Data Processing Addendum

Last updated April 1st, 2025

DOUBLE ATELIER, INC., a Delaware Corporation
20 Jay St, Suite 1002, Brooklyn, NY 11201, USA

This Data Processing Addendum (“DPA”) is entered into by and between PSC Double Acquisition, LLC (“Double”) and the organization the customer using the Double Platform (“Customer”) pursuant to the Double Services Agreement available at https://withdouble.com/terms, as updated from time to time, or any other agreement between Customer and Double governing Customer’s use of the Services, as applicable (the “Agreement”). This DPA forms part of, and is subject to, the Agreement. Capitalized terms used but not otherwise defined herein shall have such meanings as set forth in the Agreement. In the event that Double Processes any Customer Personal Data (each as defined below) in the course of providing the Services to Customer under the Agreement, this DPA shall govern the Processing of such Customer Personal Data. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail solely with respect to the Processing of Customer Personal Data. To the extent that the SCCs (defined below) or the UK Addendum (defined below) are incorporated herein, such terms therein shall take precedence over both this DPA and the Agreement to the extent necessary to resolve the conflict or inconsistency. For the avoidance of doubt, execution of the Agreement shall be deemed to constitute signature and acceptance of this DPA and the SCCs and/or UK Addendum (as applicable) incorporated herein. Customer and Double hereby agree as follows:

1. BACKGROUND

1.1 Duties as a Processor. When providing the Services to the Customer, Double will act as the Processor of Customer Personal Data, and Double undertakes to Process Customer Personal Data on behalf of the Customer in accordance with the Agreement, this DPA and the documented instructions of the Customer, including Annex 1 attached hereto. The Processing will be performed exclusively within the framework of the Agreement or as otherwise required by applicable Data Privacy Laws. Except as required by applicable Data Privacy Laws, Double shall not use the Customer Personal Data for any purpose other than as specified in the Agreement and this DPA. The Customer will inform Double of any such purposes which may be prohibited by Data Privacy Laws (as applicable to each law). All Customer Personal Data that is Processed on behalf of the Customer shall remain the property of the Customer and/or the applicable Data Subjects.

1.2 Duties as a Controller. When Double Processes Customer Personal Data subject to Data Privacy Laws (as applicable to each law) for business operations incident to providing the Services to the Customer (for example, to create de-identified data sets or to communicate with the Customer about Double products and services in which the Customer may be interested), Double will act as a Controller of Customer Personal Data, as specified in greater detail below in Section 3.5 of this DPA.

2. DEFINITIONS

2.1 The following capitalized terms used in this DPA shall be defined as follows:

(a) "Controller" shall mean (i) a “controller” as that term is defined by the GDPR, (ii) a “business” as that term is defined by the CCPA, and/or (iii) any equivalent term under other Data Privacy Laws.

(b) "Customer Personal Data" means (i) "personal data" as defined in the GDPR, (ii) “personal information” as defined in the CCPA, and/or (iii) any equivalent term as defined in Data Privacy Laws, all as further described in Annex 1 to this DPA, that, in each case, Double Processes on Customer’s behalf in connection with Double’s provision of the Services.

(c) "Data Privacy Laws" means (i) the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR"), as well as any applicable national implementing legislation; (ii) the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the Swiss Federal Data Protection Act (“Swiss Data Protection Act”); (iv) United States state privacy and data protection laws, including the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”); and (v) any other data privacy or data protection laws that are presently applicable or may in the future become applicable to Customer and/or Customer Personal Data, together with their implementing and/or interpretive regulations, each of the foregoing as they may be amended, replaced or superseded from time to time.

(d) "Data Subject" has the meaning given in the GDPR, and shall also include “consumers” as defined by the CCPA, as well as other equivalent terms under Data Privacy Laws.

(e) "European Economic Area" or "EEA" means the Member States of the European Union and Switzerland.

(f) "Processing", “Process” or “Processes” has the meaning given in the GDPR or the equivalent term under other Data Privacy Laws.

(g) "Processor" shall mean (i) a “processor” as that term is defined by the GDPR, (ii) a “service provider” as that term is defined by the CCPA, and/or (iii) any equivalent term under other Data Privacy Laws.

(h) "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Personal Data.

(i) "Subprocessor" means any Processor engaged by Double to whom Double discloses Customer Personal Data.

(j) "Supervisory Authority" has the meaning given in the GDPR or the equivalent term under other Data Privacy Laws. Without limiting the foregoing, “Supervisory Authority” includes the California Privacy Protection Agency.

3. DATA PROCESSING

3.1 Instructions for Data Processing. Double will only Process Customer Personal Data in accordance with Customer’s written instructions. Except as may be otherwise required by Data Privacy Laws, the Agreement, including all addendums thereto, and this DPA shall be Customer’s sole, complete, and final instructions to Double in relation to the processing of Customer Personal Data. To the extent applicable Data Privacy Laws permit Customer to provide supplemental Processing instructions to Double, Double reserves the right to make corresponding reasonable adjustments to its fee schedule and/or to charge reasonable administrative fees commensurate with the costs of any new required Processing activities.

3.2 Processing of Customer Personal Data outside the scope of this DPA or the Agreement will require prior express written agreement between Double and Customer, setting forth additional instructions for such Processing. Without limiting the foregoing, Double agrees that it will not “sell” Customer Personal Data within the meaning of applicable Data Privacy Laws, or “share” Customer Personal Data within the meaning of the CCPA. Where required by Data Privacy Laws, Double also will not combine Customer Personal Data with other personally identifiable information it receives from or on behalf of others or in its own capacity, except as permitted by such Data Privacy Laws.

3.3 Lawful Basis. Customer hereby represents and warrants to Double that Customer has obtained all necessary consents, or established an alternative lawful basis or bases, for the Processing of Customer Personal Data by Double in accordance with the Agreement. Customer will furnish reasonable documentation evidencing the lawful basis or bases for Double’s Processing as may be reasonably requested by Double from time to time.

3.4 Special Categories of Customer Personal Data. Customer hereby represents and warrants to Double that Customer will not, without Double’s prior written consent, provide Double with any “special categories” data, as defined in GDPR, or any sensitive personal information (or any equivalent term), as defined in any applicable Data Privacy Laws.

3.5 To the extent Double uses or otherwise Processes Customer Personal Data subject to Data Privacy Laws (as applicable to each law), including, but not limited to, communicating with Customer’s employees regarding Double’s products and service offerings, Double will comply with the obligations of a Controller under Data Privacy Laws (as applicable to each law) for such use. Without limiting Double’s obligations as a Controller under other applicable Data Privacy Laws, Double is accepting the added responsibilities of a Controller under GDPR for such Processing to: (a) act consistent with regulatory requirements, to the extent required under GDPR; and (b) provide increased transparency to the Customer and confirm Double’s accountability for such Processing. Double employs safeguards to protect Customer Personal Data in such Processing, including those identified in this DPA and those contemplated in Article 6(4) of the GDPR.

4. TRANSFER OF PERSONAL DATA

4.1 Authorized Subprocessors. Customer hereby consents and agrees to Double’s engagement of Subprocessors to Process Customer Personal Data, including, without limitation, Double’s engagement of the Subprocessors listed at https://withdouble.com/data-processing-addendum. Upon Customer’s reasonable written request, Double shall provide Customer with a list of any additional Subprocessors currently engaged by Double.

4.2 Double shall notify Customer from time to time of the identity of any new Subprocessors engaged by Double following the Effective Date. Such notice may be provided by Double via email or by providing Customer with a link to a webpage containing updated information regarding Double’s Subprocessors. If Customer (acting reasonably) objects to a new Subprocessor on grounds related to the protection of Customer Personal Data only, then without prejudice to any right to terminate the Agreement, Customer may request that Double move the Customer Personal Data to another Subprocessor and Double shall, if possible within a reasonable time following receipt of such request, use reasonable measures to accommodate such request. If it is not reasonably possible to use another Subprocessor, and Customer continues to object for a legitimate reason relating to protection of Customer Personal Data, either party may terminate the Agreement without additional liability on thirty (30) days’ written notice. If Customer does not object within thirty (30) days of the date of Double’s notice, Customer will be deemed to have accepted the new Subprocessor.

4.3 Liability of Subprocessors. Double will be liable to Customer for the acts and omissions of any Subprocessor with respect to the Processing of Customer Personal Data to the same nature and extent that Double is liable to Customer for its own acts and omissions hereunder and under the Agreement.

4.4 International Transfers.

(a) Standard Contractual Clauses. Where adequate safeguards are required under GDPR or the Swiss Data Protection Act with respect to the transfer of Customer Personal Data to Double in a third country, the most recent standard contractual clauses for the transfer of personal data to third countries (module two – transfer controller to processor), as approved by the European Commission (the “SCCs”) shall be deemed to be adopted and incorporated into this DPA as the basis for any such international transfers contemplated under this Section 4.4, and shall be completed as follows: Module One (controller to controller transfers) shall apply when Double is the Controller of Customer Personal Data; Module Two (controller to processor transfers) shall apply when Double acts as the Processor of Customer Personal Data; in Clause 7, the optional docketing clause will apply; in Clause 9, Option 2 (General Written Authorisation) will apply, and the time period for prior notice of new Subprocessors shall be as set forth in Section 4.2 of this DPA; in Clause 11, the optional language will not apply; in Clause 17, Option 1 will apply, and the SCCs will be governed by Irish law; in Clause 18(b), disputes shall be resolved before the courts of Ireland; and Annex I and Annex II of the SCCs shall be deemed completed with the information set forth in Annex I and Annex II to this DPA.

(b) UK Addendum. Where adequate safeguards are required under UK GDPR with respect to the transfer of Customer Personal Data to Double in a third country, the SCCs, along with the International Transfer Addendum or Addendum to the SCCs for international data transfers issued under Section 119A of the Data Protection Act 2018 and approved by UK Parliament on 21 March 2022 (the “UK Addendum”), shall be deemed to be adopted and incorporated into this DPA as the basis for any such international transfers contemplated under this Section 4.4.

(c) Conflicts. In the event of any conflict between the terms of this DPA, on the one hand, and the SCCs or the UK Addendum, on the other hand, the SCCs or the UK Addendum (as applicable) shall control.

5. DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS

5.1 Double Security Obligations. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Double will implement such appropriate technical and organizational measures as are required by Data Privacy Laws (as applicable to each law) that are designed to ensure a level of security appropriate to such risk, including the measures set out in Annex 2. Double does not guarantee that such technical and organizational measures are effective under all circumstances.

5.2 Customer will only make Customer Personal Data available to Double if it is assured that the necessary technical and organizational measures have been taken.

5.3 Upon Customer’s reasonable request, Double will disclose information reasonably necessary to demonstrate Double’s compliance with this DPA.

5.4 Security Incident Notification. If Double becomes aware of a Security Incident affecting Customer Personal Data in its possession or control, or receives notice of such Security Incident from one of its Subprocessors, Double will (a) promptly notify Customer of the Security Incident after becoming aware of such Security Incident, (b) investigate the Security Incident and, upon Customer’s reasonable request, provide Customer (and any law enforcement or regulatory official, as may be required) with reasonable assistance as may be required to investigate and mitigate the effects of the Security Incident, and (c) promptly take steps necessary to remedy any non-compliance with this DPA. Except as may otherwise be required by applicable laws, the foregoing obligations described in this Section 5.3 shall constitute Customer’s sole remedy, and Double’s sole liability, in the event of any Security Incident.

5.5 Customer Employees and Personnel. Double will treat the Customer Personal Data as confidential, and shall ensure that any Double employees or other personnel with access to the Customer Personal Data have agreed in writing to protect the confidentiality and security of Customer Personal Data.

5.6 Audits. Double will, upon Customer’s reasonable advance written request, allow for and contribute to audits, including inspections, of those books and records reasonably necessary and relevant to verify Double’s compliance with this DPA, conducted by Customer (or a third party on Customer’s behalf) provided that (i) Double is given a minimum of thirty (30) days advance written notice of such audit, (ii) such audits or inspections are not conducted more than once per year (unless requested by a Supervisory Authority); (iii) are conducted only during Double’s normal business hours; and (iv) are conducted in a manner that causes minimal disruption to Double’s operations and business. Customer agrees that all information, documents, and other materials collected during the course of any audits constitutes Confidential Information of Double, and may not be used for any purpose other than to verify Double’s compliance with this DPA. Customer further agrees that audits under the SCCs and UK Addendum will be conducted in accordance with this Section 5.5.

6. ACCESS REQUESTS AND DATA SUBJECT RIGHTS

6.1 Government Disclosure. Double will promptly notify Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) unless otherwise prohibited by law or a legally binding order of such body or agency.

6.2 Data Subject Rights. Customer shall ensure that the Data Subjects can avail themselves of their rights under applicable Data Privacy Laws, with the reasonable assistance of Double as required by such Data Privacy Laws and as described in this Section 6.2. Where applicable, and taking into account the nature of the Processing, Double will use reasonable endeavors to assist Customer by implementing appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfilment of Customer’s obligation to respond to requests by Data Subjects to exercise their rights under applicable Data Privacy Laws. Where permitted by applicable Data Privacy Laws, as to requests by Data Subjects made directly to Double relating to Customer Personal Data in Double’s possession, Double will notify Customer (email sufficing) and may inform the Data Subject that the request cannot be acted upon because the request has been sent to a Processor.

7. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

7.1 To the extent required under applicable Data Privacy Laws, upon Customer’s reasonable request, Double will provide Customer with reasonably relevant information to enable Customer to carry out data protection impact assessments, transfer assessments, or prior consultations with any Supervisory Authority, in each case solely in relation to Double’s Processing of Customer Personal Data and taking into account the nature of the Processing and information available to Double; provided, however, that where Customer requests assistance of any type that (i) is unnecessary, (ii) is not required of a Processor under applicable Data Privacy Laws, or (iii) is highly burdensome or costly, Double may charge a reasonable administrative fee as a condition to providing such assistance.

8. TERMINATION

8.1 Deletion of data. Except as otherwise set forth in the Agreement, and subject to Section 8.2 below, Double will, at Customer’s direction within ninety (90) days of the date of termination of the Agreement: delete and use all reasonable efforts to delete and/or procure the deletion of Customer Personal Data Processed by Double or any of its Subprocessors; or return a complete copy of all Customer Personal Data by secure file transfer in a mutually-agreed method and format.

8.2 Double and its Subprocessors may retain Customer Personal Data to the extent required by any applicable laws. Any retained Customer Personal Data shall continue to be subject to this DPA.

ANNEX 1

DETAILS OF THE PROCESSING

A. LIST OF THE PARTIES

Data exporter:

Name: The data exporter is the legal entity identified as “Customer” in the Agreement. Customer is a Controller with respect to Customer Information.

Activities relevant to the data transferred under these Clauses: The data importer provides Services to the data exporter in accordance with the Agreement.

Role (controller/processor): Customer is the data controller.

Data importer:

Name: PSC Double Acquisition, LLC

Address: 206B West James Street, Lancaster PA 17603

Contact person’s name, position and contact details: Marlee Secary, Chief Operating Officer, [email protected]

Activities relevant to the data transferred under these Clauses: The data importer provides Services to the data exporter in accordance with the Agreement.

Role (controller/processor): Double is the data processor.

B. DESCRIPTION OF THE TRANSFER

Categories of data subjects whose personal data is transferred: The Customer Personal Data being processed concerns the following categories of data subjects:

  • Customer
  • Employees or other individuals affiliated with Customer’s employer/organization
  • Customer’s business contacts
  • Customers and end users of Customer’s employer/organization

Categories of personal data transferred: The Customer Personal Data being processed concerns the following types of personal data:

  • Full name and contact information
  • Company name and job title
  • Billing and payment information
  • Any other personal data uploaded, submitted, or otherwise provided to Double by Customer in its sole discretion.

Double does not want to, nor does it intentionally, collect or process any Sensitive Data in connection with the provision of the Services. To the extent that Sensitive Data is nevertheless introduced into Customer Information, Customer agrees that it is solely responsible for ensuring that sufficient safeguards are in place to protect such Sensitive Data and Double shall have no liability whatsoever in relation to such data.

Frequency of the transfer: Continuous during the term of the Agreement

Nature of the processing: The Customer Personal Data will be subject to the following basic processing activities:

  • Computing, storage and other processing necessary to provide, maintain, and improve the service provided to Customer pursuant to the Agreement; and/or
  • Disclosures in accordance with the Agreement, Customer’s instructions, and/or as compelled by applicable law.

Purpose of the processing: The data importer provides Services to the data exporter in accordance with the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As set forth in Section 8 of the DPA.

For transfers to (sub) processors, also specify subject matter, nature and duration of the processing: As set forth in Section 4 of the DPA.

C. COMPETENT SUPERVISORY AUTHORITY

As set forth in Section 4.4(a) of the DPA.

ANNEX 2

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Double will, at a minimum, implement the following types of security measures:

  • Data is encrypted in transport between client and server, using HTTPS
  • Server-side Double-managed databases are encrypted at rest
  • File uploads are stored on AWS S3, encrypted at rest, accessed with a short-lived link
  • Executives and Assistants are encouraged to use a password manager to share secrets.
  • We provide a complimentary 1Password vault to users that do not already use a similar service