DATA PROCESSING AGREEMENT

THIS DATA PROCESSING AGREEMENT (“AGREEMENT”) IS APPLICABLE TO YOU, THE “CONTROLLER” IF YOU HAVE ACCEPTED THE SOFTWARE LICENSE AGREEMENT WITH US, THE “PROCESSOR”. PLEASE READ THESE TERMS CAREFULLY AS THEY GOVERN THE MANNER IN WHICH THE CONTROLLER DATA IS PROCESSED. BY ACCESSING THE SOFTWARE, YOU ACCEPT THE TERMS AND CONDITIONS OF THIS AGREEMENT AND SHALL BE BOUND BY THE SAME. SINCE YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A LEGAL ENTITY,YOU REPRESENT AND WARRANT THAT YOU HAVE THE NECESSARY AUTHORITY, REQUISITE APPROVALS AND PERMISSIONS TO SUBMIT THE ORDER FORM AND LEGALLY BIND SUCH CUSTOMER TO THIS AGREEMENT.

I. DEFINITIONS:

In this Agreement, unless otherwise stated or unless the contextotherwise requires, each capitalised term will have the meaning setout below. Terms used but not otherwise defined in this clause havethe meanings given in the Data Protection Legislation.

”Controller Data” shall mean the Personal Data (as defined under the Article 4(1) of the General Data Protection Regulation) processed under this Agreement together with any additional Personal Data to which the Processor may have access from time to time in performing the Services.

”Data Protection Legislation” shall mean all applicable laws relating to data protection and privacy including(without limitation) the EU Data Protection Directive (95/46/EC) as implemented ineach jurisdiction, the EU General DataProtection Regulation (2016/679), the EUPrivacy and Electronic Communications Directive 2002/58/EC as implemented in each jurisdiction, the California Consumer Privacy Act, and any amending or replacement or equivalent legislation from time to time and all legislation protecting the fundamental rights and freedom of persons and their rights to privacy and security of information applicable to the processing of data;

“Process” means any operation or set of operations which is performed on data or set of data, whether or not by automated means, such as collecting, gathering, obtaining,receiving, accessing, recording, organizing,structuring, storing, adapting or altering,retrieving, consulting, aligning or combining,restricting, erasing, destroying, using,disclosing by transmission, dissemination,or otherwise making available.

”Services” shall mean the use of software as laid downin the Software License Agreement;

“Software License Agreement” shall mean the Software License Agreement between the Parties pursuant to which the Services are being provided by the Processor to the Controller

”Standard Contractual Clauses” shall mean the contractual clauses set out in the European Commission’s Decision of 5th February 2010 on standard contractual clauses for the transfer of Personal Data to Processors established in third countries, under the Data Protection Legislation, as may be amended by the European Commission from time to time; and

”Supervisory Authority” shall mean the relevant supervisory authority with responsibility for privacy or data protection matters in the jurisdiction of the Controller.

II. APPOINTMENT:

1.  The Processor is appointed by the Controller to transfer, store or Process such Controller Data as may be required by the Processor to provide the Services, and as may be subsequently agreed between the Parties, in accordance with the terms laid out herein.

2.  If the California Consumer Protection Act or CCPA is applicable, the Processor is prohibited from selling Controller Data or from Processing Controller Data for any purpose other than for provision of Services, unless mandated by applicable law. The Processor shall not discriminate against the Controller, its customers or employees for exercising any of its rights under the CCPA.

3.  The Controller shall comply with its obligations as Controller under Data Protection Legislation and shall obtain all necessary approvals, permits, licenses from competent authorities in respect of having Controller Data processed by the Processor.

III. DURATION:

This Agreement shall commence on the Commencement Date and shall remain in full force and effect until the Software License Agreement is valid and effective. Following the Commencement Date, the provisions of this Agreement shall apply to the processing of any Controller Data received prior to the Commencement Date but not already processed.

IV. SUB-PROCESSORS:

To the extent necessary to fulfil the Services, the Controller hereby authorizes the engagement of other processors (“Sub-processor”) to process Controller Data. The Processor shall notify the Controller before transferring any Controller Data to the Sub-processor and the Controller shall at its discretion object to the transfer within fifteen (15) days of receiving the notification. The Processor shall not appoint any Sub-processor unless required to render the Services or authorised/consented to by the Controller. For the sake of clarity, the Controller authorizes and consents to the engagement of third parties as sub-processors in accordance with this provision.

V. DATA PROTECTION:

1.  Each Party shall comply with its obligations under the Data Protection Legislation in respect of any Personal Data it processes under or in relation to this Agreement or the Software License Agreement.

2.  The Processor shall process the Controller Data in the parameters set out in Schedule 1.

3.  The Processor warrants and undertakes that while processing the Controller Data, the Processor shall at all times:

   • implement commercially reasonable technical and organisational measures to protect any Controller Data processed by it to ensure a level of security appropriate to the risk, including as appropriate, the measures referred to in Article 32(1) of the GDPR.
   • inform the Controller promptly, and in any event within two (2) business days, of any enquiry or complaint received from a data subject or Supervisory Authority relating to the Controller Data;
   • at the request and option of the Controller or upon termination of the Software License Agreement (whichever is earlier) or any cessation of Services, promptly and as specified by the Controller return or delete all Controller Data in the possession or control of the Processor.

VI. SECURITY BREACHES:

1.  The Processor shall, as soon as practically possible, notify to the Controller by E-mail at [email protected], of any actual or suspected accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to, Controller Data (“Security Breach”). The Processor shall endeavour to provide the Controller of any such information that the Controller may reasonably request pertaining to the Security Breach.

2.  The Processor shall immediately take necessary and commercially reasonable actions, either requested by the Controller or on its volition, to investigate the Security Breach and to identify and endeavour to prevent or mitigate the effects of such Security Breach and carry out any recovery or other necessary action it deems reasonably fit to remedy the Security Breach.

VII. DATA TRANSFERS:

1.  To the extent that the Services involve a transfer of Personal Data originating from the EEA, the Controller authorizes the Processor to transfer the Controller Data across international borders in the event that such transfer is necessary and required for the provision of Services.

2.  The Controller hereby consents to Controller Data being processed outside the EEA, subject to the Processor’s continued compliance with this Clause VI throughout the duration of this Agreement.

3.  To the extent that any Controller Data is processed outside the European Economic Area, the terms of the transfer shall be governed by the Standard Contractual Clauses for the transfer of personal data to processors which are hereby incorporated into this Agreement by reference.

4.  In the event that the transfer of Controller Data becomes unlawful, the Controller shall terminate the Agreement and be liable to pay any fees that are accrued or owed to the Processor as of the Effective Date of such termination under this Clause at no additional cost to the Controller, provided however, that in the event the Processor adopts or implements an alternative lawful transfer mechanism, the Controller shall not be liable or entitled to terminate this Agreement.

VIII. DATA HANDLING:

1.  The Processor shall ensure that no Controller Data will be transferred or copied onto unencrypted portable devices, such as USB sticks or flash drives. Appropriate measures must be in place to secure portable devices against loss or theft.

2.  Where Controller requests the Processor to delete Controller Data, deletion means physical or logical deletion, ensuring that the data cannot be restored. Deletion of Controller Data must extend to all copies held by the Processor, including backups. Logical deletion methods will be considered appropriate if they are multi-pass overwrite methods. The Processor will provide written confirmation that deletion has been completed, including the physical deletion and method used. However, in the event that CCPA is applicable, the Processor is not required to delete the Controller Data, in the event that the Controller Data is necessary to (a) complete a transaction, provide a service or perform a contract between the Processor and the customer of the Controller; (b) detect Security Breaches; (c) identify and repair system errors; (d) exercise free speech; (e) comply with a legal obligation or any legislation (f) engage in research for public interest; and/or (g) use the Controller Data in a lawful manner consistent with the context in which it was provided.

IX. AUDIT:

The Processor will allow and shall cooperate with the Controller during the audit of the Processing of the Controller Data, on request, at no additional charge. Audits will be conducted by the Controller and/or a representative of the Controller, at the cost of the Controller after providing a prior notice of at least forty eight (48) hours. Audits will be conducted on the Processor’s premises or online via a remote access to the Processor’s system. The Controller hereby agrees that in exercising its audit rights under this clause, it shall ensure no harm is caused to the Processor’s systems and the scope of such audit shall extend only to matters concerning Processor’s compliance with this Agreement

X. FURTHER ASSURANCES:

The parties shall, and shall ensure that their agents, employees and subcontractors shall, do all things reasonably necessary, including executing any additional documents and instruments, to give full effect to the terms of this Agreement and to otherwise fulfil the provisions of this Agreement in accordance with its terms

XI. CONFIDENTIALITY:

Each party shall, keep this Agreement and information it receives about the other party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior consent of the other party except to the except to the extent that such disclosure is required by law or the relevant information is already in the public domain.

XII. COUNTERPARTS:

This Agreement may be executed in counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.

XIII. JURISDICTION:

This Agreement and any dispute arising out of or in relation to it (whether contractual or non-contractual) shall be governed by and construed in accordance with the table below:

Customer Domicile:	Relevant Atlan Entity:	Governing Law	Courts with exclusive jurisdiction:
India	Atlan Technologies Pvt. Ltd.	India	New Delhi, India
United States of America	Atlan Inc.	Delaware, U.S.A.	Dover, Delaware
Rest of the World	Atlan Pte Ltd.	Singapore	Singapore

XIV. ENTIRE AGREEMENT:

This Agreement constitutes the entire agreement between the parties pertaining to the subject matter hereof and supersedes all prior agreements, understandings, negotiations and discussions of the parties in relation to the subject matter.

XV. SEVERABILITY:

The provisions of this Agreement are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this Agreement shall remain in full force and effect.

SCHEDULE 1 – Controller Data

Subject matter of processing	Subject to License Agreement
Duration of processing
Nature and purpose of processing
Data categories
Categories of data subjects