DATA PROCESSING ADDENDUM

Effective date: 02.05.2024

This Data Processing Addendum ('DPA') supplements Getmany's Terms of Use ('Terms'), the agreement between you ('Client', 'User', 'you', 'your') and Getmany Software LLC ('Company', 'Getmany', 'we', 'us' or 'our') governing the processing of personal data that you upload or otherwise provide Getmany in connection with the Services or of any personal data that Getmany obtains in connection with the performance of the Services. Hereinafter, this DPA refers to you and us individually as a 'Party' or together as the 'Parties'.

Unless otherwise defined in this DPA, all capitalised terms in this DPA shall have the meanings given in Getmany's Terms of Use. This DPA shall remain in force until the termination of the Terms between you and us.

1. Definitions

“Data Protection Laws and Regulations” means all laws and regulations applicable to the processing of personal data under the Terms, as amended from time to time, such as the laws and regulations of the European Union, the European Economic Area and their member states, the United Kingdom, and the United States and its states, including the GDPR, UK Data Protection Laws, CCPA as amended (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah) or other applicable laws and regulations.

“General Data Protection Regulation (“GDPR”)” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

“UK Data Protection Laws” means the Data Protection Act 2018 and the UK GDPR (retained version of the EU GDPR).

“Standard Contractual Clauses (“SCCs”)” means Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.

“UK Addendum” means the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner for Parties making Restricted Transfers in the meaning of the UK Data Protection Laws, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

“controller”, “processor”, “data subject”, “personal data”, and “processing” have the meanings given in Data Protection Laws and Regulations.

“Client Data” means personal data that you upload or otherwise provide Getmany in connection with the Services or any personal data that Getmany obtains in connection with the performance of the Services.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Data Exporter” means a person who transfers personal data to a data importer under this DPA.

“Data Importer” means the Company when it acts as a data processor engaged by the data exporter that receives personal data from the data exporter under this DPA.

“Sub-processor” means any entity which provides processing services to the processor in furtherance of the processing on behalf of the controller.

“Public Authority” means a government agency or law enforcement authority, including judicial authorities.

“Services” means services provided at https://getmany.io/ as described in the Terms.

“Supervisory Authority” means an independent public authority responsible for monitoring the application of the data protection legislation.

“Technical and Organizational Security Measures” mean measures aimed at protecting the Client Data against unintentional destruction or unintentional loss, alteration, unauthorized disclosure or access, particularly where the processing involves the transmission of data via a network, and against all other unlawful forms of processing.

2. Roles and Responsibilities

Where Getmany processes data on your behalf for the provision of Services, you acknowledge and agree that with regard to the processing of such data, you are a controller or processor, and we are a processor or sub-processor acting on your behalf, as defined by the applicable Data Protection Laws and Regulations. The processing is described in Schedule 1 of this DPA. This DPA shall apply in accordance with the established roles. It shall not apply to situations where we act as a controller in accordance with Getmany’s Privacy Policy.

3. Instructions

The Parties agree that this DPA and the Terms constitute the Client’s complete and final documented instructions regarding Getmany’s processing of data on the Client’s behalf (‘Instructions’). Any additional or alternate instructions must be consistent with this DPA and the Terms.

4. Description of Processing

The processing of data on your behalf in connection with the provision of Getmany’s Services is outlined in Schedule 1 of this DPA. We reserve the right to periodically update the processing description to reflect new functionalities or other relevant changes that constitute a part of Getmany’s Services.

5. Your obligations

Within the scope of the DPA and Terms, as well as your use of our Services, you will be solely responsible for complying with all requirements that apply to you under the applicable Data Protection Laws and Regulations. Therefore, you agree and guarantee that you will be responsible for:

(i) the accuracy, quality, integrity, confidentiality and security of collected Client Data that you provide to us for the provision of Services;

(ii) complying with all necessary transparency, lawfulness, fairness and other requirements under applicable Data Protection Laws and Regulations for the processing of personal data by: establishing and maintaining the procedure for data subjects whose data are processed on your behalf to exercise their rights; providing us only with data that has been lawfully and validly obtained according to the applicable Data Protection Laws and Regulations, and ensuring that such data will be relevant and proportionate to the respective uses for performing our Services; ensuring compliance with the provisions of this DPA and Terms by your personnel or by any third party accessing or using Client Data on your behalf (if applicable); and

(iii) ensuring that your Instructions on the processing of Client Data comply with the applicable Data Protection Laws and Regulations, including complying with principles of data minimisation, purpose and storage limitation.

6. Our obligations

6.1. General Obligations

With regard to the processing of data that you provide us, we shall:

(i) process the Client Data using appropriate technical and organisational security measures and in compliance with the Instructions received from you subject to Schedule 2 of this DPA;

(ii) inform you in case we consider your data processing Instructions may be in violation of the provisions of the Data Protection Laws and Regulations;

(iii) take reasonable steps to ensure that any employee/contractor we authorise access to the Client Data on our behalf complies with the relevant provisions of the Terms and this DPA.

6.2. Notices to Client

Upon becoming aware, we shall inform you of any legally binding request for disclosure of the Client Data by a Public Authority unless we are otherwise forbidden by law to inform you, for instance, to preserve the confidentiality of an investigation by a Public Authority. We will inform you if we become aware of any notice, inquiry, or investigation by a Supervisory Authority with respect to the processing of the Client Data under this DPA conducted between you and us.

6.3. Security measures

We shall implement and maintain appropriate technical and organisational measures to protect the Client Data from personal data breaches (‘Security Incidents’) in accordance with our security standards set out in Schedule 2 of this DPA. You acknowledge that security measures are subject to technical progress so that we may modify or update Schedule 2 of this DPA at our sole discretion to reflect the necessary technological changes and safety standards, provided that such modification or update does not result in a material degradation in the security measures in Schedule 2 of this DPA.

6.4. Security Incident

Upon becoming aware of a Security Incident, we shall:

(i) notify you without undue delay after we become aware of the Security Incident;

(ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by you; and

(iii) promptly take reasonable steps to contain and investigate any Security Incident so that you can notify competent authorities and/or affected data subjects of the Security Incident.

Our notification of or response to a Security Incident shall not be construed as an acknowledgement by us of any fault or liability regarding the Security Incident.

6.5. Confidentiality

We will not access, use, or disclose to any third party any Client Data, except, in each case, if necessary to maintain or provide our Services to you, or if necessary to comply with contractual and legal obligations or a binding order of a public body, for example, a subpoena or court order. We shall ensure that any employee/contractor authorized by us to access the Client Data on our behalf is subject to appropriate contractual or statutory confidentiality obligations with respect to the Client Data.

6.6. Return or deletion of the Client’s Data

Upon termination or expiration of the Terms between you and us, we shall delete all Client Data in our possession or control. This requirement shall not apply when we are required by applicable law or respective contractual obligations to retain some or all of the Client Data.

6.7. Reasonable Assistance

For the provision of our Services, implementation of the Terms and compliance with applicable Data Protection Laws and Regulations, we agree to provide reasonable assistance to you regarding:

(i) any request from a data subject in respect of access, rectification, erasure, restriction, portability, blocking or deletion of the Client Data that we process on your behalf. In the event that a data subject sends such a request directly to us, Section 7 of this DPA shall apply;

(ii) the investigation of Security Incidents and communication of necessary notifications regarding such Security Incidents subject to Section 6.4 of this DPA;

(iii) preparation of data protection impact assessments and, where necessary, your consultation with the Supervisory Authority under Articles 35 and 36 of the GDPR.

6.8. Audit and Certification

If a Supervisory Authority requires an audit of the data processing facilities where we process data on your behalf to ascertain or monitor your compliance with the applicable Data Protection Laws and Regulations, we will cooperate with such requirements. You are responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time we expend for any such audit, in addition to the rates for services performed by us.

You may, prior to the commencement of processing and at regular intervals, audit the technical and organisational measures taken by us. When you act as the controller with respect to the personal data processed by us on your behalf, upon reasonable and timely advance agreement, during regular business hours and without interruption to our business operations, we may provide you with all information necessary to demonstrate compliance with your obligations according to Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you with respect to such processing.

Upon your written request and within a reasonable period, we shall provide you with all information necessary for such audit, to the extent that such information is within our control and we are not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

7. Data Subject Request

In the event that a data subject contacts us with regard to the exercise of their rights under the applicable Data Protection Laws and Regulations (in particular, requests for access to, rectification or deletion of the Client Data), we will use all reasonable efforts to forward such requests to you. If we are legally required to respond to such a request, we shall immediately notify you and provide you with a copy of the request unless we are legally prohibited from doing so.

8. Sub-processors

You agree that we may engage Sub-processors to fulfil our obligations regarding the provision of our Services under the Terms. The list of such Sub-processors is provided in Schedule 3 of this DPA.

9. Transfers of the Client’s Data under GDPR

9.1. General

The Parties agree that when the processing of the Client Data on your behalf in connection with Services constitutes a transfer under Data Protection Laws and Regulations and appropriate safeguards are required, such processing will be subject to the Standard Contractual Clauses and/or UK Addendum, which are deemed to be incorporated into and form part of this DPA as further described in subsections 9.2 and 9.3 of this DPA. If and to the extent the EU SCCs and/or UK Addendum, as applicable, conflict with any provision of the DPA, the EU SCCs and UK Addendum shall prevail to the extent of such conflict.

9.2. Transfers under GDPR

When the processing of the Client Data on behalf of the Client in connection with Services constitutes a “transfer” under the GDPR, EU Standard Contractual Clauses shall apply. When you act as a controller, and we act as a processor, Module Two of the EU SCCs applies. When you act as a processor, and we act as a sub-processor, Module Three of the EU SCCs applies.

For the purpose of the EU SCCs, we are a “data importer”, and you are a “data exporter”. The provisions contained in the EU SCCs are incorporated by reference and are an integral part of this DPA. Clauses and annexes of the EU SCCs should apply as follows:

(i) in Clause 7, the optional docking clause shall not apply;

(ii) in Clause 9, Option 2 (General written authorisation) shall apply. For the purpose of Clause 9(a), the time period for informing the data exporter shall be 30 days;

(iii) in Clause 11, the optional provision shall not apply;

(iv) in Clause 13, a particular option shall apply depending on the specific case;

(v) in Clause 17, Option 1 shall apply. The EU SCCs shall be governed by the law of Germany;

(vi) in Clause 18(b), disputes shall be resolved by the courts of Germany;

(vii) Annex I of the EU SCCs is deemed completed with the information in Schedule 1 of this DPA;

(viii) Annex II of the EU SCCs is deemed completed with the information in Schedule 2 of this DPA.

9.3. Transfers under UK Data Protection Laws

When processing the Client Data on behalf of the Client in connection with Services constitutes a “restricted transfer” under UK Data Protection Laws, the UK Addendum shall apply. When you are a controller, and we are a processor, Module Two of the EU SCCs shall apply. When you act as a processor, and we act as a sub-processor, Module Three of the EU SCCs applies.

For the purpose of the UK Addendum, we are an “Importer”, and you are an “Exporter”. The relevant provisions contained in the UK Addendum are incorporated by reference and are an integral part of this DPA. Tables in the UK Addendum are deemed to be completed as follows:

(i) Table 1 in Part 1 is deemed completed with the information set out in Schedule 1 of this DPA, and the official registration number of the Importer is 35-2841890, and the official registration number of the Exporter is contained in the Client’s account, if any;

(ii) Table 2 in Part 1 is deemed completed accordingly with the information set out in subsection 9.2 of this DPA;

(iii) Table 3 in Part 1 is deemed completed with the information set out in Schedules 1, 2 and 3 of this DPA;

(iv) in Table 4 in Part 1, neither party may end this Addendum as set out in Section 19 of the UK Addendum.

SCHEDULE 1 - DESCRIPTION OF PROCESSING

A. LIST OF PARTIES

Data exporter

Name: You, “Client”, “User”
Address: the relevant information is contained in the Client’s account.
Contact person’s name, position and contact details: the relevant information is contained in the Client’s account.
Activities relevant to the data transferred under these Clauses: provision of Getmany’s services in accordance with the Terms.
Signature and date: By entering into the Terms, the data importer is deemed to have signed the EU SCCs incorporated herein, including their Annexes, as of the effective date of the Terms.
Role: controller or processor

Data importer

Name: Getmany Software LLC
Address: 30 N GOULD ST STE R, SHERIDAN, WY 82801-6317-301
Contact person’s name, position and contact details: Kyrylo Kozak, the CEO, [email protected]
Activities relevant to the data transferred under these Clauses: provision of Getmany’s services in accordance with the Terms.
Signature and date: By entering into the Terms, the data importer is deemed to have signed the EU SCCs incorporated herein, including their Annexes, as of the effective date of the Terms.
Role: processor or sub-processor

B. DESCRIPTION OF TRANSFER

1. Categories of data subjects whose personal data is transferred:

2. Categories of personal data transferred:

3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved: The data importer does not obtain access to the special categories of data (sensitive data).

4. The frequency of the transfer: The personal data is transferred on a continuous basis.

5. Nature of the processing: Personal data processing consists of the following: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.

6. Purpose(s) of the data transfer and further processing: The purpose of the data processing under these Clauses is the performance of the services for the data exporter by the data importer under the Terms concluded between the data importer and the data exporter.

7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The personal data shall be stored for the duration of this DPA between the data importer and the data exporter unless otherwise agreed in writing, or the data importer is required by applicable law to retain some or all of the transferred personal data.

8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: subject matter: the performance of services; nature: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction; duration: the performance of the services for the data importer by the (sub-) processor under the service agreement concluded between the data importer and (sub-) processor.

C. COMPETENT SUPERVISORY AUTHORITY

In accordance with Clause 13, the competent supervisory authority under these Clauses is determined depending on what version of Clause 13(a) applies to the data exporter.

SCHEDULE 2 - TECHNICAL AND ORGANISATIONAL MEASURES

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:

SCHEDULE 3 - SUB-PROCESSORS

The controller has authorised the use of the following sub-processors:

Sub-processor 1

Name: Amazon Web Services, Inc.

Address: 410 Terry Avenue North, Seattle, WA 98109-5210.

Contact person’s name, position and contact details: https://aws.amazon.com/contact-us/?nc1=f_m

Description of processing: storing and processing data so that Getmany is able to provide its services.

Sub-processor 2

Name: MongoDB, Inc.

Address: https://www.mongodb.com/company/office-locations

Contact person’s name, position and contact details: https://www.mongodb.com/contact

Description of processing: storing and processing data so that Getmany is able to provide its services.

Sub-processor 3

Name: Clerk, Inc.

Address: 660 King St Unit 345 San Francisco, CA 94107 US

Contact person’s name, position and contact details: https://clerk.com/contact

Description of processing: storing and processing data so that Getmany is able to provide its services.