Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements AppEQ’s Terms of Service (the “Agreement”) available at https://appeq.ai/terms-of-service. User and AppEQ have agreed to this DPA as of the date of the Agreement into which it is incorporated. This DPA applies to all Services provided by AppEQ to User that involve the processing by AppEQ of any Personal Data provided to AppEQ under the Agreement on behalf of User pursuant to or in connection with the Services (“User Personal Data”).

The terms used in this DPA shall have the meaning as set forth in this DPA. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement.

  1. Definitions

    1. In this DPA, the following terms shall have the meanings set out below:
    2. “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household as defined under the Data Protection Laws.
    3. “Data Protection Laws” means, as applicable: (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”); and (b) any other applicable data privacy and security laws and regulations.
    4. “EEA” means the European Economic Area.
    5. “Services” includes tools, software, channels, data feeds, computer programs and similar components designed by AppEQ to connect applications, automate workflows and send or receive messages to and from humans and machines, all of which are hosted over the internet and available on the AppEQ Platform.
    6. “Standard Contractual Clauses” means the European Commission Standard Contractual Clauses and includes (a) the Controller-to-Processor Clauses set out in Appendix 1 and (b) the Processor-to-Processor Clauses set out in Appendix 2. AppEQ relies on these Standard Contractual Clauses for Data Transfers as described in Section 10.
    7. “Sub-processor” means any person appointed by or on behalf of AppEQ to process User Personal Data in connection with the Services provided under Agreement.
    8. “Controller-to-Processor Clauses” means the standard contractual clauses between controllers and processors for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as elaborated under Appendix 1 to this DPA.
    9. “Processor-to-Processor Clauses” means the standard contractual clauses between processors for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as elaborated under Appendix 2 to this DPA.
    10. “Third Country” means a country outside the EEA not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR).
    11. The terms “Controller,” “Data Subject,” “Personal Data Breach,” “Processing,” “Processor,” and “Supervisory Authority” shall have the same meaning as in the GDPR.
  2. Data Processing

    1. This DPA applies when User Personal Data is processed by AppEQ. In this context, AppEQ will act as a Processor.
    2. AppEQ shall not process User Personal Data other than on User’s documented instructions unless Processing is required by Data Protection Laws to which AppEQ is subject, in which case AppEQ shall, to the extent permitted by Data Protection Laws, inform User of that legal requirement before Processing User Personal Data.
  3. Security

    AppEQ has implemented the following security measures for the protection of Personal Data under this DPA.

    Technical and Organizational measures implemented by AppEQ:
    • AppEQ maintains an ISMS Policy approved and reviewed by Management.
    • Personal Data in transit is protected by TLS 1.2+ using SSL certificates (SHA-256 with RSA encryption) provided by Amazon Certificate Manager. Communication between microservices is encrypted using mutual TLS via a mesh management service.
    • Personal Data at rest is stored in the Mongo Enterprise Database and is encrypted at the volume level and item level using individual encryption keys managed via AWS KMS.
    • Data in memory: each process in AppEQ is managed within a container with its own independent resources (volumes, memory and CPU). The logs of these processes are synced to a centralized logging system.
    • AppEQ has implemented anti-malware on its systems processing Personal Data.
    • Employees receive regular security and privacy training regarding the treatment and protection of Personal Data.
    • AppEQ ensures that vulnerability assessment and penetration testing (VAPT) is carried out by certified third parties to test security and identify vulnerabilities in the system.
    • AppEQ is ISO 27001 certified and ensures regular audits in line with this standard.
    • AppEQ ensures that access to information systems is restricted to authorized employees only.
  4. Confidentiality

    1. AppEQ will not disclose User Personal Data to any unauthorized third party, subject to mandatory law. If a government demands access to User Personal Data, AppEQ will notify User prior to disclosure unless prohibited by law.
    2. AppEQ shall take reasonable steps to ensure that individuals or entities that process User Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.
  5. Personal Data Breach

    Upon determining that a Personal Data Breach has occurred that affects User, AppEQ will notify User within 72 hours of becoming aware of a breach of security in respect of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, User Personal Data transmitted, stored or otherwise processed by AppEQ.

  6. Sub-processors

    User provides general authorization to AppEQ’s use of sub-processors to provide processing activities on User Personal Data on behalf of User (“Sub-processors”) in accordance with this Section. The AppEQ website (currently posted at https://appeq.ai/privacy-policy/gdpr) lists the Sub-processors that are currently engaged by AppEQ. AppEQ will update the list of Sub-processors at least 30 days before engaging a new Sub-processor. Further, AppEQ shall notify User of the addition or replacement of such Sub-processor, and User may, on reasonable grounds, object to a Sub-processor by notifying AppEQ in writing within 10 days of receipt of AppEQ’s notification, giving reasons for User’s objection. Upon receipt of such objection, AppEQ shall: (a) work with User in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-processor; and (b) where such change cannot be made within 10 days of AppEQ’s receipt of User’s notice, User may by written notice to AppEQ with immediate effect terminate the portion of the Agreement to the extent that it relates to the Services which require the use of the proposed Sub-processor. This termination right is User’s sole and exclusive remedy for User’s objection to any Sub-processor appointed by AppEQ. AppEQ shall require all Sub-processors to enter into an agreement with equivalent effect to the Processing terms contained in this DPA.

  7. User Rights

    • Independent Determination. User is responsible for reviewing the information made available by AppEQ relating to data security and its security standards and making an independent determination as to whether the Services meet User’s requirements and legal obligations as well as User’s obligations under this DPA.
    • User Audit Rights. User has the right to confirm AppEQ’s compliance with this DPA as applicable to the Services, including AppEQ’s compliance with its security standards, by exercising a reasonable right to conduct an audit or inspection, including under the Standard Contractual Clauses if they apply, by making a specific request of AppEQ in writing to the address set forth in the Agreement. If the Standard Contractual Clauses apply, nothing in this Section varies or modifies the Standard Contractual Clauses nor affects any supervisory authority’s or data subject’s rights under the Standard Contractual Clauses. This Section will also apply insofar as AppEQ carries out the control of Sub-processors on behalf of User.
  8. AppEQ Privacy Contact.

    The AppEQ privacy contact can be contacted at:

    1. Name: AppEQ Inc
    2. Attention: Chief Operating Officer
    3. Physical address: 16192 Coastal Hwy, Lewes, Delaware 19958, United States
    4. Email address for contact: support@appeq.ai
  9. Return or Deletion of User Personal Data.

    Unless otherwise required by applicable law, AppEQ will destroy or return User Personal Data within a reasonable period in a reasonable and common format upon receiving written instructions from the User prior to termination or expiration, provided that the User Personal Data is available to AppEQ.

  10. Transborder Data Processing.

    1. Application of Standard Contractual Clauses: The Standard Contractual Clauses will only apply to User Personal Data that is transferred, either directly or via onward transfer, to any Third Country (each a “Data Transfer”).
    2. The parties will conduct such Data Transfer in accordance with the applicable laws.
    3. Taking into account the nature of the processing, User agrees that it is unlikely that AppEQ will know the identity of User’s controllers because it has no direct relationship with User’s controllers and therefore, User will fulfill AppEQ’s obligations to User’s controllers under the Processor-to-Processor Clauses.
    4. If there is any conflict between this DPA or the Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
  11. Entire Agreement Conflict.

    This DPA incorporates the Standard Contractual Clauses by reference. Except as amended by this DPA, the Agreement will remain in full force and effect. Nothing in this document varies or modifies the Standard Contractual Clauses.

  12. Termination of the DPA.

    This DPA will continue in force until the termination of the Agreement (the “Termination Date”).

  13. Governing Law of the DPA.

    This DPA is governed by the laws of Ireland. Any dispute shall be settled in the courts of Dublin. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence. The competent supervisory authority shall be that of Ireland.

  14. Contact Details

    The Data Protection Officer is Rajat Shukla who can be contacted at infosec@appeq.ai.

APPENDIX 1

Controller to Processor

FOLLOWING SHALL BE APPLICABLE ON THE TRANSFER OF PERSONAL DATA TO PROCESSORS ESTABLISHED IN THIRD COUNTRIES WHICH DO NOT ENSURE AN ADEQUATE LEVEL OF DATA PROTECTION. THE PARTIES HAVE AGREED ON THE FOLLOWING CONTRACTUAL CLAUSES IN ORDER TO ADDUCE ADEQUATE SAFEGUARDS WITH RESPECT TO THE PROTECTION OF PRIVACY AND FUNDAMENTAL RIGHTS AND FREEDOMS OF INDIVIDUALS FOR THE TRANSFER BY THE DATA EXPORTER TO THE DATA IMPORTER OF THE PERSONAL DATA.
  1. Data importer shall process the personal data on the documented instructions of data exporter. Data exporter shall give adequate instructions for the duration of this DPA.
  2. Data importer shall immediately inform Data exporter if it fails to follow the instructions of data exporter.
  3. Data importer shall process personal data for the purposes enumerated in Annexure A of this Appendix 1.
  4. Data subjects shall have the right to demand a copy of this DPA with annexures. Data exporter shall be under an obligation to provide details to such data subject after redacting critical information, stating reasons for such redactions.
  5. Data importer shall be liable to inform the data exporter when it becomes aware that personal data received is inaccurate or has become outdated; it shall inform data exporter of such inaccuracies without undue delay. In such cases, data importer shall cooperate with data exporter to erase or rectify the data.
  6. Duration of processing of data shall be in accordance with Annexure A of this Appendix 1. After the completion of the duration, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to data exporter that it has done so, or return all the personal data to data exporter. Data importer shall ensure that until the data is deleted or returned to data exporter, data importer remains in compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law.
  7. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the data importer as well as the data exporter shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annexure B of this Appendix 1. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
  8. The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  9. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
  10. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
  11. Data importer shall promptly and adequately assist with the enquiries from the data exporter that relate to processing under these clauses.
  12. Data importer shall keep appropriate documentation with respect to processing activities as per the instructions of the data exporter.
  13. Data importer shall provide all information necessary to demonstrate compliance with obligations set out in this Appendix 1 and at the request of the Data exporter allow and contribute to auditing of its processing activities covered under this Appendix 1.
  14. Data exporter, at its sole discretion, can decide to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
  15. Data exporter and data importer shall make the information referred to in paragraphs 12 and 13, including the results of any audits, available to the competent supervisory authority on request.
  16. The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
  17. The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the parties shall set out in Annexure B of this Appendix 1 the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
  18. In fulfilling its obligations under paragraphs 16 and 17, the data importer shall comply with the instructions from the data exporter.
  19. Each party shall be liable to the other party/ies for any damages it causes the other party/ies by any breach of these Clauses.
  20. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
  21. Notwithstanding paragraph 20, the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
  22. The Parties agree that if the data exporter is held liable under paragraph 21 for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
  23. Where more than one party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
  24. The parties agree that if one party is held liable under paragraph 21, it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
  25. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
  26. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
    1. receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
    2. becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
  27. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
  28. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
  29. The data importer agrees to preserve the information pursuant to paragraphs 26 to 28 of this Appendix 1 for the duration of the contract and make it available to the competent supervisory authority on request.

ANNEXURE A: Details of the Processing

List of Parties
Data Exporter
Name:
Address:
Contact Person’s Details:
Signature & Date:
Role: Controller

Data Importer

Name: APPEQ INC

Address: 16192 Coastal Hwy, Lewes, Delaware 19958, United States

Contact Person’s Details: Chief Information Security Officer, support@appeq.ai

Signature & Date:

Role: Processor

Subject matter: The subject matter of the data processing under this DPA is User Personal Data.

Duration: As agreed between AppEQ and User, the duration of the data processing under this DPA is determined by User.

Purpose: The purpose of the data processing under this DPA is the provision of the Services initiated by User from time to time.

Nature of the processing: Automate workflows, integrate applications and such other Services as described in the Agreement and initiated by User from time to time.

Type of User Personal Data: User Personal Data uploaded to User’s account on the AppEQ Platform.

Categories of data subjects: The data subjects could include (but are not limited to) User’s customers, employees, suppliers and end users.

ANNEXURE B: Security Standards.

Technical and Organizational measures implemented by AppEQ:
  • AppEQ maintains an ISMS Policy approved and reviewed by Management.
  • Personal Data in transit is protected by TLS 1.2+ using SSL certificates (SHA-256 with RSA encryption) provided by Amazon Certificate Manager. Communication between microservices is encrypted using mutual TLS via a mesh management service.
  • Personal Data at rest is stored in the Mongo Enterprise Database and is encrypted at the volume level and item level using individual encryption keys managed via AWS KMS.
  • Data in memory: each process in AppEQ is managed within a container with its own independent resources (volumes, memory and CPU). The logs of these processes are synced to a centralized logging system.
  • AppEQ has implemented anti-malware on its systems processing Personal Data.
  • Employees receive regular security and privacy training regarding the treatment and protection of Personal Data.
  • AppEQ ensures that vulnerability assessment and penetration testing (VAPT) is carried out by certified third parties to test security and identify vulnerabilities in the system.
  • AppEQ is ISO 27001 certified and ensures regular audits in line with this standard.
  • AppEQ ensures that access to information systems is restricted to authorized employees only.

APPENDIX 2

Processor to Processor

FOLLOWING SHALL BE APPLICABLE ON THE TRANSFER OF PERSONAL DATA TO PROCESSORS ESTABLISHED IN THIRD COUNTRIES WHICH DO NOT ENSURE AN ADEQUATE LEVEL OF DATA PROTECTION. THE PARTIES HAVE AGREED ON THE FOLLOWING CONTRACTUAL CLAUSES IN ORDER TO ADDUCE ADEQUATE SAFEGUARDS WITH RESPECT TO THE PROTECTION OF PRIVACY AND FUNDAMENTAL RIGHTS AND FREEDOMS OF INDIVIDUALS FOR THE TRANSFER BY THE DATA EXPORTER TO THE DATA IMPORTER OF THE PERSONAL DATA.
  1. Data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.
  2. Data importer shall process the personal data as per the documented instructions of the controller as communicated to data importer by the data exporter and any additional documented instructions of the data exporter. The data exporter or the controller may provide additional documented instructions throughout the duration of the Agreement.
  3. Data importer shall immediately inform the data exporter of its inability to follow the documented instructions. Data exporter shall immediately inform the controller of the data importer’s inability to follow the documented instructions.
  4. Data exporter warrants that it has imposed on the data importer the same data protection obligations as those entered into between the controller and the data exporter.
  5. The data importer shall process personal data for the purposes enumerated in Annexure A of this Appendix 2.
  6. Data subjects shall have the right to demand a copy of this DPA with appendices. Data exporter shall be under an obligation to provide details to such data subject after redacting critical information, stating reasons for such redactions.
  7. Data importer shall be liable to inform data exporter when it becomes aware that personal data received is inaccurate or has become outdated; it shall inform data exporter of such inaccuracies without undue delay. In such case, data importer shall cooperate with the data exporter to erase or rectify the data.
  8. Duration of processing of data shall be in accordance with Annexure A of this Appendix 2. After the completion of the duration, data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to data exporter that it has done so, or return all the personal data to data exporter. Data importer shall ensure that until data is deleted or returned, data importer remains in compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law.
  9. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the data importer as well as the data exporter shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annexure B of this Appendix 2. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
  10. The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  11. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
  12. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
  13. Data importer shall promptly and adequately assist with the enquiries from the data exporter that relate to processing under these clauses.
  14. Data exporter and data importer shall demonstrate compliance under Appendix 2. In particular, the data importer shall keep appropriate documentation with respect to processing activities as per the instructions of the controller.
  15. Data importer shall provide all information necessary to demonstrate compliance with obligations set out in this Appendix 2 and at the request of the Data exporter allow and contribute to auditing of its processing activities covered under this Appendix 2.
  16. Data importer shall allow and contribute to audits by the data exporter of the processing activities covered under this Appendix 2. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer. In case the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.
  17. Data exporter and data importer shall make the information referred to in paragraphs 14 and 15, including the results of any audits, available to the competent supervisory authority on request.
  18. Each party shall be liable to the other party/ies for any damages it causes the other party/ies by any breach of these Clauses.
  19. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
  20. Notwithstanding paragraph 19, the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
  21. The Parties agree that if the data exporter is held liable under paragraph 20 for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
  22. Where more than one party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
  23. The parties agree that if one party is held liable under paragraph 22, it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
  24. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
  25. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
    1. receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
    2. becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the data importer.
    The data exporter shall forward the notification to the controller.
  26. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
  27. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). The data exporter shall forward the information to the controller.
  28. The data importer agrees to preserve the information referred to in paragraphs 25 to 27 of this Appendix 2 for the duration of the contract and to make it available to the competent supervisory authority on request.

ANNEXURE A: Details of the Processing

List of Parties
Data Exporter
Name:
Address:
Contact Person’s Details:
Signature & Date:
Role: Controller

Data Importer

Name: APPEQ INC

Address: 16192 Coastal Hwy, Lewes, Delaware 19958, United States

Contact Person’s Details: Chief Information Security Officer, support@appeq.ai

Signature & Date:

Role: Processor

Subject matter: The subject matter of the data processing under this DPA is User Personal Data.

Duration: The duration of the data processing under this DPA is as agreed between AppEQ and User and is determined by User.

Purpose: The purpose of the data processing under this DPA is the provision of the Services initiated by User from time to time.

Nature of the processing: Automate workflows, integrate applications and such other Services as described in the Agreement and initiated by User from time to time.

Type of User Personal Data: User Personal Data uploaded to User’s account on the AppEQ Platform.

Categories of data subjects: The data subjects may include, but are not limited to, User’s customers, employees, suppliers and end users.

ANNEXURE B: Security Standards

Technical and Organizational measures implemented by AppEQ:
  • AppEQ maintains an ISMS Policy that is approved and regularly reviewed by Management.
  • Personal Data in transit is protected by TLS 1.2 or higher, using certificates signed with SHA-256 and RSA (sha256WithRSAEncryption) issued through AWS Certificate Manager. Communication between microservices is encrypted using mutual TLS enforced by the service mesh management layer.
  • Personal Data at rest is stored in MongoDB Enterprise and is encrypted at both the volume level and the item level, using individual encryption keys managed via AWS KMS.
  • Data in memory: each AppEQ process runs within its own container with independent resources (volumes, memory and CPU). The logs of these processes are synced to a centralized logging system.
  • AppEQ has implemented anti-malware controls on the systems that process Personal Data.
  • Employees receive regular security and privacy training on the treatment and protection of Personal Data.
  • Vulnerability assessment and penetration testing (VAPT) is carried out by certified third parties to test security and identify vulnerabilities in the system.
  • AppEQ is ISO/IEC 27001 certified and undergoes regular audits in line with this standard.
  • Access to information systems is restricted to authorized employees only.