Annex III — International Data Transfers (SCCs, UK Addendum, Swiss Addendum)
Last updated: 2026-04-23
This Annex governs the transfer of Personal Data from the European Economic Area, the United Kingdom or Switzerland to third countries where an adequacy decision does not apply. It incorporates the Standard Contractual Clauses ("SCCs") adopted by Commission Implementing Decision (EU) 2021/914, the UK International Data Transfer Addendum, and Swiss-specific adaptations, into the Clubtrack DPA.
In the event of conflict between this Annex and the main DPA or the Agreement, this Annex prevails with respect to international transfers.
Part A — EU Standard Contractual Clauses
A.1 Incorporation
The SCCs are hereby incorporated into and form part of the DPA, and are deemed executed between the Parties with effect as of the Effective Date, in the versions and modules set out below.
A.2 Applicable modules
The Parties agree to the following elections:
Module 1 (C2C): Not applicable
Module 2 (C2P): Applicable — where the Controller (data exporter) in the EEA transfers Personal Data to Clubtrack (data importer) acting as Processor established outside the EEA.
Module 3 (P2P): Applicable — for onward transfers from Clubtrack (as importing Processor) to Sub-processors in third countries.
Module 4 (P2C): Not applicable
A.3 Clause-by-clause elections
Clause 7 — Docking clause: Included. New parties may accede by executing the accession document.
Clause 9 — Sub-processors: Option 2 (General written authorisation). Notice period: 30 calendar days, as per DPA Clause 7.3.
Clause 11(a) — Redress: Optional wording NOT included (independent dispute resolution body not selected).
Clause 17 — Governing law: Irish law (a law allowing for third-party beneficiary rights).
Clause 18(b) — Forum and jurisdiction: Courts of Ireland.
A.4 Annexes to the SCCs
The Annexes to the SCCs are completed as follows:
SCC Annex I — Parties, description of transfer, competent authority
I.A. List of Parties
Data Exporter(s): The Customer, as identified in the Agreement and in its account with Clubtrack. Contact person for data protection: as designated in the Customer's account. Activities relevant to the transfer: use of the Clubtrack Services as described in the Agreement. Role: Controller (Module 2) or Processor (Module 3).
Data Importer: Clubtrack, Inc., 131 Continental Dr, Suite 305, Newark, DE 19713, USA. Contact: hello@clubtrack.io. Role: Processor (Module 2) or Sub-processor (Module 3).
I.B. Description of Transfer — completed by Annex I of the DPA.
I.C. Competent Supervisory Authority
For Module 2 transfers, the competent Supervisory Authority is determined in accordance with Clause 13 of the SCCs:
If the Data Exporter is established in an EU Member State, the Supervisory Authority of that Member State.
If the Data Exporter is not established in the EU but has designated an EU Representative, the Supervisory Authority of the Member State where the Representative is established.
Otherwise, the Supervisory Authority of the Member State where most Data Subjects affected by the transfer are located. Where not determinable, the Agencia Española de Protección de Datos (AEPD) acts by default, given Clubtrack's designated EU Representative.
SCC Annex II — Technical and Organisational Measures
Completed by Annex II of the DPA (TOM), which is incorporated by reference.
SCC Annex III — List of Sub-processors
Completed by the current version of the Sub-processor List at clubtrack.io/subprocessors.
Part B — UK International Data Transfer Addendum
B.1 Incorporation
The International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office (version B1.0, in force 21 March 2022) (the "UK Addendum") is hereby incorporated into and forms part of the DPA for transfers of UK Personal Data.
B.2 UK Addendum Tables
Table 1 — Parties:
Exporter — Start date: Effective date of DPA
Exporter — Parties: Customer as in Agreement
Exporter — Key contact: As in Customer account
Importer — Start date: Effective date of DPA
Importer — Parties: Clubtrack, Inc.
Importer — Key contact: support@clubtrack.io
Table 2 — Selected SCCs, Modules and selected clauses:
The Addendum is attached to the version of the EU SCCs set out in Part A of this Annex III, as amended and completed by the DPA.
Module 2 and/or Module 3 as applicable.
Clause 7 docking clause: included.
Clause 9 Option 2 (general authorisation, 30 days).
Clause 11(a): optional wording not included.
Clause 17: Irish law.
Clause 18(b): courts of Ireland.
Annex 1A, 1B, II, III: as in Part A above.
Table 3 — Appendix Information:
Annex 1A: as above (List of Parties).
Annex 1B: as above (Description of Transfer).
Annex II: TOM (Annex II of DPA).
Annex III: Sub-processor List.
Table 4 — Ending this Addendum when the Approved Addendum Changes:
Neither party may end the Addendum upon changes approved by the ICO.
B.3 Application of UK GDPR
References in the SCCs to the GDPR, EU law and EU Supervisory Authorities are, to the extent the Addendum governs the transfer, to be read as references to the UK GDPR and the UK Information Commissioner's Office.
Part C — Swiss transfers
For Personal Data transferred from Switzerland subject to the Swiss Federal Act on Data Protection ("FADP"), the Parties agree that:
The SCCs in Part A apply with the following adaptations:
References to the GDPR are read as references to the FADP.
The "supervisory authority" means the Swiss Federal Data Protection and Information Commissioner (FDPIC).
Data subjects in Switzerland may invoke the SCCs as third-party beneficiaries where provided.
The terms apply also to the Personal Data of Swiss legal entities until the revised FADP regime of 1 September 2023 fully excludes such data.
Governing law under Clause 17 may be interpreted as Swiss law for the portion of processing governed exclusively by the FADP, at the Data Exporter's election.
Part D — Transfer Impact Assessment (TIA)
D.1 Commitment
The Parties acknowledge that the SCCs alone may not suffice where the importer is subject to third-country laws that undermine the effectiveness of the SCCs (Schrems II, CJEU Case C-311/18).
Clubtrack has conducted a Transfer Impact Assessment for all transfers identified in Annex IV of the DPA. The TIA considers:
The legal framework of the destination country, in particular surveillance laws (e.g. in the US: FISA 702, EO 12333, CLOUD Act; in other jurisdictions: relevant laws of the importer country).
The practical likelihood of government access to the specific Personal Data at issue (volume, sensitivity, nature of the importer's activity).
Supplementary measures adopted to mitigate risk (encryption, access control, contractual measures, organisational measures).
Ongoing monitoring of legal and jurisprudential developments (e.g. DPF adequacy decision July 2023; any future Schrems III).
D.2 Supplementary measures implemented
For all transfers outside the EEA/UK/Switzerland, Clubtrack implements:
Technical: AES-256 encryption at rest; TLS 1.2+ in transit; strict network isolation; application-level encryption for sensitive fields.
Contractual: SCCs with full commitments; obligations on sub-processors; commitment to challenge unlawful government requests; notification obligations.
Organisational: limitation of access to non-EEA personnel via JIT with management approval and audit logging; periodic training; transparency reports; policy of public challenge of overbroad government access requests; data minimisation in what is accessible abroad.
D.3 Review
TIAs are reviewed at least annually and upon:
Addition of a new sub-processor in a non-adequate country.
Material change in the legal framework of a destination country.
Notification of a substantial government access request.
A summary of the TIA is available to Controllers on request under NDA.
Part E — Government access requests
Clubtrack commits to:
Review each government access request it receives for validity under applicable law and for compatibility with EU law.
Challenge requests it reasonably believes to be unlawful, overbroad or inconsistent with EU fundamental rights, through available legal remedies.
Notify the affected Controller without undue delay unless legally prohibited; if prohibited, make best efforts to waive the prohibition.
Minimise disclosure to what is legally required.
Publish annual transparency reports on the number and type of requests (when volume makes it meaningful).
Maintain a register of government access requests and make it available to Controllers and Supervisory Authorities on request.
Controllers are encouraged to contact hello@clubtrack.io for any concern in this regard.
Part F — EU-US Data Privacy Framework
Where a US-based sub-processor is certified under the EU-US Data Privacy Framework (adequacy decision of 10 July 2023, Commission Implementing Decision (EU) 2023/1795), transfers to that sub-processor may rely on the DPF as adequate protection, without the need for SCCs.
Clubtrack monitors the DPF certification status of its sub-processors and will revert to SCCs immediately if certification lapses or the DPF is invalidated by CJEU judgment or otherwise.
The list of DPF-certified sub-processors is maintained in Annex IV of the DPA.
Part G — Effectiveness and termination
This Annex comes into effect on the date of the DPA and remains in force for as long as Personal Data is transferred under the Agreement.
The SCCs, UK Addendum and Swiss adaptations may only be terminated in accordance with their own terms.
In case of invalidation of any transfer mechanism by a competent authority or court (e.g. "Schrems III"), the Parties will negotiate in good faith an alternative, and the Controller may suspend affected transfers during negotiation.