DATA PROCESSING ADDENDUM

Other than the terms defined in the body of this DPA or in the Agreement, these terms have the following meaning:

"Data Breach" means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by the Provider under this DPA.

"Data Protection Legislation" means, as applicable to a party and its Processing of Personal Data, the EU Data Protection Law and any other law applicable for the provision of the Services.

"EU Data Protection Laws" mean Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "GDPR") and the EU e-Privacy Directive (Directive 2002/58/EC). The terms "Controller", "Processor", "Process", "Processing", and "Data Subject" shall have the same meanings given to them under the GDPR.

"Personal Data" means any information that (i) is protected as "personal data", "personal information" or "personally identifiable information" under Data Protection Legislation; and (ii) is Processed by the Provider on behalf of the Client in the course of providing the Services, as more particularly described in Annex A of this DPA.

"Sub-processor" means any third party engaged by the Provider to assist in fulfilling its obligations with respect to providing the Services and that Processes Personal Data as a Processor.

"Standard Contractual Clauses" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 (the "EU SCCs").

3.1 Roles.
For the purposes of this DPA, the Client (or a third party on whose behalf the Client is authorized to instruct the Provider) is the Controller of the Personal Data, and the Provider shall Process Personal Data as a Processor (or Sub-processor, as applicable to the Client's use of the Services).
‍
3.2 Permitted Purposes.
The Provider shall Process Personal Data for the purposes described in Annex A and in accordance with Client's documented lawful instructions ("Permitted Purposes"), except where otherwise required by the Data Protection Legislation. To the extent required by Data Protection Legislation, this Section 3.2 constitutes the certification from the Provider to the Processing instructions herein. The Provider is obliged at all times to Process Personal Data in compliance with Data Protection Legislation and fulfil all its obligations arising out of Data Protection Legislation.

3.3 Processing Instructions.
The Provider shall immediately inform the Client if it becomes aware that the Client's Processing instructions infringe Data Protection Legislation. If the Provider is unable to Process Personal Data in accordance with the Client's documented lawful instructions, the Provider is obliged to promptly notify the Client of its inability to comply.

3.4 Security Measures.
The Provider shall implement and maintain reasonable and appropriate technical and organizational measures designed to protect Personal Data from Data Breaches and preserve their security, integrity, and confidentiality. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

3.5 Access and Confidentiality.
The Provider shall ensure that any person it authorizes to Process the Personal Data (including Provider's staff, agents and Sub-processors) ("Personnel") are under appropriate obligations of confidentiality (whether a contractual or statutory duty), have received proper training, and are informed about the confidential nature of the Personal Data, their obligations related to it, and have access to Personal Data only on a need-to-know basis. The Provider shall ensure that Personnel Process the Personal Data only as necessary for the Permitted Purposes.

3.6 Data Returns and Deletion.
Upon termination or expiration of the Agreement, the Provider must delete or return to the Client all Personal Data in its possession or control except for one copy for archival and compliance purposes.

5.1 Client's Processing of Personal Data.
The Client shall, in its use of the Services, Process Personal Data in accordance with Data Protection Legislation. The Client shall have the sole responsibility for the accuracy, quality, and legality of Personal Data and how the Client acquired Personal Data.

5.2 Client's Compliance.
The Client agrees that (i) it shall comply with its obligations as a Controller under Data Protection Legislation in respect of its Processing of Personal Data and any Processing instructions it issues to the Provider; (ii) it has provided notice and obtained (or shall obtain) all consents or any other necessary authorizations (as applicable) under Data Protection Legislation for the Provider to Process Personal Data for the Permitted Purposes; (iii) it shall be responsible for providing any notices required by Data Protection Legislation to the relevant data subjects with respect to sharing their Personal Data with the Provider; (iv) it has fulfilled (or shall fulfil) all registration or notification obligations to which the Client is subject under the Data Protection Legislation; and (v) it is responsible for its own Processing of Personal Data, including integrity, security, maintenance, and appropriate protection of Personal Data under the Client's control.

5.3 Technical and Organizational Measures.
The Client is responsible for its secure use of the Services, protecting the security of Personal Data when in transit to and from the Services, and taking any appropriate technical, organizational, and security measures to securely encrypt or backup any Personal Data uploaded to the Services. The Client is also responsible for the use of the Services by any person authorized by the Client to access or use the Services, and any person who gains access to its Personal Data or the Services as a result of its failure to use reasonable security precautions, even if the Client did not authorize such use. The Client agrees to notify the Provider immediately upon becoming aware of any unauthorized use of the Services or any other breach of security involving the Services.

Data Processing Addendum

Annex A
Description of the Processing Activities / Transfer

Annex B
Technical and Organisational Measures

Annex C
Approved Sub-processors