AWS NEW ZEALAND NOTIFIABLE DATA BREACH ADDENDUM

THIS AWS NEW ZEALAND NOTIFIABLE DATA BREACH ADDENDUM (this “Addendum”) is an agreement between the
applicable Amazon Web Services contracting party under the Agreement (“AWS”) and you or the entity you represent
(“you” or “your”), and is an addendum to the AWS Customer Agreement available at
http://aws.amazon.com/agreement (as updated from time to time) by and between you and AWS, or other
agreement between you and AWS governing your use of the Services (the “Agreement”). This Addendum takes effect
with respect to the NZNDB Account (as defined below) on the date when you click an “Accept AWS New Zealand
Notifiable Data Breach Addendum for this Account” button (or other electronic means made available by AWS for
such purpose) presented with this Addendum (the “Addendum Effective Date”). You represent to AWS that you are
lawfully able to enter into contracts (e.g., you are not a minor). If you are entering into this Addendum for an entity,
such as the company you work for, you represent to AWS that you have legal authority to bind that entity.
The parties hereby agree as follows:
1. Applicability and Definitions. This Addendum applies only (a) to the NZNDB Account, (b) when you are subject
to the New Zealand Privacy Act 2020 (the “Privacy Law”), and (c) to “personal information” (as defined in the
Privacy Law) held by AWS (the “Customer Data”). The “NZNDB Account” means the AWS account under the
Agreement that you used to log in to AWS Artifact (or any successor Service offered by AWS) to accept this
Addendum. You acknowledge and agree that this Addendum does not apply to any other AWS accounts you may
have now or in the future, and that if you have any other AWS accounts they must either have a separate AWS
New Zealand Notifiable Data Breach Addendum or be joined as member accounts in an organization using AWS
Organizations (or any successor service offered by AWS) for which there is an applicable AWS Organizations New
Zealand Notifiable Data Breach Addendum in effect. Unless otherwise expressly defined in this Addendum, all
capitalized terms in this Addendum will have the meanings set forth in the Agreement.
2. Security Breach Notification.
2.1. If AWS becomes aware of either (a) any unlawful access to any Customer Data stored on AWS equipment or in
AWS facilities, or (b) any unauthorized access to such equipment or facilities, where in either case such access results
in loss, disclosure, or alteration of Customer Data (each a “Security Event”), AWS will promptly (i) notify you of the
Security Event, and (ii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the
Security Event.
2.2. You agree that:
(a) an unsuccessful Security Event will not be subject to this Section. An unsuccessful Security Event is
one that results in no unauthorized access to, or disclosure of, Customer Data or to any of AWS’s
equipment or facilities storing Customer Data, and may include, without limitation, pings and other
broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of
service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in
access beyond IP addresses or headers) or similar incidents; and
(b) AWS’s obligation to report or respond to a Security Event under this Section is not and will not be
construed as an acknowledgement by AWS of any fault or liability of AWS with respect to the
Security Event.
2.3. Notification(s) of Security Events, if any, will be delivered to one or more of your administrators by any means
AWS selects, including via email. It is your sole responsibility to ensure your administrators maintain accurate
contact information on the AWS management console at all times.
2.4. Following notification by AWS to you of a Security Event under Section 2.1, you must (a) determine if the
Security Event has caused, or is likely to cause, serious harm to any person within the meaning of the Privacy
Law, including by carrying out your own internal assessment to make that determination, and (b) fulfill all notice
requirements, and take any other action in relation to the Security Event as required by the Privacy Law. You
acknowledge that the parties together intend that you will fulfill all notice obligations under the Privacy Law in
relation to a Security Event.

AWS New Zealand Notifiable Data Breach Addendum Page 1 of 3

AMAZON CONFIDENTIAL
2.5. If you have additional AWS accounts that need to be covered under an AWS New Zealand Notifiable Data
Breach Addendum, you must either (a) log in to AWS Artifact (or any successor Service offered by AWS) under each
of those other AWS accounts and accept a separate AWS New Zealand Notifiable Data Breach Addendum, or (b)
join such AWS accounts as member accounts in an organization using AWS Organizations (or any successor service
offered by AWS) for which there is an applicable AWS Organizations New Zealand Notifiable Data Breach
Addendum (“AWS Organizations NZNDB Addendum”) in effect. You affirm that the only AWS account(s) that
includes Customer Data that is subject to the Privacy Law are the AWS account(s) for which you have taken the
steps described in Section 2.5(a) or (b), and no other AWS account(s) of yours includes Customer Data that is
subject to the Privacy Law.
3. Term and Termination
3.1. Term. The term of this Addendum will commence on the Addendum Effective Date and will remain in effect
with respect to the NZNDB Account until the earlier of (a) the termination of the Agreement, (b) termination of
this Addendum by you as set forth in Section 3.2 below, or (c) termination of this Addendum by AWS on notice to
you if AWS includes security breach notification terms in the Service Terms to help you comply with the Privacy
Law. A material breach of this Addendum will be treated as a material breach of the Agreement.
3.2. Termination. You have the right to terminate this Addendum for any reason upon notice to AWS by logging
in to AWS Artifact (or any successor Service offered by AWS) under the NZNDB Account and clicking a “Terminate
the AWS New Zealand Notifiable Data Breach Addendum for this Account” button (or other electronic means
made available by AWS for such purpose).
4. Notice. AWS may provide notice to you under this Addendum by (a) facsimile transmission, (b) by personal
delivery, overnight courier or registered or certified mail, (c) sending a message to an email address then
associated with the NZNDB Account, or (d) posting a notice on the AWS Site. Notices provided by personal
delivery will be effective immediately. Notices provided by facsimile transmission or overnight courier will be
effective one business day after they are sent. Notices provided by registered or certified mail will be effective
three business days after they are sent. Any notices provided by posting on the AWS Site will be effective upon
posting and notices provided by email will be effective when AWS sends the email.
5. No Agency Relationship. As set forth in the Agreement, nothing in this Addendum is intended to make either
party an agent of the other. Nothing in this Addendum is intended to confer upon you the right or authority to
control AWS’s conduct in the course of AWS complying with the Agreement and Addendum.
6. Nondisclosure. You agree that the terms of this Addendum are not publicly known and constitute AWS
Confidential Information under the Agreement.
7. Entire Agreement; Conflict. Except as amended by this Addendum, the Agreement will remain in full force and
effect. This Addendum, together with the Agreement as amended by this Addendum (a) is intended by the parties
as a final, complete and exclusive expression of the terms of their agreement, and (b) supersedes all prior
agreements and understandings (whether oral or written) between the parties with respect to the subject matter
hereof, except that if the NZNDB Account is joined as a member account in an organization using AWS
Organizations (or any successor service offered by AWS) for which there is an applicable AWS Organizations NZNDB
Addendum in place, then this Addendum will not supersede such AWS Organizations NZNDB Addendum. While an
AWS Organizations NZNDB Addendum is in effect with respect to the NZNDB Account, it will apply to the NZNDB
Account instead of this Addendum. If there is a conflict between the Agreement, this Addendum, or any other
amendment or addendum to the Agreement or this Addendum, the document later in time will prevail, except that
while an AWS Organizations NZNDB Addendum is in effect with respect to the NZNDB Account, it will control over
this Addendum. AWS will not be bound by, and specifically objects to, any term, condition or other provision which
is different from or in addition to the provisions of this Addendum (whether or not it would materially alter this
Addendum) and which is submitted by you in any order, receipt, acceptance, confirmation, correspondence or
other document.
8. Modification. From time to time, AWS may modify the terms of the AWS New Zealand Notifiable Data Breach
Addendum that it offers to its customers, but no modification or amendment of any portion of this Addendum will

AWS New Zealand Notifiable Data Breach Addendum Page 2 of 3

AMAZON CONFIDENTIAL
be effective unless in writing and accepted by you and by AWS, which acceptance may be made electronically
through AWS Artifact (or any successor Service offered by AWS) or through other electronic means made available
by AWS for such purpose.

[Remainder of Page Intentionally Left Blank]

AWS New Zealand Notifiable Data Breach Addendum Page 3 of 3

AMAZON CONFIDENTIAL