Data processing addendum

Version 2.0

This Data Processing Addendum (“DPA”) is a part of, governed by, and incorporated by reference into the Terms of Service or the Master Subscription Agreement, as applicable (“Agreement”), between:

  • Framer B.V., a company incorporated and existing under the laws of the Netherlands and having its registered office at Rozengracht 207B, 1016 LZ Amsterdam, the Netherlands (“Framer” acting as processor), and

  • the entity or person placing an order for or accessing the Service (“Customer” acting as controller).

Each separately referred to as a “Party” and together as the “Parties”.

  1. Preamble

1.1 This DPA sets out the rights and obligations of Framer and the Customer, regarding Framer’s processing of personal data as data processor on behalf of the Customer as data controller, in the context of the Agreement. 

1.2 This DPA has been designed to ensure the Parties’ compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”). 

1.3 Framer provides a subscription-based platform that can be used for designing and publishing interactive websites and offers services to the Customer in the context thereof, as detailed in the Agreement. In the context of the provision of the Service as specified in the Agreement, Framer will process personal data on behalf of the Customer in accordance with this DPA.

1.4 Non-capitalized terms not defined in this DPA that are defined in the GDPR, such as “personal data”, “processing” and “data subject”, shall have the same meaning as set forth in the GDPR.

1.5 Capitalized terms not defined in this DPA shall have the meaning as set forth in the Agreement.

1.6 This DPA shall take priority over any similar provisions contained in any other agreements between the Parties (except for any deviations to this DPA explicitly agreed by the Parties in an applicable Order Form).

1.7 Two annexes (“Annexes”) are attached to this DPA and form an integral part of this DPA.

1.8 Annex I contains details about the processing of personal data, including the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.

1.9 Annex II contains the minimum security measures to be implemented by Framer.

1.10 This DPA along with its Annexes shall be retained in writing, including electronically, by both Parties.

1.11 This DPA shall not exempt Framer from obligations to which Framer is subject pursuant to the GDPR or other applicable legislation.

1.12 This DPA shall apply to all Framer’s current and future processing of personal data as Processor under the Agreement to Customer, including any affiliated companies of the Customer, for whom Framer also processes personal data in the context of the Agreement.

  2. The rights and obligations of the Customer

2.1 The Customer is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (see article 24 GDPR), the applicable EU or Member State data protection provisions and this DPA.

2.2 The Customer has the right and obligation to make decisions about the purposes and means of the processing of personal data.

2.3 The Customer shall be responsible, amongst other matters, for ensuring that the processing of personal data, which Framer is instructed to perform, has a legal basis. 

  3. Framer acts according to instructions

3.1 This DPA covers Framer’s processing activities as processor on behalf of the Customer as controller, in the context of the Agreement. Framer shall process personal data only on the documented instructions from the Customer as set out in this DPA, unless otherwise required to do so by the EU or Member State law to which Framer is subject. Subsequent instructions can also be given by the Customer throughout the duration of the processing of personal data, and such instructions shall always be documented and kept in writing, including in electronic form, in connection with this DPA. If Framer incurs any additional costs for adhering to the subsequent instructions that fall outside the scope of the Agreement or this DPA, Framer is entitled to invoice the Customer for said costs. 

3.2 Framer shall, without undue delay, inform the Customer if instructions given by the Customer, in the opinion of Framer, contravene the GDPR or the applicable EU or Member State data protection provisions. In such a case, the Customer has four (4) weeks to revise its written instructions as deemed unlawful by Framer. Pending the Customer's revision of such instructions, Framer may suspend the affected processing activities where Framer considers that continuing to perform them would cause Framer to breach its own obligations under the GDPR. Any such suspension shall not constitute a breach of the Agreement or this DPA. If the Customer has not provided revised instructions within the aforementioned four (4) weeks or if Framer also deems the revised instructions to contravene the GDPR or applicable data protection laws to which Framer is subject, Framer has the right to terminate (the relevant part of) the Agreement in line with article 18 of the Agreement.

  4. Confidentiality

4.1 Framer shall only grant access to the personal data being processed on behalf of the Customer to persons under Framer’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need-to-know basis. The list of persons to whom access has been granted shall be kept under periodic review. Based on this review, such access to personal data can be withdrawn, if access is no longer necessary, and personal data shall consequently no longer be accessible to those persons.

4.2 Framer shall at the request of the Customer demonstrate that the concerned persons under Framer’s authority are subject to the abovementioned confidentiality, by providing a sample confidentiality clause as used in its employment contracts.

  5. Security of processing

5.1 Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and the data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The Customer shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following:

a) Pseudonymisation and encryption of personal data;

b) The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Also taking the above into account, Parties have determined that Framer shall apply the security measures detailed in Annex II in relation to its processing of personal data on behalf of the Customer. In the Customer’s opinion, said security measures provide a level of security that is tailored to the risk inherent to the processing of the personal data processed by Framer on behalf of the Customer, taking into account the factors referred to in this section. 

5.2 The Customer may request Framer to implement further security measures. Decisions regarding the actual implementation thereof shall be taken only upon agreement in writing by both Parties. If Framer incurs any additional costs for making adjustments to its security measures at the Customer’s request, Framer is entitled to invoice the Customer for these costs. 

5.3 Framer shall be entitled to adjust the security measures it has implemented, for as far as this does not undermine the level of security it is obliged to offer, based upon this DPA. Framer shall record the adjustments it chooses to make and shall provide the Customer with updated information on the implemented security measures per its request.

5.4 Furthermore, Framer shall assist the Customer in ensuring compliance with the Customer’s obligations pursuant to article 32 GDPR, by inter alia providing the Customer with information concerning the technical and organisational measures already implemented by Framer pursuant to Article 32 GDPR along with all other information necessary for the Customer to comply with the Customer’s obligation under article 32 of the GDPR, for as far as the Customer is unable to fulfil these obligations without the assistance of Framer.

  6. Use of sub-processors

6.1 Framer shall meet the requirements specified in article 28(2) and (4) of the GDPR to engage another processor (a sub-processor).

6.2 Framer has the Customer’s general authorisation for the engagement of sub-processors. Framer will maintain an up-to-date list of its sub-processors, as specified within its Trust Center. Framer shall inform the Customer in writing of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance. To receive these notices, Customer shall “Subscribe to Updates” in Framer’s Trust Center. If, within 30 days after notice of a new sub-processor, Customer objects in writing to the appointment of such new sub-processor based on reasonable data protection concerns, the Parties will discuss such concerns in good faith. If the Parties are unable to reach a mutually agreeable resolution, Customer, as its sole and exclusive remedy, may terminate the affected Service by providing 30 days’ written notice.

6.3 Where Framer engages a sub-processor for carrying out specific processing activities on behalf of the Customer, essentially the same level of data protection obligations as set out in this DPA shall be imposed on that sub-processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.

6.4 Framer is responsible for documenting such a sub-processor agreement and any subsequent amendments, thereby giving a competent supervisory authority the opportunity to ensure that the same level of data protection obligations as set out in this DPA are imposed on the sub-processor.

6.5 If the sub-processor does not fulfil its data protection obligations, Framer shall remain fully liable to the Customer as regards the fulfilment of the obligations of the sub-processor. This does not affect the rights of the data subjects under the GDPR – in particular those foreseen in articles 79 and 82 of the GDPR – against the Customer and Framer, including any sub-processors.

  7. Transfer of data to third countries or international organizations

7.1 For the provision of the Service to the Customer under the Agreement, personal data may be processed in third countries. Any transfer shall always take place in compliance with chapter V of the GDPR. Transfers shall only occur on the basis of documented instructions from the Customer as set out in this DPA, unless otherwise required by the applicable law to which Framer is subject. Data transfers of sub-processors authorized by the Customer in line with section 6 of this DPA are deemed to take place on the Customer’s instruction. 

7.2 Transfer mechanism. Where Framer transfers personal data to a country outside the EEA, the transfer will be made pursuant to a valid transfer mechanism under Chapter V GDPR, namely (a) an adequacy decision under Article 45 GDPR, including the EU-US Data Privacy Framework where the recipient is certified under it; or (b) where no adequacy decision applies, the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 (the “SCCs”) or another appropriate safeguard under Article 46 GDPR. In respect of onward transfers to sub-processors located in such countries, Framer, as data exporter, maintains the relevant transfer mechanism directly with each sub-processor in accordance with section 6 of this DPA. The detailed transfer mechanisms, including the order of precedence among them and the specific terms applicable to the SCCs, the UK International Data Transfer Addendum and transfers subject to Swiss law, are set out in Appendix 1 (Cross-Border Transfer Mechanisms), which forms an integral part of this DPA. 

  8. Assistance to the Customer

8.1 Taking into account the nature of the processing, Framer shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the Customer’s obligations to respond to requests for exercising the data subject’s rights laid down in chapter III of the GDPR, insofar as the Customer is unable to fulfil these obligations without the assistance of Framer.

8.2 In addition to Framer’s obligation to assist the Customer pursuant to section 8.1 of this DPA, Framer shall furthermore, taking into account the nature of the processing and the information available to Framer, assist the Customer in ensuring compliance with its below obligations, for as far as the Customer is unable to fulfil these obligations without the assistance of Framer:

a) the Customer’s obligation to, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;

b) the Customer’s obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;

c) the Customer’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);

d) the Customer’s obligation to consult the competent supervisory authority, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Customer to mitigate the risk.

  9. Notification of a personal data breach

9.1 In case of any personal data breach, Framer shall, without undue delay after having become aware of it, notify the Customer of the personal data breach.

9.2 Framer’s notification to the Customer shall take place within 72 hours after Framer has become aware of the personal data breach to enable the Customer to comply with the Customer’s obligation to notify the personal data breach to the competent supervisory authority, in accordance with article 33 GDPR.

9.3 In accordance with section 8(2)(a) of this DPA, Framer shall assist the Customer in notifying the personal data breach to the competent supervisory authority, meaning that Framer is required to assist in obtaining the information listed below which, pursuant to article 33(3) GDPR, shall be stated in the Customer’s notification to the competent supervisory authority: 

a) The nature of the personal data including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned; 

b) the likely consequences of the personal data breach; and

c) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. 

  10. Erasure and return of data

10.1 Upon written request, Framer shall be obliged to delete all personal data processed on behalf of the Customer in the performance of the Agreement, unless (i) EU or Member State law requires storage of the personal data, (ii) the data is retained in back-ups in which the data is not separately accessible, or (iii) the Customer has modified its choice under article 28(3)(g) of the GDPR. Upon request, Framer can confirm erasure of data to Customer in writing.

  11. Audit and inspection

11.1 Customer acknowledges that Framer is regularly audited by independent third-party auditors and/or internal auditors against the standards specified in Annex II. Upon Customer’s written request during the term of the Agreement, Framer shall supply a summary copy of its audit report(s) (“Report”) to Customer, subject to the non-disclosure section of the Agreement, in due course, so that Customer can verify Framer’s compliance with this DPA.

11.2 Framer shall also provide written responses subject to the non-disclosure section of the Agreement to all reasonable requests for information made by Customer related to its processing of personal data in the performance of the Agreement, including responses to information security and audit questionnaires that are necessary to confirm Framer’s compliance with this DPA, provided that Customer shall not exercise this right more than once per year. 

11.3 Insofar as the Customer is reasonably not able to assess Framer’s compliance with this DPA for its processing of the personal data based upon the information provided under section 11.1 and 11.2, Framer shall give the Customer the opportunity to periodically verify compliance with this DPA upon at least a three (3) months’ notice and at the Customer’s own costs. The checks shall be carried out on behalf of the Customer by an independent certified auditor. Said additional audit shall be limited to a maximum of once (1 time) a year.

11.4 The Parties shall consult each other on the findings of an audit at their earliest convenience. Framer shall implement the proposed measures for improvement insofar as it deems them appropriate, at its sole discretion, also taking into account the processing risks associated with the Service, the state of the art, the costs of implementation, the market in which it operates, and the intended use of the Service.

11.5 Framer shall be entitled to invoice the Customer for any costs it incurs in implementing additional measures as required by the Customer. Such invoicing will take place in accordance with the payment instructions as set out in the Agreement, if applicable.

  12. Indemnification

12.1 The Customer shall indemnify and hold Framer harmless against claims by third parties on the basis of damage suffered as a result of the Customer’s failure to comply with the GDPR or other laws or regulations. Indemnification shall apply not only to the damage that third parties may have suffered (both material and immaterial), but also to (i) the costs that Framer must incur in connection therewith, for example in any legal proceedings, (ii) the costs of any fines imposed on Framer as a result of the Customer’s acts or omissions, and (iii) any damages suffered by Framer as a result of the Customer’s acts or omissions, including but not limited to reputational damages.

  13. Costs

13.1 The costs associated with the processing of information which are inherent to the normal performance of the Agreement shall be deemed to be incorporated into the fees already owed under the Agreement.

13.2 The Customer shall be invoiced for any form of support or any other additional service Framer will be required to provide under this DPA or at the request of the Customer, including requests for assistance in line with section 5.3 and section 8 of this DPA. 

13.3 The preceding provision shall not apply if the additional costs are related to a shortcoming attributable to Framer under this DPA. In such cases the duties shall be performed free of charge (without prejudice to the Customer's right to recoup the costs actually incurred from Framer).

  14. Commencement and termination

14.1 This DPA shall commence on the Effective Date of the Agreement.

14.2 Both Parties shall be entitled to require this DPA to be renegotiated if changes to the law or the Agreement should give rise to such renegotiation.

14.3 This DPA shall apply for the duration of the personal data processing activities in the performance of the Agreement. For the duration of the personal data processing activities, this DPA cannot be terminated unless other sections governing data protection have been agreed between the Parties.

  15. Data controller and data processor contact information

15.1 The Parties may contact each other using the following contact information:

  • Customer: the email address used for registration or listed on Customer’s Order Form, as applicable.

  • Framer: legal@framer.com (Legal Department).

15.2 The Parties shall be under obligation continuously to inform each other of changes to contact information.

  16. Governing Law and Jurisdiction

16.1 This DPA will be governed by and interpreted in accordance with Dutch law without regard to international law regulations or principles of law leading to the application of other laws. The competent courts of Amsterdam, the Netherlands, will have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA.

  17. Processing in Accordance with the CCPA

17.1 This section 17 applies only to the extent Framer processes personal information that is subject to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and its implementing regulations (“CCPA”), on behalf of the Customer under this DPA. Terms such as "business", "service provider", "sell", "share", "business purpose", "consumer" and "personal information" have the meanings given to them in the CCPA. For the purposes of such processing, the Customer is the "business" and Framer is the "service provider".

17.2 Framer shall process such personal information solely to perform the Service and for the business purposes specified in the Agreement and Annex I, and shall not: (a) sell or share the personal information; (b) retain, use or disclose the personal information for any purpose (including any commercial purpose) other than those business purposes, or outside the direct business relationship between the Parties; or (c) combine the personal information with personal information that Framer receives from, or on behalf of, any third party, or collects from its own interaction with the consumer, except as permitted by the CCPA.

17.3 Framer shall: (a) provide the same level of privacy protection as is required of businesses under the CCPA; (b) taking into account the nature of the processing, reasonably assist the Customer, in the manner contemplated by section 8, in responding to verifiable consumer requests under the CCPA; and (c) notify the Customer without undue delay if it determines that it can no longer meet its obligations under the CCPA. The Customer may take reasonable and appropriate steps to ensure that Framer uses the personal information in a manner consistent with the Customer's obligations under the CCPA, and to stop and remediate any unauthorised use. Framer's engagement of sub-processors to process such personal information is governed by section 6.

17.4 Framer certifies that it understands the restrictions set out in this section 17 and will comply with them.

ANNEX I - Details of the processing

I.1. Purpose and nature of Framer’s processing of personal data 

Framer’s processing of personal data on behalf of Customer shall mainly pertain to the Service described below:

  1. Provision of the Service. Framer may process Customer personal data to facilitate the Service, including providing Framer’s Platform, Framer Community and Framer ´matched´, and Spam and Abuse Protection Features (where enabled by Customer). 

  2. Maintenance and Support. Framer may process Customer personal data to provide maintenance and support services, including maintenance and support upon request by the Customer, periodic maintenance and support and the provision of upgrades, updates and new releases.

I.2. Types of personal data

The processing of personal data will consist of all information necessary for the provision of the Service to the Customer. The processing of personal data under this DPA may include the following (categories of) personal data which are provided to Framer:

  • Full name

  • Job title

  • Initials

  • Business department

  • Date of birth

  • Company name

  • Gender

  • Framer/Project ID

  • City/country of residence

  • Device ID

  • Address

  • IP address

  • (Business) email address

  • Location data

  • (Business) telephone number

  • Personal data of End Users

  • Data required to provide the Spam and Abuse Protection Features, where enabled by Customer (verification tokens; risk scores; device and browser characteristics; interaction patterns and network signals)

I.3. Categories of data subjects

The categories of data subjects whose personal data is processed in the context of the provision of the Service as specified in the Agreement may include (subject to Customer’s use of the Service): 

  • Customer’s business representatives, including the contact persons of the Customer, and Customer’s Users.

  • Customer’s customers, including the End Users of the Customer’s services in relation to the Service.

I.4. Frequency of the processing

Framer processes the personal data on an intermittent basis.

I.5. Duration of processing / retention period

Framer will process personal data for the duration of the Agreement, after which the procedure as detailed in the relevant section of this DPA shall apply, unless otherwise agreed upon in writing by Parties.

I.6. Competent supervisory authority

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) is the competent supervisory authority.


ANNEX II – Security 

Framer has implemented appropriate technical and organizational security measures and controls to protect personal data and to ensure the ongoing confidentiality, integrity, and availability of Framer’s Service in accordance with article 32 of the GDPR. Framer has processes in place to regularly test, assess and evaluate our technical and organizational security measures.

  1. Governance

Framer maintains a number of information security policies that form the basis of our information security program and appropriately manage information throughout its product and services lifecycle. All Framer employees are required to review these policies as part of their on-boarding. These security policies cover the following topics:

  • Access control

  • Acceptable Use

  • Change management

  • Risk management

  • Data classification and asset inventory management

  • Incident response and management

  • Network security

  • Encryption and key management

  • Human resources security

  • Information transfer

  • Secure development

  • System monitoring and logging

  • Vendor management

  • Vulnerability management and malware protection

  • Mobile device management and remote working

  • Business continuity and disaster recovery

  • Backup & Restoration 

Furthermore, all new hires are required to complete industry standard security awareness training as part of their on-boarding and all employees are required to complete routine annual security awareness training. Framer engineers are required to complete security training designed specifically for engineers.

  2. Certifications

Framer is ISO 27001:2022 and SOC 2 Type 2 attested. 

  3. Organizational, environmental and physical (access) security

Framer implemented various measures to prevent unauthorized access and reduce risks from environmental threats to the physical premises of Framer, including: 

  • Secured areas protected by appropriate entry controls (e.g. access tokens) to ensure only authorized personnel have access;

  • Equipment is sited and protected, to reduce the risks of environmental threats, hazards, and opportunities for unauthorized access;

  • Framer performs a periodic risk analysis and assessment;

  • Surveillance systems including alarms and, as appropriate, CCTV monitoring;

  • Framer maintains an accurate and up-to-date inventory of all its networks, services, servers, and employee devices.

  4. Virtual/Data access control

Framer implements appropriate measures to prevent its systems from being used by unauthorized persons, including:

  • Individual, identifiable and role-based user account assignment;

  • Two factor authentication;

  • Access to Framer customer data is provided on an explicit need-to-know basis and follows the principle of least privilege;

  • The use of TLS is required to secure the transport of data, both on the internal network between services as well as the public network between the Framer applications and the Framer cloud infrastructure;

  • Framer’s TLS configuration requires at least TLS version 1.2 and the use of strong cipher suites, which support important security features such as Forward Secrecy;

  • To defend against downgrade attacks Framer has implemented HTTP Strict Transport Security;

  • Centralized, standardized password management and password policies;

  • Anti-malware and security patch management;

  • Framer achieves network segmentation boundaries at various layers of their cloud infrastructure by using a multi-account strategy within AWS to isolate production, development, and test environments, but also domains such as logging, security and marketing;

  • Remote access only via VPN, including appropriate authorization and multi-factor authentication through SSO with enforced two-factor authentication;

  • Logs are collected centrally and ingested into our SIEM for monitoring, alerting, and investigation in the event of misuse or a security incident;

  • Framer’s Service is only available (except for its public web applications and APIs) on the internal network, and accessible by employees using a VPN or single sign-on proxy.

  5. Data center security

Framer uses Amazon Web Services (“AWS”) for hosting its Service. This platform has all the controls in place to guarantee the security and availability of Framer’s Service, including the platform. For detailed information regarding Amazon datacenter security, see the AWS data center security overview.

  6. Encryption controls

Framer has recognized encryption measures in place at an appropriate level, in accordance with good industry practices for data in transit and data at rest:

  • Remote access to internal systems is managed through SSO via Google Workspace, with multi-factor authentication enforced for all users;

  • Data in transit is protected using TLS (version 1.2 or higher) for all communications between clients, services, and third-party integrations;

  • Data at rest is protected using AES with 256-bit keys, applied at the storage layer across databases, file and object storage, and backups.

  7. Availability controls

Framer uses AWS infrastructure which provides resilient data availability. Examples of measures include:

  • Framer’s databases are deployed across multiple availability zones;

  • Backups of Framer’s databases are continuous (point-in-time) and stored off-site;

  • The restoration of backups is tested and verified every 30 days;

  • All Framer customer data is stored redundantly at multiple AWS data centers (availability zones) to ensure availability.


APPENDIX 1 - Cross-border Transfer Mechanisms

  1. Order of precedence

    Where more than one of the transfer mechanisms referred to in section 7.2 of the DPA could apply to a given transfer, a single mechanism shall apply, in the following order of precedence: (i) the EU-US, Swiss-US or UK Extension to the EU-US Data Privacy Framework, where the recipient is certified under the applicable framework; (ii) the SCCs, as incorporated and completed in section 2 of this Appendix; (iii) for transfers subject to UK data protection laws, the UK International Data Transfer Addendum, and for transfers subject to Swiss data protection law, the SCCs as adapted for Switzerland, in each case as set out in sections 3 and 4 of this Appendix; and (iv) any other transfer mechanism permitted under Chapter V of the GDPR or applicable data protection law.

  2. SCCs between the Parties

    To the extent that a transfer of personal data between the Customer (as data exporter) and Framer (as data importer) constitutes a restricted transfer under Chapter V of the GDPR - including where the contracting Framer entity is located outside the EEA, or where the Customer is established in a country outside the EEA that is not subject to an adequacy decision - the SCCs are incorporated into this DPA by reference and apply as follows: (a) Module Two (controller to processor) where Framer acts as importer of the Customer's personal data; (b) Module Three (processor to processor) where the Customer acts as a processor on behalf of its own controller(s); and (c) Module Four (processor to controller) where Framer exports personal data to the Customer as a controller located outside the EEA. For the purposes of the SCCs: Clause 7 (docking clause) is omitted; in Clause 9, Option 2 (general written authorisation) applies, with the sub-processor process and timing set out in section 6 of the DPA; the optional wording in Clause 11 (redress) does not apply; and under Clauses 17 and 18 the SCCs are governed by the laws of the Netherlands and subject to the jurisdiction of the courts of the Netherlands. Annex I.A (List of Parties) of the SCCs is populated by the identification of the Parties in the preamble to this DPA; Annex I.B (Description of the Transfer) is populated by Annex I to this DPA; and Annex I.C (Competent Supervisory Authority) shall, for Module Two and Module Three, be the supervisory authority of the data exporter's place of establishment determined in accordance with Clause 13 of the SCCs, and for Module Four shall be the Dutch Data Protection Authority (Autoriteit Persoonsgegevens); Annex II to this DPA populates Annex II of the SCCs, and Framer's sub-processor list maintained in its Trust Center populates Annex III of the SCCs.
The Parties' execution of the Agreement constitutes execution of the SCCs by the data exporter and the data importer, each of which is duly authorised to do so.

  3. UK Transfers

    Where UK data protection laws apply to a restricted transfer, the International Data Transfer Addendum issued by the UK Information Commissioner's Office (version B1.0) applies to that transfer with England and Wales as the governing law and forum, and the Tables in Part 1 of the IDTA are completed as follows: Table 1 (Parties) by the identification of the Parties in the preamble to this DPA; Table 2 by reference to the version of the SCCs and the Modules incorporated in section 2 of this Appendix; Table 3 (Appendix Information) by Annex I to this DPA (as Annex 1B), Annex II to this DPA (as Annex II) and Framer's sub-processor list at trust.framer.com (as Annex III); and Table 4 permits each of the Importer and the Exporter to end the IDTA when the ICO's Approved Addendum changes, and to the extent UK data protection laws apply, references in this DPA to the GDPR include the UK GDPR and the Data Protection Act 2018.

  4. Swiss Transfers

    Where Swiss data protection law applies, the SCCs apply with the adaptations necessary under the Swiss Federal Act on Data Protection (including recognition of the Swiss Federal Data Protection and Information Commissioner as a competent authority). The following further adaptations apply to such Swiss transfers: (a) the term “Member State” shall not be interpreted so as to exclude data subjects in Switzerland from enforcing their rights at their place of habitual residence in accordance with Clause 18(c) of the SCCs; and (b) references in this DPA and the SCCs to the GDPR shall, to that extent, be deemed to refer also to the FADP.

  5. Liability, conflict and audit

    For the purposes of Clause 12 of the SCCs, the liability of each Party to the other shall be subject to the limitations of liability set out in the Agreement, provided that nothing in this DPA shall limit the rights of any data subject under the SCCs. In the event of any conflict between the SCCs and any other provision of this DPA or the Agreement in respect of a restricted transfer, the SCCs shall prevail. The audit and information obligations set out in section 11 of this DPA shall satisfy the audit and documentation requirements of the SCCs (including Clauses 8.9, as applicable to the relevant Module).