DATA PROCESSING ADDENDUM TO BUFFER TERMS OF SERVICE
This Data Processing Addendum (“Addendum”) completes and forms part of the Buffer Terms of Service available at
https://buffer.com/terms, as updated from time to time, or other agreement between Customer and Service Provider
(together the “Parties”) governing Customer’s use of the Service (altogether “Terms of Service”). This Addendum is
concluded between Buffer Inc., and its affiliates, subsidiaries and branches (“Service Provider”) and the customer
specified below (“Customer”).
This Addendum regulates the Processing of Personal Data subject to EU Data Protection Law for the Purposes (as
defined in Section 3) by the Parties in the context of Buffer, Inc. (the “Service”). The terms used in this Addendum have
the meaning set forth in this Addendum. Capitalized terms not otherwise defined herein have the meaning given to them
in the Terms of Service. Except as modified below, the Terms of Service remain in full force and effect. Appendices 1
and 2 form an integral part of this Addendum.
The Parties agree that the terms set out below are added as an Addendum to the Terms of Service.
How to Execute this Addendum. This Addendum has been pre-signed on behalf of Buffer. To complete this
Addendum, Customer must complete the information in the signature box and sign. Upon receipt of the validly
completed and signed Addendum by Buffer, this Addendum will become legally binding.
1. Definitions. The following terms have the meanings set out below for this Addendum:
1.1. “Controller” means the entity which alone or jointly with others determines the purposes and the means of
the Processing of Personal Data.
1.2. “Data Subject” means a natural person whose Personal Data are processed in the context of this Addendum.
1.3. “EU Data Protection Law” means the EU General Data Protection Regulation 2016/679, the e-Privacy
Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementing legislations; the
Swiss Federal Data Protection Act, the UK 2018 Data Protection Act, the UK General Data Protection
Regulation, and the Data Protection Acts of the EEA countries (all as amended and replaced from time to
time).
1.4. “Europe” means the European Economic Area (“EEA”), the United Kingdom and Switzerland.
1.5. “International Data Transfer” means any disclosure of Personal Data by an organization subject to EU Data
Protection Law to another organization located outside Europe.
1.6. “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable
natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier
such as a name, an identification number, location data, an online identifier or to one or more factors specific
to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
1.7. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
1.8. “Processor” means the entity which processes Personal Data on behalf of a Controller.
1.9. “Processing of Personal Data” (or “Processing/Process”) means any operation or set of operations which is
performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as
collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction.
1.10. “Standard Contractual Clauses” (or “SCCs”) means the clauses annexed to EU Commission Decision
2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries
pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (OJ L 199, 7.6.2021,
p. 31-61), as amended from time to time.
1.11. “UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under
Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
1.12. “Sub-Processor” means the entity engaged by the Processor or any further sub-contractor to Process Personal
Data on behalf of and under the instructions of the Controller.
Buffer_ Data Processing Addendum – July_2023