Data Processing Addendum
v4.2 Effective December 20, 2024
This Data Processing Addendum ("DPA") is incorporated into and forms part of the terms and conditions of the Fivetran Master Subscription Agreement or other agreement under which Fivetran Inc. ("Fivetran") provides services to Customer ("Agreement") executed between the party identified as the "Customer" and Fivetran. This DPA is supplemental to the Agreement and sets out the roles and obligations that apply when Fivetran processes Personal Data on behalf of Customer in connection with Customer's use of Fivetran Products. If there is any conflict between the Agreement and this DPA, the terms of this DPA will prevail to the extent of such conflict. Any capitalized terms not defined in this DPA will have the meanings given to them in the Agreement.
1. Definitions. For the purpose of this DPA:
1.1 "controller", "processor", "data subject", "personal data" and "processing" (and "process") will have the meanings given in Applicable Data Protection Law;
1.2 "Applicable Data Protection Law" means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including without limitation and where applicable, EU/EEA/UK Data Protection Law, US Data Protection Law, Canadian Data Protection Law, and the Swiss DPA;
1.3 “Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access to Personal Data that is in violation of Fivetran’s security obligations under this Agreement by Fivetran or its agents of which Fivetran becomes aware. Breach will not include an unsuccessful Breach, which is one that results in no unauthorized access to Personal Data or to any Fivetran equipment or facilities storing the Personal Data, and could include (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents;
1.4 "Canadian Data Protection Law" means: (i) the Personal Information Protection and Electronic Documents Act S.C. 2000, c. 5; (ii) applicable provincial law; (iii) any and all applicable data protection laws made under, pursuant to or that apply in conjunction with any of (i) or (ii); in each case as may be amended or superseded from time to time;
1.5 “Data Privacy Framework” means the EU-US Data Privacy Framework (“DPF”), the UK extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework self-certification program operated by the US Department of Commerce;
1.6 “Data Privacy Principles” means the Data Privacy Framework principles (as supplemented by the Supplemental Principles, having the meaning given in the DPF (“Supplemental Principles”)); in each case as may be amended or superseded from time to time;
1.7 "EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
1.8 "US Data Protection Law" means: (i) the California Consumer Privacy Act of 2018, including as amended by the California Privacy Rights Act of 2020, codified at Cal. Civ. Code §1798.100 et seq., upon the CPRA’s enforcement date of July 1, 2023 (together with its implementing regulations) (“CPRA”); (ii) the Virginia Consumer Data Protection Act; (iii) the Colorado Privacy Act; (iv) the Connecticut Personal Data Privacy and Online Monitoring Act; (v) the Utah Consumer Privacy Act; (vi) the Iowa Consumer Data Protection Act; (vii) the Indiana Consumer Data Protection Act; (viii) the Tennessee Information Protection Act; (ix) the Montana Consumer Data Privacy Act; (x) the Texas Data Privacy and Security Act; (xi) the Oregon Consumer Privacy Act; (xii) the Delaware Personal Data Privacy Act; and (xiii) any and all applicable comprehensive state data protection laws and regulations that are or are not yet in effect as of the Effective Date; in each case as may be amended or superseded from time to time;
1.9 "Standard Contractual Clauses" means: (i) where the EU GDPR or Swiss DPA applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR ("UK SCCs"); and
1.10 "Swiss DPA" means the revised Swiss Federal Act on Data Protection enacted on September 25, 2020, and effective on September 1, 2023, as may be amended or superseded from time to time.
2. Relationship of the parties: Customer instructs Fivetran to process the personal data described in Annex I (the "Personal Data") on its behalf. In respect of such processing, Customer will be the controller (or, where Customer is instructing Fivetran on behalf of a third party controller, a processor on behalf of that controller) and Fivetran will be a processor (or, where Customer is a processor on behalf of a third party controller, Fivetran will be a subprocessor to Customer). Each party will comply with its obligations under Applicable Data Protection Law. Customer has provided, and will continue to provide, all notice and obtained, and will continue to obtain, all consents, permissions and rights necessary for Fivetran and its subprocessors to lawfully process Customer’s Personal Data for the purposes contemplated by the Agreement (including this DPA).
3. Purpose limitation; Processing instructions: Fivetran will process Personal Data for the following purposes: (i) as described in Annex I hereto; (ii) in accordance with the documented reasonable instructions of Customer (which instructions, where Customer is a processor, will reflect the instructions of its controller) that are consistent with the terms of the Agreement, including this DPA and applicable Order Forms, and Applicable Data Protection Law; and (iii) to comply with Fivetran’s legal obligations under Applicable Data Protection Law. The parties agree that the Agreement (including this DPA), and Customer's use of Fivetran Products in accordance with the Agreement, set out Customer's complete and final processing instructions and (if applicable) include and are consistent with all instructions from third party controllers. Any processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Fivetran. Customer shall ensure its instructions are lawful and that the processing of Personal Data in accordance with such instructions will not violate Applicable Data Protection Laws. In no event will Fivetran process Personal Data for its own purposes or those of any third party. Each party will promptly inform the other party (who, where Customer is a processor, will inform its controller) if it becomes aware that such processing instructions violate Applicable Data Protection Law.
4. Cross border transfer mechanisms:
4.1 Order of precedence: To the extent Customer’s use of Fivetran Products requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction to Fivetran located outside of that jurisdiction (“Transfer Mechanism”), the terms set forth in this Section 4 will apply. The transfer of Personal Data will be subject to a single Transfer Mechanism, as applicable, and in accordance with the following order of precedence: (i) the Data Privacy Framework as set forth in Section 4.2 of this DPA; (ii) Standard Contractual Clauses as set forth in Section 4.3 of this DPA; and, if neither (i) nor (ii) is applicable, then (iii) such other applicable Transfer Mechanisms permitted under Applicable Data Protection Law.
4.2 Data Privacy Framework: To the extent Fivetran processes any Personal Data via Fivetran Products subject to EU/UK Data Protection Law and/or Swiss DPA, Fivetran represents that it is self-certified under the Data Privacy Framework and complies with the Data Privacy Principles when processing any such Personal Data. To the extent that Customer is either located in the United States of America and is self-certified under the Data Privacy Framework or subject to EU/UK Data Protection Law and/or Swiss DPA, Fivetran further agrees to (i) provide at least the same level of protection to any Personal Data as required by the Data Privacy Principles; (ii) notify Customer in writing, without undue delay, if its self-certification to the Data Privacy Framework is withdrawn, terminated, revoked, or otherwise invalidated; and (iii) upon written notice, work with Customer to take reasonable and appropriate steps to stop and remediate any unauthorized processing of Personal Data.
4.3 Standard Contractual Clauses: For cross border data transfers that are subject to Standard Contractual Clauses, the Standard Contractual Clauses will be deemed entered into, and incorporated into this DPA by this reference, and completed as follows:
4a. in relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
(i) Module Two will apply to the extent that Customer is a controller of Personal Data, and Module Three will apply to the extent that Customer is a processor of Personal Data on behalf of a third party controller;
(ii) in Clause 7, the optional docking clause will not apply;
(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes will be as set out in Section 8 of this DPA;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Republic of Ireland law;
(vi) in Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;
(vii) Annex I of the EU SCCs will be deemed completed with the information set out in Annex I to this DPA;
(viii) Annex II of the EU SCCs will be deemed completed with the information set out in Annex II to this DPA; and
(ix) Annex III of the EU SCCs will be deemed completed with the information set out in Annex III to this DPA;
4b. in relation to Personal Data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:
(i) for so long as Customer and Fivetran are lawfully permitted to rely on the EU SCCs for transfers of Personal Data from the United Kingdom subject to completion of the International Data Transfer Addendum to the Standard Contractual Clauses (version B1.0) “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, as it is revised under Section 18 therein, then:
(A) The EU SCCs, completed as set out above in Section 4.3(a) of this DPA will also apply to transfers of such Personal Data, subject to sub-clauses (B), (C), and (D) below; and
(B) The UK Addendum will be deemed executed between the transferring Customer and Fivetran, and the EU SCCs will be deemed amended as specified by the UK Addendum in respect of the transfer of such Personal Data; and
(C) tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed respectively with the information set out in Annexes I and II and Section 7.1 of this DPA (as applicable); and
(D) table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party".
(ii) if Customer and Fivetran are no longer permitted to rely on the EU SCCs and the UK Addendum, then the Customer and Fivetran will cooperate in good faith to implement appropriate safeguards for transfers of such Personal Data as required or permitted by the UK GDPR without undue delay;
4c. in relation to Personal Data that is protected by the Swiss DPA, the EU SCCs will apply as set out in Section 4.3(a) above, amended as follows:
(i) references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be deemed to refer to the Swiss DPA;
(ii) references to specific articles of ‘Regulation (EU) 2016/679’ will be deemed replaced with the equivalent article or section of the Swiss DPA;
(iii) references to ‘EU’, ‘Union’, ‘Member State’, and ‘Member State Law’ will be deemed replaced with ‘Switzerland’ or ‘Swiss law’;
(iv) Clause 13(a) of the EU SCCs is not used and any references to the ‘competent supervisory authority’ and ‘competent courts’ (including in Part C of Annex I hereto) are replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’ (as applicable);
(v) in Clause 17, the EU SCCs will be governed by the laws of Switzerland; and
(vi) in Clause 18(b), disputes will be resolved before the competent courts of Switzerland; and
4d. in the event that any provision of the Agreement (including this DPA) contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
5. Onward transfers: Fivetran will not participate in (nor permit any subprocessor to participate in) any other cross border transfers of Personal Data (whether as an exporter or an importer of Personal Data) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Without prejudice to the foregoing, Customer consents to cross border transfers of Personal Data where Fivetran has implemented a transfer solution compliant with Applicable Data Protection Law.
6. Confidentiality of processing: Fivetran will take appropriate measures to ensure the confidentiality of Personal Data as outlined in the Agreement.
7. Security:
7.1 Security Measures. Fivetran will implement appropriate technical and organisational measures to protect the Personal Data from a Breach. Such measures will have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures will include, as appropriate:
- the pseudonymisation and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
- at a minimum, such measures will include the measures identified in Annex II.
7.2 Customer Responsibilities. Notwithstanding the above, Customer is responsible for reviewing the information made available by Fivetran relating to data security and making an independent determination as to whether Fivetran Products meet Customer's requirements and legal obligations under Applicable Data Protection Laws. Customer further agrees that Customer is responsible for its secure use of Fivetran Products, including securing its account authentication credentials.
8. Subprocessing: Customer provides general authorization to Fivetran to engage subprocessors to process Personal Data on Customer’s behalf, which authorization, where Customer is a processor, will reflect the instructions of its controller. Notwithstanding this, Customer agrees to Fivetran engaging third party subprocessors to process the Personal Data provided that: (i) Fivetran provides at least 30 days' prior written notice of the addition or removal of any subprocessor (including details of the processing it performs or will perform), which will also include posting detail of such addition or removal at the following URL: https://fivetran.com/docs/trust/privacy#subprocessormanagement; and (ii) Fivetran imposes data protection terms on any subprocessor it appoints that protect the Personal Data, in substance, at least as protective as the standard provided for by this DPA. A list of approved subprocessors as of the date of this DPA is attached at Annex III, and Fivetran will maintain and provide updated copies of this list to Customer when it adds or removes subprocessors in accordance with this Section. Customer may object in writing to Fivetran’s appointment of a new subprocessor on reasonable grounds relating to data protection (if making Personal Data available to the subprocessor would violate Applicable Data Protection Laws or weaken the protections for Customer Personal Data) by notifying Fivetran in writing to privacy@fivetran.com within thirty (30) days of receiving notification from Fivetran. If Customer objects to Fivetran's appointment of a subprocessor, the parties shall discuss Customer's concerns in good faith with a view to achieving a mutually acceptable resolution. If the parties cannot reach a mutually acceptable resolution within a reasonable time thereafter, then Fivetran will, in its sole discretion, either not appoint the subprocessor or permit Customer to suspend or terminate the Agreement.
9. Cooperation and data subjects' rights: Fivetran will provide all reasonable and timely assistance to Customer (at Customer's expense) to enable Customer (or, where Customer is a processor, its controller) to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Fivetran, Fivetran will (unless prohibited by applicable law) promptly inform Customer (who, where Customer is a processor, will in turn inform its controller) providing full details of the same.
10. Data Protection Impact Assessment: Fivetran will provide Customer with all such reasonable and timely assistance (at Customer’s expense where such assistance exceeds documentation generally made available by Fivetran to Customer) as Customer may require in order to enable it (or, where Customer is a processor, to enable its controller) to conduct a data protection impact assessment in accordance with Applicable Data Protection Law including, if necessary, assistance to Customer (or, where Customer is a processor, its controller) to consult with its relevant data protection authority.
11. Breach notification: Upon becoming aware of a Breach, Fivetran will inform Customer (who, where Customer is a processor, will in turn inform its controller) without undue delay and will provide all such timely information and cooperation as Customer may require in order for Customer (or, where Customer is a processor, its controller) to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Fivetran will further take all such measures and actions as are necessary to remedy or mitigate the effects of the Breach and will keep Customer informed of all material developments in connection with the Breach. Fivetran’s notification of or response to a Breach in accordance with this Section will not be construed as an acknowledgment by Fivetran of any fault or liability with respect to the Breach.
12. Deletion or return of Data: After a written request by Customer or the termination or expiration of the Agreement, Fivetran will destroy or return to Customer all Personal Data in its possession or control. This requirement will not apply to the extent that Fivetran: (i) is required by any applicable law to retain some or all Personal Data; and/or (ii) retains Personal Data in its backup systems until the backups have been overwritten or expunged in accordance with Fivetran’s backup policy; provided that, in the event of either (i) or (ii), Fivetran will isolate and protect Personal Data from any further processing except to the extent required until deletion is possible. Until Personal Data is deleted or returned, Fivetran will continue to ensure compliance with its security and privacy obligations in the Agreement and this DPA. The parties agree that the certification of deletion of Personal Data described in Clauses 8.5 and 16(d) of the EU SCCs shall be provided by Fivetran to Customer only upon Customer's written request.
13. Audit: Customer (and, where Customer is a processor, its controller) acknowledges that Fivetran is regularly audited against ISO 27001, SOC 1, and SOC 2 by independent third party auditors. Upon request, Fivetran will supply a copy or summary copy of its audit report(s) to Customer (and, where Customer is a processor, its controller), which report(s) will be subject to the confidentiality provisions of the Agreement. Fivetran will also respond to any written audit questions submitted to it by Customer and meet by teleconference or in person (at Customer’s expense) to address follow up questions (and, where Customer is a processor, its controller), provided that Customer (and, where Customer is a processor, its controller) will not exercise this right more than once per year, except if and when required by instruction of a competent data protection authority. Nothing herein shall be construed to require Fivetran to provide: (i) trade secrets or any proprietary information; (ii) any information that would violate Fivetran’s confidentiality obligations, contractual obligations, or applicable law; or (iii) any information, the disclosure of which could threaten, compromise, or otherwise put at risk the security, confidentiality, or integrity of Fivetran’s infrastructure, networks, systems, or data.
14. Processing in accordance with US Data Protection Law:
14.1 Processing Of Personal Data: Customer appoints Fivetran as a processor (or, where Customer is a processor, Customer appoints Fivetran as a sub-processor) to process Personal Data only for the Business Purposes (as defined by CPRA) listed in Customer’s instructions under Annex I. Processing by Fivetran is outlined in Annex I that sets out the processing instructions to which Fivetran is bound, including the nature and purpose of the processing, the type of Personal Data subject to the processing, and the duration of the processing. Fivetran will adhere to Customer instructions as outlined in Section 3 and Annex I, and Fivetran will assist Customer in meeting its obligations under US Data Protection Law. Fivetran will comply with all applicable sections of US Data Protection Law, including providing the same level of protection for Personal Data as US Data Protection Law requires Customer to provide. Taking into account the nature of processing and the information available to Fivetran, Fivetran will assist Customer by:
(a) taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to data subject rights requests as outlined in Section 9;
(b) helping Customer meet its obligations in relation to the security of processing Personal Data and in relation to the notification of a breach of the security of the system as outlined in Section 7, Section 11, and Annex II;
(c) providing information to Customer necessary to enable Customer to conduct and document any data protection assessments as outlined in Section 10. Customer and Fivetran are each responsible for only the measures allocated to them;
(d) ensuring that each person processing Personal Data is subject to a duty of confidentiality with respect to Personal Data as outlined in Annex II; and
(e) after providing Customer an opportunity to object, engaging any subprocessor pursuant to a written contract in accordance with Section 8 that requires the subprocessor to meet the obligations of Fivetran with respect to Personal Data.
14.2 Security measures: Taking into account the context of processing, Customer and Fivetran will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures as outlined in Annex II.
14.3 Deletion or return of Personal Data: Fivetran will delete or return all Personal Data to Customer at the end of the provision of Fivetran Products as outlined in Section 12.
14.4 Audit rights: Fivetran grants Customer the right to take reasonable and appropriate steps to help ensure that Fivetran uses Personal Data consistent with US Data Protection Law and to stop and remediate unauthorized use of Personal Data. Fivetran will, upon the reasonable request of Customer, make available to Customer all information in its possession necessary to demonstrate Fivetran's compliance as outlined in Section 13. Fivetran will allow an audit of Fivetran's policies and technical and organizational measures in support of the obligations under US Data Protection Law and will provide a report of the audit to Customer upon request as outlined in Section 13.
14.5 Restrictions On Processing Personal Data: Fivetran is prohibited from: (i) processing Personal Data for any purposes but for the Business Purposes unless otherwise expressly permitted by US Data Protection Law; (ii) processing Personal Data for any additional commercial purpose (other than the Business Purposes) including in the servicing of a different business unless otherwise expressly permitted by US Data Protection Law; (iii) processing Personal Data outside the direct business relationship between Customer and Fivetran unless otherwise expressly permitted by US Data Protection Law; (iv) Selling or Sharing (as both are defined by CPRA) Personal Data; (v) combining Personal Data with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with a data subject unless otherwise expressly permitted by US Data Protection Law; or (vi) processing the Personal Data for any other purpose except as permitted by this DPA.
14.6 Inability To Comply With US Data Protection Law: Fivetran shall notify Customer after Fivetran determines that it no longer can meet its obligations under this DPA or US Data Protection Law. In the event of Fivetran’s inability to meet its obligations, Customer may, in its discretion: (i) take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data; or (ii) terminate the Agreement.
14.7 Certification: Fivetran certifies that it understands and will comply with the restrictions set forth in this Section 14.
15. System Data. Notwithstanding anything to the contrary in this Agreement, Fivetran may collect System Data and use such data internally to develop, improve, support, and operate Fivetran Products. Fivetran’s use of System Data will comply with Applicable Data Protection Law. Fivetran may not share any System Data that includes Personal Data with a third party except to the extent the System Data is aggregated and anonymized such that Customer and Customer’s users cannot be identified.
16. Personnel background checks: Prior to engaging any employee who may receive access to Personal Data, Fivetran will conduct a background check, including to the extent permitted by applicable law, sanctions, criminal, ID/SSN, education, and employment checks.
17. Construction; Interpretation: This DPA is not a standalone agreement and is only effective if an Agreement is in effect between Fivetran and Customer. This DPA is part of the Agreement and is governed by its terms and conditions, including limitations of liability set forth therein. This DPA and the Agreement are the complete and exclusive statement of the mutual understanding of the parties and supersede and cancel all previous written and oral agreements and communications relating to the subject matter hereof. Headings contained in this DPA are for convenience of reference only and do not form part of this DPA.
18. Severability: If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect.
19. Amendment; Enforcement of rights: No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties to this DPA. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party. This DPA may not be construed to create any right or cause of action on behalf of a third party, except to the minimum extent required available to data subjects under Applicable Data Protection Law. For the avoidance of doubt, Customer Affiliates shall be entitled to exercise their rights and remedies available under this DPA to the extent the Agreement applies and where required under Applicable Data Protection Laws; provided, however, if Applicable Data Protection Laws require the Affiliate to directly exercise a right or remedy against Fivetran directly by itself, the parties agree that to the extent permitted under applicable law: (i) only the Customer that is the contracting entity to the Agreement shall exercise any such right or seek any such remedy on behalf of the Affiliate; and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA in a combined manner for all of its Affiliates together, instead of doing so separately for each Affiliate. The Customer that is the contracting entity is responsible for coordinating all communication with Fivetran under this DPA and shall be entitled to make and receive any communication related to this DPA on behalf of its Affiliates.
20. Assignment: This DPA may be assigned only in connection with a valid assignment pursuant to the Agreement. If the Agreement is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee.
21. Governing Law: This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the Agreement unless otherwise required by EU/UK Data Protection Law or Applicable Data Protection Law, in which case this DPA will be governed by the laws outlined in the relevant section of this DPA.
22. Counterparts: This DPA may be executed and delivered by facsimile or electronic signature and in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
23. Supplementary terms to Standard Contractual Clauses (references in this Section to Clauses are to Clauses of the EU SCCs).
23.1 Documentation and compliance: For the purposes of Clause 8.9 the review and audit provisions in this DPA will apply.
23.2 Notification and transparency: For purposes of Clause 8.3 – Modules 2 and 3 and Clause 15.1(a), the parties agree and acknowledge that it may not be possible for Fivetran to make the appropriate communications to data subjects and accordingly, Customer will (following notification by Fivetran) have the option to be the party who makes any communication to the data subject, and Fivetran will provide the level of assistance set out in this DPA.
23.3 Liability: For the purposes of Clause 12(a), the liability of the parties will be limited in accordance with the limitation of liability provisions in the Agreement.
23.4 Signatories: Notwithstanding the fact that the Standard Contractual Clauses are incorporated herein by reference without being signed directly, Fivetran and Customer each agrees that their execution of the Agreement is deemed to constitute its execution of the Standard Contractual Clauses, and that it is duly authorized to do so on behalf of, and to contractually bind, the data exporter or data importer (as applicable) accordingly.
Annex I
Data Processing Description
This Annex I forms part of the DPA and describes the processing that the processor will perform on behalf of the controller.
A. LIST OF PARTIES
Controller(s) / Data exporter(s): [Identity and contact details of the controller(s) / data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
1. | Name: | As provided by the Customer |
Address: | As provided by the Customer |
Contact person’s name, position and contact details: | As provided by the Customer |
Activities relevant to the data transferred under these Clauses: | Fivetran will process Customer Personal Data in order to facilitate migration of data from Customer’s data sources into Customer’s data warehouse. The frequency and retention periods for which Personal Data may be stored will vary depending on Customer’s configuration of Fivetran Products and are described at https://fivetran.com/docs |
Role (controller/processor): | Controller/processor |
Processor(s) / Data importer(s): [Identity and contact details of the processor(s) / data importer(s), including any contact person with responsibility for data protection]
1. | Name: | Fivetran Inc. |
Address: | 1221 Broadway Floor 20 Oakland, CA 94612 |
Contact person’s name, position and contact details: | Data Protection Officer: |
Activities relevant to the data transferred under these Clauses: | Fivetran will process Customer Personal Data in order to facilitate migration of data from Customer’s data sources into Customer’s data warehouse. The frequency and retention periods for which Personal Data may be stored will vary depending on Customer’s configuration of Fivetran Products and are described at https://fivetran.com/docs |
Role (controller/processor): | Processor/Sub-processor |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose Personal Data is transferred: | Customer’s employees and consultants who use Fivetran Products. Individuals whose Personal Data is stored in Customer’s data sources and processed by Fivetran. |
Categories of Personal Data transferred: | Fivetran may have access to Personal Data of Customer’s employees and consultants who use Fivetran Products. Fivetran may have access to Personal Data of individuals whose Personal Data is stored in Customer’s data sources. The types of Personal Data processed are determined by Customer and may include without limitation: Name, Email address, Physical address, IP-address and other online identifiers, Date of birth, Telephone/mobile number, Location Data. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: | The types of Personal Data processed are determined by Customer and may include sensitive data. |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): | Duration of account/agreement life-cycle |
Nature of the processing: | The data processing activities carried out by Fivetran under the Agreement |
Purpose(s) of the data transfer and further processing: | Fivetran will process Customer Personal Data in order to facilitate migration of data from Customer’s data sources into Customer’s data warehouse. |
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: | The frequency and retention periods for which Personal Data may be stored will vary depending on Customer’s configuration of Fivetran Products and are described at https://fivetran.com/docs. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: | As outlined at https://fivetran.com/docs/trust/privacy#subprocessormanagement. |
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 SCCs) | Irish Supervisory Authority (DPC) |
Annex II
Technical and Organisational Security Measures
Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Measure | Description |
Measures of pseudonymisation and encryption of Personal Data | Technical and Organizational Security Measures. Description of the technical and organisational security measures implemented by Fivetran in accordance with Applicable Data Protection Law: Fivetran security measures can be found on Fivetran’s website at https://fivetran.com/docs/security. Security measures include: Transport layer security
The Fivetran Products are hosted in Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Hosting providers maintain physical & environmental security protections including:
Logical access to Fivetran Products is restricted to employees based on the principle of least privilege. All access is formally approved and requires multi-factor authentication. Access is removed in the event of employee termination or if the employee changes roles and no longer requires access, as well as being reviewed on a quarterly basis. Access activity is logged in centralized logging infrastructure and protected from tampering. |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | See previous section that outlines our controls |
Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident | See previous section that outlines our controls |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | Fivetran completes an annual, independent SOC 1 and SOC 2 Type 2 audit of its facilities, networks, and systems. Further, Fivetran is certified under ISO 27001. On Customer’s request, Fivetran will provide the audit results. |
Measures for user identification and authorisation | See the previous sections that outline our controls |
Measures for the protection of data during transmission | See the previous sections that outline our controls |
Measures for the protection of data during storage | See the previous sections that outline our controls |
Measures for ensuring physical security of locations at which Personal Data are processed | See the previous sections that outline our controls |
Measures for ensuring events logging | See the previous sections that outline our controls |
Measures for ensuring system configuration, including default configuration | See the previous sections that outline our controls |
Measures for internal IT and IT security governance and management | Fivetran completes an annual, independent SOC 1 and SOC 2 Type 2 audit of its facilities, networks, and systems. Further, Fivetran is certified under ISO 27001. On Customer’s request, Fivetran will provide the audit results. |
Measures for certification/assurance of processes and products | Fivetran completes an annual, independent SOC 1 and SOC 2 Type 2 audit of its facilities, networks, and systems. Further, Fivetran is certified under ISO 27001. On Customer’s request, Fivetran will provide the audit results. |
Measures for ensuring data minimisation | Processing of Customer Data: Data pipes for each customer are managed separately within the host environment. Except as described at https://fivetran.com/docs/trust/privacy#retentionofcustomerdata, Fivetran does not store Customer Data, other than while in transit. Access information to customer resources required for data pipe functionality is logically separated within the host storage facility (Microsoft Azure, GCP or AWS). Fivetran does not control the host physical infrastructure. Fivetran relies on the fault-tolerant nature of Microsoft Azure, GCP and AWS across multiple availability zones, and can redeploy the platform to another region in case of catastrophic failure. Except as described at https://fivetran.com/docs/trust/privacy#fivetrandataresidency, Fivetran will process Customer Data within the region specified by Customer during configuration of the data pipe. Current geographic regions supported by Fivetran are found here: https://fivetran.com/docs/getting-started/ips. |
Measures for ensuring data quality | Based on the nature of the Fivetran services, Fivetran is a data pipeline, so the accuracy of the Personal Data depends on whether or not Customer has provided accurate information |
Measures for ensuring limited data retention | Except as described at https://fivetran.com/docs/trust/privacy#retentionofcustomerdata, Fivetran does not store Customer Data, other than while in transit. |
Measures for ensuring accountability | Fivetran has a Data Protection Officer, Chief Information Security Officer, and several security and privacy personnel that are responsible for security and privacy compliance, including appropriate security safeguards. |
Measures for allowing data portability and ensuring erasure | Except as described at https://fivetran.com/docs/trust/privacy#retentionofcustomerdata, Fivetran does not store Customer Data, other than while in transit. |
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller (and, for transfers from a processor to a sub-processor, to the data exporter).
Measure | Description |
Contractual language | Fivetran ensures that its subprocessors are subject to equivalent terms |
Due Diligence | Fivetran conducts due diligence on third parties, including necessary privacy and security reviews, such as privacy threshold and privacy impact assessments |
Annex III
List of Subprocessors
Fivetran’s current list of subprocessors may be found at https://fivetran.com/docs/trust/privacy#subprocessormanagement