Block - Legal - Data Privacy Schedule

Data Privacy Schedule

Last updated: February 21, 2025

This Data Privacy Schedule (“Schedule”) shall supplement and form part of the Services Agreement or other written or electronic agreement (the "Agreement") between Block, Inc., with offices located at 1955 Broadway, Suite 600, Oakland, CA 94612, or any of its subsidiaries or affiliates as specified in the signature block of the Agreement (“Block”), and the Vendor for the provision of certain Services by Vendor to Block. In the event of a conflict or inconsistency between this Schedule and the Agreement, this Schedule shall control with respect to any data protection or privacy conflicts or inconsistencies. Each capitalized term used but not defined in this Schedule shall have the meaning set forth in the Agreement.

1. Definitions.

For the purposes of this Schedule, the following terms shall have the meanings given below:

“Applicable Data Protection Laws” means all applicable national, federal, state and local laws, statutes, ordinances, rules and regulations of any applicable jurisdiction and any applicable court order or settlement agreement governing the processing of Personal Data, including, but not limited to: (i) the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 et seq.); (ii) Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data on the free movement of such data (“General Data Protection Regulation” or “GDPR”) and EU Directive 2002/58/EC; (iii) UK Data Protection Law; (iv) any implementing, derivative or related legislation, rule or regulation of the European Union, a European Union member state or the United Kingdom with respect to Personal Data; (v) Canada’s Personal Data Protection and Electronic Documents Act (S.C. 2000, c. 5) and comparable privacy laws of any Canadian province; (vi) Australia’s Privacy Act 1988 (Cth); and (vii) (where applicable) any Jurisdiction Specific Requirements; in each case, as amended or updated from time to time.
“Data Security Breach” means any (a) Processing of Personal Data, not expressly permitted by Block, the Agreement or this Schedule, including any accidental or unlawful loss, misuse, or unauthorized access, disclosure, alteration, destruction or acquisition of Personal Data; (b) reasonably suspected breach or compromise of Personal Data, or of Vendor’s computer systems or networks that directly or indirectly support Personal Data Processed under or in connection with the Agreement; or (c) any reasonably suspected violation of Applicable Data Protection Laws by Vendor in relation to the Personal Data Processed under or in connection with the Agreement.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
“Deidentified Data” means data created using Personal Data that cannot reasonably be linked to a Data Subject, directly or indirectly.
“EEA” means the European Economic Area.
“Jurisdiction Specific Requirements” means any applicable jurisdiction-specific requirements for the cross-border transfer and processing of Personal Data, as set out in Appendix 1 and Appendix 2 to this Schedule.
“Personal Data” means any information Processed by, or on behalf of, Vendor in connection with providing the Services to Block (i) that identifies or can be used to identify, contact or precisely locate the individual person to whom such information pertains; (ii) from which identification of or contact information for an individual person can be derived; or (iii) any other “personal information”, “personally identifiable information”, “protected health information” or substantially analogous concepts, the Processing of which is otherwise subject to or governed by Applicable Data Protection Laws. Additionally, to the extent any other information is associated or combined with Personal Data, such information also will be considered Personal Data for purposes of the Agreement.
“Processing” or “Process” means any operation or set of operations that is performed upon Personal Data whether or not by automatic means, including, but not limited to, collection, recording, organization, storage, access, receipt, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, transmitting, transporting, alignment, combination, blocking, deleting, erasure, destruction or otherwise handling.
“Processor” shall have the meaning given to this term and substantially equivalent terms, including “Service Provider,” in Applicable Data Protection Laws.
“Sub-processor” any Processor or sub-contractor engaged by Vendor or its Affiliates to perform some or all of the Services as envisaged under this Schedule, and who may Process Personal Data in connection with providing the Services.
“Third Party Request” means a written request from a third party for disclosure of Personal Data where compliance with such request is required or purported to be required by law or regulation.
“UK Data Protection Law” means the UK Data Protection Act 2018 and the UK GDPR.
“UK GDPR” shall have the meaning given to this term in section 3 of the UK Data Protection Act 2018.

2. General.

2.1. Roles of the Parties. The parties acknowledge that, in connection with the Vendor's provision of Services to Block pursuant to the Agreement, Vendor (as Processor) will Process Personal Data on behalf of Block (as Controller).

2.2. Details of Processing. The parties agree that the subject matter, purpose, nature and duration of Vendor’s Processing of Personal Data; the types of Personal Data; and the categories of Data Subjects involved in such Processing, are as described in Exhibit B to the Agreement.

3. General Obligations.

3.1. Compliance with Applicable Data Protection Laws. Vendor will (i) process Personal Data in compliance with all Applicable Data Protection Laws, as applicable; and (ii) not do or permit to be done any act or omission that will cause Block to be in violation of any Applicable Data Protection Laws.

3.2. Permitted Processing. Vendor shall: (i) only Process Personal Data to the extent required to provide the Services or otherwise in accordance with the documented instructions of Block; (ii) unless prohibited by applicable law, notify Block immediately (and in any event within 24 hours) if it reasonably considers that it is required by applicable law to act other than in accordance with the terms of this Agreement or Block’s documented instructions; (iii) limit access to Personal Data to those staff members of Vendor (“Personnel”) and its Sub-processors who have a strict business need to access Personal Data in connection with the provision of the Services and who have entered into an appropriate confidentiality agreement with the Vendor; (iv) not sell Personal Data or any dataset derived from Personal Data to any third party or share Personal Data or any dataset derived from Personal Data with any third party for cross-context behavioural advertising purposes (for the avoidance of doubt, Block and Vendor have entered into the Agreement solely for the provision of the Services, and Block is not making available any Personal Data to Vendor for any consideration, and any such provision of Personal Data to Vendor shall not constitute a “sale” under any Applicable Data Protection Laws); and/or (v) not combine Personal Data under the Agreement with Personal Data the Processor receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject except as otherwise permitted by Applicable Data Protection Laws; and/or (vi) not otherwise retain, use, modify, amend, disclose (or permit the disclosure of), or otherwise Process Personal Data for any other purpose or in a manner that is outside of the direct business relationship between the parties, unless authorised in writing by Block to do so.

3.3. Restricted Transfers and Offshore Processing. Vendor shall not transfer Personal Data (including to its Personnel or Sub-processor(s)) to any location outside the country where the Personal Data originated unless permitted under this Schedule (including the Jurisdiction Specific Requirements) or otherwise agreed to in advance in writing by Block. Vendor shall not transfer, or otherwise make available or provide access to, Personal Data to any party in a manner that would qualify as a “covered data transaction” as defined in the US Department of Justice Rule on Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons, 28 CFR Part 202 (“DOJ Rule”). Vendor further represents and warrants that Vendor is not a “covered person” or “country of concern” as defined in the DOJ Rule.

3.4. Data Subject Rights Requests. Vendor shall notify Block as soon as reasonably practicable and in any event within 48 hours of its receipt of a request from a Data Subject to exercise any of the Data Subject’s rights under Applicable Data Protection Laws (“Data Subject Request”). Vendor shall not respond to or disclose any Personal Data in response to any Data Subject Request without Block’s prior written consent. Vendor shall provide all information and assistance reasonably requested by Block to enable Block to comply with any Data Subject Request.

3.5. Destruction of Personal Data. Subject to the requirements of applicable law, Vendor shall, and shall cause its Personnel and Sub-processors to, return or, at the request of Block, securely destroy Personal Data, as soon as reasonably practicable (and in any event within 30 days) upon the occurrence of the earliest of the following events: (i) when Personal Data is no longer needed by Vendor to fulfil its obligations under the Agreement; (ii) following termination or expiration of the Agreement; or (iii) on Block’s written request. Upon Block’s request, Vendor shall provide to Block written certification of its compliance with the requirements of this paragraph 3.5.

3.6. Warranties. Vendor represents and warrants that it will not provide any Personal Data to Block save where Vendor has provided sufficient information on behalf of Block to relevant Data Subjects so as to ensure that such Personal Data may be Processed fairly, lawfully and in a transparent manner by Block.

3.7. Sub-processors. Block authorises the engagement by Vendor of the Sub-processors listed in the Agreement (the “Approved Sub-processors”) who may Process Personal Data in connection with the provision of the Services provided that Vendor ensures that each Approved Sub-processor is subject to a written agreement with Vendor that imposes on the Approved Sub-processor obligations at least as equivalent to those imposed on Vendor in this Schedule. Vendor may subcontract the Processing of Personal Data to additional Sub-processors provided that: (i) Vendor provides Block with reasonable prior notice in writing (at least 21 days) in advance of the commencement of the services and/or any Sub-processor appointment (and, for these purposes, Block agrees that such notice may be provided in writing to Block); (ii) If Block objects to the Sub-processor appointment, then either (a) Vendor will not appoint the proposed Sub-processor, or (b) if Vendor intends to proceed with the Sub-processor appointment anyway, it will immediately notify Block and Block may terminate the Agreement or applicable Services immediately without penalty; (iii) If Block does not object to the Sub-processor appointment, then Vendor may proceed to appoint the Sub-processor provided that: (a) the Sub-processor will Process the Personal Data strictly for the purposes of set out in this Schedule; and (b) Vendor imposes data protection terms on the Sub-processor that protect the Personal Data at minimum to the same standard provided for by this Schedule. Vendor remains fully liable for any breach of this Schedule that is caused by an act, error or omission of any Sub-processor (including the personnel of such Sub-processor).

3.8. Deidentified Data. If Vendor receives Deidentified Data from or on behalf of Block, then Vendor will: (i) take reasonable measures to ensure the information is not and cannot be directly or indirectly associated with a Data Subject; (ii) publicly commit to Process the Deidentified Data solely in deidentified form and not to attempt to reidentify the information; and (iii) contractually obligate any recipients of the Deidentified Data to comply with the foregoing requirements and Applicable Data Protection Laws.

4. Data Security.

4.1. General. Vendor shall, and shall contractually require its Personnel and Sub-processors to, implement and maintain appropriate technical and organisational measures, to protect Personal Data against a Data Security Breach. The security measures to be implemented and maintained by Vendor shall comply with best industry practice and Applicable Data Protection Laws. Such technical and organisational methods employed by Vendor and its Sub-processors shall be at least equivalent to those set out in Exhibit 2 to Appendix 2 of this Schedule.

4.2. Data Protection Impact Assessment. Vendor shall provide Block with all assistance and information reasonably requested by Block in respect of any (i) data protection impact assessments; and (ii) prior consultations with data protection regulators, which Block reasonably considers are required for Block to discharge its duties pursuant to Articles 35 or 36 of the GDPR or equivalent provisions of any other Applicable Data Protection Laws, which arise out of or in connection with the Agreement or the Services.

4.3. Assistance. Vendor shall use all reasonable endeavours to assist Block in complying with its obligations under Applicable Data Protection Laws relating to security of Processing, engagement with competent authorities and/or notifications to competent authorities and/or Data Subjects.

4.4. Overview of Security Measures. Without prejudice to any other provision of this Schedule, Block may, on reasonable notice, request a written description of the technical and organisational methods employed by Vendor and its Sub-processors for Processing of Personal Data and Vendor shall deliver such description within 10 days of Block’s request and ensure it has sufficient detail to enable Block to determine whether Vendor is satisfying its obligations relating to security of Processing.

5. Data Security Breach.

5.1. Notice. In the event Vendor becomes aware of a Data Security Breach, Vendor shall, in the most expedient time possible, but in no event later than forty-eight (48) hours after Vendor becomes so aware, notify Block of the Data Security Breach by email to

breachnotifications@block.xyz

or such other e-mail address as Block may notify to Vendor from time to time. Where Applicable Data Protection Laws require a shorter notification period than 48 hours, that shorter timeframe shall apply to this paragraph 5.1.

5.2. Response. Vendor shall promptly initiate an investigation into any Data Security Breach, and keep Block informed about all material developments relating to the Data Security Breach, including providing Block with a report on the investigation to include details on how the Data Security Breach occurred, the approximate number of affected Data Subjects and the Personal Data concerned. Vendor shall also provide such other information relating to the Data Security Breach as may be requested by Block. Where required, Block shall be the party to notify the competent authorities and/or Data Subjects of such Data Security Breach (as applicable) and Vendor shall, at no additional cost to Block, provide Block with all resources and assistance to support such notification. Vendor shall take all steps reasonably required to mitigate the adverse effects of a Data Security Breach and to prevent reoccurrence of a similar type of incident (including all steps reasonably requested by Block).Vendor shall not inform any third parties about any Data Security Breach without Block's consent, other than, (i) its professional advisors and insurers, subject to a strict duty of confidence; and (ii) where and to the extent necessary to comply with Applicable Data Protection Laws.

5.3. Notwithstanding any provisions of the Agreement or this Schedule to the contrary, including but not limited to the limitation of liability set forth in the Agreement, where Vendor caused or contributed (in whole or in part) to the Data Security Breach, Vendor shall be responsible for paying for or reimbursing Block for the reasonable costs of providing notice of any Data Security Breach to the competent authorities and/or to any Data Subjects (as applicable), and for any other reasonable costs of Block related to such Data Security Breach, as required by Applicable Data Protection Laws and industry standards.

6. Audits.

6.1. Vendor Data Protection Audit. Vendor shall procure annual (1) penetration testing, and (2) independent third-party security audits of Vendor’s computer systems, networks and other infrastructure that Process Personal Data. Upon request, Vendor shall provide Block with the results of each such test and audit within five days of such request. If any such test or audit reveals one or more material vulnerabilities, Vendor undertakes to correct each such vulnerability at its sole cost and expense within a reasonable time period (and within 30 days for high and critical security defects) and shall certify in writing to Block that it has corrected all such vulnerabilities. Block shall have the right to terminate the Agreement with a refund of unused fees if Vendor fails to correct any such material vulnerability within 30 days of discovery.

6.2. Block’s Data Protection Audit Rights. Without prejudice to Vendor obligations under paragraph 6.1, Vendor shall, on request, make available to Block (and/or its representatives, including its appointed auditors) all information reasonably necessary to demonstrate compliance with Vendor’s obligations under this Schedule and Applicable Data Protection Laws and allow for, and contribute to, audits by, or on behalf of, Block by providing reasonable access to: (a) all records, information, security policies and procedures and other practices relating to Vendor’s Processing of Personal Data; (b) Vendor’s business location(s) and systems from which the Services are provided; and (c) Personnel and Sub-processors engaged in providing the Services.

7. Miscellaneous.

7.1. Requests for Information. If Vendor is served with a Third Party Request compelling disclosure of Personal Data, it will, to the extent allowed under applicable laws: (i) provide Block with immediate written notice thereof; (ii) provide Block with a reasonable opportunity to oppose disclosure; (iii) cooperate in good faith with Block in the event Block opposes disclosure; and (iv) limit the scope of such disclosure to what is strictly required by applicable laws.

7.2. Discovery and Notifications of Non-Compliance: Vendor shall notify Block promptly (and in any event, within 24 hours of becoming aware thereof) if, in Vendor’s reasonable opinion, any instruction or direction from Block infringes Applicable Data Protection Laws or Vendor determines it can no longer meet its obligations under this Schedule or Applicable Data Protection Laws. In the event of such a notice or otherwise upon discovery of Vendor’s non-compliance with this Schedule or Applicable Data Protection Laws, Block reserves the right, in addition and without limitation to any other remedy available under this Schedule or the Agreement, to immediately suspend Vendor’s processing of Personal Data.

7.3. Record of Processing: Vendor shall maintain a written record of its Processing activities conducted for and on behalf of Block. Such a record shall comply with the requirements of Applicable Data Protection Laws. Vendor, shall promptly upon request, provide a copy of this record to Block.

7.4. Governmental Body Correspondence and Complaints. Vendor shall notify Block immediately (and in any event within 24 hours) by email if Vendor receives any correspondence from any competent authority, or any complaint from a Data Subject, relating to Personal Data. Vendor shall not respond to such correspondence or complaint without Block’s prior written consent and shall provide Block with all resources and assistance as are required by Block in order to adequately respond to the correspondence or complaint and to deal with any related assessment, inquiry or investigation. Such assistance shall be at Block’s sole expense, except where such correspondence, complaint, assessment, enquiry or investigation arose due to Vendor’s acts or omissions, in which case such assistance shall be at Vendor’s sole expense.

7.5. Contact Person. Vendor shall identify to Block a named individual within Vendor’s organisation to act as a point of contact for any enquiries from Block relating to Personal Data and such person shall cooperate with Block promptly and in good faith in relation to such enquiries. Such individual is listed in Exhibit B to the Agreement, unless Vendor notifies Block otherwise in writing.

7.6. Survival. Any provision of the Schedule that expressly or by implication should come into or continue in force on or after termination of the Agreement to protect the Personal Data will remain in full force and effect.

Appendix 1: Jurisdiction Specific Requirements - Australia

1. Applicability

This Appendix 1 applies where the Vendor is incorporated in Australia, or carrying on business in Australia where any Personal Data subject to Processing under the Agreement was collected or held in Australia.

2. Conflict

In the event of a conflict or inconsistency between the requirements of the Agreement and any applicable requirements of this Appendix 1, the requirements of this Appendix 1 shall take precedence to the extent of the conflict or inconsistency.

3. Definitions

In this Appendix 1:

(a) “Australian Personal Data” means any Personal Data which is Processed by, or on behalf of, the Vendor in connection with providing the Services to Block in Australia under the Agreement.

(b) “Australian Privacy Laws” means the Privacy Act 1988 (Cth) and the Australian Privacy Principles in Schedule 1 to the Privacy Act 1988 (Cth), as amended from time to time, and any other applicable laws or regulations in Australia regulating the collection, use, storage, or disclosure of Australian Personal Data.

(c) “Transfer” means any transfer, transmission, or disclosure of Australian Personal Data to another party, or providing another party with access to Australian Personal Data, and “Transferred” shall have a corresponding meaning.

4. Vendor Requirements

The Vendor must:

(a) do all things required under Australian Privacy Laws (including obtaining all required consents and providing all required notices) to lawfully Process any Australian Personal Data as contemplated in the Agreement;

(b) take reasonable steps to protect any Australian Personal Data in its possession or control from:

(i) misuse, interference, and loss; and
(ii) unauthorised access, modification, or disclosure;

(c) take reasonable steps to ensure that any overseas third party to whom the Vendor may Transfer the Australian Personal Data does not breach the Australian Privacy Laws in relation to that Australian Personal Data.

Appendix 2: Jurisdiction Specific Requirements – EEA, UK and Switzerland

1. Applicability

This Appendix 2 applies where Block is (a) established in the EEA (or is otherwise subject to the GDPR); (b) established in the UK (or is otherwise subject to UK Data Protection Law); (c) is subject to the Swiss Federal Act on Data Protection (as amended or superseded); or (d) or is listed in the DPF List (as defined below).

2. Conflict

In the event of a conflict or inconsistency between the requirements of the Agreement (including this Data Privacy Schedule) and any applicable requirements of this Appendix 2, the requirements of this Appendix 2 shall take precedence to the extent of the conflict or inconsistency.

3. Definitions

In this Appendix 2:

“DPF List” means the "Data Privacy Framework List", "DPF List" or equivalent term in: (a) Commission Implementing Decision C(2023) 4745 on the adequate level of protection of personal data under the EU-US Data Privacy Framework; and (b) the Swiss Federal Office of Justice "Assessment of Adequacy – United States" dated 30 April 2024 ((a) and (b), collectively, the “US Adequacy Decisions”).

“DPF Principles” means the "EU-US Data Privacy Framework Principles" or "Principles" as defined in the applicable US Adequacy Decision.

“SCCs” means, (i) where the GDPR or Swiss FADP applies, Module Two of the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR issued by the European Commission in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021¹ and as amended or replaced from time to time by a competent authority under the relevant Applicable Data Protection Laws (the “EU SCCs”); and (ii) where the UK GDPR applies, the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for international data transfers as issued by the Information Commissioner’s Office (“ICO”) under s.119A of the Data Protection Act 2018 (the “UK Addendum”).

“Restricted International Transfer” means (i) where the GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission (an “EU Restricted Transfer”); (ii) where UK Data Protection Law applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject to or based on adequacy regulations pursuant to Section 17A of the UK Data Protection Act 2018 (a “UK Restricted Transfer”); (iii) where the Swiss FADP applies, a transfer of Personal Data from Switzerland to any other country which is not subject to an adequacy determination by the Swiss Federal Data Protection and Information Commissioner or Federal Council (as applicable) (a “Swiss Restricted Transfer”).

4. Transfer Impact Assessment

Where required by Applicable Data Protection Laws, Vendor will make available to Block its documented transfer impact assessment(s) (the “TIA”) applicable to its processing of Personal Data hereunder for the purpose of Clause 14 of the SCCs. Vendor shall evidence adoption of any supplementary measures that the completed TIA identifies, if requested to do so by Block.

5. Restricted International Transfer Mechanism

To the extent that Block is listed in the DPF List, Vendor agrees that it (a) will receive and Process Personal Data only for the limited and specified purposes set out in the Agreement; (b) will provide at least the same level of privacy protection for Personal Data as is required by the DPF Principles; (c) agrees that Block may take reasonable and appropriate steps to ensure that Vendor effectively Processes the Personal Data in a manner consistent with Block’s obligations under the DPF Principles; (d) will notify Block if Vendor makes a determination that it can no longer meet its obligation to provide the same level of protection for the Personal Data as is required by the DPF Principles; (e) agrees that upon notice (including following a notice from Vendor pursuant to sub-clause (d) above), Block may take reasonable and appropriate steps to require Vendor to stop and remediate unauthorized Processing; and (e) agrees that Block may provide a summary or a representative copy of this DPA to the Department of Commerce upon request.

Without prejudice to the foregoing, to the extent that any transfer of Personal Data from Block (as “data exporter”) to Vendor (as “data importer”), is a Restricted International Transfer, the parties hereby enter into and agree to be bound by the SCCs as incorporated into this Appendix 2 (and the Agreement) by reference and subject to the additional information and clarifications in respect of the SCCs set out in Exhibit 1 to this Appendix 2 (the “Agreed SCCs”). Block and Vendor agree that the execution of the Agreement by the parties shall constitute the execution of the Agreed SCCs by the parties.

6. Additional or Alternative Safeguards

If, at any time, a competent authority or a court with competent jurisdiction over Block or Vendor mandates that the SCCs do not provide an adequate level of protection for Personal Data that is subject to a Restricted International Transfer and such Personal Data is not covered by an alternative framework recognised by the relevant authority or court as providing an adequate level of protection for such Personal Data, the parties shall implement such safeguards and enter into such form of agreement as reasonably required by Block to ensure that such Personal Data is subject to an adequate level of protection in accordance with Applicable Data Protection Laws.

In the event that the form of SCCs in place as at the date of execution of the Agreement is amended or replaced by the applicable competent authority under the relevant Applicable Data Protection Laws, the parties agree that Exhibits 1 and 2 to this Appendix 2 and Exhibit B to the Agreement shall apply to such amended or replaced SCCs subject to any amendments communicated in writing by Block to the Vendor, to form the Agreed SCCs.

Exhibit 1 to Appendix 2

Additional Terms and Information Applying to the SCCs

1. Where the Restricted Transfer is an EU Restricted Transfer, the EU SCCs will apply between Block (as “data exporter”) and Vendor (as “data importer”) as follows:

(a) Clause 7 (Docking clause) shall not apply.

(b) Option 2 of Clause 9(a) (Use of sub-processors) shall apply in relation to the data exporter’s authorisation of the use of sub-processors and 30 business days’ prior written notice before any change of a sub-processor is required.

(d) The first option (Where the data exporter is established in an EU Member State) provided for in Clause 13(a) (Supervision) shall apply.

(e) Option 1 of Clause 17 (Governing law) shall apply and the governing law shall be the law of (i) the jurisdiction where the data exporter is established where the data exporter is established in the European Union (the “EU”); or (ii) the law of Ireland where the data exporter is established outside of the EU.

(f) In accordance with Clause 18(b) (Choice of forum and jurisdiction), any dispute arising from the SCCs shall be resolved by the courts of Ireland where the SCCs are governed by the laws of Ireland or the courts of the other relevant EU Member State where the SCCs are governed by the laws of such other EU Member State pursuant to Clause 17 (Governing law).

(g) The information set out in Exhibit B to the Agreement and Exhibit 2 to this Appendix 2 will be deemed populated into Annexes 1 and 2 of the SCCs respectively.

2. Where the Restricted Transfer is a UK Restricted Transfer, the UK Addendum will apply between Block and Vendor as follows:

(a) the EU SCCs, completed as set out in paragraph 1 above, shall apply between Block and Vendor, and shall be modified by the UK Addendum, completed in accordance with sub-clause (b) immediately below;

(b) tables 1 to 3 of the UK Addendum shall be deemed completed with the relevant information from the EU SCCs completed as set out in paragraph 1 above, and the options “Exporter” and “Importer” shall be deemed checked in table 4, The start date of the UK Addendum (as set out in table 1) shall be the effective date of the Agreement.

3. Where the Restricted Transfer is a Swiss Restricted Transfer, the EU SCCs shall apply between Block and Vendor as set out in paragraph 2 above and as amended as follows:

(a) references to the GDPR in the SCCs will be deemed to refer to the Swiss FADP;

(b) references to specific articles of the GDPR will be deemed replaced with the equivalent article or section of the Swiss FADP;

(c) references to ‘EU’, ‘Union’, ‘Member State’ and ‘Member State Law’ will be deemed replaced with ‘Switzerland’ or ‘Swiss Law’ (as applicable);

(d) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’ (as applicable);

(e) in Clause 17 (Governing Law), the SCCs will be governed by the laws of Switzerland; and

(f) in Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the competent courts of Switzerland.

Exhibit 2 to Appendix 2

TECHNICAL AND ORGANISATIONAL MEASURES

1. FRAMEWORK: The data importer has put in place a variety of technical and organisational security measures to protect Personal Data.

2. POLICIES: The data importer is subject to data security requirements set forth in its policies, procedures, standards and guidelines that define various aspects of required protection for personal data, including Information Security Policy, Computer and Network Security Policy, Data Classification Policy, Document Management Policy, and IT Infrastructure Physical Security Policy.

3. STAFF EDUCATION, TRAINING AND RESPONSIBILITIES: The data importer provides continuous data privacy and information security education for all relevant employees upon hire.

4. INCIDENT MANAGEMENT: The data importer maintains documented Business Continuity, Disaster Recovery and Incident Response policies and procedures to respond to, and document responses to, relevant disruptions and events. The data importer performs testing of these procedures and provides education to relevant staff at least annually.

5. USER ACCESS TO INFORMATION SYSTEMS: The data importer maintains password-based, badge-based, and/or multi-factor authentication mechanisms. The data importer employs role-based access controls and grants the least privilege necessary for job function.

6. PHYSICAL ACCESS CONTROL: The data importer maintains badge-based and role-based physical access controls for all offices and data center locations that house sensitive information. The data importer maintains role-based access controls and full-disk encryption on portable IT assets such as laptops.

7. IT SYSTEM SECURITY: It is the data importer’s policy that business units implement various controls, processes and standards for safeguarding IT systems, which may include: controls for the prevention, detection and removal of malicious code, including malware, using approved automated and manual monitoring solutions and countermeasures; processes for identification of technical vulnerabilities and resolution where identified; minimum security requirements in network services agreements; standards for audit trails / logs that record system administrator activity, significant exceptions and information security events; processes for monitoring key systems for potentially unusual or suspicious activity and investigating exceptions; processes for the timely reporting of information security events or suspected security weaknesses and the development and execution of corrective action plans; system access controls that include user authentication, use of unique identifiers (user ID) and, for remote access, two-factor authentication; and procedures to control the installation of software on operational systems.

8. DATA LEAKAGE/MEDIA HANDLING/CRYPTOGRAPHIC CONTROLS: The data importer maintains a Data Classification Policy which defines acceptable use and required protection mechanisms for various types of sensitive data. The data importer employs data encryption, role-based access controls, network segmentation via firewalls, log/event monitoring, and automated 24/7 incident alerting to minimize the risk of data leakage.

9. THIRD PARTY SERVICE PROVIDERS: The data importer vets all third party service providers to ensure that the processing of data by such providers meets the data importer’s vendor security guidelines. Third party service providers are subject to agreements governing the handling and processing of personal data on behalf of the data importer.

10. STORAGE OF PERSONAL DATA: Personal Data is to be kept only for as long as is necessary in accordance with the data importer’s Data Policy and relevant local laws and regulations.

11. DISPOSAL OF PERSONAL DATA: When Personal Data is no longer required for business, legal or regulatory obligations, the data importer securely destroys the data. Hard-copy materials are destroyed by: cross-cut shredding, pulping, incineration or other methods with reasonable assurance that the material cannot be reconstructed. Sensitive data on electronic media must be rendered unrecoverable (e.g., via a secure wipe program in accordance with industry-accepted standards for secure deletion, or by physically destroying the media).

1. (the full text of which is available at

https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en

)

Last updated: February 21, 2025

1. Definitions.

For the purposes of this Schedule, the following terms shall have the meanings given below:

“Applicable Data Protection Laws” means all applicable national, federal, state and local laws, statutes, ordinances, rules and regulations of any applicable jurisdiction and any applicable court order or settlement agreement governing the processing of Personal Data, including, but not limited to: (i) the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 et seq.); (ii) Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data on the free movement of such data (“General Data Protection Regulation” or “GDPR”) and EU Directive 2002/58/EC; (iii) UK Data Protection Law; (iv) any implementing, derivative or related legislation, rule or regulation of the European Union, a European Union member state or the United Kingdom with respect to Personal Data; (v) Canada’s Personal Data Protection and Electronic Documents Act (S.C. 2000, c. 5) and comparable privacy laws of any Canadian province; (vi) Australia’s Privacy Act 1988 (Cth); and (vii) (where applicable) any Jurisdiction Specific Requirements; in each case, as amended or updated from time to time.
“Data Security Breach” means any (a) Processing of Personal Data, not expressly permitted by Block, the Agreement or this Schedule, including any accidental or unlawful loss, misuse, or unauthorized access, disclosure, alteration, destruction or acquisition of Personal Data; (b) reasonably suspected breach or compromise of Personal Data, or of Vendor’s computer systems or networks that directly or indirectly support Personal Data Processed under or in connection with the Agreement; or (c) any reasonably suspected violation of Applicable Data Protection Laws by Vendor in relation to the Personal Data Processed under or in connection with the Agreement.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
“Deidentified Data” means data created using Personal Data that cannot reasonably be linked to a Data Subject, directly or indirectly.
“EEA” means the European Economic Area.
“Jurisdiction Specific Requirements” means any applicable jurisdiction-specific requirements for the cross-border transfer and processing of Personal Data, as set out in Appendix 1 and Appendix 2 to this Schedule.
“Personal Data” means any information Processed by, or on behalf of, Vendor in connection with providing the Services to Block (i) that identifies or can be used to identify, contact or precisely locate the individual person to whom such information pertains; (ii) from which identification of or contact information for an individual person can be derived; or (iii) any other “personal information”, “personally identifiable information”, “protected health information” or substantially analogous concepts, the Processing of which is otherwise subject to or governed by Applicable Data Protection Laws. Additionally, to the extent any other information is associated or combined with Personal Data, such information also will be considered Personal Data for purposes of the Agreement.
“Processing” or “Process” means any operation or set of operations that is performed upon Personal Data whether or not by automatic means, including, but not limited to, collection, recording, organization, storage, access, receipt, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, transmitting, transporting, alignment, combination, blocking, deleting, erasure, destruction or otherwise handling.
“Processor” shall have the meaning given to this term and substantially equivalent terms, including “Service Provider,” in Applicable Data Protection Laws.
“Sub-processor” any Processor or sub-contractor engaged by Vendor or its Affiliates to perform some or all of the Services as envisaged under this Schedule, and who may Process Personal Data in connection with providing the Services.
“Third Party Request” means a written request from a third party for disclosure of Personal Data where compliance with such request is required or purported to be required by law or regulation.
“UK Data Protection Law” means the UK Data Protection Act 2018 and the UK GDPR.
“UK GDPR” shall have the meaning given to this term in section 3 of the UK Data Protection Act 2018.

2. General.

3. General Obligations.

4. Data Security.

5. Data Security Breach.

breachnotifications@block.xyz

6. Audits.

7. Miscellaneous.

Appendix 1: Jurisdiction Specific Requirements - Australia

1. Applicability

2. Conflict

3. Definitions

In this Appendix 1:

(a) “Australian Personal Data” means any Personal Data which is Processed by, or on behalf of, the Vendor in connection with providing the Services to Block in Australia under the Agreement.

4. Vendor Requirements

The Vendor must:

(b) take reasonable steps to protect any Australian Personal Data in its possession or control from:

(i) misuse, interference, and loss; and
(ii) unauthorised access, modification, or disclosure;