undatasio - DATA PROCESSING ADDENDUM
This Data Processing Addendum, including its Annexes and the Standard Contractual Clauses ("DPA"), forms a part of the undatasio Services Agreement, or other written agreement, entered into between the entity identified as the "Customer" in the applicable agreement ("Customer") and undatasio, Inc. ("undatasio") that governs Customer's use of the Services (the "Agreement") and is hereby incorporated into the Agreement. All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement.
Customer enters into this DPA on behalf of itself and, if applicable and to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates. For the purposes of this DPA only, and except where otherwise indicated, the term "Customer" shall include Customer and its Authorized Affiliates.
1. Definitions.
- "Applicable Data Protection Laws" means data protection and privacy laws applicable to the respective party in its role in the processing of Customer Personal Data under the Agreement, which may include, to the extent applicable, European Data Protection Laws and the CCPA.
- "Authorized Affiliate" means a Customer Affiliate who is authorized to use the Services under the Agreement and who has not signed their own separate "Agreement" with undatasio.
- "California Consumer Privacy Act" or "CCPA" means the California Consumer Privacy Act of 2018, as may be amended, superseded or replaced from time to time.
- "Customer Data" means the queries and submissions made by Customer ("Inputs") that are used to generate responses ("Outputs") based on proprietary data sets, information and content (in any format) that are owned or licensed by Customer and uploaded to the Services.
- "Customer Personal Data" means any 'personal data' or 'personal information' contained within Customer Data.
- "European Data Protection Laws" means (a) Regulation 2016/679 (General Data Protection Regulation) ("EU GDPR"); (b) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (c) the Swiss Federal Data Protection Act and its implementing regulations ("Swiss FADP"); in each case as may be amended, superseded or replaced from time to time.
- "Restricted Transfer" means a transfer (directly or via onward transfer) of personal data that is subject to European Data Protection Laws to a third country outside the European Economic Area, United Kingdom and Switzerland which is not subject to an adequacy determination by the European Commission, United Kingdom or Swiss authorities (as applicable).
- "Security Breach" means a breach of security leading to an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
- "Services" means the artificial intelligence solutions, including, without limitation, workflow engines, APIs and other online services developed by undatasio and provided to Customer under an Order Form.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021, as may be amended, superseded or replaced from time to time.
- "Subprocessor" means any other processor engaged by undatasio to process Customer Personal Data.
- "UK Addendum" means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner's Office under section 119A of the UK Data Protection Act 2018, as updated or amended from time to time.
The terms "controller", "data subject", "supervisory authority", "processor", "process", "processing", "personal data", and "personal information" shall have the meanings given to them in Applicable Data Protection Laws. The term "controller" includes "business", the term "data subject" includes "consumers", and the term "processor" includes "service provider" (in each case, as defined by the CCPA).
2. Processing of Personal Data.
Scope and Roles of the Parties.
This DPA applies only when, and only to the extent that, Customer Personal Data is processed by undatasio as a processor in its provision of the Services to Customer. Customer will act as either a controller or a processor, as applicable, of Customer Personal Data.
Customer Processing.
Customer agrees that (i) it will comply with its obligations under Applicable Data Protection Laws in its processing of Customer Personal Data and any processing instructions it issues to undatasio, and (ii) it has provided notice and obtained all consents, authorizations and rights necessary under Applicable Data Protection Laws for undatasio to process Customer Personal Data and provide the Services pursuant to the Agreement.
undatasio Processing.
undatasio agrees that when it processes Customer Personal Data on behalf of the Customer, undatasio will (i) comply with Applicable Data Protection Laws, and (ii) process the Customer Personal Data as necessary to perform its obligations under the Agreement, and only in accordance with Customer's documented instructions. undatasio is not responsible for determining if Customer's processing instructions are compliant with applicable law. However, undatasio shall notify Customer in writing if, in its reasonable opinion, Customer's processing instructions infringe Applicable Data Protection Laws.
Details of Processing.
The details of the processing of Customer Personal Data by undatasio are set out in Annex A to this DPA.
3. Subprocessing.
Authorization.
Customer provides a general authorization to undatasio for use of Subprocessors to process Customer Personal Data, including those Subprocessors listed in Annex C ("Subprocessor List").
Subprocessor Obligations.
undatasio shall (i) enter into a written agreement with each Subprocessor, which includes data protection and security measures no less protective than those in this DPA; and (ii) remain liable for any breach of this DPA caused by an act or omission of its Subprocessors.
Subprocessor Changes.
undatasio shall update the Subprocessor List and provide Customer with at least fifteen (15) calendar days' notice prior to any new Subprocessor commencing the processing of Customer Personal Data. Notice will be sent to the email address on file for Customer's account.
Subprocessor Objections.
Customer may object to a new Subprocessor on reasonable grounds relating to data protection by notifying undatasio in writing at alex.zhang@undatas.io within ten (10) calendar days after receiving notice. If the parties cannot resolve the objection, Customer may terminate the applicable Order Form(s) for the affected Services as its sole and exclusive remedy, and undatasio will provide a pro-rata refund of any prepaid, unused fees for such terminated Services.
4. Security.
Security Measures.
undatasio shall implement and maintain appropriate administrative, physical and technical security measures designed to protect Customer Personal Data from a Security Breach as further set forth in Annex D ("Security Measures").
Confidentiality.
undatasio shall ensure that all personnel it authorizes to process Customer Personal Data are subject to an appropriate duty of confidentiality.
Security Breach Notification.
In the event of a Security Breach, undatasio will (a) notify Customer in writing without undue delay and in no event later than forty-eight (48) hours after becoming aware of it; and (b) promptly take reasonable steps to contain, investigate, and mitigate any adverse effects.
5. Assistance.
Data Subject Requests.
undatasio shall, taking into account the nature of the processing, reasonably cooperate with Customer to enable Customer to respond to data subject requests ("DSRs"). If a DSR is sent directly to undatasio, undatasio will promptly forward it to Customer.
Data Protection Impact Assessments.
undatasio will provide reasonably requested information regarding the Services to assist Customer with data protection impact assessments and related consultations with supervisory authorities.
Legal Requests.
If undatasio receives a legal demand for Customer Personal Data, it will attempt to redirect the requesting body to Customer. If compelled to disclose, undatasio will provide Customer with reasonable notice, unless legally prohibited.
6. Audits and Records.
Upon written request, undatasio shall provide Customer with reasonably requested documentation (such as an audit report from a qualified third-party auditor) evidencing undatasio's compliance with this DPA. Only where such documentation is insufficient may an audit be conducted, under mutually agreed-upon terms.
7. Transfer of Personal Data.
Restricted Transfers.
Where the transfer of Customer Personal Data to undatasio is a Restricted Transfer, such transfer shall be governed by the Standard Contractual Clauses, which shall be deemed incorporated into and form an integral part of the Agreement in accordance with Annex B of this DPA.
Alternative Transfer Mechanisms.
If the SCCs can no longer be relied upon, the parties shall cooperate to implement an alternative transfer mechanism.
8. Deletion and Return.
Upon termination or expiration of the Agreement, undatasio will, upon Customer's written request, delete or assist in deleting Customer Personal Data within its possession or control within thirty (30) days.
9. US State Law Compliance.
undatasio shall not process, retain, use, or disclose Customer Personal Data for any purpose other than for the specific purposes set out in the Agreement and this DPA. undatasio shall not "sell" or "share" information as those terms are defined under the CCPA or other applicable US state data privacy laws.
10. General.
This DPA replaces any existing data processing agreements between the parties.
In the event of a conflict between this DPA and any other data privacy provisions in the Agreement, this DPA shall prevail.
Each party's liability under this DPA shall be subject to the limitation of liability section of the Agreement.
This DPA will be governed by the governing law specified in the Agreement.
ANNEX A
DESCRIPTION OF THE PROCESSING / TRANSFER
A. LIST OF PARTIES
Data exporter(s): Name: The entity identified as "Customer" in the Agreement.
Address & Contact: The address and contact details associated with Customer's undatasio account.
Role: Controller or Processor.
Data importer(s): Name: undatasio, Inc.
Address: 131 Continental Dr, Suite 305, Newark, DE 19713, USA
Contact person's name, position and contact details: Alex Zhang, [Position, e.g., Head of Privacy], alex.zhang@undatas.io
Role: Processor.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Data subjects include individuals about whom data is provided to undatasio via the Services by or at the direction of Customer. This may include Customer's employees, contractors, business partners, customers, and end-users.
Categories of personal data transferred: The types of Customer Personal Data are determined and controlled by Customer in its sole discretion, and may include, but are not limited to: name, address, title, contact details, and any other personal data submitted by Customer as Customer Data.
Sensitive data transferred (if appropriate): Customer may, subject to the Agreement, include 'special categories of personal data' in Customer Personal Data, the extent of which is determined and controlled by Customer in its sole discretion.
Frequency of the Transfer: Continuous basis during the term of the Agreement.
Nature, subject matter, purpose, and duration of the processing: Nature & Subject Matter: Provision of AI-powered services as described in the Agreement, processing Customer Personal Data on behalf of the Customer.
Purpose: To provide, maintain, and improve the Services as requested by Customer and as permitted under the Agreement.
Duration: For the term of the Agreement and until the data is deleted in accordance with the DPA.
C. COMPETENT SUPERVISORY AUTHORITY
Competent supervisory authority: The data exporter's competent supervisory authority will be determined in accordance with the EU GDPR.
ANNEX B
STANDARD CONTRACTUAL CLAUSES (Modules 2 and 3)
Where the transfer of Customer Personal Data to undatasio is a Restricted Transfer, such transfer shall be governed by the Standard Contractual Clauses (SCCs) as follows:
For transfers protected by the EU GDPR:
- Module Two (Controller to Processor) or Module Three (Processor to Processor) will apply, as appropriate.
- Clause 7 (Docking Clause) will apply.
- Clause 9 (Use of sub-processors), Option 2 (General written authorization) is selected, with the notice period defined in Section 3.3 of this DPA.
- Clause 17 (Governing Law), Option 1 is selected, and the SCCs shall be governed by the law of Ireland.
- Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of Ireland.
- Annex I shall be completed with the information in Annex A of this DPA.
- Annex II shall be completed with the information in Annex D of this DPA.
For transfers protected by the UK GDPR, the SCCs as modified by the UK Addendum shall apply.
For transfers protected by the Swiss FADP, the SCCs shall apply with modifications to reference Swiss law and authorities.
ANNEX C
SUBPROCESSOR LIST
[A current list of subprocessors used by undatasio will be maintained at a specific URL or provided here.]
ANNEX D
SECURITY MEASURES
undatasio maintains a comprehensive information security program with administrative, physical, and technical security measures designed to protect the Services and Customer Data. These measures include, but are not limited to:
Encryption: Customer Data is encrypted at rest using strong encryption algorithms (e.g., AES-256) and in transit using secure protocols (e.g., TLS 1.2 or higher).
Access Control: Access to Customer Data is restricted based on the principle of least privilege. We enforce role-based access controls, use of unique user accounts, and multi-factor authentication (MFA) for access to production environments.
Logging and Monitoring: User activity, system access, and configuration changes in production environments are logged and monitored for security anomalies. Logs are protected from unauthorized access or tampering.
Vulnerability Management: We conduct regular vulnerability scanning and penetration testing of our systems. System patching is performed in a timely manner to address identified vulnerabilities.
Personnel Security: All employees undergo background checks (where permitted by law) and are required to complete regular security and privacy awareness training. Personnel are bound by confidentiality obligations.
Incident Response: We maintain an incident response plan to detect, respond to, and recover from Security Breaches in a timely manner.
Data Segregation: Customer Data is logically separated from the data of other customers in our multi-tenant environments.