Last Updated: August 29, 2025
GDPR and State Privacy Laws Data Processing Terms
1.1 Applicability
These Data Processing Terms (“Data Processing Terms”) apply to Sword if Sword Processes any Personal Information in connection with Sword’s performance of the Client Services (as such terms are defined below). These Data Processing Terms are incorporated by reference into the Master Services Agreement (“MSA”) and Order Form applicable to Client’s use of the Sword Services. Capitalized terms used herein that are not defined herein have the meanings given to them in the MSA or Order Form.
1.2 Definitions
For the purposes of these Data Processing Terms, the following definitions shall apply. All other capitalized terms not otherwise defined shall have the meaning ascribed to such terms in the MSA.
- “Applicable Law” means all applicable laws (including those arising under common law), statutes, ordinances, regulations, directives, treaties, codes and other pronouncements having the effect of law of the United States, any foreign country or any domestic or foreign state, county, city or other political subdivision, including those promulgated or enforced by any governmental authority, as amended or supplemented.
- “Data Transfer” means the access of Personal Information by a Person, or transfer, delivery, or disclosure of Personal Information to a Person, where such Person is located in a country other than the country from which the Personal Information originated.
- “EEA” means collectively, the member states of the European Union and Switzerland.
- “GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as amended or supplemented.
- “Personal Information Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored, or otherwise Processed by Sword in connection with the provision of the Services; provided that “Personal Information Breach” does not include unsuccessful attempts or activities that do not compromise the security of Personal Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- “Personal Information” means any information relating to an identified or identifiable natural person, or any information that identifies, relates to, describes or could reasonably be linked with a particular natural person or household, which Sword accesses or acquires from Client or a vendor of Client. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Information includes, without limitation: (a) name; (b) mailing address; (c) telephone or fax number; (d) email address; and (e) government identification number. Personal Information also includes any Personal Information, Personally Identifiable Information or similar terms as defined under Privacy Laws.
- “Privacy Laws” means all Applicable Laws relating to the privacy, confidentiality, retention or security of Personal Information, including the GDPR, the UK GDPR, the California Consumer Privacy Act of 2018, as amended (“CCPA”), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), provincial privacy laws (including those in British Columbia, Alberta, and Quebec), and Canadian anti-spam law; the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM); the FTC Disposal of Consumer Report Information and Records Rule, 16 C.F.R. § 682 (2005); the Federal “Privacy of Consumer Financial Information” Regulation (12 CFR Part 30) issued pursuant to Section 504 of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. §6801, et seq.); HIPAA and the HITECH Act, and all other similar international, federal, state, provincial, and local requirements.
- “Process” or “Processing” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, alteration, use, access, disclosure, copying, transfer, storage, deletion, alignment or combination, restriction, adaptation, retrieval, consultation, destruction, disposal, or other use of Personal Information.
- “UK GDPR” means the UK’s implementation of GDPR into national law, as defined in section 3(10) and section 205(4) of the Data Protection Act 2018.
1.3 Limitation on Use
- Scope of the Processing. Sword will Process Personal Information in connection with the Services described in the MSA and during the term of such MSA. The type of Personal Information Processed by Sword is described in the MSA. Sword will not retain, Process, or disclose the Personal Information for its own commercial purposes, outside the direct business relationship with the Client, or for any purpose other than providing the Services.
- Processing Pursuant to Client’s Instructions. Sword acknowledges that, with respect to the Personal Information, Client is the controller and Sword is a data processor as defined under applicable Privacy Laws. Sword will Process Personal Information only on behalf of Client as necessary to provide the Services in accordance with the MSA (including these Data Processing Terms) and in accordance with Client’s instructions issued from time to time in writing (collectively, the “Instructions”). Sword will Process the Personal Information and perform the Services at all times in compliance with applicable Privacy Laws. Sword may not: (1) use Personal Information for any purpose other than as provided in Section 1.3.a; (2) sell, assign or lease to third parties any Personal Information; (3) share any Personal Information with third parties for the purposes of cross-context behavioral advertising; or (4) commercially exploit Personal Information or otherwise Process Personal Information for Sword’s own purposes. If Applicable Law requires Sword to conduct Processing that is or could be construed as inconsistent with the Instructions, then Sword must notify Client immediately and prior to commencing the Processing, unless Applicable Law prohibits such notice on important grounds of public interest. Sword will notify Client immediately if Sword believes that any Instruction from Client violates or would result in Processing in violation of Applicable Law.
1.4 Limitation on Disclosure
Sword will not disclose Personal Information to any third party without first obtaining Client’s written consent, except as provided in Section 1.7 (Data Subject Requests) or Section 1.11 (Production Requests). Sword will impose enforceable written obligations on all employees, contractors and agents that Process Personal Information on Sword’s behalf to protect the confidentiality of the Personal Information.
1.5 Security Requirements
Sword shall comply with the security requirements set forth in the Security Exhibit.
1.6 Subcontracting
Sword may subcontract the Processing of Personal Information to a subcontractor (each, a “Subcontractor”), provided that Sword shall notify Client of any intended changes concerning the addition or replacement of Subcontractors. Prior to any disclosure of Personal Information to a Subcontractor or other Processing of Personal Information by a Subcontractor, Sword must have entered into an agreement that requires the Subcontractor to comply with Privacy Laws and the same obligations and restrictions as provided in these Data Processing Terms. Sword will provide the agreement to Client promptly upon request. Sword will remain accountable and responsible for the Processing of Personal Information by, and for all actions and omissions of, such Subcontractors.
1.7 Data Subject Requests
Sword will promptly notify Client in writing if Sword receives: (1) any requests from an individual with respect to Personal Information Processed, including opt-out requests, requests for access, rectification, erasure, restriction or data portability, requests involving an objection to Processing or automated decision-making, and all similar requests; or (2) any complaint, inquiry or notice of investigation under Applicable Law relating to the Processing of Personal Information including, but not limited to, allegations that the Processing infringes an individual’s rights under Applicable Law. Sword will reasonably assist Client in responding to such requests or complaints from individuals. Sword may respond to any such request if required by Applicable Law or after consulting Client.
1.8 Personal Information Breaches
- Sword shall promptly notify Client in writing whenever Sword reasonably believes that there has been a Personal Information Breach. Sword’s notice to Client of a Personal Information Breach must contain the following: (1) a description of the categories and approximate number of data subjects, as well as the categories and approximate number of Personal Information records affected by the Personal Information Breach; (2) the name and contact details of any Data Protection Officer appointed by Sword; (3) Sword’s assessment, developed through reasonable diligence, of the likely consequences of the Personal Information Breach with respect to the affected Personal Information and data subjects; and (4) any additional information required pursuant to Privacy Laws applicable to Sword or Client.
- In the event of any Personal Information Breach, Sword will investigate the Personal Information Breach, take all necessary steps to eliminate or contain the exposure of Personal Information, and keep Client advised of the status of the Personal Information Breach and Sword’s investigation and steps taken to remedy same.
- If Client determines in good faith that any Personal Information Breach must be disclosed to a third party, including but not limited to, data subjects, governmental authorities, or data protection authorities, then Sword shall reasonably cooperate with and assist Client in fulfilling Client’s reporting and disclosure obligations.
1.9 Information Return or Deletion
Upon termination or expiration of the MSA for any reason, Sword shall within 20 calendar days return, in a manner and format reasonably requested by Client, or, at Client’s direction, destroy, all Personal Information in Sword’s possession or control, except to the extent otherwise required by Applicable Law. If Sword has a legal obligation to retain Personal Information beyond the period otherwise specified by the MSA, Sword will notify Client in writing of that obligation (unless precluded from doing so pursuant to Applicable Law), and will return or destroy Personal Information in accordance with these Data Processing Terms as soon as possible after that legally required retention period has ended.
1.10 Investigations
Upon notice to Sword, Sword shall assist and support Client in the event of an investigation by any regulator, including a data protection regulator or similar authority, if and to the extent such investigation relates to Personal Information handled by Sword on behalf of Client. Such assistance shall be at Client’s expense, except where such investigation was required due to Sword’s acts or omissions, in which case such assistance shall be at Sword’s sole expense.
1.11 Certification
Sword hereby certifies that Sword understands, and will comply with, the restrictions set forth in these Data Processing Terms with respect to Personal Information.
2. AUDITS
Upon the reasonable request of Client not more frequently than once every six (6) months, Sword will provide to Client, or an independent third party chosen by Client and reasonably acceptable to Sword, on reasonable notice off-site access to Sword’s information and records for the purpose of Client’s audit of Sword’s compliance with these Data Processing Terms. Client agrees that any third-party auditor or security firm must enter into a written agreement with Sword and Client that requires such firm to (1) use any Sword confidential information solely for purposes of the inspection or audit, and (2) keep Sword’s confidential information confidential in accordance with any applicable provisions of the MSA.
3. CROSS-BORDER TRANSFERS
Data Transfers made pursuant to the MSA or the Services must comply with this Section 3. If any Data Transfer mechanism identified herein is invalidated or repealed by a court of competent jurisdiction or competent governmental authority, then Sword must immediately adopt and comply with one of the other Data Transfer mechanisms set forth below.
Prior to engaging in Data Transfers with respect to Personal Information, a party must comply with the requirements set forth in the Data Privacy Framework Program, including self-certification and annual re-certification.
4. ADDITIONAL OBLIGATIONS
4.1 Sword represents, warrants and covenants that no Personal Information has been collected by Sword or transferred by Sword to third parties in violation of any Privacy Laws. There are no notices, claims, investigations or proceedings pending, or, to the knowledge of Sword, threatened, by state or federal agencies, or private parties involving notice or information to individuals that Personal Information held or stored by Sword has been compromised, lost, taken, accessed or misused. Sword has not received any notice regarding any violation of any Privacy Laws, and Sword has no reason to believe that the security of any Personal Information Processed by Sword has been breached or potentially breached.
4.2 Sword agrees to comply with the provisions of Appendix 1 where Client Personal Information is subject to the Privacy Laws of the following jurisdictions: Australia, the People's Republic of China, Hong Kong, Japan, the Republic of Korea, Malaysia, New Zealand, the Philippines, Singapore, and Taiwan.
5. SURVIVAL; THIRD-PARTY BENEFICIARIES; FURTHER ASSURANCES; VALIDITY
5.1 Survival
Sword’s obligations under these Data Processing Terms will survive the termination or expiration of its Services or any related agreements and will continue for so long as Sword, or any of its affiliates or subcontractors retain or have access to Personal Information.
5.2 Further Assurances
Sword shall comply with the Privacy Laws throughout the term of this MSA. If Sword makes a determination that it can no longer meet its obligations under any Privacy Laws, it shall immediately notify Client of such determination. Sword at any time may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information, including suspending access to or disclosure of Personal Information until such unauthorized use is remedied. Sword will provide relevant information and assistance requested by Client to demonstrate Sword’s compliance with its obligations under these Data Processing Terms and Privacy Laws and to assist Client in meeting Client’s obligations under applicable Privacy Laws with respect to Sword’s Processing of Personal Information. If any change in Processing is required by a modification in Privacy Laws, or to ensure ongoing compliance with Privacy Laws, then Client will have the right to require Sword to implement the requested change.
5.3 Validity
If any part of these Data Processing Terms is held unenforceable, the validity of all remaining parts will not be affected.
Appendix 1
Asia-Pacific Data Protection
Sword agrees to comply with the provisions below where Client Personal Information is subject to the Privacy Laws of the following jurisdictions: Australia, the People's Republic of China, Hong Kong, Japan, the Republic of Korea, Malaysia, New Zealand, the Philippines, Singapore, and Taiwan.
1. Obligations of Client
(a) Subject to Sword's compliance with its obligations under the MSA, Client may from time to time disclose to Sword Personal Information which Sword shall process in accordance with the MSA.
(b) Client shall collect Personal Information in accordance with the Privacy Laws applicable to it in Client's jurisdiction.
2. Obligations of Sword
(a) Sword shall:
(i) process Personal Information solely for the purpose set forth in the MSA (“Purpose”) and will not create or maintain data derived from the Personal Information except as required for the Purpose;
(ii) process Personal Information in accordance with: (i) the Privacy Laws applicable to it, and (ii) Client's instructions from time to time; provided to the extent there is any conflict between (i) and (ii), (i) shall take precedence;
(iii) ensure that Personal Information is accessible only to those of its personnel who need to have access to the Personal Information in order to carry out the Purpose;
(iv) not disclose, transfer or grant access to Personal Information to any other person other than its Subcontractors, except as required by Applicable Laws and in such case, to the extent permitted by applicable laws, it will (i) notify Client prior to any such disclosure, transfer or grant of access; and (ii) minimise the applicable disclosure, transfer or grant of access;
(v) procure legally-binding undertakings from its Subcontractors or ensure there are other assurances in place sufficient to ensure Sword's compliance with its obligations under this Exhibit in respect of any processing of Personal Information by such Subcontractors;
(vi) not disclose, transfer or grant access to Personal Information to any person located outside Client's jurisdiction (including to its personnel, affiliates or Permitted Subcontractors) without the prior written consent of Client;
(vii) promptly notify Client of any request by a data subject to access or correct his or her Personal Information, or if Sword receives any other request, complaint, notice or other communication relating to Personal Information;
(viii) subject to any applicable laws, notify Client as soon as reasonably practicable of any court order or other legal process or any request or demand by any regulator, official or other government ministry, authority or agent to obtain or access any Personal Information;
(ix) subject to any applicable laws, notify Client as soon as reasonably practicable and no later than 24 hours after becoming aware, of a privacy incident;
(x) immediately rectify, erase or return the Personal Information on receiving instructions to do so from Client; and
(xi) not retain Personal Information any longer than is necessary for the fulfilment of the Purpose.
(b) In addition to the general provisions above, Sword agrees to the following when applicable:
(i) Where Sword Processes Personal Information from the Republic of Korea in connection with the MSA, Sword agrees to comply with the provisions set out in Attachment 1.
(ii) Where Sword Processes Personal Information from the Philippines in connection with the MSA, Sword agrees to comply with the Philippines Data Protection Requirements and the provisions set out in Attachment 2.
Attachment 1 to Appendix 1 (Republic of Korea)
Where Sword Processes Personal Information from the Republic of Korea in connection with the MSA, Sword agrees to comply with the provisions set forth below.
1. Sword SHALL ESTABLISH AND IMPLEMENT technical and administrative measures for the protection and secure handling of the Personal Information, including the following:
(a) establishment/implementation of internal administrative procedures covering organization/operation of personnel for protection of Personal Information (including (i) appointment of a Personal Information protection officer and (ii) provision of regular training for relevant personnel);
(b) installation/operation of control system for the prevention of illegal access to Personal Information (including (i) establishment and implementation of guidelines for granting, modification, and cancellation of authority to access Personal Information processing system/database, (ii) installation/operation of a system for prevention/detection of unauthorized access to Personal Information processing system/database, (iii) establishment/operation of guidelines for creation/periodic change of password for Personal Information processing personnel and (iv) other necessary measures for the control of access to Personal Information);
(c) measures for the prevention of falsification/alteration of access log (including (i) retention of access log/processing details and on-going monitoring/supervision related thereto and (ii) backup of access log in separate storage devices);
(d) use of encryption technology and secure server for secure storage and transmission of Personal Information including (i) storage of password by way of one-way encryption, (ii) encrypted storage of resident registration number, passport number, driver’s license number, alien registration number, credit card number, account number and bio information (namely, any information related to physical or behavioral features that can identify a specific individual, such as fingerprint, iris, voice, handwriting, etc.) by way of safe encryption algorithm and (iii) other security measures utilizing encryption technology;
(e) installation/updating of vaccine software for constant monitoring/cure of intrusion of computer virus, spyware or other malicious programs;
(f) establishment/operation of access control procedures in respect of physical storage locations (such as data processing center, data storage room, etc.); and
(g) other measures for the protection of Personal Information that may be required under relevant rules and regulations of Korean data protection law (as applicable to an overseas transferee of Personal Information) including (i) Articles 28 and 63 of the Act on the Promotion of Utilization of Information and Communications Networks and the Protection of Information (the “ICT Networks Act”), (ii) Articles 15 and 67 of the Enforcement Decree promulgated under the ICT Networks Act, (iii) the Guidelines for Technical and Administrative Measures for the Protection of Personal Information (issued by the Korea Communications Commission), (iv) Article 29 of the Personal Information Protection Act (the “PIPA”), (v) Article 30 of the Enforcement Decree promulgated under the PIPA and (vi) the Guidelines for Security Measures for the Safety of Personal Information (issued by the Ministry of Interior), as the foregoing may be amended and/or supplemented from time to time.
2. Sword shall establish and implement appropriate procedures for (i) handling of complaints on privacy invasion and (ii) resolution of any disputes with data subjects.
3. Sword may not disclose or transfer to any person or entity the Personal Information transferred under the MSA unless it obtains prior consent to such transfer from relevant data subjects in accordance with applicable provisions of Korean data protection laws and regulations.
4. In the event that the Personal Information is transferred to Sword for the purpose of storage or other processing of the same on behalf of Client, Sword: (i) shall use such Personal Information only for the purpose of and within the scope of entrusted work; (ii) shall agree to be subject to the training and supervision by Client of Sword’s handling of entrusted Personal Information; and (iii) shall agree to be subject to the supervision and audit by relevant regulatory authorities.
5. Upon termination or expiry of the MSA, Sword shall return or destroy all of the Personal Information received from Client to the satisfaction of Client.
6. Any subcontracting by Sword of the processing of Personal Information to a person as agreed by Client in writing (a “Data Sub-transferee”) shall be subject to a written agreement, which shall address the following:
(a) the purpose, scope and period of subcontracted works and details of Personal Information to be sub-delegated;
(b) technical, physical and managerial security measures for the protection and safe management of Personal Information;
(c) the destruction or return to Sword of Personal Information by the Data Sub-transferee as instructed by Sword following fulfilment of the Purpose; and
(d) measures to ensure the management and supervision of the Data Sub-transferee by Sword and sanctions arising in the event of the Data Sub-transferee's failure to comply with its obligations under the subcontract.
7. Sword shall submit to the supervision of Client in respect of the following matters, and shall provide such information and take such corrective action in respect of the following matters as may be requested by Client:
(a) status of processing of Personal Information;
(b) access and log-in records regarding Personal Information;
(c) compliance with prohibitions on use of Personal Information pursuant to this MSA;
(d) implementation of technical and administrative measures to secure safety of Personal Information; and
(e) other matters necessary for the safe custody of Personal Information.
Sword shall conduct training for personnel processing Personal Information on its behalf at least once a year to prevent the occurrence of a privacy incident.
Attachment 2 to Appendix 1 (Philippines)
Where Sword Processes Personal Information from the Philippines in connection with the MSA, Sword agrees to comply with the provisions set forth below.
Sword shall:
(a) Process the Personal Information only in accordance with this MSA and the documented instructions of Client;
(b) not engage a Data Sub-transferee without the prior instruction from, or written consent of, Client, and only as permitted by law;
(c) ensure that an obligation of confidentiality is imposed on persons authorised to process the Personal Information and ensure that any such arrangement shall ensure that the same obligations for data protection under this MSA and Client's instructions are implemented, taking into account the nature of the processing;
(d) provide reasonable assistance to Client, by appropriate technical and organizational measures and to the extent possible, in fulfilling Client's obligation to respond to requests by Data Subjects in the exercise of their rights;
(e) provide reasonable assistance to Client in enabling Client to comply with its obligations under the Data Privacy Act of 2012 ("DPA 2012"), the DPA Implementing Rules and Regulations ("DPA IRR"), and other relevant laws and issuances of the National Privacy Commission ("NPC"), taking into account the nature of processing and the information available to Sword;
(f) implement appropriate security measures and comply with the DPA 2012, the DPA IRR, and other issuances of the NPC;
(g) make available to Client all information reasonably required to demonstrate compliance with the obligations laid down in the DPA and this DPA 2012;
(h) return or destroy all of the Personal Information received from Client on termination or expiry of the MSA to the satisfaction of Client;
(i) notify Client as soon as reasonably practicable and no later than 24 hours after becoming aware, of a privacy incident; and
(j) promptly notify Client if in Sword's opinion, any instruction received from Client in relation to the Personal Information will breach any Privacy Law.
Appendix 2
Data Protection Requirements in Argentina, Indonesia, Israel, and Russia
The following provisions will apply to Personal Information in the specific countries set forth below.
(A) Argentina:
Where Client or a Client affiliate in Argentina transfers Personal Information to Sword or any Sword subcontractors located outside Argentina, such transfers shall be governed by the Argentine Model Clauses (Controller to Processor) attached hereto, which are incorporated into this Exhibit and MSAs as if fully set forth herein. If the Argentine Model Clauses are applicable, then to the extent there is any conflict between the terms of this Exhibit and the terms of the Argentine Model Clauses, the Argentine Model Clauses shall control.
(B) Indonesia:
The following provision applies solely if Client is located in Indonesia or Client otherwise notifies Sword that this Section applies. If a security incident occurs, Sword will provide Client with information about the cause of the security incident in the notice provided. Further, if the security incident poses potential harm to the Individual, Sword may request that Client confirm its receipt of the security incident notification.
(C) Israel:
Sword will keep databases containing Personal Information obtained from Client separate from information obtained from any other third party.
Without derogating from anything stated in this Exhibit or the associated MSA, Sword will comply with any and all obligations set out under the Protection of Privacy Regulations (Information Security) with respect to "holder" of a database, to the extent applicable.
(D) Russia:
The following provisions apply to Personal Information (a) Sword receives or accesses from a Client located in Russia; or (b) Client notifies Sword is subject to these requirements:
D.1.1. Sword will maintain records specifying which media are used to store Personal Information.
D.1.2. Only authorized staff can grant, modify or revoke access to information systems that use or house Personal Information.
D.1.3. Sword will maintain an audit log.
D.2. Sword’s disaster recovery and business continuity plans will include processes to seek recovery of Personal Information that was modified or destroyed due to unauthorized access.
_________________
End of Data Protection Terms