DATA PROCESSING ADDENDUM

This data processing Addendum (“DPA”), forms part of, and is subject to Terms of Service, Privacy Policy, or other written or electronic terms of service or Service agreement including Non-Disclosure Agreement, User Agreement, etc. between Xecurify or its Affiliate that is party to such agreement (“Xecurify”) and the Customer defined thereunder, together with all Customer Affiliates who are signatories on an Order Form for their own Service pursuant to such Agreement (such agreement, the “Agreement”).

WHEREAS

(A) Customer acts as a Data Controller. Xecurify offers a suite of Software-as-Service (SaaS) applications, products and services provided as Xecurify-hosted or Self Hosted Services.

(B) Customer wishes to contract certain Services, which may include processing of Customer’s Personal Data to Xecurify.

(C) This Data Processing Addendum (the “DPA”) explains Xecurify’s privacy and security commitments and enables it to demonstrate compliance with applicable Privacy Laws.

(D) The parties agree to comply with the following provisions with respect to Personal Data, each acting reasonably and in good faith.

1. Definitions and Interpretations

All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

1. a. "Affiliate" means any person or entity directly or indirectly controlling, controlled by, or under common control with a Party. For the purpose of this definition, "control" (including, with correlative meanings, the terms "controlling", "controlled by" and "under common control with") means the power to manage or direct the affairs of the person or entity in question, whether by ownership of voting securities, by contract or otherwise.
2. b. “Authorized Employee” means an employee of Xecurify who has a need to know or otherwise access Personal Data to enable Xecurify to perform its obligations under this DPA or the Agreement.
3. c. “Authorized Individual” means an Authorized Employee or Subprocessor.
4. d. "EEA Personal Data” means that subset of Personal Data consisting of personal data (as defined in GDPR) pertaining to residents of the European Economic Area (EEA), Switzerland, and the United Kingdom.
5. e. “Data Subject” means the identified or identifiable person to whom Personal Data relates.
6. f. "Data Protection Laws" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, and the United States and its states, applicable to the Processing of Personal Data under the Agreement.
7. g. “GDPR” means Regulation (EU) 2016/679 , the General Data Protection Regulation, and all issued implementing regulations, as and when effective.
8. h. “Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
9. i. “Processing” (including its root word, “Process”) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
10. k. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
11. l. “Processor” means the entity which Processes Personal Data on behalf of the Controller.
12. m. “Subprocessor” means an authorized third-party appointed by or on behalf of Xecurify to Process Personal Data.
13. n. “Standard Contractual Clauses” means the contract terms set forth in the annex to the European Commission’s decision 2021/914 of 4 June 2021 containing Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679
14. o. “Services” means all services that the Customer requests Xecurify to perform under the Agreement that involves Processing of Personal Data.
15. g. “Service Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Xecurify or its Subprocessors.

2. Customer Processing of Personal Data

1. 2.1 Customer Responsibilities:

   Customers shall, at all times Process Personal Data, and provide instructions for the Processing of Personal Data in compliance with the Data Privacy Laws. Customers shall ensure that its Instructions comply with all laws, rules and regulations applicable in relation to the Personal Data and that the Processing of Personal Data in accordance with Customer’s Instructions will not cause Xecurify to be in breach of the Data Privacy Laws. Customer is solely responsible for the accuracy, quality and legality of (i) Personal Data provided to Xecurify by or on behalf of Customer, (ii) the means by which Customer acquired any such personal Data, and (iii) the Instructions it provides to Xecurify regarding the Processing of such Personal Data. Customer shall not provide or make available to Xecurify any Personal Data in violation of the Agreement or which is otherwise inappropriate for the nature of the Service, and shall indemnify Xecurify from all claims and losses in connection therewith.




2. 2.2 Xecurify Responsibilities:

   Xecurify shall Process Personal Data only (i) for purposes set forth in the Agreement, (ii) in accordance with the terms and conditions set forth in this DPA and any other documented Instructions provided by Customer, and (iii) in compliance with the Directive and the GDPR. Customer hereby instructs Xecurify to Process Personal Data in accordance with the foregoing and as part of any Processing initiated by Customer in its use of Service.

3. Data Processing Detail

1. 3.1 Data Subjects:

   Customer may transfer Personal Data to Xecurify, the extent of which is determined in Customer’s sole discretion, and which may include Personal Data relating to: the following categories of Data Subjects: (i) the Customer's Authorized Individuals, employees, contractors or other Representatives, and (ii) Customer’s end users/customers.




2. 3.2 Processing Purpose:

   The Personal Information Customer provides is used for such purposes as answering questions, improving the content of the website,customizing the content, and communicating with the Visitors about Xecurify’s Services, including releases. This information helps to categorize the question, track potential problems and trends and customize Xecurify’s support responses to better serve the Customer. Xecurify shall keep Personal Data confidential and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Service; and (iii) Processing to comply with other documented, reasonable instructions provided by Customer (for example, via email) where such instructions are consistent with the terms of the Agreement.
   Xecurify shall not be required to comply with or observe Customer’s instructions if such instructions would violate the GDPR or other EU law or EU member state data protection provisions.




3. 3.3 Scope of Processing:

   The subject-matter of the Processing of Personal Data by Xecurify is the performance of the Service pursuant to the Agreement, Identity and access management and related services pursuant to the Agreement. The duration of the Processing shall be for the Term of the Agreement. Personal Data within the Service post-termination of the Agreement will be retained and deleted in accordance with the Documentation. Sub-processors may only Process Personal Data as necessary for the performance of the Service pursuant to the Agreement and for the duration of the Agreement.




4. 3.4 Categories of Data:

   The Customer may transfer the following types of Personal Data for the purposes set out in this DPA:

   1. a. Identification and contact data (e.g. name, address, GPS location, contact details);
   2. b. General organizational data (such as your department, job title, area of responsibility);
   3. c. IT data (IP addresses, cookies data and usage data);
   4. d. Device specific Information(e.g. hardware model, operating system, web browser version, as well as unique device identifiers);
   5. e. Connection information (e.g. name of your mobile operator or ISP, browser type, language and time zone, and mobile phone number); and
   6. f. Other information voluntarily disclosed by Customer.

4. Data Subject Requests

To the extent legally permitted, Xecurify shall promptly notify Customer if Xecurify receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Factoring into account the nature of the Processing, Xecurify shall assist Customer by appropriate organizational and technical measures, in so far as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Service, does not have the ability to address a Data Subject Request, Xecurify shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent that Xecurify is legally authorized to do so, and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Xecurify’s provision of such assistance.

5. Authorized Employees/Xecurify Personnel

Xecurify shall use commercially reasonable measures to ensure the reliability and training of any employee, agent or contractor of any Authorized Employee or its personnel who may access the Personal Data. Xecurify shall ensure that Authorized Employees or its personnel are aware of the Confidential Information nature of the Personal Data and are bound by confidentiality agreements to Xecurify, during and after their engagement with Xecurify. Xecurify shall use commercial reasonable measures to limit access to Personal Data to only Authorized Individuals.

6. Subprocessor

1. 6.1: Customer acknowledges and agrees that Xecurify may (1) engage the Subprocessors mentioned below to this Agreement to access and Process Personal Data in connection with the Service and (2) continue to use those Subprocessors already engaged at the date of this Agreement, subject to Xecurify’s compliance with the obligations herein.
2. 6.2: Xecurify shall ensure that all Subprocessors have executed confidentiality agreements that prevent them from disclosing or otherwise Processing any Personal Data both during and after their engagement by Xecurify.
3. 6.3: Xecurify shall ensure that each Subprocessor is governed by a written contract that imposes data protection obligations at least as protective as this Agreement.

7. Xecurify’s Sub-processors

Customer acknowledges and agrees that (a) Xecurify’s Affiliates may be retained as Sub-processors; and (b) Xecurify and Xecurify’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Service. Xecurify shall provide notification of a new Sub-processor(s) before authorizing any new Subprocessor(s) to process Personal Data in connection with the provision of the applicable Service.
Xecurify’s Subprocessor : Amazon Web Service(AWS)

8. Right to object to a new Sub-processor

In order to exercise its right to object to Xecurify’s use of a new Sub-processor, Customer shall notify Xecurify promptly in writing within ten (10) business days after receipt of Xecurify’s notice in accordance with the mechanism set out above. In the event Customer objects to a new Sub-processor, and that objection is not unreasonable, Xecurify will use reasonable efforts to make available to Customer a change in the Service or recommend a commercially-reasonable change to Customer’s configuration or use of the Service to avoid Processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening the Customer. If Xecurify is unable to make available such change within a reasonable time period, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those aspects of the Service which cannot be provided by Xecurify without the use of the objected-to new Sub-processor by providing written notice to Xecurify. Xecurify will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Service.

9. Sub-processors and the Standard Contractual Clauses

Customer acknowledges and agrees that Xecurify may engage Sub-processors as described in this Section for the fulfillment of Xecurify’s obligations under Clause 9(a) of the Standard Contractual Clauses. The parties agree that the copies of the Sub-processor agreements that must be provided by Xecurify to Customer pursuant to Clause 9(c) of the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Xecurify beforehand to protect business secrets or other confidential information; and, that such copies will be provided by Xecurify, in a manner to be determined in its discretion, only upon request by Customer.

10. Liability of Sub-processor

Xecurify shall be liable for the acts and omissions of its Sub-processors to the same extent Xecurify would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.

11. Security

Xecurify shall maintain appropriate organizational and technical measures for protection of the security (including protection against unauthorized or unlawful Processing, and against unlawful or accidental destruction, alteration or damage or loss, unauthorized disclosure of, or access to, Customer Data), confidentiality, and integrity of Customer Data. Xecurify regularly monitors compliance with these measures. Xecurify will not materially decrease the overall security of the Service during a subscription term.

12. Notifications Regarding Customer Data

Xecurify has in place reasonable and appropriate security incident management policies and procedures, and shall notify Customer without undue delay after becoming aware of the unlawful or accidental destruction, alteration or damage or loss, unauthorized disclosure of, or access to, Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Xecurify or its Sub-processors of which Xecurify becomes aware (hereinafter, a “Customer Data Incident”). Xecurify shall make reasonable efforts to identify the cause of such Customer Data Incident, and take those steps as Xecurify deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident, to the extent that the remediation is within Xecurify’s reasonable control. The obligations set forth herein shall not apply to incidents that are caused by either Customer or Customer’s Users.

13. Return of Customer Data

Xecurify shall return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data, unless the retention of the data is requested from Xecurify according to mandatory statutory laws.

14. Authorized Affiliate

The parties agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliate(s), thereby establishing a separate DPA between Xecurify and each such Authorized Affiliate, subject to the provisions of the Agreement. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. An Authorized Affiliate is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Service by Authorized Affiliate(s) must comply with the terms and conditions of the Agreement and any violation thereof by an Authorized Affiliate shall be deemed a violation by Customer.

15. Communication

The Customer that is the contracting party shall be responsible for coordinating all communication with Xecurify under this DPA, and shall be entitled to transmit and receive any communication in relation to this DPA on behalf of its Authorized Affiliate(s).

16. Confidentiality

Xecurify takes reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process, Personal Data; ensure persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this Data Protection Addendum and any Data Protection Laws (or Company’s own written binding policies are at least as restrictive as this Data Protection Addendum).

17. Standard Contractual Clauses

The Standard Contractual Clauses apply to: (i) the legal entity that has executed the Standard Contractual Clauses as a data exporter and its Authorized Affiliates and, (ii) all Affiliates of Customer established within the European Economic Area, Switzerland and the United Kingdom, which have signed Order Forms for the Service. For the purpose of the Standard Contractual Clauses the aforementioned entities shall be deemed “data exporters.” If necessary to fulfill its legal obligations, Customer may share a copy of the attached Standard Contractual Clauses with Data Subjects.

18. Audits

Subject to the confidentiality obligations set forth in the Agreement, Xecurify performs internal security audits periodically, and upon the request from the customer, can make available the audit reports to the customer.. Customers can perform third party security audits through independent Third Party Auditors of their choice, charges and expenses for such audits shall be borne by the customer. Before the commencement of any such audit, Customer and Xecurify shall mutually agree upon the scope, timing, and duration of the audit.

19. Limitation of Liability

The total liability of each of Customer and Xecurify (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this Agreement, whether in contract, tort, or other theory of liability, shall not, when taken together in the aggregate, exceed the limitation of liability set forth in the Agreement.
Claims from one party due to the other party’s non-compliance with this DPA shall be subject to the same limitations as in the Customer Use Agreement. In assessing whether the limitation is reached, claims under this Agreement and the Customer Use Agreement shall be viewed in conjunction, and the limitation in the Customer Use Agreement shall be viewed as a total limitation.