DATA PROTECTION ADDENDUM
This Data Protection Addendum was last updated on 10 March 2021
1. INTRODUCTION
1.1. The parties agree that this Data Protection Addendum (“DPA”) sets forth their obligations with respect to the processing of Customer Data by Briseide on behalf of the Customer in connection with the Services. This DPA is incorporated by reference into, and forms part of, the Terms and Conditions. In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Terms and Conditions, the provisions of this DPA will prevail.
2. SCOPE AND DEFINITIONS
2.1. The following definitions and rules of interpretation apply in this DPA:
“Applicable Laws” means all applicable laws, statutes, and regulations from time to time in force in the United Kingdom.
“Customer Data” means any Personal Data Processed by Briseide for or on behalf of the Customer for the purposes of providing the Services under the Terms and Conditions.
“Data Protection Legislation” means collectively (i) the EU GDPR, (ii) the UK GDPR, (iii) the UK Data Protection Act 2018 (DPA 2018), and (iv) any other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications).
“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“SCC” means the standard contractual clauses for Processors approved by the European Commission pursuant to Decision C (2010) 593 for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection, or such other standard data protection clauses which may be adopted in future by the European Commission or a supervisory authority and deemed to be an appropriate safeguard for transfers of personal data to a third country.
“Services” means the subscription creation, optimization and integration tool for mobile apps provided to Customer as more particularly described under the Terms and Conditions.
“Sub-Processor” means any Processor engaged by Briseide that processes Customer Data.
“Third-Party Controller” means any third-party Controller on behalf of which Customer Processes Personal Data as a Processor.
“UK GDPR” means the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
The terms “Data Subjects”, “Processing (Process and Processes)”, “Personal Data”, “personal data breach”, “Controller” and “Processor” shall have the meaning given to them in the Data Protection Legislation.
2.2. This DPA is subject to the terms agreed between the parties in the Terms and Conditions.
2.3. The Annex forms part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annex.
3. PROCESSING OF PERSONAL DATA
3.1. Where Briseide Processes Personal Data on behalf of the Customer for the purpose of providing the Services under the Terms and Conditions, the provisions of this DPA shall apply. Both parties will comply with all applicable requirements of the Data Protection Legislation in performing their obligations under this DPA and the Terms and Conditions. This DPA is in addition to, and does not relieve, remove, or replace, a party’s obligations under the Data Protection Legislation.
3.2. Purpose and Nature of Processing. Briseide acknowledges that for the purposes of the Data Protection Legislation, in respect of Customer Data either a) the Customer is the Controller and Briseide is the Processor, or b) the Customer is the Processor acting on behalf of a Third-Party Controller and Briseide is the Sub-Processor. The Annex to this DPA sets out the scope, nature and purpose of Processing by Briseide, the duration of the Processing and the types of Personal Data and categories of Data Subject.
4. BRISEIDE’S OBLIGATIONS
4.1. When Briseide Processes Personal Data for or on behalf of the Customer, Briseide agrees to Process Personal Data solely to the extent necessary for the purpose of providing the Services and in accordance with the Customer’s documented instructions set out in the Terms and Conditions and this DPA. Briseide shall not permit the Processing of the Personal Data for any other purpose unless required by Applicable Laws; in such a case Briseide shall inform the Customer of that legal requirement before processing, unless that law prohibits the provision of such information. If Briseide believes the Customer’s instructions may conflict with the requirements of the Data Protection Legislation, Briseide shall immediately notify the Customer and shall be entitled to cease processing Customer Data until the infringing instruction is a) withdrawn, or b) amended to render it lawful.
4.2. Personnel. Briseide shall ensure that all personnel who have access to and/or Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3. Co-operation and Assistance. Briseide shall at the Customer’s expense provide reasonable co-operation and assistance in relation to the Customer’s obligations and rights under Data Protection Legislation, including: (1) in responding to any request from a Data Subject; and (2) in ensuring compliance with its obligations under the Data Protection Legislation, including, but not limited to, security, personal data breach notifications, impact assessments, and consultations with and requests from competent authorities or regulators.
4.4. Retention and Return of Personal Data. On termination of the Terms and Conditions, Briseide shall, at the Customer’s written request, delete or return all Personal Data and copies thereof to the Customer unless storage of the Personal Data is required by Applicable Laws (and, if so, Briseide shall inform the Customer of any such requirement).
4.5. Inspection and Audit Rights. Briseide shall a) make available to the Customer all information reasonably necessary to demonstrate Briseide’s compliance with this DPA, and b) subject to the provisions of clause 4.6 below, allow an inspection by Customer or an independent auditor mandated by the Customer (“Mandated Auditor”) of any premises where the Processing of Customer Data takes place solely for the purpose of assessing compliance with this DPA, and will permit reasonable access to relevant records, processes, and systems for this purpose.
4.6. The audit rights set out in Clause 4.5 are subject to the following conditions: a) audits may only occur once per calendar year and during normal business hours; b) before the commencement of an audit, Customer and Briseide will mutually agree upon the scope, timing (Briseide requires not less than 30 Business Days’ notice of audits), duration, control and evidence requirements, and Briseide’s fees for the audit, provided that this requirement to agree will not permit Briseide to unreasonably delay performance of the audit; c) audits will be conducted in a manner that does not have any adverse impact on Briseide’s normal business operations; d) Customer and/or the Mandated Auditor will comply with Briseide’s standard safety, confidentiality, and security policies and procedures in conducting any audits and shall not have access to any proprietary or third party information or data; and e) any records, data, or information accessed by the Customer and/or the Mandated Auditor in the performance of any audit will be deemed to be the confidential information of Briseide, and may be used for no other reason than to assess Briseide’s compliance with the terms of this DPA (in connection with the foregoing, Briseide may require the Customer and/or the Mandated Auditor to enter into a customary confidentiality agreement prior to the performance of any audit). Briseide may object to a Mandated Auditor if the auditor is, in Briseide’s reasonable opinion, not suitably qualified or independent, a competitor of Briseide, or otherwise manifestly unsuitable. Any such objection by Briseide will require the Customer to appoint an alternative auditor or conduct the audit itself in accordance with the terms of this Clause.
5. SUB-PROCESSORS
5.1. Customer hereby acknowledges and agrees that Briseide may engage Sub-processors in connection with the performance of the Services, including processing Customer Data. A list of Sub-processors engaged by Briseide at the date of this DPA is available at https://glassfy.io. Sub-processors will be obliged under a written contract (a) to comply with Data Protection Legislation, and (b) to provide at least the same level of data protection as is required by this DPA. Any changes concerning the addition or replacement of Sub-processors will be published on https://glassfy.io. The Customer may object to Briseide’s use of a new Sub-processor by notifying Briseide in writing of its objective reasons within five (5) business days of notification. In the event that the Customer objects to a new Sub-processor, Briseide will use reasonable efforts to make available to the Customer a change in the Services to avoid processing of Customer Data by the objected-to Sub-processor. If Briseide is unable to make such a change within a reasonable period of time, the Customer may terminate the Terms and Conditions with respect only to those Services which cannot be provided by Briseide without the use of the objected-to Sub-processor by providing written notice to Briseide.
6. SECURITY
6.1. Briseide shall implement and maintain appropriate technical and organisational measures in relation to the Processing of Personal Data by Briseide under the Terms and Conditions.
7. PERSONAL DATA BREACHES
7.1. Briseide shall notify the Customer without undue delay if it becomes aware of a personal data breach. In addition, Briseide shall, in so far as it is possible, provide to the Customer details of the incident at issue and provide reasonable assistance to the Customer in investigating the incident and identifying actions designed to prevent recurrence.
8. INTERNATIONAL TRANSFERS OF PERSONAL DATA
8.1. The Customer acknowledges and agrees that in the performance of the Services, Briseide may transfer Customer Data outside of the United Kingdom or the European Economic Area (as applicable). Where Customer Data is transferred outside of the United Kingdom or the European Economic Area (as applicable), Briseide will ensure that the following conditions are fulfilled:
8.1.1. Briseide and/or the Customer have provided appropriate safeguards in relation to the transfer;
8.1.2. the Data Subject has enforceable rights and effective legal remedies;
8.1.3. Briseide complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
8.1.4. Briseide complies with reasonable instructions notified to it in advance by the Customer with respect to the Processing of the Personal Data.
8.2. If any Customer Data transfer between the Customer and Briseide requires execution of the SCCs in order to comply with the Data Protection Legislation (where the Customer is the entity exporting Personal Data to Briseide outside the UK or the EEA (as applicable)), the parties will separately complete all relevant details in, and execute, SCCs, and take all other actions required to legitimise the transfer.
9. CHANGES TO DATA PROTECTION LEGISLATION
9.1. In the event of any change in the Data Protection Legislation, the Customer and Briseide will work together to agree on such amendments to the DPA as may be reasonably requested by the Customer to ensure that the Processing of Personal Data under the Terms and Conditions continues to comply with the Data Protection Legislation.
10. TERM
10.1. This DPA will remain in full force and effect so long as the Terms and Conditions remains in effect.
List of subprocessors
Sub-processor | Use case | Location |
---|---|---|
Amazon Web Services | Data Processing and Storing | EU/Ireland |
MongoDB | Data Processing and Storing | EU/Ireland |
Scalegrid | Data Processing and Storing | EU/Ireland |
Heroku | Data Processing and Storing | EU/Ireland |
Auth0 | Data Processing and Storing | EU/Germany & Ireland |
Briseide SRL | Intra-group operational support | Italy |