STELLARALGO DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”), which applies to the Agreement between Stellaralgo Corp. (“StellarAlgo”), a Canadian corporation (“PROVIDER”), and the customer identified in the signature block below (“Customer”) (collectively referred to as the “Parties”), sets forth the terms and conditions relating to the privacy, confidentiality, security and protection of Personal Data (as defined below) associated with services to be rendered by PROVIDER to Customer (and no other person) pursuant to the agreement entered into between the Parties whereby the Customer subscribed for PROVIDER’s services (the “Agreement”).

1. Definitions

“Applicable Law” means all applicable laws and regulations relating to the privacy, confidentiality, security and protection of Personal Data, including, without limitation: federal and state laws of the United States of America, including the California Consumer Privacy Act as amended by the California Privacy Rights Act, and its implementing regulations as amended by the California Privacy Rights Act of 2020 (“CCPA”); the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”), with effect from 25 May 2018, and EU Member State laws supplementing the GDPR; the EU Directive 2002/58/EC (“e-Privacy Directive”), as replaced from time to time, and EU Member State laws implementing the e-Privacy Directive, including laws regulating the use of cookies and other tracking means as well as unsolicited e-mail communications; the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); the Swiss Federal Act on Data Protection of June 19, 1992 (“FADP”) and its revised version of September 25, 2020 (“Revised FADP”) as applicable, as well as relevant data protection and privacy laws in other jurisdictions applicable to Data Processor.

“Adequate Third Country” means any country determined by the European Commission under article 45 of Regulation (EU) 2016/679 that such country outside the EU offers an adequate level of data protection, or such similar determination by the European Economic Area and/or their member states, Switzerland or the United Kingdom, as applicable.

“Data Controller” means a person or organisation who alone or jointly with others determines the purposes and means of the Processing of Personal Data.

“Data Security Measures” means technical and organisational measures that are aimed at ensuring a level of security of Personal Data that is appropriate to the risk of the Processing, including protecting Personal Data against accidental or unlawful loss, misuse, unauthorised access, disclosure, alteration, destruction, and all other forms of unlawful Processing, including measures to ensure the confidentiality of Personal Data.

“Data Subject” means an identified or identifiable natural person to which the Personal Data pertains.

“Instructions” means this DPA, the Agreement and any further written agreement or documentation through which the Data Controller instructs the Data Processor to perform specific Processing of Personal Data.

“Personal Data” means any information relating to an identified or identifiable natural person Processed by PROVIDER in accordance with Customer’s Instructions; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

“Process”, “Processed”, or “Processing” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.

“Services” means the services offered by PROVIDER and subscribed for by Customer under the Master Agreement.

“Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.

“Sub-Processor” means the entity engaged by the Data Processor or any further Sub-Processor to Process Personal Data on behalf and under the authority of the Data Controller.

2. Roles and Responsibilities of the Parties

2.1. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is a Controller or a Processor, PROVIDER is a Processor and that PROVIDER or members of the PROVIDER Group will engage Sub-processors pursuant to the requirements set forth in section 4 “Sub-processors” below.

2.2. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirement to provide notice to Data Subjects of the use of their Personal Data by PROVIDER as Processor (including where the Customer is a Processor, by ensuring that the ultimate Controller does so). For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted-out from sales or other disclosures of Personal Data, to the extent applicable under Data Protection Laws and Regulations.

2.3. PROVIDER shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.

2.4. The subject-matter of Processing of Personal Data by PROVIDER is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 2 (Description of Processing/Transfer) to this DPA.

2.5. PROVIDER shall inform Customer immediately (i) if, in its opinion, an instruction from Customer constitutes a breach of the GDPR and/or (ii) if PROVIDER is unable to follow Customer’s instructions for the Processing of Personal Data.

3. Obligation of the PROVIDER

PROVIDER agrees to and warrants that it shall:

3.1. Process Personal Data disclosed to it by Customer only in accordance with Applicable Law and on behalf of, and in accordance with, the Instructions of the Data Controller, including in order to provide the Services (as defined in the Agreement) or as otherwise , unless PROVIDER is otherwise required by Applicable Law, in which case PROVIDER shall inform Customer of that legal requirement before Processing the Personal Data, unless informing the Customer is prohibited by law. PROVIDER shall immediately inform Customer if, in PROVIDER’s opinion, an Instruction provided infringes Applicable Law.

3.2. Ensure that any person authorised by PROVIDER to Process Personal Data in the context of the Services is only granted access to Personal Data on a need-to-know basis, is subject to a duly enforceable contractual or statutory confidentiality obligation, and only processes Personal Data in accordance with the Instructions of the Data Controller.

3.3. Enter into any written agreements as are necessary (in its reasonable determination) to comply with Applicable Law concerning any cross-border transfer of Personal Data, whether to or from PROVIDER.

3.4. Inform Customer promptly and without undue delay of any formal requests from Data Subjects exercising their rights of access, correction or erasure of their Personal Data, their right to restrict or to object to the Processing as well as their right to data portability, and not respond to such requests, unless instructed by the Customer in writing to do so. Taking into account the nature of the Processing of Personal Data, PROVIDER shall assist Customer, by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer’s obligations to respond to a Data Subject’s request to exercise their rights with respect to their Personal Data.

3.5. Notify Customer immediately in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data, unless informing the Customer is prohibited by law. Customer shall have the right to defend such action in lieu of and on behalf of PROVIDER. Customer may, if it so chooses, seek a protective order. PROVIDER shall reasonably cooperate with Customer in such defense.

3.6. Provide reasonable assistance to Customer, in complying with Customer’s obligations under Applicable Law available. Should PROVIDER incur costs that go beyond what may reasonably be expected from a support request, Customer and PROVIDER will cooperate in good faith to find an agreeable solution and Customer will reimburse PROVIDER accordingly.

3.7. Maintain internal record(s) of Processing activities, copies of which shall be provided to Customer by PROVIDER or to supervisory authorities upon request.

4. Sub-Processing

4.1. PROVIDER shall not share, transfer, disclose, make available or otherwise provide access to any Personal Data to any third party, or contract any of its rights or obligations concerning Personal Data, unless PROVIDER has entered into a written agreement with each such third party that imposes obligations on the third party that are similar to those imposed on PROVIDER under this DPA. PROVIDER shall only retain third parties that are capable of appropriately protecting the privacy, confidentiality and security of the Personal Data.

4.2. PROVIDER has Customer’s general authorisation to appoint (and permit each Sub-processor appointed in accordance with this section 4 to appoint) Sub-processors.

4.3. PROVIDER shall give Customer prior written notice at least 30 (thirty) days in advance of the appointment of any new Sub-processor, including reasonable details of the Processing to be undertaken by the Sub-processor and any other information necessary to enable Customer to exercise its right to object. Customer shall have the right to object to the identity of any such alternate third-party provider and, in the event that PROVIDER continues to engage such alternate third-party provider despite such objection, to terminate this Agreement and the Master Agreement immediately on notice without any further liability to PROVIDER within sixty (60) days of notification of such appointment.

4.4. PROVIDER may continue to use those Sub-processors already engaged by PROVIDER as at the Effective Date. A list of those Sub-processors is set out in Schedule 2, Section 9 of this agreement.

5. Compliance with Applicable Laws

5.1. Each party covenants and undertakes to the other that it shall comply with all Applicable Laws in the provision and use (as applicable) of the Services.

5.2. Without limiting the above, (i) Customer is responsible for ensuring that it has a lawful basis for the processing of Personal Data in the manner contemplated by this Agreement, and has adequate record of such basis (whether directly or through another third party provider); and (ii) PROVIDER is not responsible for determining the requirements of laws applicable to Customer’s business or that PROVIDER’s provision of the Services meet the requirements of such laws. As between the parties, Customer is responsible for the lawfulness of the Processing of the Customer Personal Data. Customer will not use the Services in conjunction with Personal Data to the extent that doing so would violate applicable Data Protection Laws.

5.3. Subject to the terms of the Agreement, Customer may claim from PROVIDER amounts paid to a Data Subject for a violation of their Data Subject rights caused by PROVIDER’s breach of its obligations under Applicable Law.

6. Europe Specific Provisions

6.1. For the purposes of this section 6 and Schedule 1 these terms shall be defined as follows:

6.1.1. “EU C-to-P Transfer Clauses” means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).

6.1.2. “EU P-to-P Transfer Clauses” means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Three (Processor-to-Processor).

6.2. PROVIDER will Process Personal Data in accordance with the GDPR requirements directly applicable to PROVIDER’s provision of its Services.

6.3. If, in the performance of the Services, Personal Data that is subject to the GDPR or any other law relating to the protection or privacy of individuals that applies in Europe is transferred out of Europe to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Laws and Regulations of Europe, the transfer mechanisms listed below shall apply to such transfers and can be directly enforced by the Parties to the extent such transfers are subject to the Applicable Laws of Europe:

  • Where Customer is a Controller and a data exporter of Personal Data and PROVIDER is a Processor and data importer in respect of that Personal Data, then the Parties shall comply with the EU C-to-P Transfer Clauses, subject to the additional terms in section 1 of Schedule 1; and/or
  • Where Customer is a Processor acting on behalf of a Controller and a data exporter of Personal Data and PROVIDER is a Processor and data importer in respect of that Personal Data, the Parties shall comply with the terms of the EU P-to-P Transfer Clauses, subject to the additional terms in sections 1 and 2 of Schedule 1.

It is expressly agreed and acknowledged that the Personal Data may be transferred to and processed in the USA.

7. California Specific Provisions

7.1. In this section 7, the terms “processing”, “personal information”, “consumer”, “sell”, “selling”, “sale” and “commercial purpose” shall have the meaning given to them in the CCPA. Notwithstanding anything to the contrary in this DPA, to the extent that PROVIDER is processing any personal information of any consumer on behalf of Customer, PROVIDER shall not:

(a) provide Customer with remuneration in exchange for Personal Data from Customer, where the parties further acknowledge and agree that Customer has not “sold” (as such term is defined by the CCPA) Customer Data to Provider;

(b) “sell” (as such term is defined by CCPA) or “share” (as such term is defined by the CCPA) Personal Data; nor

(c) retain, use or disclose the personal information that form part of the Personal Data for any purpose other than for the specific purpose of performing the Services or as otherwise permitted by the CCPA, including retaining, using or disclosing the personal information for a commercial purpose other than providing the Services.

7.2. Service Provider certifies that any Subprocessors appointed in accordance with the terms of this DPA are “service providers” (as defined under the CCPA) with whom Service Provider has entered into a written contract that includes terms substantially similar to this DPA.

8. Data Security

8.1. PROVIDER shall develop, maintain and implement a comprehensive written information security program that complies with Applicable Law and good industry practice, including without limitation compliance with ISO/IEC 27001 and ISO/IEC 27018 standards. PROVIDER’s information security program shall include appropriate administrative, technical, physical, organisational and operational safeguards and other security measures designed to (i) ensure the security and confidentiality of Personal Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data; and (iii) protect against any Personal Data Breach, including, as appropriate:

a) The encryption of the Personal Data;

b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;

c) The ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and

d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures adopted pursuant to this provision for ensuring the security of the Processing.

8.2. PROVIDER shall supervise PROVIDER personnel to the extent required to maintain appropriate privacy, confidentiality and security of Personal Data. PROVIDER shall provide training, as appropriate, to all PROVIDER personnel who have access to Personal Data.

8.3. Promptly (and in any event within 90 days) following the expiration or earlier termination of the Master Agreement, PROVIDER shall return to Customer or its designee, if so requested during such period, or if not so requested securely destroy or render unreadable or undecipherable, each and every original and copy in every media of all Personal Data in PROVIDER’s, its affiliates’ or their respective subcontractors’ possession, custody or control. In the event applicable law does not permit PROVIDER to comply with the delivery or destruction of the Personal Data, PROVIDER warrants that it shall ensure the confidentiality of the Personal Data and that it shall not use or disclose any Personal Data after termination of this DPA.

9. Data Breach Notification

9.1. PROVIDER shall promptly, but in any case within 72 hours of becoming aware of occurrence, inform Customer in writing of any Personal Data Breach. The notification to Customer shall include all available information regarding such Personal Data Breach, including information on:

a) The nature of the Personal Data Breach including where possible, the categories and approximate number of affected Data Subjects and the categories and approximate number of affected Personal Data records;

b) The likely consequences of the Personal Data Breach; and

c) The measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

PROVIDER shall cooperate fully with Customer in all reasonable and lawful efforts to prevent, mitigate or rectify such Breach. PROVIDER shall provide such assistance as required to enable Customer to satisfy Customer’s obligation to notify the relevant supervisory authority and Data Subjects of a personal data breach under Articles 33 and 34 of the GDPR.

10. Audit

10.1. PROVIDER shall on written request (but not more than once per year, other than in the event of a breach) make available to Customer all information necessary to demonstrate compliance with the obligations set forth in this DPA and, at the Customer’s expense, allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer. Upon prior written request by Customer (but not more than once per year, other than in the event of a breach), PROVIDER agrees to cooperate and, within reasonable time, provide Customer with: (a) audit reports (if any) and all information necessary to demonstrate PROVIDER’s compliance with the obligations laid down in this DPA; and (b) confirmation that no audit, if conducted, has revealed any material vulnerability in PROVIDER’s systems, or to the extent that any such vulnerability was detected, that PROVIDER has fully remedied such vulnerability.

11. Governing Law

11.1. This DPA shall be governed by the same laws as those that govern the Agreement.

Schedule 1

1. STANDARD CONTRACTUAL CLAUSES OPERATIVE PROVISIONS AND ADDITIONAL TERMS

For the purposes of the EU C-to-P Transfer Clauses and the EU P-to-P Transfer Clauses, Customer is the data exporter and PROVIDER is the data importer and the Parties agree to the following. Where this section does not explicitly mention EU C-to-P Transfer Clauses or EU P-to-P Transfer Clauses it applies to both of them.

1.1. Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA. References to clauses are references to clauses of the Standard Contractual Clauses. The information required for the purposes of the Appendix to the Standard Contractual Clauses is set out in Schedule 2.

1.2. Docking clause. The option under clause 7 shall not apply.

1.3. Instructions. This DPA and the Master Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement to PROVIDER for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Master Agreement. For the purposes of clause 8.1(a) of Standard Contractual Clauses, the instructions by Customer to Process Personal Data are set out in section 2.3 of this DPA and include onward transfers to a third party located outside Europe for the purpose of the performance of the Services.

1.4. Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with this DPA.

1.5. General authorisation for use of Sub-processors. Option 2 under clause 9 shall apply. For the purposes of clause 9(a), PROVIDER has Customer’s general authorisation to engage Sub-processors in accordance with section 5 of this DPA. PROVIDER shall make available to Customer the current list of Sub-processors in accordance with section 5.2 of this DPA.

1.6. Notification of New Sub-processors and Objection Right for new Sub-processors. Pursuant to clause 9(a) of the Standard Contractual Clauses, Customer acknowledges and expressly agrees that PROVIDER has the general authorization to engage new Sub-processors as described in this DPA. PROVIDER shall inform Customer of any changes to Sub-processors following the procedure provided for in section 5 of this DPA.

1.7. Liability. PROVIDER’s liability under clause 12(b) shall be limited to any damage caused by its Processing where PROVIDER has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Customer, as specified in Article 82 GDPR.

1.8. Supervision. Clause 13 shall apply as follows:

1.8.1. Where Customer is established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by Customer with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

1.8.2. Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.

1.8.3. Where Customer is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, Commission nationale de l’informatique et des libertés (CNIL) – 3 Place de Fontenoy, 75007 Paris, France shall act as competent supervisory authority.

1.8.4. Where Customer is established in the United Kingdom or falls within the territorial scope of application of the Data Protection Laws and Regulations of the United Kingdom (“UK Data Protection Laws and Regulations”), the Information Commissioner’s Office (“ICO”) shall act as competent supervisory authority.

1.8.5. Where Customer is established in Switzerland or falls within the territorial scope of application of the Data Protection Laws and Regulations of Switzerland (“Swiss Data Protection Laws and Regulations”), the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws and Regulations.

1.9. Notification of Government Access Requests. For the purposes of clause 15(1)(a), PROVIDER shall notify Customer (only) and not the Data Subject(s) in case of government access requests. Customer shall be solely responsible for promptly notifying the Data Subject as necessary.

1.10. Governing Law. The governing law for the purposes of clause 17 shall be the law that is designated in the Governing Law section of the Agreement unless required to be in the EU, in which event they shall be those of Ireland.

1.11. Choice of Forum and Jurisdiction. The courts under clause 18 shall be those of Canada unless required to be in the EU, in which event they shall be those of Ireland.

1.12. Appendix. The Appendix shall be completed as follows:

  • The contents of section 1 of Schedule 2 shall form Annex I.A to the Standard Contractual Clauses
  • The contents of sections 2 to 9 of Schedule 2 shall form Annex I.B to the Standard Contractual Clauses
  • The contents of section 10 of Schedule 2 shall form Annex I.C to the Standard Contractual Clauses
  • The contents of section 11 of Schedule 2 to this Exhibit shall form Annex II to the Standard Contractual Clauses.

1.13. Data Exports from the United Kingdom under the Standard Contractual Clauses. For data transfers governed by UK Data Protection Laws and Regulations, the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses (“Approved Addendum”) shall apply. The information required for Tables 1 to 3 of Part One of the Approved Addendum is set out in Schedule 2 of this DPA (as applicable). For the purposes of Table 4 of Part One of the Approved Addendum, neither party may end the Approved Addendum when it changes.

1.14. Data Exports from Switzerland under the Standard Contractual Clauses. For data transfers governed by Swiss Data Protection Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity. In such circumstances, general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in Swiss Data Protection Laws.

1.15. Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

2. ADDITIONAL TERMS FOR THE EU P-TO-P TRANSFER CLAUSES

For the purposes of the EU P-to-P Transfer Clauses (only), the Parties agree the following.

2.1. Instructions and notifications. For the purposes of clause 8.1(a), Customer hereby informs PROVIDER that it acts as Processor under the instructions of the relevant Controller in respect of Personal Data. Customer warrants that its Processing instructions as set out in the Agreement and this DPA, including its authorizations to PROVIDER for the appointment of Sub-processors in accordance with this DPA, have been authorized by the relevant Controller. Customer shall be solely responsible for forwarding any notifications received from PROVIDER to the relevant Controller where appropriate.

2.2. Security of Processing. For the purposes of clause 8.6(c) and (d), PROVIDER shall provide notification of a personal data breach concerning Personal Data Processed by PROVIDER to Customer.

2.3. Documentation and Compliance. For the purposes of clause 8.9, all enquiries from the relevant Controller shall be provided to PROVIDER by Customer. If PROVIDER receives an enquiry directly from a Controller, it shall forward the enquiry to Customer and Customer shall be solely responsible for responding to any such enquiry from the relevant Controller where appropriate.

2.4. Data Subject Rights. For the purposes of clause 10 and subject to section 3 of this DPA, PROVIDER shall notify Customer about any request it has received directly from a Data Subject without obligation to handle it (unless otherwise agreed), but shall not notify the relevant Controller. Customer shall be solely responsible for cooperating with the relevant Controller in fulfilling the relevant obligations to respond to any such request.

SCHEDULE 2 – DESCRIPTION OF PROCESSING/TRANSFER

1. LIST OF PARTIES

Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union

  • Name of the data exporter: The entity identified as the “Customer” in the Master Agreement and this DPA.
  • Contact person’s name, position and contact details: The address and contact details associated with Customer’s account, or as otherwise specified in this DPA or the Agreement.
  • Activities relevant to the data transferred under these clauses: Performance of the Services pursuant to the Agreement.
  • Signature and date: See front end of the DPA.
  • Role: For the purposes of the EU C-to-P Transfer Clauses Customer and/or its Authorized Affiliate is a Controller. For the purposes of the EU P-to-P Transfer Clauses Customer and/or its Authorized Affiliate is a Processor.

Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection

  • Name of data importer: Stellaralgo Corp.
  • Contact person’s name, position and contact details: Sean Fynn, CTO (sfynn@stellaralgo.com)
  • Activities relevant to the data transferred under these clauses: Performance of the Services pursuant to the Agreement.
  • Signature and date: See front end of the DPA
  • Role: Processor

2. CATEGORIES OF DATA SUBJECTS WHOSE PERSONAL DATA IS TRANSFERRED

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Prospects, customers, business partners and vendors of Customer (who are natural persons)
  • Employees or contact persons of Customer’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, freelancers of Customer (who are natural persons)
  • Customer’s Users authorized by Customer to use the Services

3. CATEGORIES OF PERSONAL DATA TRANSFERRED

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:

  • First and last name
  • Title
  • Position
  • Employer
  • Contact information (company, email, phone, physical business address)
  • ID data
  • Professional life data
  • Personal life data
  • Localisation data

4. SENSITIVE DATA TRANSFERRED (IF APPLICABLE)

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

Data exporter may submit special categories of data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which is, for the sake of clarity, Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

5. FREQUENCY OF THE TRANSFER

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Continuous basis depending on the use of the Services by Customer.

6. NATURE OF THE PROCESSING

The nature of the Processing is the performance of the Services pursuant to the Agreement.

7. PURPOSE OF PROCESSING, THE DATA TRANSFER AND FURTHER PROCESSING

PROVIDER will Process Personal Data as necessary to perform the Services pursuant to the Agreement, and as further instructed by Customer in its use of the Services.

8. DURATION OF PROCESSING

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
PROVIDER will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

9. SUB-PROCESSOR TRANSFERS

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
As per 7 above, the Sub-processor will Process Personal Data as necessary to perform the Services pursuant to the Agreement. Each Sub-processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

Identities of the Sub-processors used for the provision of the Services and their country of location are:
– Amazon Web Services, United States
– Microsoft Azure, United States

10. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with clause 13:
The supervisory authority specified in section 2.11 of Schedule 1 shall act as the competent supervisory authority.

11. TECHNICAL AND ORGANISATIONAL MEASURES

Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services using the requisite security measures, a description of which may be made reasonably available by data importer. Data importer will not materially decrease the overall security of the Services during a subscription term. Data Subject Requests shall be handled in accordance with the DPA.