Data Protection Agreement

This Data Processing Agreement ("DPA"), forms part of, and is subject to, Procys Terms of Service other written or electronic master agreement ("Agreement") between Procys B.V. (as defined below) and the Customer that references this DPA and is effective as of the same date of the Agreement.

This DPA applies where, and to the extent that, Procys processes Personal Data on behalf of the Customer when providing Services under the Agreement. The parties agree that this DPA shall replace any existing DPA or other data protection provisions the parties may have previously entered into in connection with the Services (as defined in the Agreement). Any capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

Definitions

"Affiliate" means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity. For purposes of this definition, "Control" means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question.

"California Personal Information" means Personal Data that is subject to the protection of the CCPA (as defined below) and any later amendments thereto, including by not limited to the California Privacy Rights Act of 2020.

"CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018) and any later amendments thereto, including by not limited to the California Privacy Rights Act of 2020 ("CPRA").

"Customer Data" means any Personal Data that is uploaded for storage or hosting that Procys processes on behalf of the Customer in the course of providing the Services.

"Data Controller" means an entity that determines the purposes and means of the processing of Personal Data.

"Data Processor" means an entity that processes Personal Data on behalf of a Data Controller.

"Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement.

"EEA" means the European Economic Area.

"EU Data Protection Laws" means all current data protection and privacy laws applicable to the processing of Personal Data under the Agreement including but not limited to (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data ("Directive"); (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("EU GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the Swiss Federal Data Protection Act; and (v) any national data protection laws made under or pursuant to (i) and (ii).

"Procys" means Procys B.V. or its Affiliate that is a party to the Agreement.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" has the meaning set forth under the GDPR and also includes any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms "Process," "Processes" and "Processed" will be construed accordingly.

"Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data.

"Sell" or "Sale" means selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing or by electronic or other means, Customer Data to a third party for monetary or valuable consideration.

"Services" has the meaning set forth in the Agreement.

"Standard Contractual Clauses" means, as applicable:

• in the respect of data relating to Data Subjects based in the European Union, the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries as set out in the Annex to Commission Implementing Decision 2021/91 which (i) in instances where the Customer acts as Data Controller and Procys acts as Data Processor, and (ii) in instances where the Customer acts as Data Processor and Procys also acts as Data Processor, or any successor clauses as may be approved by the EU Commission from time to time; or
• in the respect of data relating to Data Subjects based in the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0 or any subsequent version) issued by the UK Information Commissioner's Office or such successor clauses as may be approved by UK law from time to time.

"Subprocessor" has the meaning that is set forth under the GDPR and includes any Data Processor engaged by Procys or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Subprocessors may include third parties or Affiliates of Procys.

"UK Data Protection Laws" means all current data protection and privacy laws applicable to the processing of Personal Data under the Agreement in the UK including without limitation the UK GDPR, the UK Data Protection Act 2018 and regulations made thereunder.

"UK GDPR" has the meaning given to it in section 310 (as supplemented by section 205(4) of the UK Data Protection Act 2018.

1. Roles and Scope of Processing

1.1 Role of the Parties

As between Procys and the Customer, the Customer is the Data Controller of Customer Data and Procys will process Customer Data only as a Data Processor, except when the Customer is the Data Processor of Customer Data and Procys is a Subprocessor, acting on behalf of Customer.

1.2 Customer Processing of Customer Data

The Customer agrees that (i) it will comply with its obligations under Data Protection Laws in respect to its processing of Customer Data and any processing instructions it issues to Procys; and (ii) it has provided notice, obtained or will obtain all consents and has established the required legal basis necessary for Procys to process Customer Data pursuant to the Agreement and this DPA.

1.3 Procys Processing of Customer Data

Procys will process Customer Data only (i) for the purpose of providing the Services and in accordance with the Customer's documented lawful instructions as set forth in the Agreement and this DPA; (ii) as part of the direct business relationship between the Customer and Procys; (iii) on behalf of the Customer, to the extent necessary to detect data security incidents or protect against fraudulent or illegal activity; or (iv) as required by law, provided Procys will inform the Customer of such legal requirement prior to commencing such processing unless prohibited by law. The parties agree that the Customer's complete and final instructions with regard to the nature and purposes of the processing are set out in this DPA, which can be amended from time to time, by an addendum to this DPA signed between the parties.

2. Subprocessing

2.1 Authorized Subprocessors

The Customer approves the grant of third party access for all current Procys Subprocessors as of the last date of execution of this DPA. Procys may, in respect of Personal Data that is provided under this Agreement, only authorize a new Subprocessor to process such Personal Data if the Customer is provided with the opportunity to object to the appointment of each Subprocessor to process such Personal Data within 7 working days after Procys supplies the Customer with full details in writing regarding such Subprocessor.

2.2 Subprocessor Obligations

Where Procys authorizes any Subprocessor:

• Procys will restrict the Subprocessor's access to Customer Data solely to what is necessary to assist Procys in providing or maintaining the Services and will prohibit the Subprocessor from accessing Customer Data for any other purpose;
• Procys will enter or has already entered into a written agreement with the Subprocessor imposing data protection terms that require the Subprocessor to protect the Customer Data to the standard required by applicable Data Protection Laws and;
• Procys will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Procys to breach any of its obligations under this DPA.

3. Technical and Organizational Measures and Security Incident Response

3.1 Technical and Organizational Measures

Procys has implemented and will maintain appropriate technical and organizational security measures designed to protect Customer Data from Security Incidents and to preserve the security and confidentiality of Customer Data ("Technical and Organizational Measures").

3.2 Updates to the Technical and Organizational Measures

The Customer acknowledges that the Technical and Organizational Measures are subject to technical progress and development and that Procys may update or modify the Technical and Organizational Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.

3.3 Personnel

Procys restricts its personnel from processing Customer Data without authorization by Procys as set forth in the Technical and Organizational Measures and shall ensure that any individual who is authorized by Procys to process Customer Data is bound under appropriate obligations of confidentiality and non-use.

3.4 Customer Responsibilities

The Customer agrees that, except as provided by this DPA, the Customer is responsible for its secure use of the Services. The Customer may elect to implement technical or organizational measures in relation to Customer Data, which may include (i) protecting account authentication credentials; (ii) protecting the security of Customer Data when in transit to and from the Services; (iii) implementing measures to allow the Customer to backup and archive appropriately in order to restore availability and access to Customer Data in a timely manner in the event of a physical or technical incident; and (iv) taking any appropriate steps to securely encrypt or pseudonymise any Customer Data uploaded to the Services.

3.5 Security Incident Response

Upon becoming aware of a Security Incident, Procys will notify the Customer without undue delay and will provide information relating to the Security Incident as it becomes known or as is reasonably requested by the Customer. Procys will also take reasonable steps to mitigate and, where possible, to remedy the effects of, any Security Incident.

4. Customer Audits

4.1 Reports

Upon request, Procys will supply a summary copy of security audit report(s) ("Report") to the Customer in accordance with the Technical and Organizational Measures, which reports shall be subject to the confidentiality provisions of the Agreement. Procys will also respond to any reasonable written audit questions submitted to it by the Customer to review Procys's compliance with Data Protection Laws, provided that the Customer shall not exercise this right more than once per year.

4.2 Customer Audits

Procys will permit the Customer and its third-party representatives to audit the Procys's compliance with its Agreement obligations, on at least 60 days' notice, during the term of the Agreement. Procys will give the Customer and its third-party representatives all necessary assistance to conduct such audits. Such audits shall be limited to once per year.

5. International Transfers

5.1 Data Center Locations

Procys may transfer and process Customer Data anywhere in the world where Procys, its Affiliates or its Subprocessors maintain data processing operations. Procys will at all times provide an appropriate level of protection for the Customer Data processed, in accordance with the requirements of Data Protection Laws.

5.2 Transfers outside the EEA and/or UK

Procys may only process, or permit the processing, of Personal Data outside the EEA and/or United Kingdom under the following conditions:

• Procys is processing Personal Data, or permitting the processing of Personal Data in a territory which is subject to adequacy regulations under the EU Data Protection Laws and/or UK Data Protection Laws (as applicable) that the territory provides adequate protection for the privacy rights of individuals; or
• Procys, its Affiliates and/or its Subprocessors (as applicable) enter into applicable Standard Contractual Clauses so that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR and EU GDPR.

If any Personal Data transfer between the Customer and Procys requires execution of Standard Contractual Clauses in order to comply with the EU Data Protection Laws and/or UK Data Protection Laws where the Customer is the entity exporting Personal Data relating to EU and/or UK based individuals to Procys outside the EEA and/or UK), the Standard Contractual Clauses are incorporated by reference and form part of this DPA. To the extent there is any ambiguity between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail unless this DPA offers a Data Subject a greater level of protection in which case and only in respect of the greater protection that is offered this DPA shall prevail.

5.3 Alternative Data Export Solutions

Notwithstanding the foregoing, the parties agree that in the event Procys adopts another alternative data export solution (as recognized under EU Data Protection Laws and/or UK Data Protection Laws (as applicable)), then the alternative data export solution shall apply instead of the Standard Contractual Clauses. In the event that the alternative data export solution is later determined to not constitute an adequate level of data protection under EU Data Protection Laws, the Standard Contractual Clauses shall apply as the data export solution; similarly, should such alternative data export solution later be determined not to constitute an adequate level of data protection under UK Data Protection Laws, the Standard Contractual Clauses (or any equivalent recognized by Data Protection Laws) shall apply.

6. Return or Deletion of Data

6.1 General

Upon termination or expiration of the Agreement, Procys will, at the Customer's election, delete or return to the Customer all Customer Data in its possession or control within one month of the expiry or termination of the Agreement, as applicable. If the Customer requires storage for a longer period, Procys may provide such storage at an additional cost, without assuming any liability.

6.2 Exception

This requirement will not apply where (i) to the extent Procys is required by applicable law to retain some or all of the Customer Data; (ii) to the Customer Data it has archived on back-up systems, which Customer Data Procys will securely isolate and protect from any further processing, except to the extent required by law or (iii) financial transaction history that might be required for regulatory audits.

7. Cooperation

7.1 Access to Customer Data

To the extent that the Customer is unable to independently access the relevant Customer Data within the Services and provided that the Customer has configured the Services in accordance with Procys's recommendations, Procys will, at the Customer's expense, provide reasonable cooperation to assist the Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement when the Customer is required to respond to such requests under applicable Data Protection Laws. In the event that any such request is made directly to Procys, Procys will not respond to such communication directly without the Customer's prior authorization, unless legally compelled to do so. If Procys is required to respond to such a request, Procys will promptly notify the Customer and provide it with a copy of the request unless legally prohibited from doing so.

7.2 Law Enforcement Request

If a law enforcement agency sends Procys a demand for Customer Data (for example, through a subpoena or court order), Procys will attempt to redirect the law enforcement agency to request that data directly from the Customer. As part of this effort, Procys may provide the Customer's basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Procys will give the Customer reasonable notice of the demand to allow the Customer to seek a protective order or other appropriate remedy unless Procys is legally prohibited from doing so.

7.3 Legal Compliance

To the extent Procys is required under Data Protection Law, Procys will, at the Customer's expense, provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments and prior consultations with data protection authorities as required by law.

8. Additional Provisions for California Personal Information

8.1 Roles of the Parties

When processing California Personal Information in accordance with Customer's instructions, the parties acknowledge and agree that the Customer is a "Business" and Procys is a "Service Provider" for the purposes of, and as those terms are defined in, the CCPA.

8.2 Responsibilities

The parties agree that Procys will Process California Personal Information as a "Service Provider" (as defined in the CCPA) strictly for the purpose of performing the Services under the Agreement or as otherwise permitted under the CCPA. Procys shall provide commercially reasonable assistance to cooperate with the Customer's efforts to comply with applicable consumers' rights. Procys shall, in accordance with the Agreement, not sell personal information and not retain, use, or disclose personal information for any purpose other than those specified in this Agreement. Procys certifies that it understands the restrictions of this section 8.2 and will comply with these restrictions.

9. General

9.1 Limitation of Liability

For the avoidance of doubt, any claim or remedies the Customer may have against Procys, any of its Affiliates and their respective employees, agents and Subprocessors arising under or in connection with this DPA, including: (i) for breach of this DPA; (ii) as a result of fines (administrative, regulatory or otherwise) imposed upon the Customer; and (iii) under applicable Data Protection Laws, including any claims relating to damages paid to a data subject, will be subject to any limitation of liability provisions (including any agreed aggregate financial cap) that apply under the Agreement. The Customer further agrees that any regulatory penalties incurred by Procys in relation to the Customer Data that arise as a result of, or in connection with, the Customer's failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce Procys's liability under the Agreement as if it were liability to the Customer under the Agreement. Notwithstanding the foregoing, in no event shall any party limit its liability with respect to any individual's data protection rights under this DPA or otherwise.

9.2 Responsible Entity

Any claims against Procys or its Affiliates under this DPA shall be brought solely against the entity that is a party to the Agreement. No one other than a party to this DPA, their successors and permitted assignees shall have any right to enforce any of its terms.

9.3 Compliance

To the extent reasonably necessary to comply with changes to applicable Data Protection Laws or in response to guidance or mandates issued by any court, regulatory body, or supervisory authority with jurisdiction over Procys, Procys may modify, amend, or supplement the terms of this DPA. Procys will provide prior written notice of any such changes to the Customer by posting a notice on Procys's website.

9.4 Governing Law

This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

9.5 Permitted Disclosure

The Customer acknowledges that Procys may disclose the privacy provisions in this DPA to the U.S. Department of Commerce, the Federal Trade Commission, a European Union supervisory authority, or any other U.S. or EEA (including UK) judicial or regulatory body upon their lawful request.

9.6 Precedence

If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict. If there is any conflict between this DPA and the Standard Contractual Clauses, then to the extent this DPA affords a data subject greater rights and protections than afforded under the Standard Contractual Clauses, this DPA shall prevail; in all other situations (i.e. where the data subject is afforded equal or lesser rights and protections under this DPA), the Standard Contractual Clauses shall prevail.

9.7 Severability

The provisions of this DPA are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this DPA shall remain in full force and effect.

‍