Data Protection Addendum
Last modified July 2025
This Data Processing Addendum (“DPA”) forms an integral part of the Agreement (“Agreement”) between Xyte Technologies Ltd. (“Xyte”) and the counterparty listed in the Main Agreement (“Customer”; each a “Party” and together “Parties”) and applies to the extent that Xyte processes Personal Data on behalf of the Customer, in the course of its performance of its obligations under the Agreement.
This Data Protection Addendum ("DPA") is entered into by Xyte and Customer and is an integral part of the Agreement. This DPA will be effective, and replaces any previously applicable terms relating to its subject matter, from the Terms Effective Date.
Xyte will Process Personal Data (both as defined below) for Customer, which in turn acts as a 'data processor' (as this term is defined and used in the GDPR) on behalf of its customers (the 'data controllers', as this term is defined and used in the GDPR), and for as long as Customer instructs Xyte to do so. Customer and Xyte are each responsible for complying with Data Protection Laws (defined below) as applicable to them in their roles. For clarity, this DPA shall not apply with respect to Xyte processing activity as a Data Controller as detailed in Xyte’s privacy policy available here.
The Parties shall comply with the terms and conditions of this DPA, including Annexes I–III, and Schedule A, which are attached herewith and incorporated herein by reference (“Attachments”).
1. Introduction
1.1. This DPA reflects the Parties’ agreement on the Processing of Personal Data in connection with the Data Protection Laws.
1.2. Any ambiguity in this DPA shall be resolved to permit the Parties to comply with all Data Protection Laws.
1.3. In the event and to the extent that the Data Protection Laws impose stricter obligations on the Parties than under this DPA, the Data Protection Laws shall prevail.
2. Definitions and Interpretation
2.1 In this DPA:
2.1.1. “Affiliate” means any person or entity directly or indirectly controlling, controlled by, or under common control with a Party. For the purpose of this definition, "control" (including, with correlative meanings, the terms "controlling", "controlled by" and "under common control with") means the direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
2.1.2. “Approved Jurisdiction” means a jurisdiction approved as having adequate legal protections for data by the European Commission, currently found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
2.1.3. “Data Protection Laws” means, as applicable, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data (“GDPR”), Data Protection Act of 2018 ("UK GDPR") and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. ("CCPA") and any amendments or replacements to the foregoing.
2.1.4. “Data Subject” means a natural person to whom Personal Data relates.
2.1.5. “Personal Data” means any information which could be used, either directly or by employing additional means, to identify a natural person (e.g., such as a name, location data, an online identifier or to one or more factors specific to the as defined under Data Protection Laws, and that is Processed by the Customer in the context of the performance of the Agreement.
2.1.6. “Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2.1.7. "Security Measures" mean commercially reasonable security-related policies, standards, and practices commensurate with the size and complexity of Xyte’s business, the level of sensitivity of the data collected, handled and stored, and the nature of Xyte’s business activities.
2.1.8. “Standard Contractual Clauses” means the applicable module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4th 2021.
2.1.9. "Sub-Processor(s)" means any vendor, service provider or any other third party engaged by Xyte and/or its Affiliates to Process Personal Data on behalf of Customer.
2.1.10. “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
2.1.11. “Terms Effective Date” means the effective date of the Agreement.
2.1.12. The terms “Controller”, “Process(ing)” and “Processor” as used in this DPA have the meanings given to them in Data Protection Laws. Where applicable, controller shall be deemed as a "Business" and Processor shall be deemed to be a "Service Provider", as these terms are defined in the CCPA.
2.1.13. Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
3. Application of this DPA
3.1. This DPA will only apply to the extent all of the following conditions are met:
3.1.1. Xyte Processes Personal Data that is made available by the Customer in connection with the Agreement;
3.1.2. The Data Protection Laws apply to the Processing of Personal Data.
4. Roles and Restrictions on Processing
4.1. The subject matter of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects, shall be as set out in the Agreement, and in the attached Annex I, which is incorporated herein by reference.
4.2. Customer warrants, represents and covenants to Xyte that:
4.2.1. Customer’s instructions and actions with respect to the Personal Data, including its appointment of Xyte as another Processor and concluding the Standard Contractual Clauses (where applicable).
4.2.2. The relevant Controller has complied with all its obligations under Data Protection Laws, including, the Controller has informed Data Subjects of the processing and transfer of Personal Data pursuant to the DPA and obtained the relevant consents or lawful grounds thereto.
4.2.3. It is solely responsible for determining the lawfulness of the data processing instructions it provides to Xyte and shall provide Xyte only instructions that are lawful under Data Protection Laws.
4.3. To the extent that the Personal Data is subject to the CCPA, Xyte shall not sell, retain, use or disclose the Personal Data for any purpose other than for the specific purpose of performing the services procured by Customer or outside of the direct business relationship between the Parties, including for a commercial purpose other than providing the said services, except as required under applicable laws, or as otherwise permitted under the CCPA (if applicable) or as may otherwise be permitted for service providers or under a comparable exemption from “sale” in the CCPA (as applicable), as reasonably determined by Xyte. Notwithstanding the foregoing, Xyte may use, disclose, or retain Personal Data to: (i) transfer the Personal Data to other Xyte Affiliates and Sub-processors, in order to provide the services to Customer; (ii) to comply with, or as allowed by, applicable laws; (iii) to defend legal claims or comply with a law enforcement investigation; (iv) for internal use by Xyte to build or improve the quality of its services and/or for any other purpose permitted under the CCPA; (v) to detect data security incidents, or protect against fraudulent or illegal activity; and (vi) collect and analyze anonymous information. Xyte certifies that it, and any person receiving access to Personal Data on its behalf, understand the restrictions contained herein.
4.4. If Xyte has access to or otherwise Processes Personal Data pursuant to the Agreement, then Xyte shall:
4.4.1. Only Process the Personal Data in accordance with Customer's documented instructions and on its behalf, and in accordance with the Agreement and this DPA and related Attachments, unless required otherwise under applicable laws. Xyte will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Xyte, to the extent that such is a result of Customer’s instructions.
4.4.2. Provide reasonable cooperation and assistance to Customer in relation to Xyte’s Processing of Personal Data in order to allow Customer to comply with its obligations under the Data Protection Laws.
4.4.3. Upon becoming aware of a Personal Data Breach, and in no event in more than 72 hours, Xyte will notify Customer without undue delay and will provide information relating to the Personal Data. Xyte will use reasonable endeavors to assist Customer in mitigating, where possible, the adverse effects of any Personal Data Breach.
4.4.4. Taking into account the nature of the Processing, provide reasonable assistance to Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising Data Subject's rights, at Customer’s expense.
4.4.5. Provide reasonable assistance to the Customer in ensuring Customer’s compliance with its obligation to carry out data protection impact assessments or prior consultations with data protection authorities with respect to the Processing of Personal Data, provided, however, that if such assistance entails material costs or expenses to Xyte, the Parties shall first come to agreement on Customer reimbursing Xyte for such costs and expenses.
4.4.6. If Xyte receives any requests from individuals or applicable data protection authorities relating to the Processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under applicable Data Protection Law, to the extent permitted by law, Xyte will promptly redirect the request to Customer. Xyte will not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Xyte is required to respond to such a request, Xyte will promptly notify Customer and provide Customer with a copy of the request, unless legally prohibited from doing so. The Customer is responsible for verifying that the requestor is the Data Subject whose information is being sought. Xyte bears no responsibility for information provided in good faith to Customer in reliance on this subsection.
Xyte may disclose and Process the Personal Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable laws or applicable Data Protection Laws (in such a case, Xyte shall inform the Customer of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), accountant(s), investors or potential acquirers.
5. Sub-Processing
5.1. Customer provides a general written authorization to Xyte to appoint (and permit each Sub-Processor appointed in accordance with this clause to appoint) Sub-Processors in accordance with this clause.
5.2. Xyte may continue to use Sub-Processors already engaged by Xyte as at the date of this Agreement, which are detailed in Annex III and hereby authorized.
5.3. Xyte can at any time appoint a new Sub-Processor provided that Customer is given five (5) days' prior notice and Customer does not legitimately object to such changes within 3 business days after receipt of Xyte's notice. Legitimate objections must contain reasonable and documented grounds relating to a Sub-Processor's non-compliance with Data Protection Laws. If, in Xyte’s reasonable opinion, such objections are legitimate, Xyte shall either refrain from using such Sub-Processor in the context of the Processing of Personal Data or notify Customer of its intention to continue to use the Sub-Processor. Where Xyte notifies Customer of its intention to continue to use the Sub-Processor in these circumstances, Customer may terminate the Agreement immediately and as its sole remedy by providing written notice to Xyte.
5.4. With respect to each Sub-Processor, Xyte shall ensure that the arrangement between Xyte and the Sub-Processor is governed by a written contract including terms which offer at least a substantially similar level of protection as those set out in this Agreement and meet the requirements of article 28(3) of the GDPR and/or of the CCPA (as applicable).
5.5. Xyte will be responsible for any acts or omissions by its Sub-Processors, to the same extent that Xyte is itself responsible under this DPA.
5.6. This Section 5 shall not apply to subcontractors of Xyte which provide ancillary services to support the performance of the DPA. This includes, for example, telecommunication services, maintenance and user service, cleaning staff, or auditors.
6. Transfer of Personal Data
6.1. To the extent that the GDPR and/or UK GDPR applies to the Processing of Personal Data under the Agreement, then if Xyte Processes Personal Data outside the EEA, UK or an Approved Jurisdiction, then the Parties shall be deemed to have entered Module Two of the Standard Contractual Clauses and Module Three of the Standard Contractual Clauses, as applicable, which are incorporated into this DPA by reference, and such transfer will rely on the Standard Contractual Clauses, including the amendments as set out in Schedule A and Annexes I-III below, which are incorporated in the Standard Contractual Clauses by reference.
6.2. For the purpose of the Standard Contractual Clauses, Xyte shall be deemed as the Data Importer and Customer shall be deemed as the Data Exporter.
7. Security Standards
7.1. Xyte shall implement Security Measures (i) to protect the availability, confidentiality, and integrity of any Personal Data collected, accessed or Processed by Xyte in connection with this Agreement, and (ii) to protect such data from Personal Data Breach. Such Security Measures include, without limitation, the security measures set out in Annex II.
7.2. The Security Measures are subject to technical progress and development and Xyte may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services procured by Customer.
7.3. Xyte shall take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who has access to and Processes Personal Data. Xyte shall ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
8. Audit
8.1. Xyte shall, upon reasonable and written notice and subject to obligations of confidentiality, no more than once a year and in normal business hours, allow its data Processing procedures and documentation to be inspected by Customer (or its third party auditors, which shall not be Xyte’s competitor), at Customer's costs and expenses, in order to ascertain compliance with this DPA; Xyte shall cooperate in good faith with such audit requests by providing access to relevant knowledgeable personnel and documentation. Notwithstanding anything to the contrary, nothing in this DPA will require Xyte either to disclose to Customer (and/or its authorized auditors), or provide access to: (i) any data of any other customer of Xyte; (ii) Xyte’s internal accounting or financial information; (iii) any trade secret of Xyte; or (iv) any information that, in Xyte’s sole reasonable discretion, could compromise the security of any of Xyte’s systems or premises or cause Xyte to breach obligations under any applicable law or its obligations to any third party.
9. Data Retention and Destruction
9.1. Xyte will retain Personal Data for the duration of the Agreement or as required to perform its obligations under the Agreement, or as otherwise required to do so under applicable laws or regulations. Following expiration or termination of the Agreement, and upon Customer’s written request, Xyte will delete or return to Customer all Personal Data in its possession, except to the extent Xyte is required under applicable laws to retain the Personal Data. If the Customer requests the Personal Data to be returned, the Personal Data shall be returned in the format generally available for Xyte’s Customers.
9.2. Notwithstanding the foregoing, Xyte shall be entitled to retain Personal Data to the extent required or allowed by applicable law, Xyte may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and.
10. Indemnification
10.1. Customer will indemnify, defend and hold Xyte, its Affiliates and subsidiaries (including without limitation their directors, officers, agents, subcontractors and/or employees) harmless from any and all liabilities, costs, charges, fines, penalties, damages, expenses and losses incurred as a result of Customer’s breach of any of the provisions of this DPA. Indemnification hereunder is contingent upon (a) Xyte promptly notifying Customer of a claim, (b) Customer having sole control of the defense and settlement of any such claim, and (c) Xyte providing reasonable cooperation and assistance to Customer in defense of such claim.
11. General
11.1. If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement then the terms of this DPA will govern. Subject to the amendments in this DPA, the Agreement remains in full force and effect.
11.2. Any claims brought under this DPA will be subject to the terms and conditions of the Agreement, including the exclusions and limitations set forth in the Agreement.
11.3. Notwithstanding anything to the contrary in the Agreement and/or in any agreement between the parties and to the maximum extent permitted by law: (A) Xyte’s (including Xyte’s Affiliates’) entire, total and aggregate liability, related to personal data or information, privacy, or for breach of, this DPA and/or Data Protection Laws, including, without limitation, if any, any indemnification obligation or applicable law regarding data protection or privacy, shall be limited to the amounts paid to Xyte under the Agreement within twelve (12) months preceding the event that gave rise to the claim. This limitation of liability is cumulative and not per incident; (B) In no event will Xyte and/or Xyte Affiliates and/or their third-party providers, be liable under, or otherwise in connection with this DPA for: (i) any indirect, exemplary, special, consequential, incidental or punitive damages; (ii) any loss of profits, business, or anticipated savings; (iii) any loss of, or damage to data, reputation, revenue or goodwill; and/or (iv) the cost of procuring any substitute goods or services; and (C) the foregoing exclusions and limitations on liability set forth in this Section shall apply: (i) even if Xyte, Xyte Affiliates or third-party providers, have been advised, or should have been aware, of the possibility of losses or damages; (ii) even if any remedy in this DPA fails of its essential purpose; and (iii) regardless of the form, theory or basis of liability (such as, but not limited to, breach of contract or tort).
11.4. Xyte may change this DPA if the change is required to comply with Data Protection Law, a court order or guidance issued by a governmental regulator or agency, provided that such change does not: (i) seek to alter the categorization of Xyte as a Sub-Processor; (ii) expand the scope of, or remove any restrictions on, either Party’s rights to use or otherwise Process Personal Data; or (iii) have a material adverse impact on Customer, as reasonably determined by Xyte. If Xyte intends to change this DPA under this section, and such change will have a material adverse impact on Customer, Xyte will use commercially reasonable efforts to inform Customer at least 10 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect.
11.5. If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA automatically, and each Party will promptly begin complying with such Data Protection Laws in respect of its respective Processing activities.
12. Termination. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. Sections 4.2, 9, 10 and 11 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
Schedule A – Standard Contractual Clauses Stipulations
1. Xyte acts as a Sub-Processor of Customer, which in turn operates as a processor for its customers. Accordingly, the Parties shall be deemed to enter into the Processor to Processor Standard Contractual Clauses (Module Three).
2. This Schedule A sets out the Parties' agreed interpretation of their respective obligations under Module Three of the Standard Contractual Clauses.
3. The Parties agree that for the purpose of transfer of Personal Data between Xyte (Data Importer) and the Customer (Data Exporter), the following shall apply:
3.1. Clause 7 of the Standard Contractual Clauses shall not be applicable.
3.2. In Clause 9, option 2 shall apply. The Data Importer shall inform the Data Exporter of any intended changes to the list of Sub-Processors at least five (5) days prior to the engagement of the Sub-Processor. Annex III shall be updated accordingly.
3.3. In Clause 11, Data Subjects shall not be able to lodge a complaint with an independent dispute resolution body.
3.4. In Clause 13, the relevant option is the one informed by the Customer to Xyte.
3.5. In Clause 17, option 1 shall apply. The Parties agree that the clauses shall be governed by the law of the Republic of Ireland.
3.6. In Clause 18(b) the Parties choose the courts of Dublin, Ireland as their choice of forum and jurisdiction.
4. The Parties shall complete Annexes I–III below, which are incorporated in the Standard Contractual Clauses by reference.
Annex I – Description of Processing Activities
A. Identification of Parties
"Data Exporter": Customer;
"Data Importer": Xyte.
B. Description of Transfer
Data Subjects
The Personal Data transferred concern the following categories of Data Subjects:
☒ End-users
Categories of Personal Data
The Personal Data transferred concern the following categories of data:
☒ Contact information (name, address, email address etc.)
☒ Device identifiers and internet or electronic network activity (IP addresses)
For the avoidance of doubt, the information subject to Xyte’s privacy policy (e.g., log-in details) available here: https://www.xyte.io/privacy-policy shall not be subject to the terms of this DPA.
Special Categories of Data (if appropriate)
The Personal Data transferred concern the following special categories of data (please specify):
☒ None
The frequency of the transfer
The frequency of the transfer:
☒ Continuous
Nature of the Processing
☒ Collection
☒ Recording
☒ Storage
☒ Analysis
☒ Erasure or destruction
Purpose of the transfer and further Processing
As defined in the Agreement.
Retention period
Personal Data will be retained for the term of the Agreement.
Supervisory Authority
The competent supervisory authority shall be set in accordance with the provisions of Clause 13 of the Standard Contractual Clauses.
Annex II – Technical and Organizational Measures to Ensure the Security of the Data
This Annex forms part of the DPA and describes the technical and organizational security measures implemented by Xyte.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Xyte shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
1. the pseudonymisation and encryption of personal data;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
More specifically, Xyte's security controls shall include:
1. In transit and at rest data encryption.
2. Physical security to offices and servers.
3. MFA and access control for its employees.
4. Continuous review of access logs and security credentials.
5. Continuous patches and security updates to software.
6. External pen-tests to search for vulnerabilities.
7. Automated code and external open-source package analysis.
Annex III – List of Sub-Processors
Below is the list of the Data Importer's Sub-Processors:
# | Subprocessor | Description | Country in which Processing Takes Place |
---|---|---|---|
1 | AWS | Infrastructure hosting | The United States and Europe |
2 | Heroku | Infrastructure hosting | The United States and Europe |
3 | Courier | Multi-channel notification delivery and orchestration | The United States and Europe |
4 | SendGrid | Transactional and marketing email delivery | The United States and Europe |
5 | Pendo | Analytics, user behavior tracking | The United States and Europe |
6 | Stripe | Credit card processing | The United States and Europe |
7 | Avalara | Tax calculations | The United States and Europe |
8 | Xyte Technologies Inc / Xyte Technologies Ltd, as applicable | Provision of the services | Israel and the United States |
9 | HubSpot | Sales and Marketing | The United States and Europe |
10 | ScoutAPM | Infrastructure, internal monitoring | The United States |
11 | Coralogix | Infrastructure, internal monitoring | The United States and Europe |
12 | Sentry.io | Infrastructure, internal monitoring | The United States and Europe |