Background
The Customer (the Controller) and Push Security Ltd (the Processor) entered into an agreement/terms (Agreement) that may require the Processor to process Personal Data on behalf of the Controller.
This Data Processing Agreement (DPA) sets out the terms, requirements and conditions on which the Processor will process Personal Data when providing services under the Agreement. This DPA contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and, if applicable, processors and the UK Addendum to the SCC’s.
Agreed terms
The following definitions and rules of interpretation apply in this DPA.
Affiliates: any entity that directly or indirectly controls, is controlled by, or is under common control with another entity.
Business Purposes: the services described in the Agreement.
Data Subject: an individual who is the subject of Personal Data.
Personal Data: any information relating to an identified or identifiable natural person that is processed by the Processor as a result of the provision of services under the Agreement; an identifiable natural person is one who can be identified.
Processing, processes and process: any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define processing, processes or process.
Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Privacy Policy: the Processor’s privacy policy, located here.
Standard Contractual Clauses (SCC): the European Commission's Standard Contractual Clauses for the transfer of Personal Data to third countries, adopted by the European Commission by virtue of Commission Decision 2021/914/EU, a copy of which comprises ANNEX A, in all cases incorporating the SCC Amendments (as defined below in this DPA) and each as published on the European Union’s webpage.
SCC Amendments: the Standard Contractual Clauses (with MODULE TWO language), subject to the following amendments:
MODULES ONE and THREE and FOUR language is not applied;
in clause 9(a) of MODULE TWO, the parties agree to select OPTION 2 and the specified time period is thirty days;
the optional part of clause 11 (‘Redress’) shall not be applied;
in clause 17 and 18 of MODULE TWO, the parties agree to select OPTION 1 and the governing law shall be as stipulated in the Agreement unless prohibited by mandatory Data Protection Legislation, then the governing law shall be the laws of England and Wales;
in Annex I.A. (‘List of Parties’), MODULE TWO, the identity of each of the data exporter and data importer is populated with either Controller or Processor, depending on the facts;
Annex I.B. (‘Description of Transfer’), MODULE TWO shall incorporate the description of processing in ANNEX A;
Annex I.C. (‘Competent Supervisory Authority’), with regard to MODULE TWO the competent supervisory authority is detailed in ANNEX A to this DPA;
Annex II (‘Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of Data’), MODULE TWO shall incorporate the technical and organizational measures in the Privacy Policy;
Annex III (‘List of Sub-Processors’) MODULE TWO shall incorporate the list of Sub-Processors for data where Push acts as the Data Processor on the Push website;
to the extent any part of the Standard Contractual Clauses referred to is replaced in any amended, replacement or subsequently approved Standard Contractual Clauses, then the relevant parts of this definition shall include any similar provisions or clauses in such amended, replacement or subsequently approved Standard Contractual Clauses.
This DPA is subject to the terms of the Agreement and is incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this DPA.
The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA.
A reference to writing or written includes email.
In the case of conflict or ambiguity between:
any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail;
the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Annexes, the provision contained in the Annexes will prevail;
any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail.
Personal data types and processing purposes
The Controller and the Processor acknowledge that for the purpose of the Data Protection Legislation, the Controller is the data controller and the Processor is the data processor.
The Controller retains control of the Personal Data and remains responsible for its compliance obligations under Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Processor.
The subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which the Processor may process to fulfill the Business Purposes shall be outlined in the Agreement and the Privacy Policy.
Processor's obligations
The Processor will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Privacy Policy. The Processor will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. The Processor must promptly notify the Controller if, in its opinion, the Controller's instruction would not comply with the Data Protection Legislation.
The Processor must promptly comply with any Controller request or instruction requiring the Processor to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
The Processor will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Controller or this DPA specifically authorizes the disclosure, or as required by law.
The Processor will reasonably assist the Controller with meeting the Controller's compliance obligations under the Data Protection Legislation.
The Processor shall promptly notify the Controller of any changes to Data Protection Legislation that may adversely affect the Processor's performance of the Agreement.
Notwithstanding the foregoing the Processor shall have the right, within law, to use the data generated in connection with its use of services to (i) analyze and improve services, and (ii) for statistical purposes, provided that no individual person can be recognized from the results.
Processor's employees
The Processor will ensure that all employees:
are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
are aware of the Processor's duties and their personal duties under the Data Protection Legislation and this DPA.
The Processor will take reasonable steps to ensure the reliability, integrity and trustworthiness of and conduct background checks consistent with applicable law on all of the Processor's employees with access to the Personal Data.
Security
The Processor must at all times implement appropriate technical and organizational measures against unauthorized or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
The Processor shall implement measures to ensure a level of security appropriate to the risk involved, including as appropriate:
the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident on its own systems; and
a process for regularly testing, assessing and evaluating the effectiveness of security measures.
Personal Data Breach
The Processor will without undue delay notify the Controller if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable.
Following an unlawful Personal Data Breach, the parties will coordinate with each other to investigate the matter. The Processor will reasonably cooperate with the Controller in the Controller's handling of the matter.
The Processor agrees that the Controller has the sole right to determine:
whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, or others, as required by law or regulation or in the Controller's discretion; and
whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
Cross-border transfers of personal data
Processor has the right to transfer data inside EEA and the UK to an extent necessary for efficient provisioning of the Services. Unless otherwise agreed in writing, Processor may also transfer or access personal data outside EEA. In case of transfer of personal data from European Union to destinations other than EEA countries and UK or countries which are recognized by the European Union with adequate level of legislation protecting Personal Data, Processor shall on behalf of the Controller implement proper safeguards and ensure that such transfers are subject to (i) the appropriate Module of the European Union Standard Contractual Clauses for The Transfer of Personal Data to Third Countries, version 2021 (attached as ANNEX A) or as superseded by European Commission implementing decision (“SCC”); or (ii) other appropriate transfer mechanisms that provide an adequate level of data protection in compliance with applicable data protection legislation.
Where the Processor relies on SCC’s for the purposes of justifying the transfer, the Processor will incorporate the mandatory part of the applicable Module of the SCC’s as set out in ANNEX A.
Subcontractors
Processor may make use of Sub-processors in providing the Services. This is outlined on the Push website. Processor will ensure that processing by its Sub-processors is always aligned with the purposes of the Agreement, this DPA, the Privacy Policy and any additional instructions agreed to by the parties.
Processor undertakes diligent vetting when choosing new Sub-processors. Processor’s Sub-processors are required to abide by the same level of data protection and security as Processor under this DPA. Processor has in place measures that are appropriate to the nature of the personal data and risks represented by the processing.
Term and termination
Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Personal Data will remain in full force and effect.
If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its obligations under the Agreement, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within six (6) months, they may terminate the Agreement on written notice to the other party.
Data return and destruction
At the Controller's request, the Processor will give the Controller a copy of or access to all or part of the Controller's Personal Data in its possession or control in the format and on media that is in accordance with standard industry practice.
On termination of the Agreement for any reason or expiry of its term, the Processor will securely delete or destroy or, if directed in writing by the Controller, return and not retain, all or any Personal Data related to this DPA in its possession or control, except for one copy that it may retain and use for as long as reasonably required for audit purposes only.
The Processor may retain any documents or materials where required to do so under any law, regulation, or government or regulatory body.
The Processor will certify in writing that it has destroyed the Personal Data following a written request from Controller.
Records
The Processor will keep accurate and up-to-date written records regarding any processing of Personal Data it carries out for the Controller, including but not limited to, the access, control and security of the Personal Data, approved subcontractors and affiliates, the processing purposes and the technical and organizational security measures referred to in clause 5.1 (Records).
The Processor will ensure that the Records are sufficient to enable the Controller to verify the Processor's compliance with its obligations under this DPA and the Processor will provide the Controller with copies of the Records upon request.
The Controller and the Processor shall review the information listed in the Annexes to this DPA from time-to-time to confirm its current accuracy and update it when required to reflect current practices.
Audit
During the validity of the Agreement, the Controller is permitted to audit Processor’s processes that are involved in processing personal data on behalf of the Controller. Any such audit shall be carried out via independent third party auditors reasonably acceptable to Processor and no more frequently than once every 12 months.
Any audit shall be conducted during regular business hours at Processor’s facilities and shall not unreasonably interfere with Processor’s business activities. The Controller needs to provide a minimum of thirty (30) day notice prior to the audit. The Controller or the auditor shall further provide an audit plan in advance to Processor. Processor shall provide the auditor with such cooperation and access to documents/records, properties and staff used in the performance of the Services as is reasonably necessary for an effective and efficient execution of the audit, and also subject to Processor’s right to refuse access to commercially or technically sensitive information, personal data, information regarding its customers or information that would be unlawful to disclose. Processor has the right of rejection to such portions of the plan that could potentially endanger Processor’s obligations to third parties or disrupt systems servicing other parties.
Controller will bear all of the costs of audit (including but not limited to costs of the auditor and costs arising from availability of requested Processor’s personnel). The Controller shall be liable for any and all damages caused by itself, or its third party auditor, when conducting the audit.
Warranties
The Processor warrants that:
its employees, subcontractors, agents and any other person or persons accessing Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation relating to the Personal Data;
it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation;
it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Data and the accidental loss or destruction of, or damage to, Personal Data.
The Controller warrants that the Processor's expected use of the Personal Data for the Business Purposes and as specifically instructed by the Controller will comply with the Data Protection Legislation.
Notice
Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to:
For the Controller: The Customer point of contact who subscribes to the Service.
For the Processor: Please contact us through our web form or via email (privacy@pushsecurity.com).
Clause 14.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
A notice given under this agreement is not valid if sent by email.
This Data Processing Agreement has been entered into on the date of the Agreement.
Annex A - Standard Contractual Clauses (“SCC”)
Annex B - UK Addendum to the EU SCC’s
COVER LETTER TO THE SCC
This cover letter to the SCC sets out the Parties' agreement to the applicable Module of SCC and the contents of Annexes I, II, and III to the SCC.
Applicable modules
The Parties agree that the Processor is located within the EEA or a country which is recognized by the European Union with adequate level of legislation protecting Personal Data, and that the Processor has been given authorisation by the Controller to transfer Personal Data to its Affiliate located outside the EEA or a country which is recognized by the European Union with adequate level of legislation protecting Personal Data. The Parties further agree and understand that the Controller acts as the data exporter and the Processor acts as the data importer within the meaning of and as set out below in this ANNEX A.
For the sake of clarity it is stated that the Parties have agreed that the applicable module of the SCC shall be the mandatory clause of MODULE TWO (Controller – Processor) excluding optional part of Clause 7 (‘Docking clause’) and Clause 11 (‘Redress’).
MODULE TWO: Transfer controller to processor
Data exporter(s):
Name and address: The Customer, as set out in the Parties section to the Agreement. Contact person’s name, position and contact details: As outlined in the Notices section (clause 14).
Activities relevant to the data transferred under these Clauses: as outlined in the Agreement.
Role (controller/processor): Controller.
Data importer(s):
Name and address: Push Security Ltd, as set out in the Parties section to the Agreement.
Contact person’s name, position and contact details: As outlined in the Notices section (clause 14)
Activities relevant to the data transferred under these Clauses: As outlined in the Agreement.
Role (controller/processor): Processor.
Name and address: Push Security Inc.
Contact person’s name, position and contact details: As outlined in the Notices section (clause 14)
Activities relevant to the data transferred under these Clauses: As outlined in the Agreement.
Role (controller/processor): Processor.
The subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which the Processor may process and transfer personal data to fulfill the Business Purposes of the Agreement shall be outlined in the Privacy Policy.
C – Competent Supervisory Authority
The competent supervisory authority is the Data Ombudsman of England.
Annex II – Technical and Organizational Measures including Technical and Organizational Measures to ensure the Security of the Data: As outlined in the Privacy Policy:
Annex III – List of Sub-Processors
A list of Sub-processors for delivery of the Service is here:
This document contains the Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018 in the form of the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (VERSION B1.0, in force 21 March 2022). The Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | The Go Live Date, as outlined in the Order Form. | |
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | Full legal name: Push Security Ltd Main address: 2 Kingdom Street, 6th Floor, London, UK, W2 6BD Company number: 12309408 | Full legal name: As outlined in the Agreement Main address: As outlined in the Agreement Registration number: As outlined in the Agreement |
Key Contact | Full Name: Jacques Louw Contact: Jacques.Louw@PushSecurity.com | Full Name (optional): Contact details: |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: |
 | Module 1 | Module 2 | Module 3 | Module 4 |
---|---|---|---|---|
Module in operation | No | Yes | No | No |
Clause 7 (Docking Clause) | N/A | No | N/A | N/A |
Clause 11 (Option) | N/A | No | N/A | N/A |
Clause 9a (Prior Authorisation or General Authorisation) | N/A | OPTION 2 (General) | N/A | N/A |
Clause 9a (Time period) | N/A | 90 days | N/A | N/A |
Is personal data received from the Importer combined with personal data collected by the Exporter? | N/A | No | N/A | N/A |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: The identity of the data exporter and data importer is populated with either Controller (the Client), Processor (Push Security Limited) and their contact details are set out in the DPA and this Addendum.
Annex 1B: Description of Transfer: MODULE TWO shall incorporate the description of processing in ANNEX A to the DPA.
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: MODULE TWO shall incorporate the technical and organisational measures detailed in the DPA.
Annex III: List of Sub processors: MODULE TWO shall incorporate the list of Sub-Processors in the DPA.
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: Importer Exporter |
Part 2: Mandatory Clauses
Entering into this Addendum
Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and
If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
References to Regulation (EU) 2018/1725 are removed;
References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
Clause 13(a) and Part C of Annex I are not used;
The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.