In relation to the services rendered by Vercom with the use of a sub-processor located outside the European Economic Area, i.e. Cloudflare, Inc., please be informed of the following:
Vercom uses the services of Cloudflare, Inc. (“Cloudflare”) in order to increase the level of security of the services rendered to your account.
Vercom takes due care to ensure that all information (including, in particular, the content of messages sent through Vercom’s services, as well as personal data entrusted to Vercom for processing) remains confidential and is processed exclusively within the European Economic Area.
The above also applies to the services rendered by Cloudflare. Taking into account the interests of our Customers, Vercom has taken special care to put in place relevant contract provisions, which guarantee, in particular:
a) covering the services with the Data Localisation Suite (DLS) – thanks to this feature, information processed by Vercom in the course of rendering the services shall remain in the territory of the European Union;
b) covering the services with the EU Customer Metadata Boundary feature – by doing so, all data processed by Vercom shall not be transferred outside the European Union.
We are aware of your doubts related to the transfer of personal data to the United States. We are also aware that the fact that we use the services of a vendor located outside the European Economic Area (“EEA”) may, notwithstanding the information presented above, affect your decision to start cooperation with us.
Therefore, we hereby inform you that on the 10th of July, 2023, the European Commission adopted the adequacy decision, based on which an adequate level of protection of personal data is guaranteed by the EU-U.S. Data Privacy Framework (“DPF”).
The aforementioned decision is the result of concluding that the legislative changes implemented by the United States guarantee an adequate level of protection of personal data transferred by entities from the EEA to organizations located in the United States which adhere to the DPF.
The list of organizations that have adhered to the DPF is available here.
Cloudflare participates in the DPF, adhering to both the EU-U.S. DPF principles and the Swiss-U.S. DPF principles (hereinafter jointly referred to as the “Principles”) – please see more here.
You can learn more about the Data Privacy Framework Program by visiting its official website.
The Principles to which Cloudflare has adhered are available here: (i) EU-U.S. DPF Principles – here, (ii) Swiss-U.S. DPF Principles – here.
According to Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”), the transfer of personal data from the EEA to organizations which have adhered to the DPF and have been placed on the DPF list is possible without the need to obtain any further, additional permissions or to apply other transfer mechanisms, such as, for example, standard contractual clauses or binding corporate rules. In the event that a given organization participates in the DPF and remains listed on the DPF list, there is no further need to perform a data transfer impact assessment, i.e., TIA.
Application of the DPF Principles is obligatory and enforceable by the supervisory authorities competent for the entity participating in the DPF; for Cloudflare, this is the Federal Trade Commission.
Organizations that infringe their commitments deriving from participation in the DPF will be removed from the DPF list, and the information on removal shall be made public by the International Trade Administration, together with the reasons for the removal. This constitutes not only a reputational sanction for the organization but also a motivating factor to comply with the obligations related to participation in the DPF.
Should you have any questions, we remain at your disposal.