Data Processing Agreement
This Data Processing Agreement ("DPA") is incorporated into the Master Subscription Services Agreement between Cyware Labs, Inc. and [counterpartyName_NFhbBtY] (“Client”) (as amended and supplemented from time to time, the "Principal Agreement") for the purposes of complying with the Data Protection Law. [counterpartyName_NFhbBtY] shall act as controller (the “Controller” and “Client”) on its own behalf and on behalf of its Affiliates and Cyware Labs, Inc. shall act as processor (the “Processor”) on its own behalf and on behalf of its Affiliates. The terms used in this DPA shall have the meanings set forth in this DPA. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect. For the avoidance of doubt, references in this DPA to the Principal Agreement shall include this DPA.
In consideration of the mutual obligations set out herein, the parties hereby agree as follows:
1. Definitions
1.1 In this DPA, the following terms have the meanings set out below:
1.1.1 "Affiliate" means with respect to an entity, any current or future entity that, directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with such entity. Affiliate includes any successor (whether by dissolution, merger, consolidation, reorganization, or otherwise) to such entity or its business and assets;
1.1.2 "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. It shall have the same meaning ascribed to “controller” under the GDPR and UK GDPR and other equivalent terms under Data Protection Law as applicable.
1.1.3 "Controller Personal Data" means any Personal Data Processed by the Processor, any of the Processor’s Affiliates or Sub-processors on behalf of the Controller or the Controller’s Affiliates pursuant to or in connection with the Principal Agreement;
1.1.4 "Data Protection Law" means any of the following: (a) the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”); (b) the European Union ePrivacy Directive 2002/58/EC; (c) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the United Kingdom General Data Protection Regulation) (the “UK GDPR”); (d) the California Consumer Privacy Act of 2018, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, the Oregon Consumer Privacy Act, the Florida Digital Bill of Rights, the Texas Data Privacy and Security Act, the Montana Consumer Data Privacy Act, the Nebraska Data Privacy Act, the New Hampshire Data Privacy Act, the Delaware Personal Data Privacy Act, the Iowa Consumer Data Protection Act, the New Jersey Data Privacy Act, the Tennessee Information Protection Act, the Minnesota Consumer Data Privacy Act, and the Maryland Online Data Privacy Act, (collectively, “U.S. Data Protection Laws”); and (e) all applicable laws and regulations in any relevant jurisdiction with respect to data protection, the Processing of Personal Data or privacy as amended, re-enacted, replaced or superseded from time to time;
1.1.5 "Data Subject" has the same meaning as under the GDPR and UK GDPR and other equivalent terms under Data Protection Law as applicable;
1.1.6 "EU Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission in Decision (EU) 2021/914 as amended, re-enacted, replaced or superseded from time to time;
1.1.7 "Personal Data" means any information, including personal information, relating to an identified or identifiable natural person or as defined in and subject to Data Protection Law that Processor Processes on behalf of the Controller;
1.1.8 "Personal Data Breach" means a breach of security leading to any accidental, unauthorized or unlawful loss, disclosure, destruction, loss, alteration, unauthorized disclosure of, or access to Controller Personal Data transmitted, stored or otherwise processed by Licensor. A Personal Data Breach shall not include an unsuccessful attempt or activity that does not compromise the security of Controller Personal Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents;
1.1.9 "Processing" means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, securing, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction;
1.1.10 “Processor” means the entity which processes Personal Data on behalf of the Controller. It shall have the meaning ascribed to “processor” under the GDPR and other equivalent terms under other Data Protection Law applicable;
1.1.11 "Restricted Transfer" means (i) where the GDPR applies, a transfer of Controller Personal Data to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Controller Personal Data to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018;
1.1.12 "Services" means the products and services and other activities to be supplied to or carried out by or on behalf of the Processor, any of the Processor’s Affiliates or Sub-processors for the Controller or the Controller’s Affiliates pursuant to the Principal Agreement;
1.1.13 "Sub-processor" means any person appointed by or on behalf of the Processor or any of the Processor’s Affiliates to Process Controller Personal Data on behalf of the Controller or the Controller’s Affiliates in connection with the Principal Agreement; and
1.1.14 "UK Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to processors established in third countries approved under regulations in the United Kingdom as amended, re-enacted, replaced or superseded from time to time.
1.2 The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. Authority
2.1 The Processor warrants and represents that, before any of its Affiliates Processes any Controller Personal Data, the Processor’s entry into this DPA as agent for and on behalf of that Affiliate will have been duly and effectively authorized (or subsequently ratified) by that Affiliate. References in this DPA to the Processor shall include any of its Affiliates when any such Affiliate Processes Controller Personal Data.
3. Processing of Controller Personal Data
3.1 The Processor shall:
3.1.1 comply with all applicable Data Protection Law in the Processing of Controller Personal Data; and
3.1.2 only Process Controller Personal Data on documented written instructions from the Controller as set forth in this DPA unless Processing is required by Data Protection Law to which the Processor is subject, in which case the Processor will to the extent permitted by law inform the Controller of the legal requirement before Processing the Controller Personal Data.
3.2 The Controller:
3.2.1 instructs the Processor to:
(a) Process Controller Personal Data; and
(b) subject to section 12, transfer Controller Personal Data to any country or territory,
as reasonably necessary for the provision of the Services and consistent with the Principal Agreement;
3.2.2 warrants that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out in section 3.2.1 on behalf of each relevant Affiliate. References in this DPA to the Controller shall include any of its Affiliates in relation to Controller Personal Data of any such Affiliate; and
3.2.3 shall be solely responsible for ensuring that: a) all such notices have been given, and all such authorizations have been obtained, as required under Data Protection Law, for Processor (and its Affiliates and Sub-processors) to process Controller Personal Data as contemplated by the Agreement and this DPA; b) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including Data Protection Law; and c) it has the right to transfer, or provide access to, Controller Personal Data to Processor for processing in accordance with the terms of the Agreement and this DPA.
3.3 Annex 1 to this DPA sets out certain information regarding the Processor’s Processing of Controller Personal Data as required by article 28(3) of the GDPR and/or UK GDPR. The parties may make reasonable amendments to Annex 1 as agreed between them from time to time as necessary to meet those requirements.
3.4 Controller will ensure that its instructions comply with Data Protection Law. Controller acknowledges that Processor is neither responsible for determining which laws are applicable to Controller’s business nor whether Processor’s Services meet or will meet the requirements of such laws. Controller will ensure that Processor’s processing of Controller Personal Data, when done in accordance with Controller’s instructions, will not cause Processor to violate any applicable law, including Data Protection Law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Data Protection Law.
4. Processor Personnel
The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to Controller Personal Data, ensuring in each case that access is limited to those individuals who need to know/access the relevant Controller Personal Data, as necessary for the purposes of the Principal Agreement and to comply with Data Protection Law in the context of that individual's duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
5. Security
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR and/or UK GDPR.
5.2 In assessing the appropriate level of security, the Processor shall take into account the risks that are presented by Processing, in particular from Personal Data Breach.
5.3 Controller acknowledges that the security measures are subject to technical progress and development and that Processor may update or modify the security measures from time to time, provided that such updates and modifications do not result in the material degradation of the overall security of the Services purchased by the Controller.
6. Sub-processing
6.1 The Processor may continue to use those Sub-processors engaged by it and approved by the Controller as at the date of this DPA, subject to the Processor in each case meeting the obligations set out in this section 6.
6.2 The Processor must provide the Controller at least 30 days’ prior written notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor. The Processor shall not appoint (or disclose any Controller Personal Data to) a proposed Sub-processor until such Sub-processor has been approved by the Controller. Where the Controller does not approve the proposed Sub-processor based on grounds relating to the protection of Controller Personal Data, the Controller may elect to suspend or terminate the Principal Agreement without penalty.
6.3 With respect to each Sub-processor, the Processor shall:
6.3.1 before the Sub-processor first Processes Controller Personal Data, carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Controller Personal Data required by the Principal Agreement;
6.3.2 ensure that the arrangement between the Processor and the Sub-processor is governed by a written contract, including terms which offer at least the same level of protection for Controller Personal Data as those set out in this DPA and meet the requirements of article 28(3) of the GDPR and/or UK GDPR.
6.4 The Processor shall ensure that each Sub-processor performs the obligations in accordance with this DPA as if the Sub-processor were party to this DPA in place of the Processor. The Processor shall remain liable to the Controller for the performance of the Sub-processor’s obligations to the same extent the Processor would be liable for its performance of its own obligations.
7. Data Subject Rights
7.1 Taking into account the nature of the Processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligations, as reasonably understood by the Controller, to respond to requests to exercise Data Subject rights under the Data Protection Law.
7.2 Where the Controller reasonably requests assistance from the Processor with respect to Data Subject rights under the Data Protection Law, the Processor shall promptly provide such assistance, cooperation or information as reasonably requested by the Controller within the timescales required for the Controller to satisfy its obligations under the Data Protection Law.
7.3 Without prejudice to sections 7.1 and 7.2, the Processor shall:
7.3.1 promptly notify the Controller if it or a Sub-processor receives a request from a Data Subject under the Data Protection Law in respect of Controller Personal Data; and
7.3.2 ensure that it or a Sub-processor does not respond to that request except on the documented instructions of the Controller or as required by Data Protection Law, in which case the Processor shall to the extent permitted by Data Protection Law inform the Controller of that legal requirement before the Processor or Sub-processor responds to the request.
8. Personal Data Breach
8.1 The Processor shall notify the Controller without undue delay upon the Processor or any Sub-processor becoming aware of a Personal Data Breach affecting Controller Personal Data and shall within the same timescales provide the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Law. Such notification shall as a minimum:
8.1.1 describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Controller Personal Data records concerned;
8.1.2 communicate the name and contact details of the Processor’s data protection officer or other relevant contact from whom more information may be obtained;
8.1.3 describe the likely consequences of the Personal Data Breach; and
8.1.4 describe the measures taken or proposed to be taken to address the Personal Data Breach.
9. Data Protection Impact Assessment and Prior Consultation
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with the relevant supervisory authority or other competent data privacy authorities, which the Controller reasonably considers to be required of it by Data Protection Law, in each case solely in relation to Processing of Controller Personal Data by, and taking into account the nature of the Processing and information available to, the Processor.
10. Deletion or return of Controller Personal Data
10.1 Following cessation of any Services involving the Processing of Controller Personal Data, the Controller may in its absolute discretion by written notice to the Processor require the Processor to (a) return to the Controller all Controller Personal Data by secure file transfer; or (b) delete and procure the deletion of all other copies of Controller Personal Data Processed by any Processor’s Affiliate or Sub-processor.
10.2 The Processor may retain copies of Controller Personal Data to the extent required by Data Protection Law, other regulations, or legal processes and only to the extent and for such period as required by Data Protection Law, other regulations, or legal processes and always provided that the Processor shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only Processed as necessary for the purpose(s) specified in the Data Protection Law requiring its storage.
11. Audit rights
11.1 The Processor shall make available to the Controller on request all information as it relates to Services rendered to Controller under the terms of the Principal Agreement that might be reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the Processing of Controller Personal Data related to the Principal Agreement.
11.2 Information and audit rights of the Controller under this section 11 shall be without prejudice to any other information and audit rights under the Principal Agreement.
11.3 Controller may reasonably audit Processor’s Processing if: (i) Processor fails to provide the information required under Section 11.1; (ii) an audit is requested by a supervisory authority; (iii) once every twelve (12) months; or (iv) as otherwise required in accordance with Data Protection Law. Controller shall give Processor at least thirty (30) days prior written notice of any audit initiated pursuant to this Section 11. The date, time, place, and scope of such audits shall be mutually agreed by the parties.
12. International Transfers
12.1 The parties agree that no Restricted Transfer shall be permitted unless it takes place in compliance with Chapter V of the GDPR and/or UK GDPR (as appropriate).
12.2 The parties can ensure compliance with Chapter V of the GDPR and/or UK GDPR by using the EU Standard Contractual Clauses and/or the UK Standard Contractual Clauses (as appropriate). The parties hereby enter into the EU Standard Contractual Clauses and/or the UK Standard Contractual Clauses in respect of any Restricted Transfer in accordance with the provisions of this section 12. Each party warrants that it has the right to enter into the EU Standard Contractual Clauses and into the UK Standard Contractual Clauses as provided in this section 12 as agent for and on behalf of its respective Affiliates to or from whom a Restricted Transfer occurs.
12.3 The EU Standard Contractual Clauses and the UK Standard Contractual Clauses shall come into effect under this section 12 upon commencement of a Restricted Transfer, subject to the following conditions:
12.3.1 the EU Standard Contractual Clauses and the UK Standard Contractual Clauses shall be incorporated into this DPA by reference;
12.3.2 the "data exporter" shall be the relevant party or Affiliate of a party who undertakes a Restricted Transfer to the other party or an Affiliate of the other party;
12.3.3 the "data importer" shall be the relevant party or Affiliate of a party who receives Controller Personal Data pursuant to a Restricted Transfer from the data exporter;
12.3.4 in relation to a Restricted Transfer to which the GDPR applies, the EU Standard Contractual Clauses will apply completed as follows:
(i) the relevant module will apply according to whether or not the data exporter is acting as a controller or processor in respect of the transfer and whether or not the data importer is acting as a controller, processor or sub-processor in respect of the transfer;
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 9, Option 1 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Clause 6 of this DPA;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply, and the EU Standard Contractual Clauses will be governed by Irish law;
(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vii) Annex I of the EU Standard Contractual Clauses shall be deemed completed with the information set out in Annex 1 to this DPA;
(viii) Annex II of the EU Standard Contractual Clauses shall be deemed completed with the information set out in section 5 to this DPA; and
(ix) (where applicable) Annex III of the EU Standard Contractual Clauses shall be deemed completed with the information set out in Annex 2 to this DPA.
12.3.5 in relation to Restricted Transfer to which the UK GDPR applies, the UK Standard Contractual Clauses will apply completed as follows:
(i) Appendix 1 of the UK Standard Contractual Clauses shall be deemed completed with the information set out in Annex 1 to this DPA;
(ii) Appendix 2 of the UK Standard Contractual Clauses shall be deemed completed with the information set out in section 5 to this DPA; and
(iii) such other details that are set out in respect of the EU Standard Contractual Clauses, or apply by virtue of section 12.4 below, shall be incorporated into the UK Standard Contractual Clauses where appropriate.
12.3.6 if there is any conflict between on the one hand (i) this DPA or the Principal Agreement, and on the other hand (ii) the EU Standard Contractual Clauses or the UK Standard Contractual Clauses, the latter will prevail.
12.4 The parties acknowledge that the EU Standard Contractual Clauses and UK Standard Contractual Clauses may be subject to modification or replacement from time to time. If any modification or replacement is made, the EU Standard Contractual Clauses or UK Standard Contractual Clauses shall apply and such details that are referred to in sections 12.3.4 and 12.3.5 shall be deemed to be incorporated in the equivalent parts of the modified or replaced clauses. At the date of this DPA, the parties agree that the UK Standard Contractual Clauses shall be in the form approved by the Information Commissioner's Office for controller to processor transfers to third countries and the supplementary measures set out in Annex 3 of this DPA shall also apply, unless and until such time as the form of UK Standard Contractual Clauses are modified or replaced under applicable Data Protection Law.
12.5 The Processor shall not participate in (nor permit any Sub-processor to participate in) any other Restricted Transfers (whether as an exporter or an importer of the Controller Personal Data) unless the Restricted Transfer is made in full compliance with Data Protection Law and pursuant to the applicable EU Standard Contractual Clauses or UK Standard Contractual Clauses. For the avoidance of doubt, this shall not apply to onward
13. No Sale or Sharing
To the extent that the processing of Controller Personal Data is subject to U.S. Data Protection Laws, Processor is prohibited from: (a) selling Controller Personal Data or otherwise making Controller Personal Data available to any third party for monetary or other valuable consideration; (b) sharing Controller Personal Data with any third party for cross-behavioral advertising; (c) retaining, using, or disclosing Controller Personal Data for any purpose other than for the business purposes specified in this DPA or as otherwise permitted by U.S. Data Protection Laws; (d) retaining, using or disclosing Controller Personal Data outside of the direct business relationship between the parties; and (e) except as otherwise permitted by U.S. Data Protection Laws, combining Controller Personal Data with personal data that Processor receives from or on behalf of another person or persons, or collects from its own interaction with the data subject. Processor will notify Controller promptly if it makes the determination that it can no longer meet its obligations under applicable U.S. Data Protection Laws.
14. General Terms
14.1 Without prejudice to and save as and to the extent provided in clauses 17 (Governing Law) and 18 (Choice of forum and jurisdiction) of the EU Standard Contractual Clauses and in clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the UK Standard Contractual Clauses, as applicable:
14.1.1 the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
14.1.2 this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country stipulated for this purpose in the Principal Agreement.
14.2 In the event that applicable Data Protection Law is amended or replaced by subsequent legislation and such subsequent legislation requires amendments to this DPA, the parties will discuss such potential amendments to this DPA and, if agreed, will enter into an amendment agreement signed by each party to effect such amendments. In such case, neither party’s agreement or consent shall be unreasonably withheld, it being acknowledged by both parties that they will cooperate in good faith to comply with applicable law and regulation.
14.3 The parties may vary or rescind this DPA or any provision of it for and on its own behalf and on behalf of their Affiliates without having to obtain consent from any third party (including any Affiliate), so far as permitted under Data Protection Law and the EU Standard Contractual Clauses or UK Standard Contractual Clauses (where applicable).
14.4 The limitation of liability set forth in the Principal Agreement shall apply to this DPA.
ANNEX 1: DETAILS OF PROCESSING OF CONTROLLER PERSONAL DATA
This Annex 1 includes certain details of the Processing of Controller Personal Data as required by (i) Article 28(3) of the GDPR and/or UK GDPR, and (ii) the EU Standard Contractual Clauses and/or the UK Standard Contractual Clauses, if applicable.
1. Subject matter and duration of the Processing of Controller Personal Data
The subject matter and duration of the Processing of Controller Personal Data are set out in the Principal Agreement and this DPA.
2. The nature and purpose of the Processing of Controller Personal Data
The nature and purpose of the Processing of Controller Personal Data is solely for the purpose of providing the Services.
3. The types of Controller Personal Data to be Processed
Contact information, communication information, account information, application security information (passwords etc.), financial transaction information (if paying Processor)
4. The categories of Data Subject to whom Controller Personal Data relates
Data Subject and any authorized End Users
5. The obligations and rights of the Controller
The obligations and rights of Controller are set out in the Principal Agreement and this DPA.
6. If applicable:
Data exporter(s):
Name:
Address:
Contact person’s name, position and contact details:
Activities relevant to the data transferred:
Signature and date:
Role (controller/processor):
Data importer(s):
Name:
Address:
Contact person’s name, position and contact details:
Activities relevant to the data transferred:
Signature and date:
Role (controller/processor):
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
As may be required by the Principal Agreement, or if not specified in the Principal Agreement, the period required by applicable law.
8. Identify the competent supervisory authority/ies
For Processing of EU Controller Personal Data, the competent supervisory authority in Ireland. For Processing of UK Controller Personal Data, the competent supervisory authority in the UK.
ANNEX 2: LIST OF SUB-PROCESSORS
The Controller has authorised the use of the following Sub-processors:
Cyware’s contact person’s name and contact details: GRC Lead, grc@cyware.com
| Sub-processor | Product | Data Service Location | Processing Activity |
|---|---|---|---|
| Amazon Web Services, Inc. | Cyware Products | Global [per product configuration at Client’s direction] | Data Center Provider |
| Amazon Web Services, Inc. | Cyware Products | United States | Data Center Provider – Gov Cloud only |
| LearnUpon Ltd | Cyware Products | United States and EU | Customer Training |
| Okta, Inc. | Cyware Products & Internal Operations | United States, EMEA, Japan, and Australia | At Client’s election; Multifactor authentication, universal directory, lifecycle management, and single sign-on |
| OpenAI, L.L.C. | Cyware Products | US | Generative AI services provider for intelligence product features |
| Twilio, Inc. | Cyware Products | United States [default] | Customer Communications |
Please note: Cyware’s regional data hosting for Cyware’s own data is limited to the United States and India.
ANNEX 3: SUPPLEMENTARY MEASURES
1. The Processor will (and will procure that its Sub-processors will) notify the Controller if it can no longer Process the Controller Personal Data in compliance with Data Protection Law and the Principal Agreement.
2. Following a notification pursuant to paragraph 1 above that the Processor can no longer fulfil its data protection obligations, the parties shall promptly identify and agree appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted to address the situation.
3. The Processor shall suspend the Restricted Transfer if, after consideration with the Controller, the Controller determines that no appropriate safeguards for such transfer can be ensured. The Processor shall be relieved of its obligations under the Principal Agreement if and to the extent only that its performance is prevented or hindered as a result of the Restricted Transfer being suspended and the Processor has provided the Controller with written notice of such prevention or hindrance. In such circumstances, the parties shall promptly cooperate to find a suitable workaround to allow the performance of the Processor's obligations under the Principal Agreement.
4. If the Processor (or a Sub-processor) receives any request from a public authority for the disclosure of Controller Personal Data or becomes aware of any direct access by public authorities to Controller Personal Data, the Processor will (and will procure that its Sub-processors will):
(a) notify the Controller and provide regular updates, and use reasonable efforts to waive any prohibition on notification;
(b) review the legality of any request for disclosure; and challenge any request where possible; and
(c) if required to disclose information, only disclose the minimum necessary to comply with the request.