such conflict, the EU Standard Contractual Clauses shall prevail. However, as an exception to this clause, the Parties agree that the clauses on the limitation of the Parties’ liability included in the DPA and the Master Subscription Agreement shall prevail over the clauses on liability included in the EU Standard Contractual Clauses.
3. UK Standard Contractual Clauses
3.1 Where Controller is subject to UK Data Protection Law and a transfer of Controller’s Personal Data to OutSystems is qualified, under the UK Data Protection Law, as a Restricted Transfer to a country that does not qualify as an Adequate Jurisdiction, the Parties hereby enter into the UK Standard Contractual Clauses, which are incorporated by reference in this DPA.
3.2 Where the UK Standard Contractual Clauses apply, they will be deemed completed as follows:
(a) Table 1 shall be deemed completed as follows:
| Start date | The starting date of the Master Subscription Agreement in relation to which this Exhibit B forms part of and applicable order(s). |
|---|---|

| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
|---|---|---|
| Parties’ details | Full legal name: Customer or Authorized Affiliate, as applicable and identified in the Master Subscription Agreement in relation to which this Exhibit B forms part of and applicable order(s). Trading name (if different): same as above. Main address (if a company registered address): Customer or Authorized Affiliate address, as applicable and identified in the Master Subscription Agreement in relation to which this Exhibit B forms part of and applicable order(s). Official registration number (if any) (company number or similar identifier): Customer or Authorized Affiliate official registration number, as applicable and identified in the Master Subscription Agreement in relation to which this Exhibit B forms part of and applicable order(s). | Full legal name: OutSystems, as identified in the Master Subscription Agreement in relation to which this Exhibit B forms part of and applicable order(s). Trading name (if different): same as above. Main address (if a company registered address): OutSystems address, as identified in the Master Subscription Agreement in relation to which this Exhibit B forms part of and applicable order(s). Official registration number (if any) (company number or similar identifier): OutSystems official registration number, as identified in the Master Subscription Agreement in relation to which this Exhibit B forms part of and applicable order(s). |
| Key Contact | Full Name (optional): as identified in the Master Subscription Agreement in relation to which this Exhibit B forms part of and applicable order(s). Job Title: as above. Contact details including email: as above. | Full Name (optional): as identified in the Master Subscription Agreement in relation to which this Exhibit B forms part of and applicable order(s). Job Title: as above. Contact details including email: as above. |
(b) Regarding Table 2, the Parties select the checkbox that reads: “Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum”, and the accompanying table shall be deemed completed according to the Parties’ preferences outlined in clause 2 above;
(c) Table 3 shall be deemed completed with the information included in clause 2 above; and
(d) Regarding Table 4, the Parties agree that both Parties may terminate the Addendum as set out in Section 19.
3.3 Nothing in this clause 3 is intended to conflict with either Party's rights or responsibilities under the UK Standard Contractual Clauses and, in the event of any such conflict, the UK Standard Contractual Clauses shall prevail. However, as an exception to this clause, the Parties agree that the clauses on the limitation of the Parties’ liability included in the DPA and the Master Subscription Agreement shall prevail over the clauses on liability included in the UK Standard Contractual Clauses.
4. Swiss Standard Contractual Clauses
4.1 Where Controller is subject to Swiss Data Protection Law and a transfer of Controller’s Personal Data to OutSystems is qualified, under the Swiss Data Protection Law, as a Restricted Transfer to a country that does not qualify as an Adequate Jurisdiction, the Parties hereby enter into the Swiss Standard Contractual Clauses, which are incorporated by reference in this DPA.
4.2 Where the Swiss Standard Contractual Clauses apply, they shall be deemed completed with the information set forth in clause 2 above, as appropriate, and the following shall apply:
(a) For the purposes of Annex I.C of the EU Standard Contractual Clauses, where Controller is the data exporter and the Controller’s Personal Data transferred is exclusively subject to Swiss Data Protection Law, the FDPIC shall be the competent Supervisory Authority. Where the Controller’s Personal Data transferred is subject to both the FADP and the GDPR, parallel supervision should apply.
(b) For the purposes of clause 17 of the EU Standard Contractual Clauses, where Controller is the data exporter and the Controller’s Personal Data transferred is exclusively subject to Swiss Data Protection Law, Swiss law shall apply.
(c) Clause 18(b) of the EU Standard Contractual Clauses shall be deemed completed with the information included in clause 2 above.
(d) The term “member state”, as used in the EU Standard Contractual Clauses, shall not be interpreted to limit data subjects in Switzerland from being able to sue for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU Standard Contractual Clauses.
(e) References to the GDPR should be understood as references to the FADP, insofar as Personal Data transfers are subject to the FADP.
4.3 Nothing in this clause 4 is intended to conflict with either Party's rights or responsibilities under the Swiss Standard Contractual Clauses and, in the event of any such conflict, the Swiss Standard Contractual Clauses shall prevail. However, as an exception to this clause, the Parties agree that the clauses on the limitation of the Parties’ liability included in the DPA and the Master Subscription Agreement shall prevail over the clauses on liability included in the Swiss Standard Contractual Clauses.