1. Introduction and Purpose

This UK Addendum ("UK Addendum") supplements and forms part of the GoldFynch Data Processing Addendum ("DPA") and the Standard Contractual Clauses ("SCCs"), as entered into between:

• Mazira LLC dba GoldFynch ("Vendor" / Data Importer), 136 S Dubuque Street, Iowa City, IA 52240; and
• The Customer ("Company" / Data Exporter).

This UK Addendum adapts the SCCs for the transfer of personal data from the United Kingdom to the United States, in accordance with:

• The UK General Data Protection Regulation (as retained in UK law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) ("UK GDPR");
• The Data Protection Act 2018 ("DPA 2018"); and
• The ICO's International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, in force 21 March 2022) ("IDTA"), issued under s.119A of the DPA 2018.

This UK Addendum forms part of the GoldFynch Data Transfer Compliance Pack (Part B, Document Ref: GF-IDTA-001).

2. Relationship to the GoldFynch DPA

2.1. This UK Addendum supplements the DPA. Capitalised terms used but not defined herein have the meanings given in the DPA.

2.2. The following amendments are made to the DPA for UK transfers:

• In DPA section 1.1.6 (Definition of "Data Protection Laws"): the definition is extended to expressly include the UK GDPR and the Data Protection Act 2018.
• In DPA section 1.1.8 (Definition of "EU Data Protection Laws"): references to EU Data Protection Laws shall, for UK data subjects, be read to include the UK GDPR and DPA 2018.
• In DPA section 1.1.9 (Definition of "GDPR"): references to "GDPR" shall, where the context relates to UK personal data, be read as references to the UK GDPR.
• In DPA section 1.1.10 (Definition of "Restricted Transfer"): the definition is extended to include transfers of personal data from the UK to any country not subject to UK adequacy regulations.
• DPA Section 12 (Restricted Transfers) is extended so that the Standard Contractual Clauses, as amended by this UK Addendum, apply to UK Restricted Transfers.

2.3. In the event of conflict between this UK Addendum and the DPA, this UK Addendum prevails for the purposes of UK Restricted Transfers.

3. Amendment of the Standard Contractual Clauses

3.1. The SCCs (as set out in the Data Transfer Compliance Pack, Part A, based on Commission Implementing Decision (EU) 2021/914) are hereby amended for UK transfers as follows, in accordance with the ICO's IDTA:

4. Table of Information (IDTA Part 1 – Mandatory)

The following information is required by the ICO's IDTA:

4.1. Parties

4.2. Selected SCCs and Module

• SCCs: EU SCCs (Commission Implementing Decision 2021/914), as set out in the Data Transfer Compliance Pack, Part A
• Module: Module 2 (Controller to Processor) — default; Module 3 (Processor to Processor) where the Company itself acts as Processor for a third-party Controller
• Clause 7 docking clause: Included

Note: If the Company is acting as a Processor on behalf of another Controller, GoldFynch will provide appropriate transfer clauses on request. Please contact support@goldfynch.com.

4.3. Appendix Information

The following information from the DPA and Compliance Pack is incorporated into this UK Addendum:

• Data Subjects: Legal professionals; clients of legal professionals; employees; managers; accountants; administrators; payees; individuals referenced in Company Content
• Categories of Personal Data: (1) Account/identifying data: name, email, phone number, billing address, credit card details, account preferences; (2) Usage data: IP address, browser type, ISP, location, date/time stamp, clickstream; (3) Company Content: emails, legal documents, ESI and other electronically stored information uploaded by Company
• Special Categories of Data: Not routinely processed; Company must notify GoldFynch if special category data is included in Company Content
• Processing Operations: Storage, indexing, search, retrieval, organisation and e-discovery processing of Company Content; account management and billing
• Technical and Organisational Security Measures: As set out in the Compliance Pack (Part A, Annex II and Part D) and Section 11 of the GoldFynch Privacy Policy
• Sub-processors: As set out in DPA Annex 1, Appendix 1 (Sub-processors list). All listed sub-processors are located in North America – US

4.4. Supervisory Authority

UK Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

4.5. Transfer Details

• Frequency of transfer: Continuous, for the duration of the Principal Agreement
• Nature of transfer: Remote access to cloud-hosted platform; data stored on Google Cloud infrastructure (North America – US)
• Retention period: As set out in DPA section 10; deletion within 14 days of Cessation Date

5. Transfer Safeguards

5.1. All sub-processors listed in DPA Annex 1, Appendix 1 are located in the United States. GoldFynch relies on this UK Addendum (incorporating the amended SCCs) as the lawful transfer mechanism for onward transfers to those sub-processors where required.

5.2. GoldFynch shall ensure that each sub-processor is bound by equivalent data transfer obligations to those set out in this UK Addendum and the DPA, consistent with DPA section 6.4.

5.3. GoldFynch has conducted a Transfer Impact Assessment under Clause 14 of the SCCs, formally documenting and assessing US surveillance law as it affects GoldFynch's data processing. This assessment is set out in the Data Transfer Compliance Pack (Part C) and is reviewed annually or when review triggers are met.

5.4. GoldFynch maintains a Supplementary Measures Register documenting technical, contractual and organisational safeguards in place, as set out in the Data Transfer Compliance Pack (Part D).

6. Data Subject Rights (UK GDPR)

6.1. In addition to its obligations under DPA section 7, GoldFynch shall assist Company in responding to UK data subject rights requests under the UK GDPR, including:

• Right of access (Article 15 UK GDPR)
• Right to rectification (Article 16 UK GDPR)
• Right to erasure (Article 17 UK GDPR)
• Right to restriction of processing (Article 18 UK GDPR)
• Right to data portability (Article 20 UK GDPR)
• Right to object (Article 21 UK GDPR)

7. Personal Data Breach

7.1. In addition to DPA section 8.1, where a Personal Data Breach affects UK personal data, GoldFynch shall notify Company without undue delay and, where feasible, within 48 hours of becoming aware of the breach, to enable Company to meet its 72-hour reporting obligation to the ICO under Article 33 UK GDPR.

8. Government Access Commitments

8.1. GoldFynch commits to notify Company of any legally binding request for access to Company Personal Data by a public authority, to the fullest extent permitted by law.

8.2. GoldFynch commits to challenge any government access request it reasonably considers unlawful or disproportionate before complying.

8.3. GoldFynch publishes an annual transparency report disclosing aggregate information on government access requests received (or confirming that none were received), to the extent permitted by law.

9. Revision of This UK Addendum

9.1. Should the ICO issue a revised or replacement Addendum under s.119A DPA 2018, GoldFynch will provide Company with no less than 30 days' written notice.

9.2. If Company reasonably determines that the revised version does not provide adequate protection, Company may terminate the affected Services by written notice within that 30-day period.

9.3. If Company does not accept a revised UK Addendum, the parties will work in good faith to agree an alternative lawful transfer mechanism; if they cannot, Company may terminate the affected Services.

10. Governing Law and Jurisdiction

10.1. This UK Addendum, and any non-contractual obligations arising from or in connection with it, shall be governed by and construed in accordance with the law of England and Wales. This is a mandatory requirement of the ICO's IDTA and applies to this UK Addendum only.

10.2. For the avoidance of doubt, the GoldFynch Terms of Service and DPA (other than this UK Addendum) continue to be governed by the law stipulated in the Principal Agreement.

10.3. The parties submit to the jurisdiction of the courts of England and Wales solely in respect of disputes arising under this UK Addendum.

10.4. Where the data exporter is established in Scotland or Northern Ireland, the parties may agree in writing to substitute the law and courts of that jurisdiction for those of England and Wales in sections 10.1 to 10.3 above.

11. Incorporation and Execution

11.1. This UK Addendum is incorporated automatically into the GoldFynch DPA for all Customers whose use of GoldFynch involves the transfer of UK personal data to GoldFynch.

11.2. Acceptance of the GoldFynch Terms of Service (Principal Agreement) constitutes acceptance of this UK Addendum. No separate signature is required.

11.3. Where a separately executed version is required, please contact GoldFynch support at support@goldfynch.com.

This UK Addendum should be read alongside the GoldFynch Privacy Policy, Data Processing Addendum, Data Transfer Compliance Pack, International Data Transfers: Customer Notice, and Terms of Service. For data protection queries, contact info@goldfynch.com.

Mazira LLC dba GoldFynch | 136 S Dubuque Street, Iowa City, IA 52240