DATA PROCESSING ADDENDUM
THIS DATA PROCESSING ADDENDUM (“DPA”) is made on the date of the MSA between Zerve AI Limited (the “Provider”) and the Customer.
BACKGROUND
The Provider provides the Services to the Customer.
In the course of providing services to the Customer, the Provider shall or may have access to or process personal data on behalf of the Customer.
The parties are entering into this DPA in order to meet their obligations under Data Protection Law regarding the sharing and international transfer of personal data as part of the provision of the Services.
IT IS AGREED as follows by the Provider (in consideration of the agreement of the Customer to procure the Services and for such purposes provide the Provider with access to its information, and for other good and valuable consideration, the receipt and sufficiency of all of which is acknowledged by the Provider):
Interpretation
Terms Defined in MSA: Capitalised terms used in this DPA shall, unless otherwise defined herein or the context otherwise requires, have the meaning given to them in Clause 2.1 of the MSA. This DPA constitutes the “Data Processing Addendum” as such term is defined in the MSA.
GDPR Terms: The terms ‘personal data’, ‘processor’, ‘controller’, ‘data subject’, ‘processing’ and other terminology and definitions as used in the GDPR shall have the meanings given to them in the GDPR, unless otherwise defined herein.
Other Defined Terms: In this DPA:
“Appropriate Security Measures” means appropriate security measures required by Data Protection Law to protect against unauthorised access to, alteration, disclosure or destruction of Protected Data and against its accidental loss or destruction and, in particular, where the processing involves the transmission of Protected Data over a network, it shall mean having regard to the state of technological development and the cost of implementing the measures, and ensuring that the measures provide a level of security appropriate to:
the risks that are presented by the processing;
the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of or damage to the Protected Data concerned, and
the nature of the Protected Data,
and shall include the measures set out in Appendix 2 to this DPA;
“Protected Data” means the personal data processed by the Provider on behalf of the Customer in connection with the Services (whether part of the Customer Data or otherwise);
“Data Protection Law” means all legislation and regulations relating to or the protection of personal data processed under the terms of this Agreement and to which the Provider is subject including (without limitation) the Data Protection Acts 1988-2018 of Ireland, the GDPR and all other industry guidelines (whether statutory or non-statutory) or codes of practice or guidance issued by the DPC relating to the processing of personal data or privacy or any amendments and re-enactments thereof;
“DPC” means the Data Protection Commission of Ireland;
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
“MSA” means the master services agreement, and any individual Order Forms, entered into between the Customer and the Provider relating to the Services;
“Permitted Third-Party Service Provider” means a third-party service provider required to be engaged by the Provider for the purposes of providing the Services, to include providers within the following categories: cloud storage providers [ ];
“personal data” means personal data and special categories of data as defined in Data Protection Law;
“Personnel” means, in relation to a person, that person’s servants, officers, employees, agents or contractors, but excludes Affiliates; and
“SCCs” means the standard contractual clauses approved by the EU Commission by Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries.
Data Protection
Status of Parties: The parties acknowledge that, in relation to Protected Data, and for the purposes of the Data Protection Law, the Customer is the controller and the Provider is a processor.
Data Processor’s Obligations: The Provider agrees with the Customer that:
it shall only process:
Protected Data in accordance with the instructions of the Customer, which instructions shall be documented in writing by way of this DPA, any Order Form or such other manner as may be agreed between the Customer and the Provider from time to time;
Protected Data in accordance with the nature and purpose of the processing set out in Appendix 2;
it shall ensure that any processing of Protected Data by it shall be carried out in compliance with Data Protection Law;
it shall inform the Customer as soon as practicable if, in its opinion, it receives an instruction from the Customer which infringes Data Protection Law;
it shall disclose Protected Data only to those members of its Personnel to whom such disclosure is necessary for the exercise of its rights, and performance of its obligations, under this DPA and the MSA, and shall procure that such persons are made aware of, and agree in writing to observe the obligations of confidentiality and security in the MSA and this DPA;
subject to the other provisions of this DPA, it shall not sell, transfer, disclose or otherwise allow access to any Protected Data to any party other than its Personnel, save where the prior written approval of the Customer has been obtained (which approval may be given by way of this DPA);
it shall not copy or maintain any Protected Data on any other systems, application or other medium other than as required for the provision of the Services;
it shall not transfer any Protected Data outside the European Economic Area without the Customer’s prior written consent (which consent may be given by way of this DPA);
without prejudice to Clause 7 of this DPA, it shall not sub-contract or delegate or purport to transfer any of its obligations to the Customer from time to time to any third party without the prior written consent of the Customer and any consent, if given by the Customer, shall be subject to the pre-condition that the Provider shall have in place a contract with the proposed third party providing the same or a higher level of protection of Protected Data as is set out in this DPA;
it shall, at the Customer’s cost, make available to the Customer all information necessary to demonstrate its compliance with the obligations set out in Data Protection Law and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer to the extent necessary to enable it to verify the Provider’s compliance with Data Protection Law and its obligations under this DPA; and
at the Customer’s cost (save in respect of any data breach (as defined at Clause 4.1 below) caused by the Provider), promptly assist the Customer in complying with its obligations under Articles 32 to 36 of the GDPR;
[with respect to any transfer of Protected Data pursuant to the SCCs, it shall:
notify the Customer promptly if, during the Term, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph 14(a) of the SCCs, including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in that paragraph 14(a);
notify the Customer if it:
receives a legally binding request from a public authority, including judicial authorities, under the laws of a country of destination for the disclosure of Protected Data transferred pursuant to the SCCs; such notification shall include information about the Protected Data requested, the requesting authority, the legal basis for the request and the response provided; or
becomes aware of any direct access by public authorities to Protected Data transferred pursuant to the SCCs in accordance with the laws of the country of destination; such notification shall include all information available to the Provider;
where permissible under the laws of a country of destination, provide the Customer, at regular intervals for the Term, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.);
document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of a country of destination, make the documentation available to the Customer and to the DPC on request;
inform any public authority ordering disclosure of Protected Data of the incompatibility of the order with the safeguards contained in the SCCs and the resulting conflict of obligations for the Provider;
notify simultaneously and as soon as possible the Provider and/or the DPC insofar as possible under the order referred to at (v) above;
to the extent possible, assist any data subject whose personal data forms part of the Protected Data in exercising his or her rights in the third country jurisdiction; and
ensure that responsibility for handling formal or informal requests from public authorities to access the Protected Data shall be assigned to identified individuals within the Provider.]
Processing Details: Each of the parties acknowledges and agrees that Appendix 1 is an accurate description of the Data Protection Particulars.
Security
The Provider shall implement Appropriate Security Measures to prevent accidental or unauthorised loss, destruction, damage, alteration, disclosure or unlawful or unauthorised access to any Protected Data in the custody of the Provider, and the Provider shall ensure that its Personnel are aware of and comply with those measures.
Data Breach
Notification: The Provider shall without undue delay upon becoming aware of it notify the Customer of any unauthorised access to, or unauthorised use, alteration, disclosure, accidental loss or destruction of, any Protected Data in the custody of the Provider (each a “data breach”).
Actions: In the event of any data breach, the Provider shall:
take action on the instruction of the Customer to mitigate any potential damage and remedy the cause of the data breach;
take action on the instruction of the Customer to investigate said data breach and, upon the Customer’s request, share the results of such investigation and its remediation plan with the Customer; and
upon the Customer’s request, provide the Customer with all information required to fulfil its obligations, as data controller, under all Data Protection Law.
Data Subject Requests and Complaints
Notification: The Provider shall immediately notify the Customer of any request from a data subject to exercise any of his or her rights under Data Protection Law or any complaint from any data subject.
Accession: The Provider shall not accede to any such request or deal with any complaint except on the written instructions of the Customer.
Assistance: The Provider shall, on request of the Customer, taking into account the nature of the processing, and at the Customer’s cost, assist the Customer by appropriate technical and organisational measures, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights under Data Protection Law.
Destruction And Delivery of Data
The Provider shall, at the choice of the Customer, delete or return all Protected Data to it after the end of the provision of Services, and shall delete existing copies unless Data Protection Law or other applicable law requires storage of such Protected Data.
Permitted Third Party Service Provider
Consent: Without prejudice to the pre-condition specified in Clause 2.2(i) of this DPA, the Provider shall be permitted to sub-contract processing of Protected Data to a Permitted Third-Party Service Provider provided that:
the same data protection obligations as set out in this DPA shall be imposed on that Permitted Third-Party Service Provider by way of a data sub-processing agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR; and
the Provider shall remain responsible for all acts and omissions of the Permitted Third-Party Service Provider and the acts and omissions of those employed or engaged by the Permitted Third-Party Service Provider as if they were its own. An obligation on the Provider to do, or to refrain from doing, any act or thing shall include an obligation on the Provider to procure that its Personnel and the Personnel of each Permitted Third-Party Service Provider also do, or refrain from doing, such act or thing.
Consent to Transfer to Third Countries: Further to Clause 2.2(g) above, the Customer hereby consents to the transfer of Protected Data to such Permitted Third-Party Service Provider as may be located outside of the European Economic Area.
Changes: The Provider shall inform the Customer of any intended changes concerning the addition or replacement of other Permitted Third-Party Service Providers, thereby giving the Customer the opportunity to object to such changes.
Term and Termination
This DPA shall continue in full force and effect until the termination or expiry of the MSA (including all Order Forms made thereunder), whereupon the Provider’s authority to process Protected Data in accordance with this Agreement shall terminate automatically, unless otherwise agreed between the parties in writing.
Customer confirmations
The Customer represents and warrants to the Provider, on a continuing basis for the duration of the Agreement that:
it shall ensure that personal data contained within Customer Data shall be limited to that which is strictly necessary in order for it to obtain its desired results from the Services, and it shall not upload to the Platform any additional, unnecessary or excessive personal data;
all consents, if required, for the processing of all the Protected Data by the Provider in the manner contemplated by this DPA have been validly obtained and are in full force and effect; and
the Customer has complied with all of its obligations (however arising) in respect of all the Protected Data.
General
Agreement: This DPA forms part of the MSA. In the event of any conflict between this DPA and any other term of the MSA relating to data protection or Data Protection Law, the terms of this DPA shall prevail.
Severability: If the whole or any part of a provision of this DPA is or becomes illegal, invalid or unenforceable, that will not affect the legality, validity or enforceability of the remainder of the provision in question or any other provision of this DPA.
Binding on Successors: This DPA and all of its provisions shall be binding upon and inure to the benefit of the parties and their respective heirs, executors, administrators, successors and permitted assigns.
Survival of Obligations: The provisions of this DPA shall, as necessary, survive the termination of the provision of Services by the Provider however it arises, and shall continue to bind the parties or the relevant party (as applicable) without limit in time.
APPENDIX 1
DATA PROTECTION PARTICULARS
Subject-Matter of Processing
Processing of Protected Data as necessary for the provision of the Services, including the processing of the personal data of Authorised Users and any personal data included in Customer Data.
Duration of processing
From the commencement of the Services until the Termination Date.
Types of personal data to be processed
Authorised Users’ (which includes Customer employees, contractors and other representatives) names and email addresses.
Any personal data forming part of Customer Input.
Any personal data forming part of Customer Output.
Categories of data subjects
Authorised Users (which includes Customer employees, contractors and other representatives).
Individuals to which personal data contained in Customer Data relates.
Nature of the processing
The Provider processes the personal data of the data subjects on behalf of the Customer to provide the Services agreed upon in the MSA (and any and all Order Forms made thereunder).
Purpose of the processing
Fulfilment of the Provider’s obligations to provide the Services in accordance with the MSA (and any and all Order Forms made thereunder).