Data Protection Addendum
Last updated: March 28, 2026
This Data Protection Addendum ("DPA") forms part of Umwelt Peopletech Solutions Inc's and/or Umwelt Peopletech Solutions Private Limited's ("Company") Master Service Agreement and/or the Service Order including its appendices (as the case may be), as executed between the Company and its Customer ("Customer"), and is subject to the terms and conditions of the Master Service Agreement.
Terms not defined herein shall have the meaning set forth in the Master Service Agreement. In the event of a conflict between the Master Service Agreement and this DPA, with respect to Data Protection, this DPA shall prevail.
Customer and Company are hereinafter jointly referred to as "Parties" and individually as a "Party".
This DPA to the Master Service Agreement including its appendices will, as from the amendment Effective Date (as defined above), be effective and replace any previously applicable data privacy provisions or any terms previously applicable to privacy, data processing and/or data security.
Except as modified below, the terms of the Master Service Agreement shall remain in full force and effect.
1. Introduction
This DPA reflects the parties' agreement with respect to the terms governing the processing and security of Customer Personal Data under the applicable Master Agreement. The purpose of this DPA is to ensure the protection and security of Personal Data where Company on behalf of Customer is processing Personal Data for which Customer is controller in accordance with applicable Data Protection laws.
NOTE: The Parties agree that Personal Data under this DPA shall only refer to such data where Customer shall be considered as controller of data as defined hereinabove under Applicable Data Protection Laws.
2. Definitions
- "Addendum Effective Date" means the date on which Customer clicked to accept or the parties otherwise agreed to this Data Protection Addendum in respect of the applicable Agreement.
- "Customer Data" means data submitted, stored, sent or received via for the provision of Services by Customer, its Affiliates.
- "Customer Personal Data" means personal data contained within the Customer Data and as otherwise defined in GDPR.
- "Data Incident" means a breach of Processor's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Processor.
- "Data Incidents" will not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- "DPA" means this Data Protection Agreement.
- "EEA" means the European Economic Area.
- "Agreement" shall mean the Master Service Agreement, the Service Orders (and any addendum or renewal thereof) entered into between the Parties regarding the services.
- "Applicable Data Protection Laws" shall mean any applicable law relating to data protection and security, including without limitation Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, The Personal Data Protection Bill, 2019 as may be enacted into law, General Data Protection Regulation (GDPR) 2016/679 as may be applicable and any amendments, replacements or renewals thereof.
- "International Data Transfer" shall mean transfer of Personal Data to recipients outside an EU Member State or EEA Country ("third country") as provided for under applicable Data Protection laws.
- "Personal Data" shall mean any information relating to an identified or identifiable natural person.
- "Process" means any operation, or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, access, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
- "Sub-processors" means third parties authorized under this DPA to have logical access to and process Customer Data in order to provide parts of the Services and related technical support.
- "Term" means the period from the Addendum Effective Date until the end of Company's provision of the Services under the applicable Agreement.
2.1 The terms "personal data", "data subject", "processing", "controller", "processor" and "supervisory authority" as used in this DPA have the meanings given in the GDPR, and the terms "data importer" and "data exporter" have the meanings given in the Model Contract Clauses, in each case irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies.
3. Duration of DPA
This DPA will take effect on the Effective Date and, notwithstanding the expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Customer Data by Company as described in this DPA or as otherwise agreed between the parties.
4. Scope of Data Protection Legislation
4.1 Application of European Data Protection Laws
The parties acknowledge and agree that, in respect of the Services provided by the Company under the Master Agreement, the European Union Data Protection Legislation will apply to the processing of Customer Personal Data if:
- the processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA; and/or
- the Customer Personal Data is personal data relating to data subjects who are in the EEA and the processing relates to the offering to them of goods or services in the EEA or the monitoring of their behaviour in the EEA.
4.2 Application of Non-European Data Protection
The parties acknowledge that, while Non-European Data Protection Legislation may also apply to the processing of Customer Personal Data, the parties agree to comply with their respective obligations under the GDPR.
4.3 Application of this DPA
Except to the extent this DPA states otherwise or as required by law, the terms of this DPA will apply irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies to the processing of Customer Personal Data.
5. Processing of Data
5.1 Roles and Regulatory Compliance; Authorization
The parties acknowledge and agree that, with regard to the Processing of Personal Data in respect of the Services under the Agreement, the Customer is the Controller and Company is the Processor.
5.1.2 Controller and Processor Responsibilities
In the event the European Data Protection Legislation applies to the processing of Customer Personal Data, the parties acknowledge and agree that:
- the subject matter and details of the processing are described in Annexure 1 to this DPA;
- each party will comply with the obligations applicable to it under the European Data Protection Legislation with respect to the processing of that Customer Personal Data.
5.1.3 Customer Representation
Customer represents and warrants that, with regard to the Personal Data in its original possession, it is responsible for ensuring that it collected the Personal Data lawfully and in accordance with the requirements of the Data Protection laws.
5.1.4 Customer's Processing of Personal Data
Company shall, in its use of the Services, Process Personal Data in accordance with, and to the extent required by, the requirements of European Data Protection Legislation. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
5.2 Scope of Processing
5.2.1 Customer's Instructions
By entering into this DPA, Customer instructs the Company to process Customer Personal Data only in accordance with the European Data Protection Legislation:
- to provide the Services;
- as further specified via Customer's use of the Services;
- as documented in the form of the applicable Master Agreement, including this DPA; and
- as further documented in any written instructions given by Customer and acknowledged by Company as constituting instructions for purposes of this DPA.
5.2.2 Company's Compliance with Instructions
Company will comply with the Customer's Instructions (including with regard to data transfers). The Parties hereto understand and agree that the Software and the services provided herein do not fall in the category of "automated decisions".
6. Data Deletion
6.1 Deletion During Term
Company will enable Customer (by way of informing the Company) to delete Customer Personal Data during the applicable Term in a manner consistent with the functionality of the Services. Company will comply with deletion instructions as soon as reasonably practicable and within a maximum period of 180 days.
6.2 Deletion on Term Expiry
On expiry of the applicable Term, Customer instructs Company to delete all Customer Personal Data (including existing copies) from Company's systems in accordance with European Data Protection Legislation. Company will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days.
6.3 Deferred Deletion Instruction
To the extent any Customer Personal Data covered by the deletion instruction described in Section 6.2 is also processed when the applicable Term expires in relation to an Agreement with an extended term, such deletion instruction will only take effect with respect to such Customer Personal Data when the extended term expires.
7. Data Security
7.1 Company's Security Measures, Controls and Assistance
Company will implement and maintain adequate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as required by the European Data Protection Legislation. The Security Measures include measures to:
- protect and encrypt personal data
- ensure ongoing confidentiality, integrity and availability of systems and services
- restore timely access to personal data following an incident
- regularly test effectiveness
7.1.2 Security Compliance by Company Personnel
Company will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Sub-processors. All persons authorized to process Customer Personal Data have committed themselves to confidentiality.
7.2 Data Security Incidents
If Company becomes aware of a Data Incident, Company will:
- notify Customer of the Data Incident promptly and without undue delay; and
- promptly take reasonable steps to minimize harm and secure Customer Data.
7.4 Security Certifications and Reports
Company will update the ISO/IEC 27001:2022 Report at least once every 18 months to evaluate and help ensure the continued effectiveness of the Security Measures.
8. Impact Assessments and Consultations
Customer agrees that Company will assist Customer in ensuring compliance with any obligations in respect of data protection impact assessments and prior consultation, including if applicable Customer's obligations pursuant to Articles 35 and 36 of the GDPR.
9. Data Subject Rights; Data Export
9.1 Access; Rectification; Restricted Processing; Portability
During the applicable Term, the Company will enable Customer to access, rectify and restrict processing of Customer Data, and to export Customer Data.
9.2 Data Subject Requests
If Company receives any request from a data subject in relation to Customer Personal Data, Company will advise the data subject to submit the request to Customer. Customer will be responsible for responding to any such request.
10. Data Transfers
10.1 Data Storage and Processing Facilities
Customer agrees that Company may store and process Customer Data in countries in which Company or any of its Sub-processors maintains facilities. The Company maintains its servers on AWS in Virginia, United States of America or Mumbai, India.
10.2 Transfers of Data Out of the EEA
If the storage and/or processing of Customer Personal Data involves transfers outside of the EEA and the European Data Protection Legislation applies, Company will, if requested, ensure that Company as the data importer enters into Model Contract Clauses with Customer as the data exporter.
11. Sub-processors
11.1 Consent to Sub-Processor Engagement
Customer specifically authorizes the engagement of Company's Affiliates as Sub-processors. In addition, Customer generally authorizes the engagement of any other third parties as Sub-processors.
11.3 Requirements for Sub-Processor Engagement
When engaging any Sub-processor, Company will ensure via a written contract that:
- the Sub-processor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it;
- if the GDPR applies, the data protection obligations set out in Article 28(3) of the GDPR are imposed on the Sub-processor.
12. Tracking Technologies
Company acknowledges that in connection with the performance of the Services, Company employs the use of cookies, unique identifiers, web beacons and similar tracking technologies. Company shall maintain appropriate notice, consent, opt-in and opt-out mechanisms as are required by applicable Data Protection Laws.
13. General Terms
13.1 Governing Law and Jurisdiction
The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Master Agreement with respect to any disputes or claims howsoever arising under this DPA. This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated in the Master Service Agreement.
13.2 Changes in Data Protection Laws
Company may propose any other variations to this DPA which Company reasonably considers to be necessary to address the requirements of any change in the Data Protection Law.
Annex 1 – Description of Processing Activities
Data Exporter
- Name: Customer (as defined in the Agreement)
- Role: Controller
- Activities: Recipient of the Services provided by Company
Data Importer
- Name: Umwelt Peopletech Solutions Inc.
- Contact: Himanshu Sindwani, Senior Product Developer, himanshu.s@umwelt.ai
- Role: Processor
Processing Information
- Categories of data subjects: Customer's authorized users of the Services (Employees)
- Categories of personal data: Employee information such as telephone numbers, email address, gender, age
- Sensitive personal data: None
- Frequency of transfer: Continuous
Annex 2 – Company's Sub-processors
| Name of Sub-processor | Description of Processing | Location |
|---|---|---|
| Amazon Web Services | Running the Production environment including the Application and Databases | India |
| Google Workspace | Email services | India |
| SendGrid | Email services | USA |
| MongoDB Atlas | Running the Databases on AWS with Encryption at Rest | India |
| Walkover Technologies (MSG91) | SMS Services | India |
Contact Information
For questions regarding this DPA or data protection matters, please contact:
Data Protection Contact:
Email: himanshu.s@umwelt.ai
