Data Processing Addendum
Contractual framework for processing personal data on behalf of customers.
Complete standalone legal document within the DDFU™ Universal Terms Center (UTC). This is the primary legal source for this agreement.
This Data Processing Addendum ("DPA") supplements and forms part of the agreement between DDFU and Customer under which DDFU shall carry out certain Services, provided that the Services include the Processing of Personal Data and Data Protection Legislation applies to Customer's use of the Services.
1. Background; Definitions
1.1 Background. This DPA (including its Appendices and incorporations by reference) supplements and forms part of the agreement between DDFU and Customer under which DDFU shall carry out certain Services ("Principal Agreement") provided that the Services include the Processing of Personal Data and Data Protection Legislation applies to Customer's use of the Services.
This DPA is in addition to, and does not relieve, remove, or replace either party's obligations under the Data Protection Legislation.
None of the terms and conditions of the Principal Agreement shall be waived or modified by this DPA but if there is any conflict between any of the provisions of this DPA and the provisions of the Principal Agreement in relation to the Processing of Personal Data, the Parties agree the provisions of this DPA shall prevail to the extent of any such conflict.
1.2 Definitions. In this DPA, the following terms shall have the meanings set out below:
- "Affiliate" means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with a company, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of management and the policies of an entity.
- "Data Protection Legislation" means (i) the GDPR (and any laws of Member States of the European Economic Area ("EEA") implementing or supplementing the GDPR), (ii) UK Data Protection Law and (iii) data protection or privacy laws of Switzerland, in each case to the extent applicable to the Processing of Personal Data under this DPA and the Principal Agreement.
- "GDPR" means EU General Data Protection Regulation 2016/679.
- "Services" means the services or products and other activities to be supplied to or carried out by or on behalf of DDFU for the Customer pursuant to the Principal Agreement.
- "Sub-processor" means any third party (including any DDFU Affiliate) appointed by or on behalf of DDFU as a subcontractor to Process Personal Data on behalf of any Customer or Customer Affiliate in connection with the Principal Agreement.
The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", and "Processor" shall have the same meaning as in the applicable Data Protection Legislation.
2. Data Processing Obligations
2.1 Controller and Processor of Personal Data, Appointment of Processor and Purpose of Processing.
DDFU will comply with all applicable requirements of the Data Protection Legislation to the extent it imposes obligations upon DDFU as a Data Processor and expects Customer to also comply with Data Protection Legislation.
This DPA applies to the extent Customer is the Controller and DDFU is the Processor. It also applies to the extent that Customer is a Processor and DDFU is acting as a (sub) Processor. Where the Customer is a Processor, the Customer confirms that its instructions, including appointment of DDFU as a Processor or (sub) Processor, have been authorized by the relevant Controller.
2.2 DDFU's obligations with respect to the Customer.
DDFU will, in relation to any Personal Data it will be Processing under the Principal Agreement and this DPA:
- process such Personal Data solely for the purpose of providing the Services;
- process such Personal Data in accordance with documented and commercially reasonable instructions from the Customer, subject to and in accordance with the terms of the Principal Agreement;
- ensure that the persons authorized by it to process such Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and have received appropriate training on their responsibilities; and
- limit access of DDFU personnel to the Personal Data undergoing processing to what is necessary for provision of the Services.
Customer agrees that the Principal Agreement (including this DPA) is its complete documented instructions to DDFU for the Processing of Personal Data. Additional instructions, if any, require prior written agreement between the Parties.
2.3 Sub-processing. Customer provides DDFU a general authorization to engage Sub-processors. Sub-processors may include: (i) DDFU global Affiliate companies as exist from time to time (and their vendors); and/or (ii) any of the subcontractors that DDFU engages in connection with the provision of certain Processing activities.
DDFU shall inform the Customer at least 14 days before DDFU appoints a new or replacement Sub-processor to give the Customer an opportunity to reasonably object to the changes.
2.4 Data Subjects' Right to Information. It is the responsibility of the Customer (or the party acting as Controller) to inform the Data Subject(s) concerned of the purposes and the legal basis for which their Personal Data will be processed at the time the Personal Data is collected.
2.5 Exercise of Data Subjects' Rights. Taking into account the nature of the Processing, DDFU shall assist the Customer insofar as this is possible and reasonable for the fulfilment of the Customer's obligation under Data Protection Legislation to respond to requests for exercising the Data Subject's rights of: access, rectification, erasure and objection, restriction of processing, data portability, not to be subject to a decision based solely on automated processing.
2.6 Notification of Personal Data Breach. DDFU shall notify the Customer of a Personal Data Breach without undue delay after DDFU becomes aware of it, by email to a Customer email address on file with DDFU, along with any necessary documentation to enable the Customer, where necessary, to notify this breach to the Data Subject and/or the competent Supervisory Authority.
2.7 Assistance lent by DDFU to the Customer regarding Compliance with Customer's Obligations under the Data Protection Legislation. Where requested by the Customer and to the extent required by Data Protection Legislation, DDFU shall, taking into account the nature of processing and the information available to DDFU, provide reasonable assistance to the Customer in carrying out data protection impact assessments or should the Customer need prior consultation with a Supervisory Authority.
2.8 Protective Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Customer and DDFU shall both be responsible to implement appropriate technical and organisational measures to ensure a level of protection appropriate to the risk.
DDFU agrees to implement the Technical and Organizational Measures in respect of the Services.
Customer is responsible for implementing and maintaining privacy protections and protective measures for components that Customer or any Customer Affiliate provides or controls. Customer shall apply the principle of data minimisation and limit DDFU access to systems or Personal Data to only where essential for the performance of Services.
2.9 Data Return or Destruction. Where DDFU has stored Personal Data as part of the Services: at the end of the Service(s) upon Customer's written instruction, DDFU may (i) offer a data return service or (ii) following a reasonable data retention period delete the Personal Data unless applicable law requires further storage of the Personal Data.
2.10 The Data Protection Officer. DDFU has designated a data protection officer in accordance with Data Protection Legislation. They can be contacted by email via legal@ddfu.eu.
2.11 Inspections and Audits. Upon written request from Customer, DDFU shall, where available, provide a copy of the latest Service Organization Control (SOC) audit report and/or other third-party audit reports or information to demonstrate that the processing activities of DDFU relating to the Personal Data are in compliance with its obligations under this DPA.
Customer may request evidence of DDFU relevant policies and other related documents to verify that DDFU is complying with its obligations under this DPA.
Customer may conduct an on-site inspection at DDFU's premises, either by itself or by an independent third-party auditor (not to include a competitor of DDFU), where the information under Sections 2.11.2 and 2.11.3 has failed to verify compliance by DDFU with its obligations under this DPA or such an inspection is formally required by the Supervisory Authority.
2.12 Customer Information and related Restrictions. Instructions by Customer related to the Processing of Personal Data must be provided in writing, duly signed by an authorised representative of Customer. Customer is responsible for having all necessary consents and notices in place and confirms it is entitled to lawfully transfer the Personal Data to DDFU.
3. International Transfers
Personal Data may be processed in the EEA, the United Kingdom and Switzerland (each a "Designated Country") and in countries outside of a Designated Country ("Other Countries") by DDFU or its Sub-processors. The transfer to Other Countries shall be in accordance with Data Protection Legislation (to the extent it applies).
The Parties shall have in place a Transfer Mechanism in respect of any Restricted Transfer. In the event of an EEA Restricted Transfer where Personal Data is transferred from Customer as data exporter acting as a Controller or Processor (as applicable), to DDFU as data importer acting as a Processor, the Parties shall, as part of this DPA, comply with the EEA Controller to Processor SCCs where the Customer acts as a Controller and the EEA Processor to Processor SCCs where the Customer acts as a Processor.
4. General Provisions
4.1 Execution of this DPA. Where requested by Customer, DDFU and Customer shall execute this DPA in one or more counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument.
4.2 The Parties agree that with respect to the period on and after the date that this DPA comes into effect between the Parties, this DPA shall replace and supersede any existing data processing addendum, attachment, exhibit or standard contractual clauses that Customer and DDFU may have previously entered into in connection with the Services.
5. For Partner Agreements
If the Principal Agreement relates to the resale or supply of Services with a partner under a DDFU partner programme or a partner agreement (a "Partner"), with DDFU acting as the Partner's sub-processor under that arrangement with no direct contractual relationship to the direct and indirect customers of the Partner which are entitled to use the Services, such as the End User or, in the case of a Partner who is an MSP, the Beneficiary (hereinafter "Using Parties"), then the following provisions shall apply:
All references to "Customer" in this DPA shall mean the Partner. Partner shall procure implementation and maintenance of privacy protections and protective measures for components that Partner or any Using Parties (including Affiliates of any of these) provides or controls.
Contact
For questions about this Data Processing Addendum, contact DDFU at legal@ddfu.eu or by post at: DDFU, Jan Skopový, Castkova 689/74, 326 00 Plzen, Czech Republic, EU.