Feezy | Data Processing Agreement

This Data Processing Agreement ("Agreement" or "DPA") is incorporated into and forms part of the Platform Terms of Use ("Principal Agreement") between the Customer and Feezy Pty Ltd (ACN 661 267 385) of 81–83 Campbell Street, Surry Hills NSW 2001, Australia ("Feezy", "Processor").

This Agreement applies to Customers of both Feezy products: the Feezy platform (feezy.io) and the HE Comply platform (hecomply.com). In this Agreement, "Customer" refers to any institution or agent that has entered into a Principal Agreement with Feezy, whether as an institution user of HE Comply or as an agent user of Feezy. The Customer is the Data Controller; Feezy is the Data Processor.

WHEREAS:

(A) the Customer acts as a Data Controller in respect of Personal Data processed through the Platform;

(B) the Customer wishes to engage Feezy to process certain Personal Data on its behalf as part of the Services;

(C) the Parties seek to implement an agreement that complies with applicable Data Protection Laws, including the EU GDPR, UK GDPR, and the Australian Privacy Act 1988 (Cth); and

(D) the Parties wish to record their respective rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

Unless otherwise defined, capitalised terms have the meanings set out below or in the Principal Agreement:

Agreement means this Data Processing Agreement, including all Annexes.

Applicable Laws means all laws applicable to the Processing, including the Data Protection Laws.

Company Personal Data means any Personal Data Processed by Feezy (or a Subprocessor) on behalf of the Customer under the Principal Agreement.

Cessation Date means the date on which Feezy ceases to provide Services to the Customer under the Principal Agreement.

Controller means the entity that determines the purposes and means of Processing Personal Data.

Data Protection Laws means the EU GDPR; the UK GDPR and Data Protection Act 2018; the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles; and any national or state laws implementing, supplementing, or replacing any of them, in each case as amended or replaced from time to time.

Data Subject means an identified or identifiable natural person to whom Personal Data relates.

EEA means the European Economic Area.

EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

Personal Data means any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws.

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

Processing means any operation or set of operations performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.

Processor means Feezy Pty Ltd, which Processes Personal Data on behalf of the Customer.

Restricted Transfer means a transfer of Personal Data from the EEA or UK to a country not deemed adequate under the EU GDPR or UK GDPR.

SCCs means the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as set out in Annex D.

Subprocessor means any processor engaged by Feezy to Process Company Personal Data on Feezy's behalf.

Supervisory Authority means a public authority competent for the supervision of the Processing of Personal Data under applicable Data Protection Laws.

UK Addendum means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office (version B1.0, 21 March 2022), as set out in Annex E.

UK GDPR means the EU GDPR as retained in UK law by the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

In the event of any inconsistency or conflict between this Agreement (including the Annexes) and the Principal Agreement, in relation to the Processing of Personal Data this Agreement prevails. In the event of any inconsistency or conflict between this Agreement and the SCCs or UK Addendum, the SCCs and UK Addendum prevail to the extent required by applicable Data Protection Laws.

 

2. Duration

 This Agreement commences on the effective date of the Principal Agreement and continues until the Cessation Date. Obligations relating to confidentiality, data protection, and the deletion or return of Personal Data survive termination as set out in this Agreement. 

 

3. Processing of Company Personal Data

3.1 Processing

a. Feezy shall:

i. Process Company Personal Data only on the documented instructions of the Customer (including as set out in this Agreement and the Principal Agreement), and notify the Customer if Feezy considers that any instruction infringes applicable Data Protection Laws;

ii. comply with all applicable Data Protection Laws in connection with its Processing of Company Personal Data;

iii. maintain records of Processing activities as required by Article 30(2) of the EU GDPR or equivalent provisions of applicable Data Protection Laws; and

iv. ensure that all staff with access to Company Personal Data are subject to enforceable obligations of confidentiality and have received appropriate data protection training.

b. The Customer instructs Feezy to Process Company Personal Data as necessary to perform the Services and as otherwise set out in Annex A (Processing Particulars).

c. Feezy shall not use Company Personal Data for its own purposes or for any purpose other than those documented by the Customer or set out in this Agreement. 

3.2 Anonymised and Aggregated Data

  1. Feezy may derive anonymised and aggregated insights from data processed through the Platform (including from Company Personal Data) for the purposes of product development, analytics, security monitoring, and service improvement, including for use in machine learning and artificial intelligence systems, provided that:

      1. such use is performed exclusively on data that has been irreversibly anonymised such that no individual person, customer, institution, or agent is identifiable from or through the data, consistent with Recital 26 of the EU GDPR; and

      2. Feezy does not attempt to re-identify any individual from anonymised or aggregated data.

  2.  Properly anonymised data is not Personal Data. Clause 3.4.1 does not constitute Processing of Personal Data and does not require the Customer's instruction. Feezy will not use identified Personal Data to train, fine-tune, or otherwise develop AI or machine learning models without the Customer's explicit prior written consent. 

 

4. Customer Obligations

The Customer shall:

    1. provide Company Personal Data to Feezy lawfully, fairly, and transparently;

    2. ensure that it has a valid legal basis under applicable Data Protection Laws for all transfers of Company Personal Data to Feezy; and

    3. provide all required notices to Data Subjects in accordance with applicable Data Protection Laws, including notifying Data Subjects that their Personal Data may be processed by Feezy as described in this Agreement.

 

5. Personnel

    1. Feezy shall take reasonable steps to ensure the reliability of all employees, agents, and contractors who have access to Company Personal Data, ensuring that access is strictly limited to those who need it to perform the Services.

    2. All persons with access to Company Personal Data shall be subject to enforceable confidentiality obligations or professional obligations of confidentiality.

    3. Feezy shall implement data minimisation measures to limit access to Company Personal Data to only what is necessary for the performance of the Services.

 

6. Security

    1. Feezy shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of Processing, having regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, including as required by Article 32 of the EU GDPR. The measures in place are described in Annex B (Security Measures).

    2. In assessing the appropriate level of security, Feezy shall take into account the risks presented by the Processing, in particular the risk of a Personal Data Breach.

 

7. Subprocessing

    1. The Customer hereby grants general authorisation for Feezy to engage the Subprocessors listed in Annex C. Feezy shall ensure that each Subprocessor is bound by written data protection obligations no less protective than those in this Agreement.

    2. Feezy shall provide at least 15 days' prior written notice of any intended addition, replacement, or other material change to its Subprocessors ("Change Notice").

    3. The Customer may object to any proposed Subprocessor change on reasonable data protection grounds by written notice within the Change Notice period. If the parties cannot agree on a commercially reasonable mitigation within 30 days of the objection, the Customer may terminate the affected Services without penalty.

    4. Feezy remains fully liable for the acts and omissions of each Subprocessor as if they were Feezy's own.

 

8. Data Subject Rights

    1. Taking into account the nature of the Processing, Feezy shall assist the Customer, through appropriate technical and organisational measures, to fulfil the Customer's obligations to respond to Data Subject requests to exercise their rights under applicable Data Protection Laws.

    2. Feezy shall promptly notify the Customer if it receives a request from a Data Subject in respect of Company Personal Data and shall not respond to that request except on the Customer's documented instructions or as required by applicable law.

 

9. Personal Data Breach

    1. Feezy shall notify the Customer without undue delay, and in any event within 48 hours of becoming aware, of any Personal Data Breach affecting Company Personal Data. The notification shall include such information as is required by Article 33 of the EU GDPR (or equivalent) as it becomes available.

    2. Feezy shall cooperate with the Customer and take reasonable steps directed by the Customer to assist in the investigation, mitigation, and remediation of any such Personal Data Breach.

    3. Where a Personal Data Breach is likely to result in a high risk to the rights and freedoms of Data Subjects, Feezy shall provide the Customer with such information and reasonable assistance as the Customer requires to fulfil its obligations to communicate the breach to affected Data Subjects under Article 34 of the EU GDPR or equivalent provisions of applicable Data Protection Laws.

 

10. Data Protection Impact Assessments

    1. Feezy shall provide reasonable assistance to the Customer with any data protection impact assessments or prior consultations with Supervisory Authorities that the Customer reasonably considers to be required by Article 35 or 36 of the EU GDPR or equivalent provisions of applicable Data Protection Laws, to the extent they relate to the Processing of Company Personal Data by Feezy.

    2. Upon reasonable written request, Feezy shall make available to the Customer summaries of independent third-party audit reports and certifications (such as ISO/IEC 27001 or SOC 2 reports) relevant to the Services, subject to appropriate confidentiality obligations.

 

11. Deletion and Return of Company Personal Data

    1. Within 10 Business Days of the Cessation Date, at the Customer's written election, Feezy shall either:

      1. return to the Customer all Company Personal Data in a commonly used, machine-readable format and thereafter delete all remaining copies; or

      2. securely delete all Company Personal Data and certify such deletion in writing.

    2. Where applicable laws require Feezy to retain Company Personal Data beyond the Cessation Date, Feezy shall notify the Customer of the legal requirement, isolate and protect the retained data from further processing, and delete it promptly once the legal requirement ceases.

    3. Feezy shall not retain Company Personal Data for longer than is necessary for the provision of the Services, except as required by applicable law.

 

12. Audit Rights

    1. Feezy shall, on reasonable written request (and no more than once per calendar year unless a Personal Data Breach has occurred), make available to the Customer all information reasonably necessary to demonstrate compliance with this Agreement and shall cooperate with audits and inspections by the Customer or an auditor appointed by the Customer.

    2. Audits shall be conducted during normal business hours with at least 30 days' prior written notice and shall be subject to reasonable confidentiality obligations. The Customer shall bear the costs of any audit unless the audit reveals a material non-compliance by Feezy.

 

13. Data Transfers

    1. Feezy routes Customer data as follows:

      1. Where the Customer, or any party to a Contract processed through the Platform, has a presence within the EEA, the relevant data is stored on AWS infrastructure located in Dublin, Ireland (within the EEA); and

      2. In all other cases, data is stored on AWS infrastructure located in Sydney, Australia.

    2. To the extent that any transfer of Company Personal Data from the EEA to a third country constitutes a Restricted Transfer, the Parties shall rely on the SCCs set out in Annex D (Module 2: Controller to Processor). The SCCs apply automatically to any such Restricted Transfer without further action by the Parties.

    3. To the extent that any transfer of Company Personal Data from the UK to a third country constitutes a Restricted Transfer under the UK GDPR, the Parties shall rely on the UK Addendum set out in Annex E, which supplements and modifies the SCCs for the purposes of UK transfers.

    4. Feezy shall implement any supplementary technical and organisational safeguards required in connection with a Restricted Transfer and shall conduct a Transfer Risk Assessment prior to initiating any new Restricted Transfer, the results of which shall be made available to the Customer on request.

    5. Feezy may update the SCC and UK Addendum references in this Agreement to reflect any replacement clauses formally adopted by the European Commission, UK ICO, or other competent authority, with notice to the Customer.

 

14. Confidentiality

Each party shall keep this Agreement and all Confidential Information received from the other party in connection with this Agreement confidential and shall not use or disclose such Confidential Information without the other party's prior written consent, except:


A. to the extent required by applicable law, court order, or regulatory authority; or

B. to the extent the information is already in the public domain through no fault of the receiving party.

 

15. General

    1. This Agreement (including its Annexes) constitutes the entire agreement between the Parties regarding the Processing of Personal Data and supersedes all prior representations or agreements on the same subject.

    2. No third party has rights under this Agreement, except where Data Protection Laws confer enforceable rights on Data Subjects.

    3. All notices under this Agreement must be in writing to the addresses set out in the Principal Agreement. Notices to Feezy for data protection matters should be directed to: legal@feezy.io or legal@hecomply.com.

    4. This Agreement is governed by the laws of New South Wales, Australia, except that the SCCs and UK Addendum are governed by the laws specified therein (EU Member State law and the laws of England and Wales respectively).

 

ANNEX A - Processing Particulars

A.1 Subject Matter

The subject matter of the Processing is Feezy's provision of Software-as-a-Service (SaaS) platforms for contract upload, management, eSigning, and compliance, including storage, retrieval, and processing of contract data and associated CRM functionality, operated under the Feezy (feezy.io) and HE Comply (hecomply.com) brands.

A.2 Duration

Processing continues for the term of the Principal Agreement between Feezy and the Customer, including any renewal periods, and until completion of deletion or return of Personal Data in accordance with clause 11.

A.3 Nature and Purpose of Processing

Feezy processes Personal Data as necessary to:

(a) provide and operate the Platform, including user account creation, authentication, and access management;

(b) enable contract upload, storage, lifecycle management (including expiry tracking, renewal reminders), and retrieval;

(c) facilitate eSigning envelope creation, distribution, and execution via the DocuSign integration;

(d) enable co-management of Contracts between institutions and agents;

(e) operate CRM functions and communicate with Customer contacts via transactional and support communications;

(f) provide analytics, reporting, and platform monitoring; and

(g) provide support, maintenance, security monitoring, and compliance with applicable law.

A.4 Types of Personal Data

The Personal Data processed may include (without limitation):

(a) Identification data: names, job titles, roles, digital signatures, user identifiers;

(b) Contact data: email addresses, telephone numbers, business addresses;

(c) Authentication data: login credentials, IP addresses, session activity logs;

(d) Contract data: commission agreements, agency partnership contracts, eSigned documents, and any personal data contained within those documents; and

(e) Usage data: system logs, device information, and Platform activity data.

A.5 Categories of Data Subjects

The categories of Data Subjects may include:

(a) Customer personnel (employees, contractors, Authorised Users);

(b) Counterparties to Contracts (e.g. signatories, contract representatives, agents);

(c) Students, to the limited extent that the Customer uploads student identifiers or placement data through the Platform; and

(d) Any other natural persons whose Personal Data is contained within contract documents or CRM records.

A.6 Obligations and Rights of the Controller

The Controller's obligations and rights include: the right to issue documented processing instructions; the right to require assistance with Data Subject rights, DPIAs, and breach notifications; the right to audit Feezy's compliance with this Agreement; and the right to require deletion or return of Personal Data.

 

ANNEX B - Security Measures

Feezy implements and maintains the following technical and organisational security measures:

B.1 Access Controls

(a) Role-based access controls applying the principle of least privilege;

(b) Multi-factor authentication for administrative and privileged accounts;

(c) Strong password policies and session timeout enforcement;

(d) Comprehensive logging and monitoring of access to Company Personal Data; and

(e) Immediate revocation of access upon termination of employment or contractor engagement.

B.2 Encryption

(a) Personal Data encrypted in transit using TLS 1.2 or higher;

(b) Personal Data encrypted at rest using AES-256 or equivalent; and

(c) Secure encryption key management consistent with FIPS 140-2 standards.

B.3 System Integrity and Availability

(a) Firewalls, intrusion detection systems, and anti-malware protection;

(b) Logical isolation of Customer data from other tenants;

(c) Redundant architecture across multiple AWS availability zones within the applicable AWS region (Dublin for EU-connected Customers; Sydney for all others); and

(d) Regular patching and vulnerability remediation of infrastructure and applications.

B.4 Backup and Disaster Recovery

(a) Daily encrypted backups of Customer data;

(b) Backups stored in geographically separate availability zones within the same AWS region as the primary data; where cross-region backups are implemented, the applicable regions and transfer safeguards will be documented and made available to the Customer on written request;

(c) Recovery Point Objective (RPO): ≤ 12 hours;

(d) Recovery Time Objective (RTO): ≤ 24 hours; and

(e) Quarterly disaster recovery testing.

B.5 Monitoring and Testing

(a) Continuous monitoring for unauthorised or anomalous activity;

(b) Regular vulnerability scanning and remediation;

(c) Annual penetration testing by independent security professionals; and

(d) Security incident response plan with a 48-hour Personal Data Breach notification capability.

B.6 Organisational Measures

(a) Mandatory data protection and information security training for all staff;

(b) Confidentiality agreements for all staff with access to Personal Data;

(c) Vendor and Subprocessor due diligence, contractual data protection obligations, and ongoing monitoring;

(d) Secure device management policies including encryption, remote wipe, and patching; and

(e) Annual review of security policies and controls against ISO 27001 / NIST CSF benchmarks.

 

ANNEX C - Subprocessor List

Feezy engages the following Subprocessors to deliver the Services. Feezy has entered into data processing agreements with each Subprocessor that impose data protection obligations no less protective than those in this Agreement.  

| Subprocessor | Details |
| --- | --- |
| Amazon Web Services, Inc. (AWS) | Purpose: Cloud hosting, infrastructure, storage, and transactional email (AWS SES). Locations: Dublin, Ireland (EU) and Sydney, Australia. Transfer mechanism: EU SCCs (2021/914) Module 2 (Controller → Processor) + UK Addendum. AWS DPA: aws.amazon.com/agreement |
| Stripe, Inc. | Purpose: Payment processing and subscription billing. Location: United States (with global infrastructure). Transfer mechanism: EU SCCs (2021/914) Module 2 + UK Addendum. Stripe DPA: stripe.com/legal/dpa |
| DocuSign, Inc. | Purpose: Electronic signature and contract execution services (HE Comply platform). Locations: Australia / EEA, configurable by account region. Current production account: Australia (AWS AP-Southeast-2). EU account pending configuration. Transfer mechanism: EU SCCs (2021/914) Module 2 + UK Addendum. DocuSign DPA: docusign.com/company/privacy-policy |
| HubSpot, Inc. | Purpose: CRM platform and customer communications (internal team use, client contact management). Locations: United States (with EU data centre replication). Transfer mechanism: EU SCCs (2021/914) Module 2 + UK Addendum. HubSpot DPA: legal.hubspot.com/dpa |
| Google LLC (Google Workspace) | Purpose: Team email, productivity tools, and internal communications (may incidentally process client contact data). Locations: Primary EEA processing with global replication. Transfer mechanism: EU SCCs (2021/914) Module 3 (Processor → Processor) + UK Addendum. Google DPA: workspace.google.com/terms/dpa_terms.html |

Feezy maintains an up-to-date list of Subprocessors. Customers will be notified in advance of any addition or replacement in accordance with clause 7.b.

 

ANNEX D - EU Standard Contractual Clauses

The following clauses are the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller to Processor), as required for Restricted Transfers from the EEA to third countries. These clauses are incorporated into this Agreement as legally binding obligations of the Parties.

For the purposes of these SCCs: the "data exporter" is the Customer (Controller); the "data importer" is Feezy Pty Ltd (Processor). The Appendix information (Annex I, II, and III to the SCCs) is as set out in Annexes A, B, and C of this Agreement respectively.

 

Section I — General Provisions

Clause 1 — Purpose and scope.

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

(b) The Parties agree to the clauses in order to adduce appropriate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of personal data as specified in Annex I.

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses shall be considered part of the Clauses.

Clause 2 — Effect and invariability of the Clauses.

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

Clause 3 — Third-party beneficiaries.

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer.

(b) This shall not affect the rights of data subjects under Regulation (EU) 2016/679.

Clause 4 — Interpretation. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

Clause 5 — Hierarchy. In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6 — Description of the transfer(s). The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 — Docking clause. (Optional) An entity that is not a party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time as a data exporter or as a data importer by completing the Appendix and signing Annex I.A. Once the Appendix is completed and signed, the acceding entity shall be treated as a party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

Section II — Obligations of the Parties

Clause 8 — Data protection safeguards. The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses. The data importer shall process the personal data only on documented instructions from the data exporter. The data importer shall process personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter. The data importer shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. The data importer shall notify the data exporter without undue delay if it is unable to follow the instructions given by the data exporter. The data importer shall not engage sub-processors without prior specific or general written authorisation from the data exporter. The data importer shall assist the data exporter in ensuring compliance with the obligations pursuant to Articles 32 to 36 of Regulation (EU) 2016/679. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete or return all personal data processed on behalf of the data exporter.

Clause 9 — Use of sub-processors. The data importer has the data exporter's general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list (addition or replacement of sub-processors) at least 15 calendar days in advance, giving the data exporter sufficient time to object to such changes before the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to exercise the right to object.

Clause 10 — Data subject rights. The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

Clause 11 — Redress. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

Clause 12 — Liability. Each party shall be liable to the other party/ies for any damages it causes the other party/ies by any breach of these Clauses. The Parties agree that if one party is held liable for a violation of these Clauses committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred.

Clause 13 — Supervision. The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

Section III — Local Laws and Obligations

Clause 14 — Local laws and practices affecting compliance with the Clauses.

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses.

(b) The data importer warrants that, in carrying out the assessment under paragraph (a), it has taken due account of the specific circumstances of the transfer, and the applicable laws and practices of the third country of destination.

Clause 15 — Obligations of the data importer in case of access by public authorities. The data importer shall use its best efforts to notify the data exporter and, where possible, the data subject if it receives a legally binding request from a public authority for disclosure of personal data relating to the transfer. The data importer shall not disclose personal data to a public authority except where required to do so under applicable law.

Section IV — Final Provisions

Clause 16 — Non-compliance with the Clauses and termination.

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses.

(b) In the event of material or persistent non-compliance, the data exporter may suspend the transfer of personal data to the data importer for as long as compliance is not restored or the contract is terminated.

Clause 17 — Governing law. These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where the data exporter is not established in an EU Member State, these Clauses shall be governed by the law of the EU Member State with the competent supervisory authority.

Clause 18 — Choice of forum and jurisdiction. Any dispute arising from these Clauses shall be resolved by the courts of the EU Member State in which the data exporter is established. Where the data exporter is not established in an EU Member State, disputes shall be resolved by the courts of the EU Member State with the competent supervisory authority.

 

ANNEX E - UK International Data Transfer Addendum

This Annex sets out the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office (version B1.0, in force 21 March 2022). This Addendum applies to Restricted Transfers of Personal Data from the United Kingdom to a third country and is entered into by the Customer (as Exporter) and Feezy (as Importer) as a supplement to the SCCs in Annex D.

Part 1: Tables

Table 1: Parties

| Field | Details |
| --- | --- |
| Exporter | The Customer, as identified in the Principal Agreement between the Customer and Feezy. |
| Importer | Feezy Pty Ltd (ACN 661 267 385) of 81–83 Campbell Street, Surry Hills NSW 2001, Australia. |
| Key Contact (Exporter) | As set out in the Principal Agreement. |
| Key Contact (Importer) | legal@feezy.io / legal@hecomply.com |

 

Table 2: Selected SCCs, Modules and Selected Clauses 

| Field | Details |
| --- | --- |
| Approved EU SCCs | The Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
| Selected Module | Module Two: Controller to Processor |
| Selected Clauses | Clause 7 (Docking clause): included. Clause 11 (Redress): optional text not included. Clause 17 (Governing law): law of Ireland. Clause 18(b) (Choice of forum): courts of Ireland. |

 

Table 3: Appendix Information

"Appendix Information" for this Addendum is as set out in Annexes A (Processing Particulars), B (Security Measures), and C (Subprocessor List) of this Agreement.

Table 4: Ending this Addendum when the Approved Addendum Changes

| Party | May end this Addendum as set out in Section 19 of this Addendum? |
| --- | --- |
| Exporter (Customer) | Yes |
| Importer (Feezy) | Yes |

 

Part 2: Mandatory Clauses

The mandatory clauses of the ICO-issued International Data Transfer Addendum (version B1.0, 21 March 2022) are incorporated into this Agreement by reference and form part of this Addendum. These clauses operate to modify and supplement the SCCs in Annex D for the purpose of UK Restricted Transfers. In the event of any inconsistency between this Addendum and the SCCs, this Addendum prevails to the extent required by applicable UK Data Protection Laws.

In summary, this Addendum: (a) amends the SCCs so that they operate for transfers subject to UK Data Protection Laws; (b) replaces references to "Regulation (EU) 2016/679" with references to "UK Data Protection Laws"; (c) replaces references to "Member State" and "EU" with references to the "UK"; (d) replaces supervisory authority references with the "Information Commissioner"; (e) provides that the Addendum is governed by the laws of England and Wales; and (f) provides that disputes shall be resolved by the courts of England and Wales.

The full text of the Approved Addendum is available at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-data-transfer-agreement-and-guidance/

 

 

Effective: March 2026