DATA PROCESSING ADDENDUM

Version

Current

BRYTER GmbH, Biebergasse 2, Frankfurt am Main, Germany (hereinafter “Processor“) and Customer (hereinafter “Controller“), together also referred to as the “Parties” and each also referred to as a “Party” hereby agree as follows:

1. Definitions

The capitalized terms used in this data processing addendum (“DPA“) shall have the meaning as set forth in the definitions set out in Appendix 1 to the MSA.

2. General provisions

2.1. Unless otherwise implied (e.g. by context of a reference, or explicitly stated), “GDPR” refers to both the EU General Data Protection Regulation as well as the UK General Data Protection Regulation.

2.2. Controller is the controller in accordance with Article 4 no. 7 of the General Data Protection Regulation (GDPR). Processor is the processor in accordance with Article 4 no. 8 of the GDPR.

2.3. Processor processes personal data on behalf of Controller for the delivery of the BRYTER Software within the meaning of the Master Service Agreement and agreements incorporating it (jointly referred to as “MSA“) according to Art. 4 no. 2 and Art. 28 GDPR solely based on this DPA.

2.4. The subject-matter of the processing is set out in the MSA.

2.5. The beginning and the duration of the processing depends on the duration of the MSA.

3. Nature and purpose of the Processing, type of Personal Data and categories of data subjects

3.1. The scope and duration and the detailed stipulations on the type and purpose of Processing shall be governed by the MSA. Specifically, Processing shall include the following Personal Data:

Type of Personal Data	Categories of subjects affected	Purpose of Processing	Duration of Processing
IP address	– Authorized User – End User, if a login is required	Functionality and security	90 days as of last login
First name	– Authorized User – End User, if a login is required	Functionality and security	Until termination of MSA
Last name	– Authorized User – End User, if a login is required	Functionality and security	Until termination of MSA
Email address	– Authorized User – End User, if a login is required	Functionality and security	Until termination of MSA
Password	– Authorized User – End User, if a login is required	Functionality and security	Until termination of MSA
Encrypted IP address	– Authorized User – End User	Functionality and security	90 days as of last login

3.2. Additionally, Processor’s Software may be used by Controller to process any Personal Data determined by the Controller or voluntarily provided by the End User and/or Authorized User. Processor has no influence on the scope of such additional Personal Data being processed. The type of Personal Data that will be processed with Processor’s Software in addition to the data set out in 3.1 above is the sole responsibility of the Controller.

4. Scope and Responsibility

Processor shall process Personal Data on behalf of Controller. Such Processing shall include actions as may be specified in the MSA. Within the scope of the MSA, Controller shall be solely responsible for complying with the statutory requirements relating to the lawfulness of Processing, in particular regarding the transfer of Personal Data to the Processor (acting as “controller” in accordance with Article 4 no. 7 of the GDPR.

5. Controller’s rights and obligations; Instructions

5.1. It is within the sole responsibility of Controller to assess the lawfulness of the Processing. If not set out differently in the MSA this includes the handling of data subjects’ rights requests. Processor shall forward immediately to Controller any such request discernibly addressed to Controller.

5.2. Controller’s Instructions are set out in the MSA. Controller shall only be entitled to issue additional Instructions if data protection regulations require such further Instructions.

5.3. Any Instructions given by Controller shall be in writing or in a documented electronic form. Oral Instructions shall be confirmed immediately in writing or in a documented electronic form. Changes of the subject-matter of the Processing or of procedures shall be coordinated between Controller and Processor and established in writing or in a documented electronic form.

5.4. Processor ensures that Controller, or a qualified third party instructed by Controller which is obliged to maintain confidentiality, can verify the compliance with the Processor’s obligations laid out in the applicable data protection laws and regulations and this DPA and the implementation and adequacy of the technical and organizational measures by Processor before and during the Processing by making available all necessary information and contribute to audits (including onsite inspections).

5.5. Audits and inspections shall, as far as possible, not hinder Processor in its normal business operations and shall not place an undue burden on Processor. In particular, inspections at Processor’s premises shall not take place more than once per calendar year and only during the Processor’s normal business hours without a valid reason. The Parties shall agree on inspection dates at Processor’s premises. Appointments shall be made promptly upon Controller’s request and during usual business and operating hours, taking into account Processor’s business interests. Processor shall be entitled to reject auditors that are competitors of BRYTER, are not sufficiently qualified to conduct such an audit or are not independent. Controller acknowledges that most of the Processing is done via cloud computing on the premises of Amazon AWS (see schedule 2). Hence, any inspection directly of or at the premises of Processor is of limited use. Upon request by Controller, Processor will initiate inspections of Amazon AWS or other Sub-processors in accordance with the respective DPAs.

5.6. Controller shall immediately inform Processor if errors or irregularities are detected throughout the examination.

5.7. Controller shall pay for any costs reasonably incurred by an onsite inspection according to section 5.4. or 5.5. of Controller.

5.8. Controller shall notify Processor in sufficient detail and without undue delay of any defect or irregularity detected by Controller in Processor’s provision of the Software or the Services concerning data protection.

6. Processor’s obligations

6.1. Processor processes Personal Data solely within the scope of this DPA and on documented Instructions of Controller, unless required to do so by European Union, member state or UK law which Processor is subject to. In such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

6.2. Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, when it comes to fulfilling the rights of data subjects in accordance with Art. 12 to 22 GDPR by Controller.

6.3. Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller in its obligations under Art. 32 GDPR as well as its obligation to carry out a data protection impact assessment and prior consultation, where necessary (Art. 35, 36 GDPR). Processor shall immediately forward the required information to Controller.

6.4. Processor shall ensure that each person authorized to process Controller’s Personal Data is bound to adequate contractual or statutory confidentiality obligations, informs them of all relevant data protection obligations according to this DPA and takes steps to ensure that they process them only on Controller’s Instructions, except where they are required to process it under the law of the European Union or a member state.

7. Processor’s notification obligations

7.1. Processor shall immediately inform Controller if, in its opinion, an Instruction infringes the GDPR or other European Union, member state or UK data protection provisions. Processor is entitled to suspend the execution of such an Instruction until Controller confirms it in writing. If Controller insists on the execution of an Instruction in spite of the reservations expressed by Processor, Controller shall indemnify Processor against all damages and costs incurred by Processor in executing Controller’s Instruction. Processor will inform Controller about damages and costs claimed against him and will not acknowledge claims of third parties without the consent of Controller and will conduct the defense at the discretion of Processor in due collaboration with Controller or leave it to Controller.

7.2. Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller regarding Controller’s obligations in accordance with Art. 33 and 34 GDPR.

7.3. Controller shall pay for any non-insignificant costs incurred by making use of Processor’s obligation to support Controller according to section 7.2. as far as the obligation does not arise due to a violation of data protection law by Processor.

8. Processor’s obligation to maintain professional secrecy

8.1. This section only applies if Controller is subject to Section 203 of the German Criminal Code.

8.2. Under the MSA and this DPA, Processor may process Professional Secrets. Controller shall be responsible to assess whether any data provided to Processor is deemed a Professional Secret and to notify Processor accordingly.

8.3. Processor undertakes to obtain knowledge of Professional Secrets only to the extent necessary for the performance of the obligations set out in the MSA.

8.4. Processor undertakes to maintain confidentiality about Professional Secrets, to keep Professional Secrets strictly confidential and to take adequate measures to protect Professional Secrets from unauthorized access by third parties.

8.5. Processor may disclose Professional Secrets to subcontractors to the extent necessary for the provision of subcontracted services, provided that (i) each subcontractor has been contractually prohibited in writing (digitally sufficient) from disclosing Professional Secrets to unauthorized third parties and (ii) subcontractors must obligate their subcontractors accordingly.

8.6. Processor shall ensure that all employees and other persons working for Processor who are involved in the processing of Professional Secrets, have undertaken in writing (digitally sufficient) not to disclose without any Professional Secrets of which they have become aware in the course of or on the occasion of their work to unauthorized third parties.

9. Sub-processors.

9.1. By signing this DPA, Controller authorizes Processor’s use of Sub-processors listed in Schedule 1. Depending on the services outlined in the Agreement, Processor will use different Sub-processors.

9.2. Controller hereby generally authorizes Processor’s use of Sub-processors. Processor shall, prior to the use of additional Sub-processors or replacement of Sub-processors, inform Controller with written notice thereof any time during the term of the MSA (‘Sub-processor Notice’) provided that Controller signs-up to a mailing list via: subprocessors@bryter.io through which such notices will be delivered by e-mail.

9.3. Controller shall be entitled to object to any change notified by Processor within 15 business days and for materially important reasons. Where Controller does not object to such change within such period of time, Controller shall be deemed to have authorized such change. Where a materially important reason for such contradiction exists, and failing an amicable resolution of this matter by the Parties, Processor shall be entitled to, at its choice, provide the services under the MSA without the use of the respective Sub-processor or to terminate the MSA at the time of the planned use of the respective Sub-processor.

9.4. Processor shall contractually ensure that Processor’s obligations agreed on in this DPA also apply to all approved Sub-processors.

9.5. Processor shall remain liable to Controller for its Sub-processors’ obligations.

9.6. Controller agrees with execution of this DPA to the use of Amazon Web Services (AWS) EMEA SARL (“AWS”) as a Sub-processor. In the relationship between Processor and AWS the AWS GDPR Data Processing Addendum applies. The AWS GDPR Data Processing Addendum will be submitted to Controller by Processor upon Controller’s explicit request.

9.7. Controller acknowledges that the use of AWS (or a substitute Sub-processor) is crucial to the performance of the service carried out by Processor. In case that Controller withdraws its agreement regarding the use of AWS (or a substitute Sub-processor) as a Sub-processor, Processor shall be entitled to terminate extraordinarily the MSA and this DPA as well as any other potential agreement between the Parties immediately. In case of such termination, Processor is entitled to demand the full fees payable by the Controller under the MSA or any other agreement that is terminated for the full term agreed upon between the Parties.

10. Transfer of Personal Data to third countries.

Personal Data shall be generally processed in member states of the European Union, in another state that is a party to the Agreement on the European Economic Area (“EEA”) or the UK. Subject to compliance with the provisions of this DPA, Processor is also permitted to process Personal Data outside the EEA and UK or to have it processed by Sub-processors in accordance with Section 9. of this DPA, if the conditions of Articles 44 to 48 GDPR are fulfilled or an exception in accordance with Art. 49 GDPR exists.

11. Technical and organizational measures in accordance with Art. 32 GDPR.

11.1. Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organizational measures to ensure a level of security for the Personal Data appropriate to the risk.

11.2. Prior to the beginning of the Processing, Processor shall implement the technical and organizational measures in accordance with Art. 32 GDPR listed in Schedule 2 and maintain them for the duration of the MSA.

11.3. Since the technical and organizational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Schedule 2. If Processor makes significant changes to the measures specified in Schedule 2, he will inform Controller of such changes in advance.

11.4. Controller is responsible to verify the technical and organizational measures taken by Processor, in particular whether these are also sufficient with regard to circumstances of Processing.

12. Obligations of Processor after termination of the MSA.

12.1. After termination of the MSA, Processor shall, at Controller’s choice, delete in accordance with data protections regulations, or return and delete existing copies of, all Personal Data, documents and Processing or usage results in connection with the Processing being in its possession, unless the laws of the European Union, of a member state or of the UK require storage of the Personal Data.

12.2. However, Processor shall be entitled to keep backup copies of such Personal Data or information for a period of 30 days, provided that the deletion of Controller’s data from such backup copies is not technically feasible with regard to Art. 32 GDPR. Notwithstanding Section 2.5., the rights and obligations of the Parties under this DPA with regard to the backup copies shall continue to apply for this period.

13. Liability.

Any provisions on the Parties’ liability set out in the MSA shall also apply on the Processing under this DPA, unless expressly agreed upon otherwise.

14. Final provisions.

14.1. Where the Personal Data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Processor’s control, Processor shall notify Controller of such action without undue delay. Processor shall, without undue delay, notify to all pertinent parties in such action, that any data affected thereby is in Controller’s sole property and area of responsibility, that data is at Controller’s sole disposition, and that Controller is the responsible body in the sense of the GDPR.

14.2. Section 12 (General Provisions) of the MSA shall apply accordingly to this DPA.

14.3. If this DPA contradicts other agreements concluded between the Parties, the provisions of this DPA shall take precedence. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.

Schedule 1

List of Sub-processors for the BRYTER Automation Platform

Sub-processor	Service Provided	Corporate Location	Sever Location	Type of data processed
Amazon Web Services (AWS) EMEA SARL	Cloud Server	8 Avenue John F. Kennedy, L-1855 Luxembourg	Frankfurt am Main (Germany)	See above 3.1
DataDog Inc.	Monitoring Tool	620 8^th Avenue, 45^th Floor, New York, NY 10019-1741, USA	Frankfurt am Main (Germany)	IP address

List of Sub-processors for the BRYTER Policy AI

Sub-processor	Service Provided	Corporate Location	Sever Location	Type of data processed
Amazon Web Services (AWS) EMEA SARL	Cloud Server	8 Avenue John F. Kennedy, L-1855 Luxembourg	Frankfurt am Main (Germany)	See above 3.1
Microsoft Azure	Cloud Server	Takeda Ireland Ltd (Grange Castle), New Nangor Road, Grange, Dublin 22, Co	Dublin (Ireland)	See above 3.1
DataDog Inc.	Monitoring Tool	620 8^th Avenue, 45^th Floor, New York, NY 10019-1741, USA	Frankfurt am Main (Germany)	IP address
Intercom R&D Unlimited Company	Customer Support	3rd Floor, Stephens Court, 18-21 Saint Stephen’s Green, Dublin 2	Dublin (Ireland)	Name and IP address

Schedule 2

Technical und organizational measures

Usage of AWS

For data security measures concerning the servers where the BRYTER Software is located please refer to the Amazon Web Services (AWS) technical and organizational measures.

Amazon Web Services EMEA Sarl, 8 Avenue John F. Kennedy, L-1855 Luxembourg

All personal data is stored and processed in European data centers of our sub-processor Amazon Web Services (AWS). BRYTER has executed a Data Processing Addendum with AWS, namely “AWS GDPR DATA PROCESSING ADDENDUM”. The agreement with AWS is an integral part of these technical and organizational measures. AWS is ISO 27001, 27017 and 27018 certified. ISO 27018 is a code of conduct for the protection of personal data in the cloud. It is based on the ISO 27002 information security standard (the “Standard”) and serves as a guideline for the implementation of ISO 27002-controls that apply to personal data that uniquely identifies a person in the public cloud. The Standard provides additional controls and guidelines for the protection requirements of personal data that is not taken into account by the current controls of ISO 27002. By complying with this Standard, AWS has a system of control mechanisms that are specifically concerned with the protection of private data. By complying with this internationally recognized guide and independently reviewing it, AWS demonstrates its commitment to customer content privacy. Further information on our sub-processors and their certifications can be found here: https://aws.amazon.com/compliance/gdpr-center/.

1. Physical access control

Processor is not using on-premises servers but cloud computing, currently AWS, to provide and execute the Software and to process data entered into the Software. Thereto the following is stated to ensure physical access control:

For data security measures concerning the physical location of the servers where the BRYTER Software is located please refer to the Amazon Web Services (AWS) Technical and organizational measures as stated above.
Electronic data storages are safely deleted after their usage.
The entrance of the office building by the public is prevented through doors that have opening systems through a key or an equivalent device with such areas being kept closed when access to the documents included in the filing is not required.

2. User access control to data processing systems

To prevent unauthorized parties from using data processing systems.

Workstation computers are secured as follows:

User login only through centrally controlled identity management system.
Workstation computers are automatically locked after a certain idle time.
Personal access code required to unlock computers.

Password policy:

For administrative access (minimum requirements for password length and complexity, two-factor authentication).
For employee access (minimum requirements for password length and complexity, two-factor authentication).
For customer access (minimum requirements for password length and complexity).

3. Access control to personal data in data processing systems

To ensure that those authorized to use a data processing system can only access the data for which they are authorized and that data, especially personal data, is not subject to unauthorized viewing, copying, modification, or deletion when it is processed or used or after it is stored.

Central rights management, separated for system access and application access.
Controls to prevent users from changing their own rights.
Controls to prevent users from requesting a change without the approval of the person in charge in accordance with the established approval process.
External access restricted to VPN- or SSH-secured connections.
Data encrypted for storage.

4. Separation control

To ensure that data collected for different purposes can be processed separately.

Separation of:

Employee data.
Customer contact data.
Customer test data (project work, customer developments).
Customer data in the BRYTER data center.

System level:

Customer data in data center is administered in strict separation and in separate systems (databases, etc.) from BRYTER data (including the CRM system).

Different applications:

Customer data and employee data is processed using separate applications.

5. Measures for pseudonymization and encryption

To ensure that traceability of data to individuals is at least restricted.

Privacy-by-design and privacy-by-default measures, including the appropriate training for product teams and based on the principles of avoiding and limiting data.
All download/upload internet connections secured through either SSL/TLS, SSH.
Input control

To ensure that it is possible to subsequently check and determine whether and by whom data, especially personal data, was entered into data processing systems, modified, or deleted.

Comprehensive logging by all systems that process personal data, making it possible to subsequently determine whether and by whom personal data was entered, modified, or removed.
Personalized user accounts extending to the specialized applications.
Separate system logs and application logs, ruling out manipulation of the application logs at the system level.

6. Order control

To ensure that personal data from orders can only be processed according to the client’s instructions.

Regulation of instructions in principal service and data processing agreement.
Administration of users and rights by client at application level.
Transfer/entry of data by client, who decides which data is transferred and when.
Access to this data limited to roles with corresponding access rights.
Automated processing of data by certified software ensuring that data is processed in accordance with contracted procedure.
Use of standardized contracts as stipulated by law for relations with customers and service providers.
Inclusion of sub-processor with corresponding confidentiality, data processing, system access agreements.

7. Transmission control

To ensure that data, especially personal data, cannot be viewed, copied, modified, or deleted without authorization while it is transmitted electronically, transported, or saved to storage media and that it is possible to check and determine the intended destinations of data, especially personal data, transferred using data transmission equipment.

All download/upload internet connections secured through either SSL/TLS, SSH.
No local storage of personal data; all data stored centrally in the systems of BRYTER.
External connections possible only through approved applications.
External connections possible only through approved services.
All remote data transfer connections logged wherever technically possible.
Regulations for the disposal of waste with confidential content.

8. Availability

To ensure that data, especially personal data, is protected against random destruction or loss.

Data encrypted for storage.
All access authorizations and access rights of a person leaving the company are promptly blocked and if necessary deleted.
All company-owned items relating to personal data are reclaimed from an individual leaving the company.
Written data carriers are stored before and after dispatch in such a way that access is only possible for authorized persons.
Regular testing of data security / backup systems, etc

9. Resilience

To ensure that data processing systems are sufficiently resilient and robust.

Inventory of processing activities with integrated assessment of consequences for data protection and assessment of the appropriateness of technical and organizational measures.
Integration of privacy by design in product management:
Advanced controls can be triggered by procedural manager together with the data protection officer for assessment of consequences for data protection (administration of processes including checks, coordination, analysis, and evaluation).
Use of next-generation firewall.
Monitoring to ensure early detection and at least limit or even prevent damage due to malware.
For server related resilience measures please refer to the to the Amazon Web Services (AWS) Technical and organizational measures.
Incident Response Management.

10. Security Management

To ensure security during processing

Internal and external ISO 27001 audits.
Regular checks of technical and organizational measures with responsible roles, including whether they reflect the state of the art.
Management evaluations as a regular routine.

11. Measures to prevent concatenation

To ensure that data is used only for the purpose for which it was collected (purpose limitation principle)

Use of role concept to limit processing, use, and transmission rights.
Programmed omission or closure of interfaces in procedures and procedure components.
Rules prohibiting backdoors, quality assurance audits to check compliance in software development.
Functional separations based on role concept.
Separations through role concepts with phased access rights based on identity management and a secure authentication process.
Regular awareness training.

12. Personal Data Protection Management

To ensure that obligations to provide information are met

Data Protection Management System in place with reporting lines to senior management.
Records of processing activities pursuant to Art. 30 GDPR (both as controller and as processor).
Data privacy statement on BRYTER website.
Detailed information outlined in data privacy portal of BRYTER.
Documentation of contracts with internal employees, contracts with external service providers and third parties from whom data is collected or to whom data is transmitted.

Version: 4.2 (March 2024)

between

Customer as defined in the MSA (hereinafter “Controller“)

and

BRYTER GmbH, Biebergasse 2, 60313 Frankfurt am Main, Germany (hereinafter „Processor“)

(together also referred to as the “Parties” and each also referred to as a “Party“)

1. Definitions

The capitalized terms used in this data processing addendum (“DPA“) shall have the meaning as set forth in the definitions set out in Appendix 1 to the MSA.

2. General provisions

2.1 Unless otherwise implied (e.g. by context of a reference, or explicitly stated), “GDPR” refers to both the EU General Data Protection Regulation as well as the UK General Data Protection Regulation.

2.2 Controller is the controller according to Article 4 no. 7 of the General Data Protection Regulation (GDPR). Processor is the processor in accordance with Article 4 no. 8 of the GDPR.

2.3 Processor processes personal data on behalf of Controller for the delivery of the BRYTER Software within the meaning of the Master Service Agreement and agreements incorporating it (jointly referred to as “MSA”) according to Art. 4 no. 2 and Art. 28 GDPR solely based on this DPA.

2.4 The subject-matter of the processing is set out in the MSA.

2.5 The beginning and the duration of the processing depends on the duration of the MSA.

3. Nature and purpose of the Processing, type of Personal Data and categories of data subjects

3.1 The scope and duration and the detailed stipulations on the type and purpose of Processing shall be governed by the MSA. Specifically, Processing shall include the following Personal Data:

Type of Personal Data	Categories of subjects affected	Purpose of Processing	Duration of Processing
IP address	· Authorized Users· End User, if a login is required	Functionality and security	90 days as of last login
First name	· Authorized Users· End User, if a login is required	Functionality and security	Until termination of MSA
Last name	· Authorized Users· End User, if a login is required	Functionality and security	Until termination of MSA
Email address	· Authorized Users· End User, if a login is required	Functionality and security	Until termination of MSA
Password	· Authorized Users· End User, if a login is required	Functionality and security	Until termination of MSA
Encrypted IP address	· Authorized Users· End User	Functionality and security	90 days as of last login

3.2 Additionally, Processor’s Software may be used by Controller to process any Personal Data determined by the Controller or voluntarily provided by the End User and/or Authorized User. Processor has no influence on the scope of such additional Personal Data being processed. The type of Personal Data that will be processed with Processor’s Software in addition to the data set out in 3.1 above is the sole responsibility of the Controller.

4. Scope and Responsibility

Processor shall process Personal Data on behalf of Controller. Such Processing shall include such actions as may be specified in the MSA. Within the scope of the MSA, Controller shall be solely responsible for complying with the statutory requirements relating to the lawfulness of Processing, in particular regarding the transfer of Personal Data to the Processor (acting as “controller” in accordance with Article 4 no. 7 of the GDPR).

5. Controller’s rights and obligations; Instructions

5.1 It is within the sole responsibility of Controller to assess the lawfulness of the Processing. If not set out differently in the MSA this includes the handling of data subjects´ rights requests. Processor shall forward immediately to Controller any such request discernibly addressed to Controller.

5.2 Controller’s Instructions are set out in the MSA. Controller shall only be entitled to issue additional Instructions if data protection regulations require such further Instructions.

5.3 Any Instructions given by Controller shall be in writing or in a documented electronic form. Oral Instructions shall be confirmed immediately in writing or in a documented electronic form. Changes of the subject-matter of the Processing or of procedures shall be coordinated between Controller and Processor and established in writing or in a documented electronic form.

5.4 Processor ensures that Controller, or a qualified third party instructed by Controller and who is obliged to maintain confidentiality, can verify the compliance with the Processor’s obligations laid down in the applicable data protection laws and regulations and this DPA and the implementation and adequacy of the technical and organizational measures by Processor before and during the Processing by making available all necessary information and contribute to audits (including onsite inspections).

5.5 Audits and inspections shall, as far as possible, not hinder Processor in its normal business operations and shall not place an undue burden on Processor. In particular, inspections at Processor’s premises shall not take place more than once per calendar year and only during the Processor’s normal business hours without a valid reason. The Parties shall agree on inspection dates at Processor’s premises. Appointments shall be made promptly upon Controller’s request and during usual business and operating hours, taking into account Processor’s business interests. Processor shall be entitled to reject auditors that are competitors of BRYTER, are not sufficiently qualified to conduct such an audit, or are not independent. Controller acknowledges that most of the processing is done via Cloud Computing on the premises of Amazon AWS (see schedule 2). Hence, any inspection directly of or at the premises of Processor is of limited use. Upon request by Controller, Processor will initiate inspections of Amazon AWS or other Sub-processors in accordance with the respective DPAs.

5.6 Controller shall immediately inform Processor if errors or irregularities are detected throughout the examination.

5.7 Controller shall pay for any costs reasonably incurred by an onsite inspection according to section 5.4 or 5.5 of Controller.

5.8 Controller shall notify Processor in sufficient detail and without undue delay of any defect or irregularity detected by Controller in Processor’s provision of the Software or the Services concerning data protection.

6. Processor’s obligations

6.1 Processor processes Personal Data solely within the scope of this DPA and on documented Instructions of Controller, unless required to do so by European Union, member state or UK law which Processor is subject to. In such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

6.2 Taking into account the nature of the Processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, when it comes to fulfilling the rights of data subjects according to Art. 12 to 22 GDPR by Controller

6.3 Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller in its obligations under Art. 32 GDPR as well as its obligation to carry out a data protection impact assessment and prior consultation, where necessary (Art. 35, 36 GDPR). Processor shall immediately forward the required information to Controller.

6.4 Processor shall ensure that each person authorized to process Controller’s Personal Data is bound to adequate contractual or statutory confidentiality obligations, informs them of all relevant data protection obligations according to this DPA and takes steps to ensure that they process them only on Controller’s Instructions, except where they are required to process it under the law of the European Union or a member state.

7. Processor’s notification obligations

7.1 Processor shall immediately inform Controller if, in its opinion, an Instruction infringes the GDPR or other European Union, member state or UK data protection provisions. Processor is entitled to suspend the execution of such an Instruction until Controller confirms it in writing. If Controller insists on the execution of an Instruction in spite of the reservations expressed by Processor, Controller shall indemnify Processor against all damages and costs incurred by Processor in executing Controller’s Instruction. Processor will inform Controller about damages and costs claimed against him and will not acknowledge claims of third parties without the consent of Controller and will conduct the defense at the discretion of Processor in due collaboration with Controller or leave it to Controller.

7.2 Taking into account the nature of processing and the information available to Processor, Processor shall assist Controller regarding Controller’s obligations according to Art. 33 and 34 GDPR.

7.3 Controller shall pay for any non-insignificant costs incurred by making use of Processor’s obligation to support Controller according to section 7.2 as far as the obligation does not arise due to a violation of data protection law by Processor.7.2

8. Processor’s obligation to maintain professional secrecy

8.1 This section only applies if Controller is subject to Section 203 of the German Criminal Code.

8.2 Under the MSA and this DPA, Processor may process Professional Secrets. Controller shall be responsible to assess whether any data provided to Processor is deemed a Professional Secret and to notify Processor accordingly.

8.3 Processor undertakes to obtain knowledge of Professional Secrets only to the extent necessary for the performance of the obligations set out in the MSA.

8.4 Processor undertakes to maintain confidentiality about Professional Secrets, to keep Professional Secrets strictly confidential and to take adequate measures to protect Professional Secrets from unauthorized access by third parties.

8.5 Processor may disclose Professional Secrets to subcontractors to the extent necessary for the provision of subcontracted services, provided that (i) each subcontractor has been contractually prohibited in writing (digitally sufficient) from disclosing Professional Secrets to unauthorized third parties and (ii) subcontractors must obligate their subcontractors accordingly.

8.6 Processor shall ensure that all employees and other persons working for Processor who are involved in the processing of Professional Secrets, have undertaken in writing (digitally sufficient) not to disclose without any Professional Secrets of which they have become aware in the course of or on the occasion of their work to unauthorized third parties.

9. Sub-processors

9.1 By signing this DPA, Controller authorizes Processor’s use of Sub-processors listed in Schedule 1. Depending on the services outlined in the Agreement, Processor will use different Sub-processors.

9.2 Controller hereby generally authorizes Processor’s use of Sub-processors. Processor shall, prior to the use of additional Sub-processors or replacement of Sub-processors, inform Controller with written notice thereof any time during the term of the MSA (‘Sub-processor Notice’) provided that Controller signs-up to a mailing list via: subprocessors@bryter.io through which such notices will be delivered by e-mail.

9.3 Controller shall be entitled to object to any change notified by Processor within 15 business days and for materially important reasons. Where Controller does not object to such change within such period of time, Controller shall be deemed to have authorized such change. Where a materially important reason for such contradiction exists, and failing an amicable resolution of this matter by the Parties, Processor shall be entitled to, at its choice, provide the services under the MSA without the use of the respective Sub-processor or to terminate the MSA at the time of the planned use of the respective Sub-processor.

9.4 Processor shall contractually ensure that Processor’s obligations agreed on in this DPA also apply to all approved Sub-processors.

9.5 Processor shall remain liable to Controller for its Sub-processors´ obligations.

9.6 Controller agrees with execution of this DPA to the use of Amazon Web Services (AWS) EMEA SARL (“AWS”) as a Sub-processor. In the relationship between Processor and AWS the AWS GDPR Data Processing Addendum applies. The AWS GDPR Data Processing Addendum will be submitted to Controller by Processor upon Controller’s explicit request.

9.7 Controller acknowledges that the use of AWS (or a substitute Sub-processor) is crucial to the performance of the service carried out by Processor. In case that Controller withdraws its agreement regarding the use of AWS (or a substitute Sub-processor) as a Sub-processor, the Processor shall be entitled to terminate extraordinarily the MSA and this DPA as well as any other potential agreement between the Parties immediately. In case of such termination, Processor is entitled to demand the full fees payable by the Controller under the MSA or any other agreement that is terminated for the full term agreed upon between the Parties.

10. Transfer of Personal Data to third countries

Personal Data shall be generally processed in member states of the European Union, in another state that is a party to the Agreement on the European Economic Area (“EEA”) or the UK. Subject to compliance with the provisions of this DPA, Processor is also permitted to process Personal Data outside the EEA and UK or to have it processed by Sub-processors in accordance with Section 9 of this DPA, if the conditions of Articles 44 to 48 GDPR are fulfilled or an exception in accordance with Art. 49 GDPR exists.

11. Technical and organizational measures according to Art. 32 GDPR

11.1 Taking into account the state of the art, the costs of implementation and – as far as known to Processor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organizational measures to ensure a level of security for the Personal Data appropriate to the risk.

11.2 Prior to the beginning of the Processing, Processor shall implement the technical and organizational measures according to Art. 32 GDPR listed in Schedule 2 and maintain them for the duration of the MSA.

11.3 Since the technical and organizational measures are subject to technical progress, Processor is entitled and obligated to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Schedule 2. If Processor makes significant changes to the measures specified in Schedule 2, he will inform Controller of such changes in advance.

11.4 Controller is responsible to verify the technical and organizational measures taken by Processor, in particular whether these are also sufficient with regard to circumstances of Processing.

12. Obligations of Processor after termination of the MSA.

12.1 After termination of the MSA, Processor shall, at Controller´s choice, delete in accordance with data protections regulations, or return and delete existing copies of, all Personal Data, documents and Processing or usage results in connection with the Processing being in its possession, unless the laws of the European Union, of a member state or of the UK require storage of the Personal Data.

12.2 However, Processor shall be entitled to keep backup copies of such Personal Data or information for a period of 30 days, provided that the deletion of Controller’s data from such backup copies is not technically feasible with regard to Art. 32 GDPR. Notwithstanding Section 2.5, the rights and obligations of the Parties under this DPA with regard to the backup copies shall continue to apply for this period.

13. Liability

Any provisions on the Parties’ liability set out in the MSA shall also apply on the Processing under this DPA, unless expressly agreed upon otherwise.

14. Final provisions

14.1 Where the Personal Data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Processor’s control, Processor shall notify Controller of such action without undue delay. Processor shall, without undue delay, notify to all pertinent parties in such action, that any data affected thereby is in Controller’s sole property and area of responsibility, that data is at Controller’s sole disposition, and that Controller is the responsible body in the sense of the GDPR.

14.2 Section 14 (General Provisions) of the MSA shall apply accordingly to this DPA.

14.3 If this DPA contradicts other agreements concluded between the Parties, the provisions of this DPA shall take precedence. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.

Version 4.1 (February 2024)

between

Customer as defined in the MSA (hereinafter “Controller“)

and

BRYTER GmbH, Biebergasse 2, 60313 Frankfurt am Main, Germany (hereinafter „Processor“)

(together also referred to as the “Parties” and each also referred to as a “Party“)

1. Definitions

The capitalized terms used in this data processing addendum (“DPA“) shall have the meaning as set forth in the definitions set out in Appendix 1 to the MSA.

2. General provisions

2.1 Unless otherwise implied (e.g. by context of a reference, or explicitly stated), “GDPR” refers to both the EU General Data Protection Regulation as well as the UK General Data Protection Regulation.

2.2 Controller is the controller according to Article 4 no. 7 of the General Data Protection Regulation (GDPR). Processor is the processor in accordance with Article 4 no. 8 of the GDPR.

2.3 Processor processes personal data on behalf of Controller for the delivery of the BRYTER Software within the meaning of the Master Service Agreement and agreements incorporating it (jointly referred to as “MSA”) according to Art. 4 no. 2 and Art. 28 GDPR solely based on this DPA.

2.4 The subject-matter of the processing is set out in the MSA.

2.5 The beginning and the duration of the processing depends on the duration of the MSA.

3. Nature and purpose of the Processing, type of Personal Data and categories of data subjects

3.1 The scope and duration and the detailed stipulations on the type and purpose of Processing shall be governed by the MSA. Specifically, Processing shall include the following Personal Data:

Type of Personal Data	Categories of subjects affected	Purpose of Processing	Duration of Processing
IP address	· Authorized Users· End User, if a login is required	Functionality and security	90 days as of last login
First name	· Authorized Users· End User, if a login is required	Functionality and security	Until termination of MSA
Last name	· Authorized Users· End User, if a login is required	Functionality and security	Until termination of MSA
Email address	· Authorized Users· End User, if a login is required	Functionality and security	Until termination of MSA
Password	· Authorized Users· End User, if a login is required	Functionality and security	Until termination of MSA
Encrypted IP address	· Authorized Users· End User	Functionality and security	90 days as of last login