JetPack Data Privacy Addendum

Docusign Envelope ID: 2F00C677-1326-4B4D-A873-8B9468E26B3A
Data Processing Addendum

Subject to our Terms of Service https://wordpress.com/tos/1 (“Terms of Service” or “Agreement”), we (the folks at Automattic) process Personal Data on behalf of the users of those services (“You” or “User”), for which we act as the processor under applicable Data Protection Laws and our users act as the controllers. That Personal Data is referred to as “Controller Data,” as further described below.
“Data Protection Laws” means any and all privacy, security and data protection laws and regulations that apply to the Personal Data processed by processor under the Agreement, including, as applicable, the GDPR, Member State laws implementing the GDPR, and the California Consumer Privacy Act of 2018, including as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”), each as amended.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Personal Data” means any information relating to an identified or identifiable natural person or that is otherwise
deemed personal information or personal data (or similar variations of those terms) under Data Protection Laws.
This Data Processing Addendum (“Addendum”) to our Terms of Service explains our data protection obligations and rights as a processor of the Controller Data, as well as those of our Users as the controllers. Other than the data protection obligations and rights in this Addendum, the Agreement You have with Automattic will cover everything else.
Please see below to determine which entity your Agreement is with, which depends on where you reside and which Services (as defined in the Terms of Service) you use. We use the term “Designated Countries” to refer to Australia, Canada, Japan, Mexico, New Zealand, Russia, and all countries located in Europe.
All Automattic Services (excluding WooCommerce)

● If you reside outside of the Designated Countries: Automattic Inc.
● If you reside in the Designated Countries: Aut O’Mattic A8C Ireland Ltd.
WooCommerce Services (such as WooCommerce, WooCommerce Payments, WooCommerce Shipping, MailPoet, and any products or services purchased from WooCommerce.com.)
● If you reside outside of the Designated Countries: WooCommerce, Inc.
● If you reside in the Designated Countries: WooCommerce Ireland Ltd. Each of the above is referred to as “Automattic” or “we” in this Addendum.
1. Role of the Parties

With regard to the processing of the Controller Data, Automattic is the processor and the User is the controller. For purposes of this DPA, references to “processor” and “controller” shall be replaced with any corresponding terms with analogous meanings defined under Data Protection Laws (for example, “service provider” and “business” under the CCPA).
2. Scope of the Processing
2.1. Automattic shall process the Controller Data on behalf of and in accordance with the instructions of the User as specified in Section 2.4. If Automattic is legally required to process Controller Data for another purpose, Automattic will inform the User of that legal requirement unless the law



1 If you use our Crowdsignal service, the Crowdsignal Terms and Conditions at https://crowdsignal.com/terms also apply. If you use Akismet, the Akismet Terms of Use at https://akismet.com/tos/ also apply. If you use Day One, the Day One Terms of Use at https://dayoneapp.com/terms-of-use/ also apply. If you use Pocket Casts, the Pocket Casts Terms of Use at https://support.pocketcasts.com/article/terms-of-use-overview/ also apply. If you use Frontity, the Frontity Terms of Use at https://frontity.org/legal/ also apply.

Docusign Envelope ID: 2F00C677-1326-4B4D-A873-8B9468E26B3A

prohibits Automattic from doing so.
2.2. Automattic certifies that it will not: (a) collect, retain, use, disclose or otherwise process the Controller Data for any purpose other than as necessary for the specific purpose of performing the services on behalf of the User; (b) collect, retain, use or disclose the Controller Data for a commercial purpose other than providing the services on behalf of the User; (c) process the Controller Data outside of the direct business relationship between User and Automattic; (d) combine the Controller Data with any other Personal Data Automattic collects (directly or via any third party) other than as expressly permitted for processors under Data Protection Laws; or (e) “sell” or “share” (each as defined by the CCPA) the Controller Data.
2.3. Automattic processes Controller Data for the purpose of providing Automattic’s website creation and management services to our Users. Controller Data is comprised exclusively of Personal Data relating to data subjects who use a User’s website, which may include a User’s customers, subscribers, followers, employees or other administrative users. Controller Data does not include content or Personal Data collected by Automattic about any of the foregoing persons in that person’s capacity as a user of WordPress.com or another service provided directly to the person by Automattic (including as specified in Section 2.7 and 2.8 below).

The type of Controller Data processed by Automattic depends on the services and features that the User decides to implement for the User’s website, and may include username and credentials; name; contact information, such as e-mail address, physical address, and telephone number; billing information, such as credit card data and billing address; website usage information, IP address, and other technical data such as browser type, unique device identifiers, language preference, referring site, the date and time of access, operating system, and mobile network information; approximate location data (from IP address); personal information discussed in the content of the site or any content you upload, information regarding interactions with the website, such as “comments,” poll responses, “ratings,” and “likes”; and other information directly provided to the User’s website by a visitor to the website, such as contact form submissions.
The duration of processing corresponds to the duration of the Agreement, which is described in the Terms of Service.
2.4. The instructions of the User are in principle conclusively stipulated and documented in the provisions of this Addendum. Individual instructions which deviate from the stipulations of this Addendum or which impose additional requirements shall require Automattic’s written agreement. Automattic will immediately inform the User if, in Automattic’s opinion, an instruction from the User infringes applicable data protection law.
2.5. User shall comply with its obligations under Data Protection Laws. The User is responsible for the lawfulness of the processing of the Controller Data. In case third parties assert a claim against Automattic based on the unlawfulness of processing Controller Data or any other violation of Data Protection Law by User, the User shall release Automattic from any and all such claims.
2.6. User agrees that Automattic may depersonalise (including through deidentification) the Controller Data or aggregate data in a way which does not permit the identification of a natural person, as well as use the data in this form for purposes of designing, further developing, optimizing, and providing its services to the User as well as to other users of the service, provided that if such data is “deidentified” (as defined under Data Protection Law), Automattic will take reasonable measures designed to ensure such data cannot be associated with a natural person and will commit to maintain this data in deidentified form and not attempt to reidentify this data except to assess the sufficiency of the deidentification. The parties agree that the Controller Data rendered depersonalised or aggregated as above-mentioned are no longer classified as Controller Data in terms of this Addendum and that Automattic is instructed by User to depersonalise Controller Data in accordance with this clause.

2.7. Automattic has the right to collect, use, and disclose any User data (“User Data”) which is distinct
from Controller Data in accordance with the Automattic privacy policy, which is available at

Docusign Envelope ID: 2F00C677-1326-4B4D-A873-8B9468E26B3A

https://automattic.com/privacy/. User Data includes any information collected by Automattic from or about a visitor to User’s website (including any contributor or editor), while that visitor is logged into a WordPress.com account. The parties agree that Automattic’s processing of User Data is independent of the services that Automattic provides directly to the User for the User’s website, and is not subject to this Addendum.
2.8. The parties further agree that Automattic’s processing of data to deliver interest- based ads to the User’s website, when such ads are enabled for free WordPress.com websites or on a website through WordAds or Jetpack Ads, is not subject to this Addendum.
3. Automattic’s Personnel Requirements
3.1. Automattic shall require all personnel engaged in the processing of Controller Data to treat

Controller Data as confidential.
3.2. Automattic shall ensure that natural persons acting under Automattic’s authority who have access to Controller Data shall process such data only on Automattic’s instructions.
4. Security of Processing
4.1. Automattic shall implement security measures designed to protect Controller Data in accordance with requirements under Data Protection Law. Automattic implements appropriate technical and organisational measures, taking into account the state of the art, the implementation costs, and the nature, the scope, circumstances, and purposes of the processing of Controller Data, as well as the different likelihood and severity of the risk to the rights and freedoms of the data subject, in order to ensure a level of protection appropriate to the risk of Controller Data.

4.2. In particular, Automattic shall establish prior to the beginning of the processing of Controller Data and maintain throughout the term the technical and organisational measures as specified in Appendix 1 to this Addendum and implement measures designed to ensure that the processing of Controller Data is carried out in accordance with those measures.
4.3. Automattic shall have the right to modify technical and organisational measures during the term of the Agreement, as long as they continue to comply with the requirements under Data Protection Law.
5. Sub-processors
5.1. The User hereby authorizes Automattic to engage sub-processors in a general manner in order to provide its services to the User. For Users whose Agreement is with Aut O’Mattic Ltd. (Ireland), the sub-processors currently engaged by Aut O’Mattic Ltd. (Ireland) include its affiliate companies Automattic Inc. (US) and Pressable Inc. (US). For Users whose Agreement is with WooCommerce Ireland Ltd., the sub-processors currently engaged by WooCommerce Ireland Ltd., include its affiliate companies WooCommerce, Inc. and Automattic Inc. In general, no authorization is required for contractual relationships with service providers that are not actively processing Controller Data but are only concerned with the examination or maintenance of data processing procedures or systems by third parties or that involve other additional services, even if access to Controller Data cannot be excluded, as long as Automattic takes reasonable steps to protect the confidentiality of the Controller Data.

5.2. Automattic shall make available to the User the current list of sub-processors at the following link: https://automattic.com/subprocessor-list/. User should check this website regularly for updates. Through this link, Automattic shall provide notice to the User of any intended changes concerning the addition or replacement of sub-processors. The User is entitled to object to any intended change. An objection may only be raised by the User for important reasons which have to be proven to Automattic. Insofar as the User does not object within 14 days after the notification date, the User’s right to object to the corresponding engagement lapses. If the User objects, Automattic is entitled to terminate the Agreement on reasonable notice.

Docusign Envelope ID: 2F00C677-1326-4B4D-A873-8B9468E26B3A

The agreement between Automattic and sub-processors must impose the same obligations on the latter as those incumbent upon Automattic under this Addendum. The parties agree that this requirement is fulfilled if the contract has a level of protection corresponding to this Addendum and if the obligations laid down in applicable data protection laws are imposed on the sub- processor. In case Automattic engages a sub-processor outside of the European Economic Area, the User hereby instructs and authorises Automattic to conclude an agreement with another processor on behalf of the User based on the Standard Contractual Clauses (as defined below) for the transfer of Personal Data to processors in third countries. As the case may be, where the Controller Data requires additional protection under the Standard Contractual Clauses in order to provide for appropriate safeguards according to applicable data protection laws, Automattic shall ensure any sub-processor it engages is bound by the Standard Contractual Clauses (processor to processor Standard Contractual Clauses). Notwithstanding, Automattic may safeguard an adequate level of protection in a third country also by other means including binding corporate rules and other appropriate safeguards.
6. Support Obligations
6.1. Automattic shall provide assistance to the User pursuant to its obligations as a processor under

Data Protection Laws, including, as applicable, Article 28 of the GDPR.
6.2. User will inform Automattic of any request to exercise data subjects’ rights that Automattic must comply with and provide the information necessary for Automattic to comply. Upon receiving such notice and information, Automattic shall to a reasonable extent support the User with technical and organisational measures in fulfilling the User’s obligation to respond to requests for exercising data subjects’ rights.
6.3. Automattic shall notify the User without undue delay after becoming aware of any breach of the security of Controller Data that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Controller Data (each, a “Security Incident”). The notification shall contain a description of the following if and to the extent known by Automattic:

a) the nature of the breach of Controller Data, indicating, as far as possible, the categories and the approximate number of affected data subjects, the categories and the approximate number of affected Personal Data sets;

b) the likely consequences of the breach of Controller Data; and

c) the measures taken or proposed by Automattic to remedy the breach of Controller Data and, where appropriate, measures to mitigate their potential adverse effects.
6.4. The above details may be provided in multiple notifications as the information becomes available.

In the event that the User is obligated to inform the supervisory authorities and/or data subjects
of a Security Incident, Automattic shall, at the request of the User, assist the User to comply with these obligations.
6.5. Automattic will take appropriate steps to remediate the cause of any Security Incident and will use commercially reasonable efforts to cooperate with the User with respect to the investigation and remediation of such Security Incident, which may include providing assistance to enable User to notify and cure an alleged violation of Data Protection Law related to a Security Incident. Automattic will not engage in any action or inaction that unreasonably prevents the User from curing an alleged violation of Data Protection Law.
7. Deletion and Return of Controller Data

Upon termination of the Terms of Service Automattic shall delete all Controller Data, unless Automattic is obligated by law to further store Controller Data.

Docusign Envelope ID: 2F00C677-1326-4B4D-A873-8B9468E26B3A
8. Evidence and Audits

User has the right to take reasonable and appropriate steps to help to ensure that Automattic processes the
Controller Data in accordance with requirements of this Addendum as specified in this Section 8.
8.1. Automattic shall ensure that the processing of Controller Data is consistent with this Addendum, comply with all obligations applicable to it as a processor under Data Protection Law, and provide the same level of privacy protection as is required by Data Protection Law. Automattic shall notify User within five business days after making a determination that it cannot meet its obligations under the CCPA.
8.2. Automattic shall document the implementations of the obligations under this Addendum in an appropriate manner and provide the User with appropriate evidence at the latter’s reasonable request.
8.3. At the User’s reasonable request, Automattic shall demonstrate compliance with the obligations under this Addendum by submitting an opinion or report from an independent authority (e.g. an auditor) or a suitable certification by IT security or data protection audit relating to an inspection carried out in relation to Automattic’s data processing systems (“audit report”).
9. Transfer of Controller Data

In processing the Controller Data as part of the Agreement, Automattic may have to transfer the Controller Data outside of the European Union, the United Kingdom, or Switzerland. When Automattic does such a transfer, it will do so via the applicable mechanism outlined below.
9.1. For Controller Data Transferred Outside of the European Union

For any Controller Data that is transferred outside of the European Union to a Third Country , the parties agree to be bound by the Standard Contractual Clauses” as further shown in Appendix 2.
“Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors in third countries according to Decision (EU) 2021/914 of the EU Commission of 4 June 2021.
“Third Country” means a country that the EU has not recognized as providing an equivalent level of protection for personal data as the EU.
9.2. For Controller Data Transferred Outside of the United Kingdom

For any Controller Data subject to the UK GDPR that is transferred outside of the United Kingdom to a Third Country, the parties agree to be bound by the UK Addendum as outlined in Appendix 2.
“UK Addendum” means the Addendum to the Standard Contractual Clauses issued by the UK
Information Commissioner, in force 21 March 2022.
“UK GDPR” means the GDPR as incorporated into United Kingdom law by the Data Protection Act
2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced). For purposes of any Controller Data subject to the UK GDPR, references to the GDPR in this DPA will be replaced with references to the UK GDPR.
9.3. For Controller Data Transferred Outside of Switzerland

For any Controller Data subject to Swiss DP Law that is transferred outside of Switzerland to a
Third Country, the parties agree to be bound by Swiss SCCs as outlined in Appendix 2.
“Swiss DP Law” means the Swiss Federal Act on Data Protection 1992 (as updated from time to

Docusign Envelope ID: 2F00C677-1326-4B4D-A873-8B9468E26B3A

time). For purposes of any Controller Data subject to Swiss DP Law, references to the GDPR in this
DPA will be replaced with references to Swiss DP Law.
“Swiss SCCs” means the applicable standard data protection clauses issued, approved or

otherwise recognized by the Swiss Federal Data Protection and Information Commissioner.
USER

Name: Address: Email: Date:
AUTOMATTIC

Signatory Name: Jordan Hinkes
Title: Associate General Counsel of Automattic Inc., WooCommerce, Inc., Aut O’Mattic A8C Ireland Ltd., and WooCommerce Ireland Ltd.
Date: August 14, 2024

Docusign Envelope ID: 2F00C677-1326-4B4D-A873-8B9468E26B3A
Appendix 1

Automattic maintains safeguards designed to protect Controller Data from unauthorised access, use and disclosure. Automattic currently abides by the security standards below. Automattic may update or modify these security standards from time to time, provided that such updates and modifications will not result in a degradation of the overall security of Automattic’s services during the term of the User’s Agreement with Automattic.
1. Information Security Organisational Measures
1.1. Automattic has a dedicated security team committed to protecting Controller Data which works with our product teams to address potential security risks.
1.2. Automattic performs regular internal security testing and engages with third parties to perform application and network vulnerability assessments.
1.3. Automattic requires all employees with access to Controller Data to observe the confidentiality of that data, and trains employees on confidentiality and security.
1.4. Automattic uses commercially reasonable measures for software, services, and application development, including routine dynamic testing and training personnel on coding techniques that

promote security.
2. Physical Security
2.1. Automattic’s servers are co-located in data centers designed to meet the regulatory demands of multiple industries. All servers are housed in dedicated cages to separate our equipment from other tenants.
2.2. Automattic’s data centers currently meet the International Organization of Standardization (ISO), International Electrotechnical Commission (IEC) 27001 certification, Standards for Attestation Engagements (SSAE) No. 18 (SOC1) and SOC2 Type 2, and ongoing surveillance reviews.
2.3. Automattic limits access to facilities where information systems that process Controller Data are located to identified, authorized individuals via measures which may include identity cards, security locks, key restrictions, logging of access, security alarm systems, and surveillance cameras.
3. Access Controls
3.1. Automattic runs network firewalls and host based firewalls (if applicable) and has real time processes designed to provide alerts for unauthorized access attempts. Automattic also has commercially reasonable security measures in place to help protect against denial of service (DDos) attacks.
3.2. Automattic maintains commercially reasonable access control procedures designed to limit access to Controller Data, including processes addressing password and account management for employees with access to Controller Data, virus scanning, and logging access to Controller Data.
3.3. Automattic encrypts (serve over SSL) all WordPress.com websites, including custom domains hosted on

WordPress.com.
4. Data Backup and Recovery

Automattic uses industry standard systems to help protect against loss of Controller Data due to power supply failure or line interference, which may include fire protection and warning measures, emergency power generators, and data recovery procedures.

Docusign Envelope ID: 2F00C677-1326-4B4D-A873-8B9468E26B3A
Appendix 2: Standard Contractual Clauses (processors) For Controller Data transferred outside of the European Union:

For transfers outside of the European Union, the parties agree to be bound by the Standard Contractual Clauses. The
Standard Contractual Clauses (linked below) are incorporated into this Data Processing Addendum: https://eur- lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN



There are certain sections of the Standard Contractual Clauses that require population or selection which are outlined in the following table for simplicity:

Section Reference


Concept


Selection by the Parties

Clause 7


Docking Clause


The option under clause 7 shall not apply

Section II, Clause 9


Approval of Subprocessors


Option 2: GENERAL WRITTEN AUTHORIZATION

Section IV, Clause 17


Governing law


The laws of Ireland

Section IV, Clause 18 (b)


Choice of forum and jurisdiction


The courts of Ireland

Annex I.A


List of Parties


See Annex I Section A of this Agreement below

Annex I.B


Description of Transfer


See Annex I Section B of this Agreement below

Annex I.C


Competent Supervisory

Authority


Irish Data Protection Commissioner

Annex II


Technical and Organisational

Measures


See Annex II of this Agreement

Annex III


List of Subprocessors


See Annex III of this Agreement

Further, if the Standard Contractual Clauses are implemented, adopted, or recognized as a legitimate data transfer mechanism in countries other than the EEA countries, then Automattic shall apply the Standard Contractual Clauses to the transfer of Personal Data originating from such country(-ies).
For Controller Data Transferred Outside of Switzerland:



For transfers outside of Switzerland, the parties are able to use the Standard Contractual Clauses outlined above, with modifications to account for Swiss law. So, in addition to the above table, the parties agree as follows:

Amended provision/interpretation


Modification

Clause 13 and Annex 1.C of the Standard

Contractual Clauses


The Federal Data Protection and Information Commissioner will be the competent supervisory authority

Processing standard


The parties agree to abide by the GDPR standard in relation to all processing of Controller Data that is governed by the Swiss DP Law

Interpretation of the term ‘Member State’


The term ‘Member State’ in the Standard Contractual Clauses will

not be interpreted to exclude data subjects who habitually reside

Docusign Envelope ID: 2F00C677-1326-4B4D-A873-8B9468E26B3A


in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the Standard Contractual Clauses

References to the ‘GDPR’


References to the ‘GDPR’ in the Standard Contractual Clauses will be understood as references to the Swiss Federal Act on Data Protection insofar as the transfer of Controller Data is subject to the Swiss Federal Act on Data Protection
For Controller Data to be transferred outside of the United Kingdom.

For transfers outside of the United Kingdom, the parties are able to use a UK Addendum. The UK Addendum (linked below) is incorporated into this Data Processing Addendum:
https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf



In using the UK Addendum, similar to the Standard Contractual Clauses, there are certain sections of the UK Addendum that require population or selection and are outlined in the following table for simplicity:

Section Reference


Concept


Selection by the Parties

Clause 7


Docking Clause


The option under clause 7 shall not apply

Clause 11


Redress


The option under clause 11 shall not apply

Section II, Clause 9(a)


Approval of Sub processors


Option 2: GENERAL WRITTEN AUTHORIZATION

Section IV, Clause 17


Governing law


The laws of England and Wales insofar as transfers are governed by UK Data Protection Laws

Section IV, Clause 18 (b)


Choice of forum and jurisdiction


The courts of England and Wales shall have exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this UK Addendum

Annex I.A


List of Parties


See Annex I Section A of this Agreement

Annex I.B


Description of Transfer


See Annex I Section B of this Agreement

Annex I.C


Competent Supervisory

Authority


the UK’s Information Commissioner

Annex II


Technical and Organisational

Measures


See Appendix 1 of this Agreement

Annex III


List of Subprocessors


See Annex III of this Agreement

Section 19 0f UK Addendum


End of UK Addendum when the Approved Addendum changes


Neither party may end this UK Addendum per Section 19 of the UK Addendum, except as set forth in the Agreement

Docusign Envelope ID: 2F00C677-1326-4B4D-A873-8B9468E26B3A
ANNEX I

Data exporter:
A. LIST OF PARTIES
Name, Address, Contact details: As set out in the signature block above.
Activities relevant to the data transferred under these Clauses: Data exporter’s use of data importer’s services and data exporter’s customers’ websites and services.
Role: Controller

Data importer:
Name: Automattic
Address: 60 29th St, #343 San Francisco, CA 94110, United States
Contact person’s name, position and contact details: Jordan Hinkes; Associate General Counsel of Automattic Inc., WooCommerce, Inc., Aut O’Mattic A8C Ireland Ltd., and WooCommerce Ireland Ltd.; privacypolicyupdates@automattic.com
Activities relevant to the data transferred under these Clauses: The data processing provided for by these standard contractual clauses is executed for the purpose of providing the services described in the Terms of Service.
Role: Processor
B. DESCRIPTION OF TRANSFER Categories of data subjects whose personal data is transferred

End-users who use a customer of Automattic’s website or service, which may include those customers’ customers,
subscribers, followers, employees or other administrative users and who are located in the Designated Countries;
data subjects discussed in the contents of User’s websites.
Categories of personal data transferred

The type of data processed by data importer depends on the services and features that the data exporter uses, and may include personal data contained in content (text and media); username and credentials, such as password hashes; name; contact information, such as e-mail address, physical address, and telephone number; billing information, such as credit card data and billing address; website usage information, IP address, and other technical data such as browser type, unique device identifiers, language preference, referring site, the date and time of access, operating system, and mobile network information; approximate location data (from IP address); information regarding interactions with the website, such as “comments,” poll responses, “ratings,” and “likes”; and other information directly provided by data exporter to a website, such as contact form submissions.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures

None.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Continuous.
Nature of the processing

Collection, use, organisation, and storage.
Purpose(s) of the data transfer and further processing

Docusign Envelope ID: 2F00C677-1326-4B4D-A873-8B9468E26B3A

The data processing provided for by these standard contractual clauses is executed for the purpose of providing the services described in the Terms of Service.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Subject to any legal requirement to keep personal data, we discard personal data when no longer needed for the purposes described in the Terms of Service, Privacy Policy, and Privacy Notice.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Amazon Web Services - the above categories and data subjects. For encrypted offsite back-ups only and for as long as the services agreement is in effect between controller and processor.
For Users whose Agreement is with Aut O’Mattic Ltd. (Ireland), the sub-processors currently engaged by Aut O’Mattic Ltd. (Ireland) include its affiliate companies Automattic Inc. (US) and Pressable Inc. (US) - the above categories and data subjects.
For Users whose Agreement is with WooCommerce Ireland Ltd., the sub-processors currently engaged by WooCommerce Ireland Ltd., include its affiliate companies WooCommerce, Inc. and Automattic Inc - the above categories and data subjects.
Subprocessors listed at https://automattic.com/subprocessor-list/

Docusign Envelope ID: 2F00C677-1326-4B4D-A873-8B9468E26B3A
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

See Appendix 1 to the Data Protection Addendum.

Docusign Envelope ID: 2F00C677-1326-4B4D-A873-8B9468E26B3A
ANNEX III
LIST OF SUB PROCESSORS

The Sub Processors listed on https://automattic.com/subprocessor-list/