Annex № 2 to the Master Service Agreement №___ as of ___

Version 5.0 as of April 01, 2022

This ANNEX to Agreement (hereinafter — “Annex II”, “PDPA”) is made and entered into ___ day of _______, _____ between Parties. Annex II shall determine applicable data processing terms and conditions. Annex II shall constitute an integral part of Agreement and shall continue to be in full force and effect in accordance with the provisions of Agreement.

For the provision of Subscription to Mindbox Service Contractor processes Personal Data on behalf of Customer. In this capacity Contractor is considered as the data processor (Processor) and Customer is considered as the data controller (Controller).

1. Obligations

   Contractor processes Personal Data only to the extent necessary for the provision of Subscription to Mindbox Service and the execution of Agreement. The Processing of Personal Data by Contractor is fair and lawful, compliant with United States applicable Privacy legislation and in accordance with Customers’ request for services.

2. Personal Data transfers

   Contractor contracts an affiliated enterprise and services providers as subcontractors (Sub-processors) for the data processing according to the data sub-processor agreements. The Contractor remains fully liable to the Customer for the performance of Sub-processors’ obligations.

   Customer generally authorises the engagement of Mindbox’ affiliated enterprise and Mindbox’ service providers as Sub-processors. The list of Sub-processors shall be provided to Customer upon request.

3. Security

   Contractor has implemented technical and organisational security measures to protect Personal Data against unauthorised or unlawful Processing, accidental or unlawful destruction or accidental loss, alteration, damage, unauthorised disclosure or unauthorised access by any person.

   Contractor does not take knowledge of non-public information, including Personal Data, which is placed on Mindbox Service by Customer, unless this is necessary for the proper provision of Subscription to Mindbox Service under this Agreement or this inspection is based on a legal obligation.

4. Data Breach notification

   Contractor will immediately notify Customer of any actual or suspected security breach involving Personal Data which can foreseeably compromise the confidentiality and/or integrity of Personal Data. Contractor will provide Customer upon request with all information necessary for notifying the Data Protection Authority or the Data Subjects involved in the Data Breach.

5. Data Subject requests

   Customer always has access to Contractor’s systems where Personal Data of Data Subjects are processed on behalf of Customer. Should Customer for any reason has no independent access to the information necessary for complying to Data Subject requests for access, rectification, erasure and/ or restriction of processing of their Personal Data, Contractor will assist Customer by providing all necessary information to respond to the request.

6. Confidentiality

   Contractor treats Personal Data confidential. Contractor ensures that those members of staff and third parties that have access to Personal Data maintain the confidentiality and the security of Personal Data by signing a confidentiality agreement.

   This obligation does not apply if and insofar as disclosure is required by law and / or court order, in which case the information to be disclosed will be kept as limited as possible. When Contractor receives a request from a public authority to disclose Personal Data belonging to Customer, Contractor shall immediately inform Customer.

7. Scope of this Personal Data Processing Agreement and re-negotiation

   Contractor’s obligations as set out in this Personal Data Processing Agreement will perpetuate after termination of Agreement for as long as Contractor still has access to Personal Data. Upon termination or receipt of notice terminating Agreement, Customer is responsible for the export of Personal Data from Mindbox Service. Contractor shall utilize commercially reasonable efforts to destroy the Customer’s Account in Mindbox Service with Personal Data processed on behalf of Customer within 30 (thirty) days after termination of this Agreement. The Contractor may deviate to the extent where a longer data retention period is necessary to demonstrate fulfilment of contractual obligations, if necessary under applicable legislation as well as authorized to keep the Personal Data backup as long as necessary according to the Contractor’s policies.

8. CCPA Processing.

   To the extent that Contractor processes Personal Data that is protected by the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (the “CCPA”), the terms of this Section 8 shall apply in addition to the terms above. In the event of any conflict or ambiguity between the terms in this Section 8 and any other terms in this Annex II, the terms of this Section 8 shall take precedence but only to the extent that they apply to the Personal Data in questions.

   For the purposes of this Section 8, Customer is a “Business” (within the meaning of the CCPA) and appoints Contractor as a “Service Provider” (within the meaning of the CCPA) to process Personal Data on behalf of Customer. Customer is responsible for compliance with the requirements of the CCPA applicable to Businesses.

   Contractor will not: (i) “sell” (within the meaning of the CCPA) Personal Data; (ii) process Personal Data for any purpose other than for the specific purposes set forth herein. For the avoidance of doubt, Contractor will not process Personal Data outside of the direct business relationship between Customer and Contractor; or (iii) attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of Customer.

   The parties acknowledge that Personal Data that has been de-identified is not “personal information” (within the meaning of the CCPA). Contractor may de-identify Personal Data only if it: (i) has implemented technical safeguards that prohibit re-identification of the Data Subject to whom the information may pertain; (ii) has implemented business processes that specifically prohibit re-identification of the information; (iii) has implemented business processes to prevent inadvertent release of deidentified information; and (iv) makes no attempt to re-identify the information.

   Contractor hereby certifies that it understands its restrictions and obligations set forth in this Section 8 and will comply with them.

9. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

   The following measures apply to transfer of personal data from the Customer to the Contractor.

   1. Measures to ensure confidentiality

      1. System Access Control. To prevent unauthorized persons from gaining access to data processing systems with which personal data are processed or used.

         • Admission control system, document reader (magnet/chip card)

         • Door locks (electric door opener, number lock, etc.)

         • Protected doors/windows

         • Key administration / documentation of distribution of keys

         • Protection of facilities, guards

         • Special protective measures for the server room

         • Special protective measures for archiving back-ups and/or other data carriers

         • Employee and authorisation documents

         • Blocked areas

         • Visitor rules (e.g., pick-up at reception, documentation of visiting hours, visitor pass, accompanying visitors to exit after visit).

      2. Entry Control. To prevent data processing systems from being used without authorization.

         • Personal and individual user log-in for registration in the systems or company network

         • Authorization process for access authorizations

         • Password procedures (indication of password parameters with regard to complexity and update interval)

         • Electronic documentation of passwords and protection of this documentation against unauthorized access

         • Logging of access

         • Firewall.

      3. Access Control. To ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization in the course of processing or use and after storage.

         • Authorization process for authorizations

         • Profiles/roles

         • Segregation of duties

      4. Separation Control. To ensure that data collected for different purposes can be processed separately.

         • Storing data in physically separated databases

         • Separate systems

         • Multi-client capability of IT systems

         • Using pseudonyms for data

         • Using test data

         • Separating development and production environment

   2. Measures in order to ensure integrity

      To ensure that personal data is processed correctly and without any manipulations.

      • Access rights

      • System-side logging

      • Functional responsibilities, organizationally specified responsibilities

      • Logging of data transfer or sharing

      • Logging access for reading

      • Logging the copying, editing or removal of data.

   3. Measures in order to ensure and restore availability. To ensure that personal data is protected against accidental destruction or loss.

      • Back-up processes

      • Storage process for back-ups (fire-proof safe, separate fire sections, etc.)

      • Ensuring data storage in secured network

      • Need-based downloading of security updates

      • Setting up uninterrupted power supply

      • Suitable archiving facilities for paper documents

      • Fire-proof and/or fire water protection for server room

      • Climate-controlled server room

      • Virus protection

      • Firewall

      • Emergency plan

      • Redundant, offsite storage.

   4. Measures in order to ensure resilience. To ensure that the data processing systems are sufficiently robust and resilient in order to sustain the most important expectable disturbance effects without their functionality being impaired.

      • Emergency plan in case of machine breakdown

      • Redundant power supply

      • Sufficient capacity of IT systems and plants

      • Logistically controlled processes to avoid power peaks

      • Resilience and error management.

   5. Effectiveness control. To ensure that there are processes in place for regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures.

      • Processes of regular controls/audits

      • Concept for regularly testing, assessing and evaluating

      • Reporting system

      • Penetration tests

      • Emergency tests.

   6. Instruction control. To ensure that personal data is only processed in accordance with the instructions of the Controller (also in the case of a Processor)

      • This Controller to Processor Agreement with provisions on the rights and obligations of the Processor and the Controller

      • Process of issuing and/or following instructions

      • Specification of contacts and/or responsible employees

      • Controlling/checking that agreement is handled in accordance with instructions

      • Preparing/instruction of all Processor’s access-authorized employees

      • Independent auditing of adherence to instructions

      • Commitment of employees to maintain confidentiality

      • Agreement on conventional penalties for infringement of instruction

      • Appointment of a Data Protection Officer

      • Data protection manager / coordinator

      • Keeping records of processing activities

      • Documentation and escalation process for data protection infringements

      • Guidelines/instructions for guaranteeing technical-organisational measures for data security.

DETAILS AND SIGNATURES OF THE PARTIES