SYSTEM PRIVACY POLICY
1. About this privacy policy
Pluginhost B.V. (also: “Pluginhost”, “we”, “us”, “Company”) provides Customers (“Customers”) with
access to a proprietary system – Fraud Judge (“System”) that monitors and prevents fraudulent activities
in digital systems, including, but not limited to – mobile applications, web applications, e-commerce
platforms, depending on chosen subscription plan.
Customers integrate the Company’s system so when users ("User") conduct activities in Customer digital
systems, the System can detect fraudulent activities performed in the form of registration of fake
accounts, fraudulent online transactions, unauthorised login, hostile account access and other fraudulent
activities (“Services”).
This Privacy Policy describes how Company collects, uses and stores information that is required to fulfil
the purpose of preventing fraudulent activities in digital systems and while Users, Customers or other
persons use Services, visit the website (www.fraudjudge.com) or social media sites. Any person visiting the
aforementioned is welcome to read this Privacy Policy to learn how Company collects, uses and stores that
information when You:
- Perform activities in System (“System Privacy Policy”);
- Interact with our website (“Website Privacy Policy”).
All processing of personal data is made based on Company’s legitimate interest and You have the right to
object to that processing. If you wish to exercise this right, please contact Company via email contact
details specified below.
2. Definitions
Customer – a legal entity that makes use of Services and/or System and proprietary technology to detect
fraudulent activities in their digital systems and to make online services at their platforms safer.
Customer Contact Person – a Customer’s designated person who will work as a liaison between the
Company and Customer and will be available to respond to any communication in connection with
performance of these Terms and Conditions. Contact Person’s e-mail indicated in the Organization Details
Page shall be used for any official communication, including, but not limited to notifications regarding
System, Terms and Conditions, billing, etc. Contact Person must be at least 18 years of age (and at least
the legal age in Customer’s jurisdiction). Customer at all times represents and warrants that Contact
Person is of legal age and can enter a binding contract between Customer and Company.
“EEA” – European Economic Area.
“European Data Protection Legislation” – GDPR and other data protection laws of the EU, its Member
States, Switzerland, Iceland, Liechtenstein, Norway, in each case, applicable to the processing of Personal
Data under the Agreement.
Unless otherwise stated, the terms “data subject”, “processing”, “controller”, “processor” and
“supervisory authority” as used in this Privacy Policy have the meanings given in the GDPR. More
information about EU General Data Protection Regulation is available at: https://gdpr.eu/what-is-gdpr/.
“GDPR” – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
“Online Activity” – any online transaction and other online activities, such as but not limited to, account
creation and registration, account log in, log off, account activity, payment, transfer of funds, funds
withdrawal and similar as offered via System.
“Personal Data” – refers to non-sensitive data (for instance: IP address, name, address, phone number,
payment information, shipping information) sent by Customer to Company with User’s consent to fulfil
the purpose of fraud prevention in the performance of the contract between User and Customer. The
Company processes Personal Data when providing the Services pursuant to the provisions of the Data
Processing Agreement, within the scope and extent as defined therein or pursuant to the European Data
Protection Legislation. Personal Data also includes data provided by Customer’s Contact Person upon registration.
“Services” – means the real-time screening and the automated generation of a risk score on the potential
fraud in activities happening in digital system of a Customer.
“System” – Fraud Judge Enterprise – a proprietary technology developed and owned by Pluginhost B.V.
that provides the Services to fulfil the purpose of detecting fraudulent activities in digital systems.
“Subprocessor” – a third party authorized by Company and Customer to fulfill the purpose of monitoring
of fraudulent activities.
“User” – any individual who lands on Customer digital systems to conduct a contract with Customer,
under the form of online transaction or any other online activity on Customer digital systems.
“Website” – www.fraudjudge.com.
“Terms and Conditions” – available at: www.fraudjudge.com.
3. System privacy policy
The Privacy Policy described below only applies to the collection, use and storage of your data for the
performance of Services. Please refer to the privacy policy provided by the Customer to understand how
the Customer collects, uses, processes and stores its client’s information for purposes other than fraud
prevention.
4. Data collection
The data outlined below is not used to personally identify a User, but to detect and group devices
that may be fraudulent.
Data verification may be conducted via third-party online resources such as search engines, social
networks etc., available publicly.
Cookies. Cookies and similar technologies may be used to collect and process data on our Website. These
technologies may include, but are not limited to, cookies, web beacons, pixels, and tags. Upon landing on
Website your consent and confirmation will be asked for your preferred settings. Any user of Website has
the right to withdraw consent or delete cookies at any time by following the instructions provided in
relevant browser settings.
For Data subjects in the EEA, cookies can be disabled from the small pop-out window that appears on the
screen when browsing. If User is an individual outside the EEA, cookies’ policies can be modified
through the device and browser settings.
Device Information. This includes browser information, operating systems, and connection attributes of
User’s device to connect to Customer’s digital system or mobile application. Other than the permission
granted by the User to the Customer, the Company does not request any additional permission from the
User to perform fraud detection regarding the Customer’s digital systems.
Geolocation Information. In the event User has given the Customer permission on the Customer digital
system, Company may collect User geo-location based on User’s IP address.
Passive Biometric Data. Company may collect information about Customer’s Contact Person’s passive
behavior in System or Website, for example how cursor moves, the number of words per minute typed,
the number of mouse clicks.
Payment Information. Company may collect basic payment information submitted on System or on
Customer digital systems to perform payment online, such as the type of payment method chosen and
basic billing information. The Company does not collect full credit card numbers.
Special Categories of Personal Data. The Company does not collect information that may be classified as
Special Category under Article 9 of GDPR.
Contact Information. When you visit Company’s Website and submit your personal information through
our contact forms, Company may receive the following details: First Name, Last Name, Company Email,
Job Position, Business Phone Number, and Country. The Company processes this information based on
your consent, which you provide by submitting your details for us to contact you. This information you
provide may be used by the Company to contact you regarding, for instance – your trial request, send
updates on our products and services, and deliver relevant marketing communications such as
promotions, newsletters, and event invitations. You can choose to stop receiving marketing
communications or emails from us by using the unsubscribe option in the emails or by reaching out to us
at [email protected].
The data described above is collected in the following cases:
- When User interacts with Customer’s digital systems, granting consent for this information to be collected as per Customer’s own privacy policy to perform the contract between User and Customer.
- When User performs Online Activities at Customer’s digital systems, granting consent for this information to be collected as per Customer’s privacy policy and/or terms and conditions.
- When information was made available by User on publicly available platforms, such as search engines, granting consent for this information to be available as per the platform’s privacy policy.
- When User or any other person interacts with Website or System.
5. Data storage as a processor & subprocessor
The Company may at its sole discretion and with the approval of Customers choose a subprocessor to
store the data collected. The Company ensures that subprocessors treat data, and ensure its security
and integrity, to the same standards as Company, and that the subprocessor complies with all data
protection policies, including GDPR.
Company has assigned the following company as a subprocessor, for the sole purpose of data storage:
- SIA “D8 Corporation”
Subprocessor may use data center storage facilities for the subprocessor’s servers, namely – Tet Data
Center Kleistu – a PCI-DSS Level 1 certified data center, designed and built in accordance with
ANSI, NE 1047-1 and 1047-2 directives, as well as in accordance with the requirements of
Tier III infrastructure.
The Company uses Stripe, Inc. (or its affiliated entities) as third party payment processor. When
Customer makes a payment on our Website or System, the payment information is processed directly
by Stripe and is subject to Stripe’s own privacy policy.
6. Automated individual decision-making
Company’s System generates an automated risk score on the potential fraud in Online Activities and
Customer digital Platforms. It is the Customer’s (the Data Controller) sole discretion to follow
Company’s automated risk score and make an automated decision (if any), in accordance with Article
22 of the GDPR.
7. Data retention, sharing and transfer to third countries
The Company always strives to maintain adequate levels of data protection during collection, transfer
and storage. Security safeguards in place include but are not limited to audit and risk assessments,
periodic reviews, access controls to both physical and cloud data centers, network security controls,
and vulnerability and penetration tests. If a User or Contact Person believes that the privacy of data
may have been tampered with or subject to unauthorized access, we request to be contacted immediately
at [email protected].
7.1. Data retention
The Company retains data collected for as long as needed to provide the outlined purpose in this
Privacy Policy in full compliance with applicable regulations. Should the current legislation grant
User or Contact Person the right to delete data and should User or Contact Person exercise it, User or
Contact Person should send questions to [email protected]. In such case, Company
may request User or Contact Person to provide us with additional personal data for the purpose of
verifying identity. Please note that the deletion of User’s data in Company’s System may interfere
with Company’s ability of detecting fraud in User’s subsequent online activities at Customer’s digital
systems.
7.2. Data sharing
Unless required by supervisory authorities or to comply with legal proceedings, the Company does
not share, rent or sell your information to any third party, including the anonymized information on
fraudulent patterns that we may collect from performing the Services.
7.3. Transfer of data to third countries
Company may transfer and process User information outside of User’s or Contact Person’s country of
residence, including any of the Member States of the European Union. When doing so,
Company ensures that an adequate level of data protection is in place.
8. GDPR and data subjects in the EU
Individuals living in the European Union (“Data Subjects”) should be aware of the following under
GDPR:
Company acts as a data processor and has a lawful purpose to collect the data described above, in order
to provide the fraud prevention Services. Customer acts as a data controller. The Company assumes
that User grants consent to Customer to collect and process the User’s data so User can perform a
contract between the User and the Customer.
It is Customer’s own discretion to follow an automated risk score on the potential fraud in the Online
Activities. Users can address Customer for any questions about the automated decisions.
As per GDPR, Data Subjects are granted the right to access, modify and delete their data. Should a
Data Subject choose to exercise any of these rights, particularly the right to deletion (“right to be
forgotten”), Company may retain certain information required by law or by compliance with the
online payments industry, even if the rest of the information is deleted.
Any Data Subject in the EU may exercise their right to file a complaint with the corresponding
supervisory authority, duly appointed by their Member State.
8.1. Rights under GDPR
Data Subjects have the following rights regarding the processing of Personal Data:
8.1.1. Right of access to personal data
Data Subject has the right to request access to their Personal Data and obtain information from the
Company regarding (among others): the purpose of processing; what categories of personal data are
processed; to whom Company transfers or discloses your Personal Data; for what period Company
processes your Personal Data; rights in connection with data processing carried out by Company
regarding your Personal Data; rights to lodge a complaint with a supervisory authority regarding the
processing; in case Company collects your Personal Data from other sources than from Data Subject,
any available information as to the source; the existence of automated decision-making and related
information, including the logic involved, as well as the significance and consequences of such
processing; whether Data Subject’s personal data is transferred outside the EEA and regarding the
conditions of these transfers. Company will provide Data Subject with a copy of personal data in case
you require us to do so.
8.1.2. Right to rectification
Data Subject has the right to request Company to rectify your inaccurate personal data and to request
us to complete your incomplete Personal Data by means of providing us with a supplementary
statement.
8.1.3. Right to erasure
Company erases any of your Personal Data if Data Subject requests to do so in the event of the
following:
- Personal Data is no longer necessary for the purpose concerned;
- Data Subject withdraws consent and there is no other legal basis for the processing;
- Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;
- Personal Data has been processed unlawfully;
- Personal data must be erased according to relevant laws.
Please note that we as a Company are entitled not to erase your Personal Data if it is necessary for
compliance with legal obligations, and for the establishment, exercise or defense of legal claims.
8.1.4. Right to restriction of processing
Data Subject has the right to obtain a restriction of processing from Company where one of the following applies:
- Data Subject has contested the accuracy of Personal Data, in which case Data Subject will obtain restriction for a period enabling Company to verify the accuracy of contested Personal Data;
- the processing is unlawful, and Data Subject opposes the erasure of Personal Data and requests the restriction of their use instead;
- Company no longer needs your Personal Data for the purposes of the processing, but they are required by Data Subject for the establishment, exercise or defence of legal claims; or
- Data Subject has objected to the processing and the verification is pending whether Company’s legitimate grounds override Data Subject’s.
Where processing has been restricted, Personal Data shall, with the exception of storage, only be
processed with your consent or for the establishment, exercise or defense of legal claims, or for the
protection of the rights of another natural or legal person, or for reasons of important public interest
of the European Union or of an EU member state.
8.1.5. Right to object to processing
Data Subject has the right to object to the processing of Personal Data on grounds relating to your
particular situation, where the legal basis of the processing activity is Company’s legitimate interest
(or the legitimate interest of a third party). Company will no longer process the Personal Data unless
the Company can demonstrate compelling legitimate grounds, which override Data Subject’s
interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
Data Subject does not need to provide grounds relating to your particular situation if your Personal
Data is processed for direct marketing purposes, and Company will no longer process Personal Data
if you as a Data Subject have objected to the processing.
8.1.6. Right to data portability
If certain conditions apply, Data Subject has the right to receive Personal Data, which has been
provided to Company, in a structured, commonly used and machine-readable format and Data Subject
has the right to transmit that data to another controller without hindrance from Company. Data
Subject also has the right to have your Personal Data transmitted directly from the Company to
another controller, where technically feasible.
8.1.7. Right to withdraw your consent
Data Subject has the right to withdraw consent at any time, without affecting the lawfulness of
processing based on consent before its withdrawal.
8.2. Company’s actions
If you wish to exercise any of your rights as a Data Subject, please contact the Company at the email
contact details indicated in this Privacy Policy. We will provide information on the actions taken on
the request without undue delay and in any event within one month of receipt of the request. This
period may be extended with a reasonable notification to you by two months where necessary, taking
into account the complexity and number of requests. The Company will take the necessary actions
free of charge except when the request is manifestly unfounded or excessive. In case Company has
reasonable doubts as to the identity of the natural person making the request, Company may request
additional information necessary to confirm the identity. The Company will inform all recipients of
all rectification, erasure, or restriction of processing to whom Personal Data was disclosed except if it
is impossible or requires disproportionate effort.
In case Company does not take any action regarding Data Subject’s request, Company will inform
Data Subject within one month of the receipt of the request as to the reasons and the possibility of
lodging a complaint with a data protection supervisory authority and seeking a judicial remedy.
8.3. Children
Company’s services and Website are intended for business use, and Company does not knowingly
collect any Personal Data from children younger than the age of 18 (eighteen) or otherwise, as
prohibited by applicable law. The Company’s products and services are not available to anyone who
is not of legal age to sign a fully enforceable contract. When acting as a Sub-processor Company may
receive some or all of identifiable information, which the parent, guardian or any other authorized
person has voluntarily submitted to data controller. The Company takes no responsibility or liability
for the use of such data if it is provided by the Customer as a data controller. Please note that any
information submitted by children and adults, whether it would be considered personally identifiable
information or not, is treated by the Company within the same safeguards as personally identifiable
information.
9. Description of data processing activities
9.1. Provision of services, provision of customer support, registration on the website, signing of agreements
Data processing is based on Company’s legitimate interest of Service provision and provision of help
requested by a Customer, which includes establishing a contractual relationship. Categories of
Personal Data processed: personal data provided by Contact Person (contact and communication
details, information provided upon registration). Data retention period: 5 years after termination of
contractual obligations.
9.2. Payment processing
Data processing is based on the Company’s legitimate interest of receiving payment for Services
rendered. Categories of Personal Data processed: personal data provided by legal entity or natural
person (contact details, information related to invoicing, information about Services use). Data
retention period: 7 years after termination of contractual obligations.
9.3. Service improvement and Marketing
Data processing is based on the Company’s legitimate interest of betterment of Services,
development of new functionalities and features and/or consent provided by Contact Person, which
can be withdrawn at any time. Categories of Personal Data processed: Cookie data collected, Personal
data provided (contact and communication details, information provided upon registration), data
collected from public sources. Data retention period: 5 years after termination of contractual
obligations or until consent is revoked.
10. Data rights: individuals outside the EU
Users and Contact Persons outside the EU are encouraged to review the best practices recommended
by the data protection authorities in their countries of residence.
If a User or Contact Person believes that the privacy of the data with Company may have been
tampered with or subject to unauthorized access, User and Contact Person should contact Company
immediately at [email protected].
Please note that we review this Privacy Policy on occasions and amend it as necessary. When we
amend this Privacy Policy, we will announce and publish it by the usual means (e.g., via e-mail
or on the Website), therefore you are kindly asked to check it on a regular basis. The use of the
Company’s Website after a change or an update has been made means that you agree with such
change or update.
Annex 1 to System Privacy Policy
Data processing agreement
1. Background
Whereas:
1. Pluginhost B.V. (CCI No.: 81157533, RSIN No.: 861959474; registered seat:
Konnetlaantje 4, 1435HW, Rijsenhout, the Netherlands) (“Company” or “Processor”) has
entered into a SaaS agreement or any other agreement (the “Agreement” or “DPA”) with
its customer (“Customer” or “Controller”) under which Company provides specific
Services to Customer. Within the scope of the Agreement, Company will process
Customer Data for which Customer is the data controller and Company is the data
processor of Customer in accordance with the European Data Protection Legislation.
2. This DPA forms part of, and complements the provisions of the Privacy Policy and
regulates the processing and transferring of Customer Data. Any issues not regulated by
this DPA shall be governed by the provisions of the Privacy Policy. By using Service,
Customer agrees to this DPA and this DPA becomes a binding commitment between
Customer and Company. The personal data processing provisions contained in this DPA
shall apply to and cover the activities carried out within the framework of the Service,
and the processing of personal data relating to Controller’s clients carried out by the
Processor on behalf of the Controller, as well as the organisational and technical
measures to be implemented when processing Personal Data.
2. Definitions
1. Unless otherwise stated in this DPA, capitalised terms or words are used in the same
sense as they are used in the GDPR or as specified in the Privacy Policy.
2. Processing of personal data means any operation performed on personal data, including
collection, recording, entry, storage, organisation, alteration, use, transfer, transmission,
and disclosure, blocking or erasure.
3. Controller means Customer. The Controller shall determine the purposes and means of
the processing of personal data and shall be responsible for the processing of personal
data.
4. Processor means Company, who processes personal data in the name and on behalf of the
Controller.
5. Data subject means a natural person who can be identified, directly or indirectly.
3. Processing of personal data
1. The Controller shall implement appropriate technical and organisational measures to
ensure and be able to demonstrate that only personal data necessary for the performance
of the mutually concluded agreements shall be used for processing.
2. The Controller shall only transfer to the Processor personal data for which there is a
lawful basis for processing and shall only transfer personal data to the Processor in order
to comply with its obligations under the Agreement, the purpose of the transfer of
personal data and in accordance with the minimum technical and organisational
requirements for the protection of personal data specified in the DPA.
3. The personal data processed by the Processor are the categories of data subjects and data
categories arising from the Agreement, namely:
- Categories of data subjects: clients, potential clients, employees, business partners.
- Data categories: personal identification data (name, surname), contact information (business telephone number, business email address), payment information.
- Personal data of the Controller’s clients and employees (for instance Contact Person’s information, payment data, information regarding performed financial transactions), as well as other personal data as defined in the GDPR which the Controller transfers or to which it provides access to the Processor to comply with its obligations under the Agreement entered between them.
4. Parties shall comply with the provisions arising from the applicable laws and regulations
on the processing of personal data, particularly the requirements of the GDPR.
5. Parties shall process Personal Data obtained from the other party in accordance with the
DPA, the Privacy Policy, applicable data protection laws and regulations, rules
established by data protection authorities.
6. The Processor shall not process Personal Data for its own purposes or for purposes other
than those for the performance of which the Processor has been engaged to process
Personal Data on behalf of the Controller and to the extent and in the manner necessary
for the performance of the mutual agreement.
7. The Processor shall only process Personal Data in accordance with the Controller’s
instructions.
8. The Processor undertakes not to keep personal data for longer than is necessary for the
purpose for which it was transmitted and to ensure that personal data are accurately and
timely updated in accordance with the purpose of the processing of personal data.
9. The Processor shall not transfer Personal Data to a country outside the European Union
or the European Economic Area, hereinafter referred to as a Third Country, or make them
available from a Third Country, unless such action is authorised and agreed upon.
10. The Processor is obliged to provide information to the Controller on the country and
jurisdiction in which the Data is processed and stored.
11. The Processor and the Controller undertake to assist each other, to the extent possible, in
the exercise of the data subject’s rights under the GDPR (e.g., the data subject’s right of
access, right to rectification, right to erasure / right to be forgotten, right to restrict
processing and right to data portability).
4. Business partners
1. The Processor may engage business partners to process Personal Data in accordance with
the DPA, hereinafter referred to as Business Partners, if it has received prior written
permission from the Controller or as specified in the Agreement.
2. The Processor shall ensure that the Controller is informed of and agreed to the Business
Partners who process Personal Data. The Processor shall, at the request of the Controller
or at least annually, promptly provide the Controller with a complete, accurate and up-to-
date list of the Business Partners, which shall include all Business Partners.
3. The Processor represents and warrants that it will not engage a Business Partner if this
involves transfer of Personal Data to a Third Country (including accessing that data from
a Third Country) except as set out in the DPA or the Agreement.
4. The Processor accepts full responsibility to the Controller for all processing of Personal
Data by a Business Partner.
5. Transfer of personal data to a third country
1. The Processor shall not transfer Personal Data to or make them available from a Third
Country unless the Controller has given prior written consent to such transfer and at least
one of the following conditions is met:
- Personal Data are transferred to a Third Country or an international organisation in respect whereof the Commission has decided that it ensures an adequate level of protection; or
- the data subject has provided consent to data transfer, which has in turn been confirmed in writing by the Controller; or
- the Processor of Personal Data (or Business Partner) is certified under Article 42 of the GDPR and has made binding and enforceable commitments to apply appropriate safeguards in the Third Country, including regarding the rights of data subjects; or
- the Processor of Personal Data (or Business Partner) is subject to an approved code of conduct in accordance with Article 40 of the GDPR and has made binding and enforceable commitments to apply appropriate safeguards in the Third Country, including regarding the rights of data subjects; or
- the Processor has put in place binding corporate rules in accordance with Article 47 of the GDPR and these rules also apply to Business Partner(s) in the Third Country; or
- the Processor of Personal Data (or Business Partner) complies with the standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2) of the GDPR and has signed an agreement containing those clauses, or their activities have been approved by the data protection authority and thus also by the Commission; or
- including in connection with the transfer of Personal Data to a Third Country or an international organisation, except where it is required by the Union or Member State laws and regulations applicable to the Processor, in which case the Processor shall inform the Controller of that legal requirement before processing the data, except where such disclosure of information is prohibited by the relevant law or regulation for important reasons of public interest.
2. Where Personal Data is transferred to or accessed from a Third Country, the Processor
shall, prior to the data transfer or access, produce documents demonstrating that the
relevant provision of paragraph 5.1 is indeed met and confirming that the Third Country
to which the data will be transferred has granted the data subjects enforceable rights and
effective legal remedies. All documents related to the data transfer shall be attached to
this DPA (signed where applicable).
6. Safeguards
1. Parties undertake to demonstrate, as necessary, that they have implemented appropriate
technical and organisational measures to protect the processed Personal Data, in
accordance with the principles of good practice and the standards of the industry in which
they operate.
2. The Processor warrants that it has implemented appropriate technical and organisational
measures to protect the processed Personal Data and shall be able to document this at any
time. The Processor shall comply with the security requirements and with the specific
security measures and instructions given by the Controller, as well as with those necessary
to comply with the GDPR and other applicable laws and regulations.
3. The Processor shall protect Personal Data against destruction, alteration, unauthorised
disclosure, and unauthorised access. The Processor shall also protect Personal Data
against any unauthorised processing.
4. The Processor shall ensure that persons authorised to process Personal Data (all persons
acting under the Processor’s instructions) meet and comply with the provisions of this
DPA and any instructions given by the Controller from time to time and that the
authorised persons receive regular and accurate information and training on EU and
national data protection laws and regulations. The Processor shall ensure that Personal
Data are accessible only by duly authorised persons who are performing duties in
accordance with the Processor's instructions and who need access to Personal Data to
perform their obligations to the Controller in accordance with the provisions of the
Agreement. The Processor shall ensure that persons who have access to Personal Data
have signed an undertaking to maintain strict confidentiality (including after the
performance of their work), that they are subject to the confidentiality obligations set out
in Section 9 of the DPA, and that such persons are informed of the way they may process
Personal Data. The Processor confirms that it has implemented an access control system
that prevents unauthorised access to Personal Data.
5. The Processor confirms that it has put in place technical, organisational, and practical
measures to investigate suspected unauthorised processing of, or unauthorised access to,
Personal Data. In the event of unauthorised processing, erasure, alteration of or access to
Personal Data, or an attempt to do so, the Processor shall immediately, and in any event
within 24 (twenty-four) hours, notify the Controller in writing (via e-mail) by sending all
information available to the Processor to the Customer's Contact Person. The Processor
shall be obliged to participate in the investigation and remediation of the data breach and
to provide the Controller with access to all necessary information.
6. At the request of the Controller, the Processor shall assist the Controller in complying
with any procedures relating to the data breach, including, as required by the GDPR,
assisting the Controller in notifying the competent national supervisory authority of the
identified data breach.
7. The Processor does not process Special Categories of Personal Data, as defined in
Articles 9 and 10 of the GDPR, or other Personal Data the integrity of which must be
specially protected, such as top secret or private personal data.
8. The Controller may provide additional guidance on the security measures to be followed
by the Processor. The Controller may carry out control measures, including internal or
external audits, to verify that appropriate technical and organisational measures are
implemented and complied with in the performance of the Agreement.
9. If the Processor has not received instructions from the Controller that, in the Processor's
opinion, it needs in order to process Personal Data, or if the Processor believes that the
Controller's instructions are contrary to the GDPR or to other EU or Member State legal
norms and recommendations that the Processor is obliged to follow, the Processor shall
immediately inform the Controller in writing of its position and await the Controller's
instructions.
7. Audits and supervision
1. The Controller shall have the right, at its own expense, itself or by engaging an
independent third party, to verify the Processor's compliance with the requirements set
out by the Controller in this DPA in relation to the processing of data. The Processor shall
assist the Controller or the third party conducting the audit by providing the necessary
documentation and other means required to verify the Processor's compliance with the
provisions of this DPA. The Processor shall ensure that the Controller has the same
rights with respect to any Business Partner the Processor engages. The Processor may
offer alternative supervisory solutions, such as an audit by an independent third party,
which the Controller may accept or reject at its sole discretion. The Processor shall be
entitled to appropriate reimbursement for direct and verifiable audit costs.
2. If a data protection authority or other (supervisory) authority initiates an inspection of the
processing of Personal Data by the Controller, or if a data subject lodges a complaint
against the Controller in relation to the processing of data allegedly carried out by the
Processor, the Processor shall assist the Controller by providing the necessary
documentation and other information about the data processing to enable the Controller
to respond to the complaint and to provide the authorities with all necessary information
to enable them to carry out their supervision.
8. Disclosure of information
1. If a data subject, a data protection authority, another (supervisory) authority or a third
party requests the Processor to provide information relating to the processing of Personal
Data, the Processor shall forward the request for information to the Controller. The
Processor shall not disclose Personal Data or any other information relating to the
processing of Personal Data without the Controller’s written consent. The Processor shall
promptly assist the Controller in responding to requests concerning the exercise of the
data subject’s rights under Chapter III of the GDPR (e.g., the data subject’s right of
access, right to rectification, right to erasure, right to restrict processing and right to data
portability).
2. If the Processor is contacted by a data protection authority or other supervisory authority
related to the processing of Personal Data, the Processor shall promptly inform the
Controller thereof. The Processor shall not have the right to represent or act on behalf of
the Controller in any communication with a data protection authority or other supervisory
authority in relation to the processing of Personal Data.
9. Confidentiality
1. The Processor and its authorised persons undertake to respect confidentiality when
processing the information and data provided by the Controller, including but not limited
to Personal Data. The Controller’s documents, data and Personal Data shall not be
disclosed to third parties without authorisation. The Processor shall ensure that authorised
persons who process documents, data and Personal Data under the Processor’s
instructions undertake and comply with confidentiality obligations in accordance with the
provisions of the DPA and the Agreement.
2. The Processor shall ensure that the persons authorised to process Personal Data have
agreed in writing to respect confidentiality (even after termination of the employment
relationship).
3. Any Personal Data processed under this DPA shall be treated as Confidential
Information. Personal Data, information, instructions, information system solutions,
descriptions or other documentation or information provided directly or indirectly to the
Processor in connection with the performance of the Agreement (including this DPA)
shall not be used or disclosed by the Processor for any purpose other than as provided in
the Agreement and this DPA unless the Processor has obtained prior written permission
from the Controller.
4. Confidentiality obligations shall not apply to information in respect of which a Party can
demonstrate that it is in the public domain or that it was disclosed to that Party by a third
party without violating the provisions of this DPA.
5. The Processor may disclose Confidential Information, including Personal Data, pursuant
to a court or governmental order, mandatory legal requirement, or applicable mandatory
regulation, provided that the Controller shall, in cases where such disclosure is not
prohibited, be notified in a timely manner of such disclosure.
6. The confidentiality obligations under this DPA shall survive the termination of the DPA.
10. Indemnification and liability
1. Without prejudice to any other provision of this DPA or the Agreement, the Processor
shall indemnify and hold harmless the Controller against any liability, including liability
to third parties and data subjects and liability for compensation, administrative or other
fines imposed by a national or international authority or court, where such liability arises
from the Processor’s failure (intentionally or negligently) to comply with its obligations
regarding the processing of Personal Data under this DPA, the Agreement or applicable
data protection laws and regulations.
2. If either Party is subject to an administrative or financial penalty in connection with the
other Party’s failure (whether intentionally or negligently) to comply with its obligations
regarding the processing of Personal Data under this DPA or the Agreement, the Party
that has failed to comply with its obligations under this DPA or the Agreement shall
indemnify the other Party for any direct losses incurred by it.
3. Under this DPA, neither Party shall be liable for indirect damages such as loss of
revenue; any liability provided for in this DPA shall be deemed to be liability for direct
damages.
4. The Processor shall not be liable for any loss suffered by the Controller where the
Processor processes Personal Data on the Controller's behalf and/or under the Controller's
authority or pursuant to written instructions received from the Controller.
5. Any third-party claims that arise during the term of this Agreement for breaches
relating to the processing of Personal Data shall be the responsibility of the Party within
whose sphere of responsibility and because of whose conduct the claims have arisen or
may arise.
11. Term of validity, in relation to the agreement and amendments
1. The obligations of the Parties under this DPA shall not terminate even if the Agreement is
terminated for any reason and shall continue as long as either Party processes Personal
Data obtained from the other Party. Upon termination of the DPA, the Parties shall ensure
that all Personal Data are returned to the other Party or erased.
2. Personal Data processed in accordance with this DPA shall be erased by the Processor as
set out in the System Terms and Conditions, the System Privacy Policy and the Website
Privacy Policy, as applicable and as amended from time to time. Prior to the erasure, the
erasing Party shall inform the designated contact person of the other Party in writing (via
the Contact Person's e-mail) that the data will be erased and shall, upon request of the
other Party, promptly confirm in writing that the Personal Data have been destroyed.
3. This DPA applies to any amendments, supplements or modifications to existing
Agreement (e.g., changes to the description of the service, additional scope of the service
or provisions for additional support).
4. If any provision of this DPA becomes invalid, this shall not affect the validity of the
remaining provisions of the DPA and the Agreement. The Parties agree to replace the
invalid provision with a valid one that meets the Parties’ objectives as closely as possible.
5. In the event of breach of any of the provisions of this DPA, the Parties shall have the right
to terminate the Agreement immediately.
12. Applicable law and dispute resolution
1. This DPA shall be governed by and construed in accordance with the laws and
regulations specified in the Privacy Policy or in the Terms and Conditions into which the
Privacy Policy is incorporated.
2. All disputes, controversies or claims arising out of or in connection with the DPA, or
matters relating to breach, termination or invalidity of the Agreement, shall be finally
settled in accordance with the dispute resolution procedure set out in Terms and
Conditions.