DATA PROCESSING AGREEMENT

Last updated: April 01, 2024

Version No. 1.0

APEX SYNERGIES DMCC, registered and acting in accordance with the applicable legislation of the United Arab Emirates, with its principal place of business at Unit No: RET-R5-074 Retail R5 - Jumeirah Lake Towers - Dubai - United Arab Emirates (“Apex” or “Licensor”), enters into this Data Processing Agreement with its counterparties that have entered into a License Agreement and/or accepted the Terms and Conditions (the “Main Agreement”) for the provision of Apex’s services (collectively, the “Services”) to the Client(s) and the Merchant(s) (collectively, the “Customer(s)”) as defined in the Main Agreement. This Data Processing Agreement, including its Annexes (the “DPA”), forms part of the Main Agreement. Each of Apex and the Customers may be referred to herein as a “Party” and together as the “Parties”. Apex has the right to change the DPA for Apex’s Services at any time without prior notice to the Customer(s) by posting the new edition of the DPA on the website. By using the Services, the Customer(s) are bound by the current version of the DPA. Apex makes no warranties, whether express or implied, and disclaims all other warranties. Furthermore, Apex does not make any representations concerning the accuracy or reliability of the use of the materials on its Services or otherwise relating to such materials or any sites linked to these Services. Capitalized terms not defined herein shall have the meaning given to them in the Main Agreement.

RECITALS:

(A) In connection with the Services, the Parties anticipate that Apex may process certain Personal Data outside of the EEA, in respect of which Apex may at the same time be a Controller under applicable EU Data Protection Laws or UK Data Protection Laws.

(B) The Parties have agreed to enter into this DPA in order to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data as required by EU Data Protection Laws, UK Data Protection Laws and other applicable data protection laws, to the extent applicable.

1. Definitions

1.1 In this DPA, the following terms shall have the meanings set out below, and cognate terms shall be construed accordingly:

(a) “Adequate Country” means a country or territory recognised as providing an adequate level of protection for Personal Data under an adequacy decision made, from time to time, by (as applicable) (i) the Information Commissioner’s Office and/or under applicable UK law (including the UK GDPR), or (ii) the European Commission under the EU GDPR;

(b) “Affiliate” means, with respect to a Party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such Party (but only for so long as such Control exists);

(c) “Customer(s)” means an individual or combined reference to the Merchant and the Client of the Platform or Platform Services;

(d) “Data Protection Laws” means:

(i) all laws and regulations of the European Union, the European Economic Area, and their member states applicable to the processing of Personal Data under the Main Agreement, including (where applicable) the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data) (“EU GDPR”); or

(ii) all laws and regulations of the UK applicable to the processing of Personal Data under the Main Agreement, including the UK General Data Protection Regulation 2016/679, as implemented by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020, and the Data Protection Act 2018 (together, the “UK GDPR”);

(e) “Data Subject Request” means a request from or on behalf of a data subject to exercise any rights in relation to his/her Personal Data under Data Protection Laws;

(f) “EEA” means the European Economic Area;

(g) “EU Clauses” means the standard contractual clauses for international transfers of Personal Data to third countries set out in the European Commission's Decision 2021/914 of 4 June 2021 (at http://data.europa.eu/eli/dec_impl/2021/914/oj) incorporating Module Two for Controller to Processor transfers and which form part of this DPA in accordance with Schedule 2;

(h) “Apex Group” means Apex and any of its Affiliates;

(i) “Personal Data” means personal data or personal information of the Customer(s) and its Affiliates processed by Apex on behalf of the Customer(s) under this DPA and as defined in the Data Protection Laws. In accordance with Section 2.1 of this DPA, this may include the Personal Data of the Customer(s) and its Affiliates;

(j) “Privacy Shield” means the EU-U.S. and Swiss-U.S. Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to its Decision of July 12, 2016, and by the Swiss Federal Council on January 11, 2017, respectively; as may be amended, superseded, or replaced.

(k) “Processing” shall mean any operation or set of operations that are performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

(l) “Restricted Transfer” means (i) a transfer of Personal Data from the Customer(s) or its Affiliates to Apex; or (ii) an onward transfer of Personal Data from Apex to a sub-processor of Apex, in each case where and to the extent the Party receiving the transferred Personal Data is outside the EEA and such transfer would be prohibited under the EU GDPR or the UK GDPR in the absence of a transfer mechanism;

(m) “Security Breach” means any breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data by any of Apex’s staff or sub-processors or any other identified or unidentified third-party;

(n) “Swiss DPA” means the Swiss Federal Data Protection Act of 19 June 1992 and its implementing ordinance;

(o) “Supervisory Authority” means, in the UK, the Information Commissioner’s Office (“ICO”) (and, where applicable, the Secretary of State or the government), and, in the EU, an independent public authority established pursuant to the EU GDPR;

(p) “UK” means the United Kingdom;

(q) “UK Approved Addendum” means the International Data Transfer Addendum issued by the U.K. Information Commissioner under section 119A(1) of the Data Protection Act 2018; and

(r) “UK Mandatory Clauses” means the Mandatory Clauses of the UK Approved Addendum, as updated from time to time and/or replaced by any final version published by the Information Commissioner's Office.

1.2 An entity “Controls” another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or pursuant to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it pursuant to its constitutional documents or pursuant to a contract; and two entities are treated as being in “Common Control” if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.

1.3 The terms "Controller", "Data Subject", "Processor", and “sub-processor” have the meanings ascribed to them in the Data Protection Laws.

1.4 Any defined terms which are not defined in this DPA are as defined in the Main Agreement.

2. Roles and Compliance with Data Protection Laws

2.1 Apex is the Controller of Personal Data, and, at the same time, Apex is the Processor of Personal Data. Each Party will comply (and will procure that any of its personnel comply and use commercially reasonable efforts to procure that its sub-processors comply) with Data Protection Laws applicable to such Party in the processing of Personal Data. As between the Parties, the Customer(s) shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Personal Data was acquired.

2.2 This DPA is without prejudice to the rights and obligations of the Parties under the Main Agreement, which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Main Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.

3. Description of Processing

3.1 The subject matter, nature and purposes of the processing, duration, types of Personal Data and categories of Data Subject are as set out in ANNEX I to Schedule 2.

3.2 As a Processor, Apex will only process Personal Data in order to provide the Services to the Customers as agreed in the Main Agreement, the Terms and Conditions or the Commercial Sales Terms. Apex will: (i) notify the Customers (unless prohibited by applicable law) if it is required under applicable law to process Personal Data other than pursuant to the Customers’ instructions; (ii) as soon as reasonably practicable upon becoming aware, inform the Customers if, in Apex’s opinion, any instructions provided by the Customers infringe applicable Data Protection Laws; and (iii) upon termination of the Main Agreement and upon written request of the Customers, return or delete the Personal Data, unless Apex is required by law to continue to store a copy of the Personal Data.

4. Technical and Organizational Security Measures

4.1 Apex is responsible for implementing and maintaining commercially reasonable and appropriate technical, physical, and organizational safeguards to protect the confidentiality, availability, and integrity of Personal Data that is maintained and accessed by Apex for the Customers using Apex’s Services pursuant to the Main Agreement. Apex’s security measures for protecting such Personal Data while it is in Apex’s possession, custody, or control shall include, as appropriate, the measures described in ANNEX II to Schedule 2 of this DPA. Apex may modify or update these measures at its discretion, provided that such modification or update does not result in a degradation of its protection of such Personal Data.

4.2 Apex will take reasonable steps to ensure that only authorised personnel have access to Personal Data and that any persons whom it authorizes to access the Personal Data are under confidentiality obligations.

5. Sub-processing and Audits

5.1 The Customers acknowledge that Apex has the right to appoint sub-processors (and to permit each sub-processor to appoint additional sub-processors) in accordance with this Section, as set out in Apex’s list of sub-processors (the “Sub-Processor List”). The Sub-Processor List may be updated from time to time and shall include the name and location of each current sub-processor and a brief description of the processing undertaken by them.

5.2 Apex will enter into a written contract with each sub-processor which imposes on such sub-processor terms no less protective of Personal Data than those imposed on Apex in this DPA (the “Relevant Terms”).

5.3 Upon the Customers’ request, and subject to the confidentiality obligations set forth in the Main Agreement, Apex shall promptly make available to the Customers information regarding Apex’s compliance with the obligations set forth in this DPA, which may include one or more of the following as the Customers may request: (i) responses to a reasonable information security-related questionnaire; (ii) copies of relevant executive summaries of third-party certifications and compliance audits, to the extent available; and (iii) a summary of Apex’s operational practices related to data protection and security.

6. Security Breaches, Data Subject Requests, and further Assistance

6.1 Apex will notify the Customers of any Security Breach without undue delay and, in any event, within 48 (forty-eight) hours after becoming aware of the Security Breach.

6.2 To the extent legally permitted, Apex will promptly notify the Customers if it receives a Data Subject Request. Apex may, at its discretion, respond to confirm that such request relates to the Customers. The Customers acknowledge and agree that the Services may include features which will allow the Customers to manage Data Subject Requests directly through the Services without additional assistance from Apex.

6.3 Taking into account the nature of processing and the information available to Apex, Apex will provide such assistance as the Customers reasonably request in relation to the Customers’ obligations under Data Protection Laws with respect to (i) data protection impact assessments, (ii) notifications to the Supervisory Authority under Data Protection Laws and/or communications to data subjects by the Customers in response to a Security Breach, or (iii) the Customers’ compliance with its obligations under the EU GDPR or UK GDPR (as applicable) with respect to the security of processing.

6.4 Apex shall make available to the Customers such information in Apex’s possession or control as the Customers may reasonably request with a view to demonstrating Apex’s compliance with the obligations of Processors under Data Protection Laws in relation to its processing of Personal Data.

7. International Transfers

7.1 The Customers agree that their use of the Services may involve the transfer of Personal Data to, and the processing of Personal Data in, various countries, including the country in which Apex is based and other countries outside the EEA that are not recognized as an Adequate Country and that may not provide an adequate level of protection for Personal Data.

7.2 UK transfers:
To the extent Personal Data is transferred to Apex and processed by or on behalf of Apex outside the UK (except if in an Adequate Country) in circumstances where the UK GDPR would prohibit such transfer in the absence of a transfer mechanism, the Parties agree that the EU Clauses, subject to the UK Approved Addendum, will apply. The UK Approved Addendum is incorporated into this DPA.
Schedule 1 sets out the information required by Tables 1 to 4 (inclusive) of the UK Approved Addendum.

7.3 EU transfers:
To the extent Personal Data is transferred to Apex and processed by or on behalf of Apex outside the EEA (except if in an Adequate Country) in circumstances where the EU GDPR would prohibit such transfer in the absence of a transfer mechanism, the Parties agree that the EU Clauses will apply in respect of that processing and are incorporated into this DPA in accordance with Schedule 2. The ANNEXES to Schedule 2 contain the information required by the EU Clauses.

7.4 In case of any discrepancy between the EU Clauses or the UK Approved Addendum and the DPA, the EU Clauses or, as the case may be, the UK Approved Addendum shall take precedence where applicable pursuant to Section 7.2 or 7.3.

7.5 Apex may replace the EU Clauses and/or the UK Approved Addendum generally or in respect of the EEA and/or the UK (as appropriate) with any alternative or replacement transfer mechanism in compliance with applicable Data Protection Laws, including any further or alternative standard contractual clauses approved from time to time.

8. CCPA

8.1 The terms set forth in this Section 8 of the DPA shall only apply to the extent that (i) Apex Processes Personal Information of California Consumers on behalf of the Customers; and (ii) the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (“CCPA”), is applicable to the Customers at the time of such Processing.

8.2 With the exception of party and agreement references (e.g., references to “Customers” and the “Main Agreement”) and terms which are separately defined in the DPA or the Main Agreement, the capitalized terms in this Section of the DPA shall have the meaning given to them under the CCPA and the CCPA Regulations.

8.3 If the CCPA applies to the Customers, and Apex Processes Personal Information on behalf of the Customers, the Customers shall be a Business, and Apex shall be a Service Provider, with respect to the Processing of such Personal Information.

8.4 The Parties agree to comply with their respective obligations under the CCPA and the CCPA Regulations. Apex will comply with its obligations under all applicable sections of the CCPA and the CCPA Regulations and will provide the same level of privacy protection regarding Personal Information it Collects from the Customers pursuant to the Main Agreement as is required of the Customers under the CCPA and the CCPA Regulations (e.g., cooperating with the Merchants in responding to and complying with the Clients’ requests made pursuant to the CCPA; implementing reasonable security procedures and practices appropriate to the nature of the Personal Information to protect the Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with California Civil Code section 1798.81.5).

8.5 The limited and specified Business Purposes for which Apex is Processing Personal Information pursuant to the Main Agreement include: (i) helping to ensure security and integrity to the extent the use of the Personal Information is reasonably necessary and proportionate for these purposes; (ii) debugging to identify and repair errors that impair existing intended functionality; (iii) undertaking internal research for technological development and demonstration; and (iv) undertaking activities to verify or maintain the quality and safety of services controlled by the Customers (the Merchants). Personal Information is only disclosed by the Customers to Apex for limited and specified purposes (i.e., the limited and specified Business Purposes set forth in this provision).

8.6 Apex will not retain, use, or disclose the Personal Information that it has collected pursuant to the Main Agreement for any purpose other than the Business Purposes specified in this DPA or the Main Agreement, which shall include (i) helping to ensure security and integrity to the extent the use of the Personal Information is reasonably necessary and proportionate for these purposes; (ii) debugging to identify and repair errors that impair existing intended functionality; (iii) undertaking internal research for technological development and demonstration; and (iv) undertaking activities to verify or maintain the quality and safety of services controlled by the Customers, or (v) as otherwise permitted by the CCPA and CCPA Regulations. This prohibition extends to the retention, use, or disclosure of Personal Information for a commercial purpose other than the Business Purposes specified in this DPA, the Main Agreement, or as otherwise permitted by the CCPA and CCPA Regulations.

8.7 Apex will not retain, use, or disclose Personal Information that it Collects pursuant to the Main Agreement outside of the direct business relationship between the Customers and Apex, unless expressly permitted by the CCPA and the CCPA Regulations.

8.8 Apex will not combine or update Personal Information that Apex Collects pursuant to the Main Agreement or otherwise receives from, or on behalf of, the Customers with Personal Information that it received from, or on behalf of, another person or source or from its own interaction with the Clients, other than combining Personal Information to perform any Business Purpose that is expressly permitted by the CCPA and CCPA Regulations. However, Apex will not combine the Personal Information of Consumers who have opted-out of the Sale or Sharing of Personal Information that Apex receives from, or on behalf of, the Customers with Personal Information that Apex receives from, or on behalf of, another person or collects from its own interactions with the Clients.

8.9 Apex will not Sell or Share, as such terms are defined under the CCPA, the Personal Information it Collects pursuant to the Main Agreement.

8.10 Apex will enable the Merchants to comply with requests from the Clients of the Services made pursuant to the CCPA that involve Personal Information Apex has Collected pursuant to the Main Agreement.

8.11 The Customers may take reasonable and appropriate steps to help ensure that Apex uses Personal Information that is Collected pursuant to the Main Agreement or otherwise transferred to Apex by the Customers in a manner consistent with the obligations imposed on the Customers under the CCPA and CCPA Regulations, through the process set forth in Section 5.3 of the DPA.

8.12 In the event Apex ever determines that it can no longer meet its obligations under the CCPA and the CCPA Regulations, Apex will notify the Customers of such determination.

8.13 Upon the Customers’ receipt of notice from Apex that it can no longer meet its CCPA obligations, or upon the Customers giving Apex notice that they will be taking steps to stop and remediate any unauthorized use of Personal Information, the Customers shall have the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information.

8.14 The Parties will cooperate in good faith to enter into additional or modified contract terms to address any modifications, amendments, or updates to the CCPA, including any applicable regulatory or self-regulatory guidance.

9. VCDPA

9.1 The terms set forth in this Section 9 of the DPA shall only apply to the extent that (i) Apex Processes Personal Data of Virginia Consumers on behalf of the Customers; and (ii) the Virginia Consumer Data Protection Act (“VCDPA”) is applicable to the Customers at the time of such Processing.

9.2 With the exception of party and agreement references (e.g., references to “the Customers” and the “Main Agreement”), which are separately defined in the DPA, the capitalized terms in this Section of the DPA shall have the meaning given to them under the VCDPA.

9.3 If the VCDPA applies to the Customers, and Apex Processes Personal Data on behalf of the Customers, Apex shall be a Controller, and, at the same time, Apex shall be a Processor with respect to the Processing of such Personal Data.

9.4 The Parties agree to comply with their respective obligations under the VCDPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter. Additionally, each Party agrees to respect the rights of the other Party under the VCDPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter.

9.5 Apex agrees to assist the Customers in meeting the Customers’ obligations under the VCDPA with respect to any Personal Data of Virginia Consumers that Apex Processes on behalf of the Customers. Such assistance will include (i) assisting the Customers in fulfilling their obligation to respond to Consumer rights requests through Apex’s implementation of appropriate technical and organizational measures insofar as is reasonably practicable (taking into account the nature of the Processing and the information available to Apex); (ii) assisting the Customers in meeting the Customers’ obligations in relation to the security of Processing the Personal Data and in relation to the notification of a breach of security of a system of Apex (taking into account the nature of the Processing and the information available to Apex); and (iii) providing the information necessary to enable the Customers to conduct and document data protection assessments relating to Personal Data of Virginia Consumers that Apex Processes, through the measures set forth in Section 5.3 of the DPA.

9.6 The types of Personal Data being Processed, the duration of such Processing, and the nature and purpose(s) of such processing are described in ANNEX I to Schedule 2 of this DPA. The instructions for such Personal Data Processing are as set forth in the Main Agreement.

9.7 Apex will ensure that each person Processing the Personal Data is subject to a duty of confidentiality with respect to such Personal Data.

9.8 Upon the reasonable request of the Customers, Apex will make available to the Customers all information in its possession necessary to demonstrate Apex’s compliance with its obligations under the VCDPA through the process set forth in Section 5.3 of the DPA.

9.9 Apex will engage each of its subcontractors pursuant to a written contract that requires the subcontractor to meet Apex's obligations with respect to the Personal Data. Such contract shall not relieve the Parties of their respective liabilities under the VCDPA.

9.10 Apex will allow and cooperate with reasonable assessments by the Customers or the Customers’ designated assessor through the process set forth in Section 5.3 of the DPA.

9.11 At the Customers’ direction, Apex will either delete or return all Personal Data to the Customers as requested at the end of the provision of services unless retention of the Personal Data is required by law.

9.12 The Parties will cooperate in good faith to enter into additional or modified contract terms to address any modifications, amendments, or updates to the VCDPA, including any applicable regulatory or self-regulatory guidance.

10. CPA

10.1 The terms set forth in this Section 10 of the DPA shall only apply to the extent that (i) Apex Processes Personal Data of Colorado Consumers on behalf of the Customers; and (ii) the Colorado Privacy Act (“CPA”) is applicable to the Customers at the time of such Processing.

10.2 With the exception of party and agreement references (e.g., references to “the Customers” and the “Main Agreement”), which are separately defined in the DPA, the capitalized terms in this Section of the DPA shall have the meaning given to them under the CPA and the CPA Rules.

10.3 If the CPA applies to the Customers and Apex Processes Personal Data on behalf of the Customers, Apex shall be a Controller, and, at the same time, Apex shall be a Processor with respect to the Processing of such Personal Data.

10.4 The Parties agree to comply with their respective obligations under the CPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter. Additionally, each Party agrees to respect the rights of the other Party under the CPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter.

10.5 The type of Personal Data being Processed, the duration of such Processing, and the processing instructions, including the nature and purpose(s) of such Processing, are described in ANNEX I to Schedule 2 of this DPA and in the Main Agreement.

10.6 Apex will ensure that each person Processing the Personal Data is subject to a duty of confidentiality with respect to such Personal Data.

10.7 After providing the Customers with an opportunity to object, Apex will engage each of its subcontractors pursuant to a written contract in accordance with the CPA that requires the subcontractor to meet the obligations of Apex with respect to the Personal Data.

10.8 Upon request, Apex will make all information necessary to demonstrate its compliance with the CPA available to the Customers in accordance with the process set forth in Section 5.3 of the DPA.

10.9 Apex will allow for and contribute to reasonable audits and inspections by the Customers or the Customers’ designated auditor through the process set forth in Section 5.3 of the DPA.

10.10 At the choice of the Customers, Apex will delete or return all Personal Data to the Customers as requested by the Customers at the end of the provision of services described in the Main Agreement unless retention of the Personal Data is required by law.

10.11 The Parties will cooperate in good faith to enter into additional or modified contract terms to address any modifications, amendments, or updates to the CPA, including any applicable regulatory or self-regulatory guidance.

11. CTDPA

11.1 The terms set forth in this Section 11 of the DPA shall only apply to the extent that (i) Apex Processes Personal Data of Connecticut Consumers on behalf of the Customers; and (ii) the Connecticut Data Privacy Act (“CTDPA”) is applicable to the Customers at the time of such Processing.

11.2 With the exception of party and agreement references (e.g., references to “the Customers” and the “Main Agreement”), which are separately defined in the DPA, the capitalized terms in this Section 11 of the DPA shall have the meaning given to them under the CTDPA.

11.3 If the CTDPA applies to the Customers and Apex Processes Personal Data on behalf of the Customers, Apex shall be a Controller, and, at the same time, Apex shall be a Processor with respect to the Processing of such Personal Data.

11.4 The Parties agree to comply with their respective obligations under the CTDPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter. Additionally, each Party agrees to respect the rights of the other Party under the CTDPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter.

11.5 Apex agrees to assist the Customers in meeting the Customers’ obligations under the CTDPA with respect to any Personal Data of Connecticut Consumers that Apex Processes on behalf of the Customers. Such assistance will include (i) assisting the Customers in fulfilling their obligation to respond to Consumer rights requests through Apex’s implementation of appropriate technical and organizational measures insofar as is reasonably practicable (taking into account the nature of the Processing and the information available to Apex); (ii) assisting the Customers in meeting the Customers’ Personal Data security obligations and obligations for notification of any breach of security of a system of Apex (taking into account the nature of the Processing and the information available to Apex); and (iii) providing the information necessary to enable the Customers to conduct and document data protection assessments relating to Personal Data of Consumers that Apex Processes, through the measures set forth in Section 5.3 of the DPA.

11.6 The types of Personal Data being Processed, the duration of such Processing, and the nature and purpose(s) of such Processing are described in ANNEX I to Schedule 2 of this DPA. The instructions for such Personal Data Processing are as set forth in the Main Agreement.

11.7 Apex will ensure that each person Processing the Personal Data is subject to a duty of confidentiality with respect to the Personal Data.

11.8 Upon the reasonable request of the Customers, Apex will make available to the Customers all information in its possession necessary to demonstrate compliance with the CTDPA in accordance with the process set forth in Section 5.3 of the DPA.

11.9 After providing the Customers with an opportunity to object, Apex will engage each of its subcontractors pursuant to a written contract that requires the subcontractor to meet the obligations of Apex with respect to the Personal Data.

11.10 Apex will allow and cooperate with reasonable assessments by the Customers or the Customers’ designated assessor through the process set forth in Section 5.3 of the DPA.

11.11 At the Customers’ direction, Apex will either delete or return all Personal Data to the Customers, as requested, at the end of Apex’s provision of services, unless retention of the Personal Data is required by law.

11.12 The Parties will cooperate in good faith to enter into additional or modified contract terms to address any modifications, amendments, or updates to the CTDPA, including any applicable regulatory or self-regulatory guidance.

12. UCPA

12.1 The terms set forth in this Section 12 of the DPA shall only apply to the extent that (i) Apex Processes Personal Data of Utah Consumers on behalf of the Customers; and (ii) the Utah Consumer Privacy Act (“UCPA”) is applicable to the Customers at the time of such Processing.

12.2 With the exception of party and agreement references (e.g., references to “the Customers” and the “Main Agreement”), which are separately defined in the DPA, the capitalized terms in this Section 12 of the DPA shall have the meaning given to them under the UCPA.

12.3 If the UCPA applies to the Customers and Apex Processes Personal Data on behalf of the Customers, Apex shall be a Controller, and, at the same time, Apex shall be a Processor with respect to the Processing of such Personal Data.

12.4 The Parties agree to comply with their respective obligations under the UCPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter. Additionally, each Party agrees to respect the rights of the other Party under the UCPA, the Main Agreement, this DPA, and any other agreement into which the Parties enter.

12.5 Taking into account the nature of the Processing and the information available to Apex, Apex will, by appropriate technical and organizational measures and insofar as reasonably practicable, assist the Customers in meeting the Customers’ obligations under the UCPA, including obligations relating to the security of Processing Personal Data and notification of a breach of system security of Apex.

12.6 The types of Personal Data being Processed, the duration of such Processing, and the nature and purpose(s) of such Processing are described in ANNEX I to Schedule 2 of this DPA. The instructions for such Personal Data Processing are as set forth in the Main Agreement.

Apex will ensure that each person Processing Personal Data is subject to a duty of confidentiality with respect to the Personal Data.

12.7 Apex will engage each of its subcontractors pursuant to a written contract that requires the subcontractor to meet the same obligations as Apex with respect to such Personal Data.

The Parties will cooperate in good faith to enter into additional or modified contract terms to address any modifications, amendments, or updates to the UCPA, including any applicable regulatory or self-regulatory guidance.

13. Customers Responsibility

13.1. Compliance with Laws. Within the scope of the Main Agreement and its use of the Services, the Customer will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to Apex.

13.1.1 In particular, but without prejudice to the generality of the foregoing, the Customer acknowledges and agrees that it will be solely responsible for the following:

(i) the accuracy, quality, and legality of Customer Data and the means by which the Customer acquired Personal Data;

(ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorisations (particularly for use by Customer for marketing purposes); 

(iii) ensuring that the Customer has the right to transfer, or provide access to, the Personal Data to Apex for Processing in accordance with the Terms, Terms and Conditions, Privacy Policy and the DPA; 

(iv) ensuring that the Customer’s Instructions to Apex regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and 

(v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent, or managed through the Services, including those relating to obtaining consent (where required) to send emails, the content of the emails and its email deployment practices.

The Customer will inform Apex without undue delay if the Customer is not able to comply with the Customer’s responsibilities under this section or applicable Data Protection Laws.

13.2 Controller Instructions. The Parties agree that the DPA, together with the Customer’s use of the Services under the Privacy Policy and the Terms and Conditions, constitutes the Customer’s complete instructions to Apex related to the Processing of Personal Data, provided that the Customer may issue additional instructions consistent with the nature and lawful use of the Services under the Terms and Conditions, Privacy Policy and this DPA.

13.3. Security. The Customer is solely responsible for determining whether the data security measures defined in the DPA, Privacy Policy and Terms and Conditions satisfy the Customer’s obligations under the relevant Data Protection Laws. Moreover, the Customer is responsible for using the Services securely, including protecting the security of Personal Data in transit to and from the Services (including securely backing up or encrypting any such Personal Data).

14. Information to Demonstrate Compliance

14.1. At the Customer’s request, Apex makes available the information necessary to demonstrate compliance with its statutory obligations in a commonly used and machine-readable format.

14.2. Apex operates an Information Security Management System (hereinafter referred to as “ISMS”) based on the requirements of ISO 27001:2013. If the Customer requests to conduct audits, including inspections, Apex will use external auditors to demonstrate compliance with the obligations laid down in this DPA. This audit will be performed annually by a third-party auditor according to ISO 27001 or other standards that are substantially equivalent to ISO 27001, at the Customer’s selection and expense. Apex will provide the audit report to the Customer at the Customer’s written request.

14.3. Upon an official request of a data protection authority with jurisdiction over the Processing hereunder, or where the Customer has reasonable grounds to assume that a security incident has taken place, the Customer may, upon at least thirty (30) days’ prior written notice to Apex and at the Customer’s expense, conduct a site visit at Apex’s premises by a representative of the Customer or its independent third-party auditor. Such audits shall be carried out during normal business hours without disrupting the ongoing business operations of Apex’s Services. The audit may be made conditional on the Customer’s auditor signing a nondisclosure agreement with Apex. If the auditor commissioned by the Customer is in a competitive relationship with Apex, Apex shall have the right to object to that auditor.

15. HIPAA COMPLIANCE

15.1 HIPAA rules and regulations are applicable to all participants in the Processing.

15.2 HIPAA rules and regulations are addressed in Apex’s Privacy Policies and Terms and Conditions.

15.3 HIPAA rules and regulations related to data usage and safety are obligations of the Merchants which use the Services and provide their own services to the Clients through the Apex Services.

16. General

16.1 The Parties will cooperate in good faith to enter into additional or modified contract terms to address future data protection and privacy laws and regulations.

16.2 This DPA sets out all of the terms that have been agreed between the Parties in relation to the subjects covered by it. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA.

16.3 This DPA is without prejudice to the rights and obligations of the Parties under the Main Agreement, which shall continue to have full force and effect.

16.4 In the event of any conflict between the terms of this DPA and the terms of the Main Agreement, the terms (including definitions and the Schedules) of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data. In the event of an inconsistency between the DPA and the EU Clauses (or, as the case may be, the EU Clauses subject to the UK Approved Addendum), the latter, including the UK Approved Addendum, if applicable, will prevail.

16.5 This DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the Parties hereto and their respective permitted successors and assigns only and is not for the benefit of, nor may any provision hereof be enforced by, any other person.

16.6 This DPA is the final, complete and exclusive agreement of the Parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the Parties with respect to such subject matter. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA. No modification of, amendment to, or waiver of any rights under the DPA will be effective unless in writing and signed by an authorized signatory of each Party.

16.7 Each Party represents and warrants to the other that the execution and delivery of this DPA, and the performance of such Party’s obligations hereunder, have been duly authorized and that this DPA is a valid and legally binding agreement on each such Party, enforceable in accordance with its terms.

16.8 This DPA may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement.

SCHEDULE 1: UK TRANSFERS

For the purposes of the UK Approved Addendum,

1. the information required for Table 1 is contained in ANNEX I of Schedule 2 of this DPA, and the start date shall be deemed to be the same date as that of the EU Clauses;

2. in relation to Table 2, the version of the EU Clauses to which the UK Approved Addendum applies is Module Two for Controller to Processor;

3. in relation to Table 3, the list of Parties and description of the transfer are as set out in ANNEX I of Schedule 2 of this DPA, Apex’s technical and organizational measures are set out in ANNEX II of Schedule 2 of this DPA, and the list of Apex’s sub-processors shall be provided pursuant to ANNEX III of Schedule 2 of this DPA; and

4. in relation to Table 4, neither Party will be entitled to terminate the UK Approved Addendum in accordance with clause 19 of the UK Mandatory Clauses.

SCHEDULE 2: EU CLAUSES

1. For the purposes of this Schedule 2, the EU Clauses (Module Two), currently available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN, shall be incorporated by reference into this Schedule and the DPA and shall be considered an integral part thereof, and the Parties’ signatures in the DPA shall be construed as the Parties’ signature to the EU Clauses. In the event of an inconsistency between the DPA and the EU Clauses, the latter will prevail.

2. For the purposes of the EU Clauses, the following shall apply:

  • The Customers shall be the data exporter, and Apex shall be the data importer. Each Party agrees to be bound by and comply with its obligations in its role as exporter and importer, respectively, as set out in the EU Clauses.
  • Clause 7 (Docking clause) shall be deemed as included.
  • Clause 9 (Use of sub-processors): OPTION 2 – GENERAL WRITTEN AUTHORISATION shall apply. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 15 days in advance.
  • Clause 11 (Redress): optional clause (optional redress mechanism before an independent dispute resolution body) shall be deemed as not included. 
  • Clause 13 (a) (Supervision):
      - Where the Customers are established in an EU Member State: the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
      - Where the Customers are not established in an EU Member State but fall within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and have appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
      - Where the Customers are not established in an EU Member State but fall within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: the supervisory authority of one of the Member States in which the data subjects whose Personal Data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
  • Clause 17 (Governing law): These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Germany.
  • Clause 18 (b) (Choice of forum and jurisdiction): The Parties agree that any dispute between them arising from the EU Clauses shall be resolved by the courts of Germany.

ANNEX I to Schedule 2

       A. LIST OF PARTIES

The Customers shall be the data exporter, and Apex shall be the data importer.

       B. DESCRIPTION OF TRANSFER

Categories of data subjects whose Personal Data is transferred

  • Application Users

 Categories of Personal Data transferred

  • User Data
  • IP address and device data

Sensitive data transferred (if applicable) and applied restrictions or safeguards

  • None.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

  • Continuous while providing the Services. 

Nature of the processing

  • Provision of the Services.

Purpose(s) of the data transfer and further processing

  • Providing the Services

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

  • Duration of the Main Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

  • Auxiliary services.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13:

The competent supervisory authority for the Customers is determined by whichever of the three cases set out under Clause 13 (a) of the EU Clauses, as described in Schedule 2, applies to the Customers.

ANNEX II to Schedule 2 – TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing (see Annex I) as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Apex implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the pseudonymization and encryption of Personal Data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Apex will provide a list of the actual technical and organizational measures on request of the Customers.

ANNEX III to Schedule 2 – LIST OF SUB-PROCESSORS

The controller/data exporter has authorized the use of the following sub-processors:

Third party | Purpose | Applicable Service | US Data Centre Sub-Processor (Location: United States) | EU Data Centre Sub-Processor (Location: EU or Other)
Amazon Web Services, Inc | Hosting and infrastructure | Used as an on-demand cloud computing platform and APIs | United States | Germany
Google, Inc | Regional Data Processing | Data hosting provider | United States | Germany
Google reCAPTCHA | Form submission spam prevention | Used for Nanitor form submission spam prevention | United States | United States

SCHEDULE 3: INFORMATION

Description | Information
Name: 
Address: 
Contact person’s name, position and contact details: 
Activities relevant to the data transferred under this DPA: 
Role: