Privacy Policy

Data Processing Addendum

This Data Processing Addendum ("Addendum") is incorporated into the master services agreement ("Agreement") entered into by and between Company and Customer (as identified in the Agreement). Company and Customer will be referred to herein as the "Parties".

WHEREAS the provision of the Service by Company to Customer involves the processing of certain Personal Data (as defined below); and

WHEREAS the parties wish to regulate their mutual obligations in relation to such Personal Data through this Addendum, which forms an integral part of the Agreement.

NOW THEREFORE, the parties have agreed to this Addendum, consisting of the following parts:

| Part | Applicability |
| --- | --- |
| Part One – General provisions | Always applies and in force |
| Part Two – GDPR (EU and/or UK) | Applies only if Customer Personal Data (as defined below) is subject to the General Data Protection Regulation (GDPR) |

Part 1 — General Provisions

1. Definitions

1.1. "Customer Personal Data" means any Personal Data Company Processes on behalf of the Customer and under Customer's instructions, in the course of providing the Service.

1.2. "Personal Data" means any information relating to an identified individual or an individual who is reasonably identifiable, including through means of an identifier such as a name, ID number, biometric identifier, location data, an online identifier, or one or more factors relating to the physical, health, economic, social, or cultural identity of such individual.

1.3. "Personal Data Breach" means an actual or reasonably suspected incident (a) of unauthorized access to or use of Customer Personal Data, or such access or use exceeding authorization, or (b) impacting the integrity of the Customer Personal Data in a manner that is not authorized or exceeds authorization.

1.4. "Processing" (and its derivatives) means the collection, access, retention, modification, use, disclosure and transfer of Personal Data.

Any capitalized terms not defined herein shall have the meaning ascribed to them in the Agreement.

2. Scope

This Addendum shall only apply where the Company Processes Customer Personal Data. It shall not apply to any other Processing of Personal Data by Company.

3. Order of Precedence

In the event of any conflict between the provisions of this Addendum and the provisions of the Agreement, the provisions of this Addendum shall prevail solely in relation to the Processing of Customer Personal Data.

4. Processing of Customer Personal Data

4.1. The Company shall Process the Customer Personal Data solely for the purpose of providing its Service in accordance with the Agreement and this Addendum. For the avoidance of doubt, the foregoing shall not limit or restrict Company's right to process aggregated and/or de-identified data as set out in Section 5.3 of the Agreement.

4.2. The Company undertakes to manage access rights to Customer Personal Data, including by way of providing its employees with 'Least Privileges' based on their 'Need to Know', for the purpose of carrying out their tasks, and shall take measures in order to prevent access by unauthorized individuals to Customer Personal Data. The Company shall remain liable to the Customer for any action or omission by anyone Processing Customer Personal Data on Company's behalf.

5. Disclosure and Transfer of Customer Personal Data

The Company shall not disclose Customer Personal Data in the scope of its Processing activities to any entity, unless the Customer has provided its prior written consent, other than:

  • As necessary for the provision of the Service.
  • Where such disclosure is required by applicable law or during legal proceedings, in which case the Company shall notify the Customer thereof in writing prior to fulfilling the disclosure request (unless prohibited by law from doing so), and will cooperate and disclose the minimum Personal Data necessary to comply with applicable law or legal proceedings.
  • The Customer authorizes the Company to engage third party sub-processors and service providers in Processing Customer Personal Data within the scope of the Agreement and this Addendum. The Company will contractually bind sub-processors to Process the Customer Personal Data in a manner consistent with the Company's obligations under this Addendum and any applicable law, by way of engaging in a written contract providing sufficient guarantees thereof. The Company shall be liable to the Customer for sub-processors' compliance with their obligations.
  • The Company shall comply with applicable law with respect to any cross-border disclosure or transfer of Customer Personal Data under this Addendum. The Company shall provide the Customer with thirty (30) days' prior written notice of any intended transfer of Customer Personal Data to any jurisdiction outside Israel or the European Economic Area (EEA). If the Customer does not object to the transfer within thirty (30) days, the Company shall transfer the Customer Personal Data and update the Customer of its compliance with applicable law in relation to the transfer.

6. Storage, Deletion and Return of Personal Data

6.1. The Company shall implement market-standard information security measures to ensure the integrity, availability, confidentiality, and reliability of the Customer Personal Data. In this regard, the Company shall implement measures to protect the Customer Personal Data from unauthorized access throughout its retention in the Company's systems and during its transfer between the parties or between the Company and third parties.

6.2. If the Company stores Customer Personal Data in its systems –

  • The Company shall maintain logical separation between the systems used to access Customer Personal Data ("Systems") and other computer systems used by the Company that are not directly related to the Processing of Customer Personal Data. If the Systems are connected to the Internet or another public network, the Company shall implement appropriate means of protection, such as firewall and anti-virus tools.
  • The Company shall retain the Customer Personal Data only as strictly necessary to provide the Service to Customer, or as mandatory under applicable law.
  • The Company shall regularly update the Systems, including the software installed in the Systems, with information security updates. When operating the Systems, Company shall not use software and/or hardware components that are no longer supported by the manufacturer for security updates.
  • The Company shall document any activities undertaken in the Systems, including access attempts, deletion or modification of Customer Personal Data, and changes to access permissions.

6.3. Upon Customer's written request (provided no subsequent Processing is required), or when the Agreement is terminated or expires, the Company shall, at the instruction of the Customer, delete or destroy any Customer Personal Data in its possession. Notwithstanding the foregoing, Company may retain statistical or aggregated and/or anonymized data derived from Customer Personal Data, and use it for Company's business purposes.

7. Data Subjects' Rights

7.1. The Company shall reasonably assist Customer, at its request, in handling data subjects' requests to exercise their rights under applicable law (each, a "Data Subject Request"). The Company shall pass on to the Customer any Data Subject Request it receives, along with any relevant details.

7.2. The Company shall, at the request of the Customer in writing, rectify or delete Customer Personal Data stored in Company's Systems (if relevant).

8. Personal Data Breach

8.1. The Company shall, without undue delay, notify the Customer of any Personal Data Breach that it becomes aware of. Such notice shall include details of the nature of the Personal Data Breach, the category and approximate number of affected individuals, the anticipated consequences and proposed remedies for mitigating the possible adverse effects of the Personal Data Breach.

8.2. Following investigation of the Personal Data Breach, the parties shall discuss in good faith and reach an agreement regarding the measures reasonably required to repair the Personal Data Breach and the schedule for their implementation. The Company shall promptly implement such required measures.

8.3. The Company shall reasonably assist Customer (upon request) in issuing required statements or notices to authorities and data subjects.

9. Audit, Documentation and Monitoring

The Company shall allow the Customer to audit the Company's compliance with its obligations hereunder, no more than once per year and subject to (i) at least twenty-one (21) days' prior notice; and (ii) confidentiality undertaking by the auditor.

10. Liability

The Company's liability in connection with a breach of this Addendum or applicable law shall be as set forth in the Agreement.

11. Termination

All provisions of this Addendum that are required by applicable law shall remain in effect following the expiration or termination of the Agreement, for as long as the Company retains Customer Personal Data in its possession.

12. Disputes

Any dispute that the parties are unable to amicably resolve under this Addendum shall be subject to the sole and exclusive jurisdiction and venue specified in the Agreement.

Part 2 — GDPR

1. Capitalized terms used in this Part 2 but not defined under this Addendum shall have the meaning ascribed to them in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) applicable as of 25 May 2018 and any national law supplementing the GDPR, and the UK Data Protection Act 2018 under the European Union (Withdrawal) Act 2018 as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419); these shall collectively be referred to in this Part 2 as "Data Protection Law".

2. Customer, as the data Controller, commissions, authorizes and requests that Company Process the Customer Personal Data, as a Data Processor on Customer's behalf. Company and Customer are each responsible for complying with the Data Protection Law as applicable to their roles.

3. Company shall Process the Personal Data only in accordance with this Addendum or as otherwise instructed by Customer in writing (which instructions must be consistent with the nature and characteristics of the Service). The foregoing applies unless Company is otherwise required by law to which it is subject (and in such a case, Company shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Company shall immediately inform Customer if, in Company's opinion, an instruction is in violation of Data Protection Law.

4. The nature and purpose of the Processing activities is the provision of the Service to the Customer. The Customer Personal Data Processed includes the Personal Data of Recipients, provided by Customer and/or its Authorized Users or collected through communications with Recipients. The Recipients are the data subjects about whom Personal Data is Processed. Their identity is determined by the Customer.

5. Company shall make available to Customer, upon request, any other information at its disposal that is necessary to demonstrate compliance with the obligations under Data Protection Law.

6. Where applicable considering the nature of the Personal Data Processed by Company, Company will follow Customer's instructions to accommodate Data Subjects' requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it, within the boundaries of the Service's capabilities and features. If such instructions entail costs or expenses to Company, the parties shall first come to agreement on Customer reimbursing Company for such costs and expenses. Company will pass on to Customer requests that it receives from Data Subjects regarding their Personal Data Processed by Company. Any request from Data Subjects arising out of the processing of Personal Data by Company, including but not limited to rectification, erasure, and blocking of Personal Data, portability requests and objection, has to be asserted to Customer. Customer is solely liable for responding to Data Subjects on such requests.

7. Customer authorizes Company to engage other sub-processors for carrying out specific processing activities, provided that Company informs Customer at least ten (10) business days in advance of any new or substitute sub-processor, in which case Customer shall have the right to object, on reasoned grounds, to that new or replaced sub-processor. If Customer so objects, Company may not engage that new or substitute sub-processor for the purpose of Processing Personal Data, and Company may either select another sub-processor in which case the above procedure shall repeat, or if it so chooses, terminate the Agreement with no liability to Customer for such premature termination. At the outset, Customer authorizes Company to engage with the following sub-processors:

| Name | Subject matter and nature of Processing Activities | Duration of transfer |
| --- | --- | --- |

8. Without limiting the foregoing, in any event where Company engages another sub-processor, Company will ensure that the same data protection obligations as set out in this Addendum are likewise imposed on that other sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Company shall remain fully liable to Customer for the performance of sub-processors' obligations.

9. Company and its other sub-processors will only Process the Personal Data in member states of the European Economic Area, in territories or territorial sectors recognized by an adequacy decision of the European Commission (or as applicable, the UK ICO), as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR, or using other adequate safeguards as required under Data Protection Law.

10. The Company is incorporated under the laws of the State of Israel and operates its business from Israel. Israel has been recognized by the European Commission as providing an adequate level of protection for personal data pursuant to Article 45 of the GDPR. Customer acknowledges that the transfer of Customer Personal Data to Company is made on the basis of such adequacy decision, and no additional transfer mechanism is required.

11. Company will ensure that its staff authorized to Process the Personal Data are contractually bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

12. Within twenty-one (21) days of Customer's written request, Company shall allow for and contribute to audits, including carrying out inspections conducted by Customer or another auditor mandated by Customer in order to establish Company's compliance with this Addendum and the provisions of the applicable Data Protection Law as regards the Personal Data that Company processes on behalf of Customer. Such audits or inspections shall be carried out during Company's ordinary business hours, not more than one business day per year (unless Data Protection Law or a supervisory authority mandate more frequent audits or inspections), shall be conducted with minimal disruption to Company's business activities, and be subject to confidentiality undertakings satisfactory to Company.

13. Company will assist Customer, upon request, with the preparation of data privacy impact assessments and prior consultation as appropriate.