Data Processing Addendum

Introduction

This GDPR Data Processing Addendum ("DPA") forms part of the master Terms of Service Agreement available at the Terms of Service ("Agreement"), entered into by and between You ("Customer") and So Technology Ltd ("ScoreApp"), in accordance with which Customer has accessed ScoreApp's Application Services as outlined in the applicable Agreement. The main goal of this DPA is to demonstrate agreement between the two parties in terms of the processing of Personal Data in compliance with the requirements of Data Protection Legislation as provided below.

This DPA is an amendment to the Agreement and is effective through its incorporation into the Agreement, which is specified in the Agreement. Once this DPA is incorporated into the Agreement, it will form a part of the Agreement.

1. Definitions

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

"Processing" means any activity or a set of activities which is performed on Personal Data, which includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.

"Data Protection Law" means any data protection or data privacy law or regulation applicable to all individuals within the European Union (EU) and the European Economic Area (EEA).

"GDPR" means the General Data Protection Regulation (GDPR) (EU) 2016/679 on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).

"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

"Personal Data" means any data which relates to an identified or identifiable natural person ("Data Subject").

"Personal Data Breach" means a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

"Sub-processor" means any person (including any third party, but excluding ScoreApp employees) appointed by or on behalf of ScoreApp to process data in connection with the Agreement.

2. Applicability

This Data Processing Addendum only applies to you if you or your End Users are data subjects located within the EEA or Switzerland and only applies in respect of Your Controlled Data. You agree that ScoreApp is not responsible for personal data that you have elected to process through Third Party Services or outside of the Services, including the systems of any other third-party cloud services, offline or on-premises storage.

3. Data Processing

3.1 Subject Matter. The subject matter of the data processing under this Data Processing Addendum is Your Controlled Data.

3.2 Duration. As between you and ScoreApp, the duration of the data processing under this Data Processing Addendum is determined by you.

3.3 Purpose. The purpose of the data processing under this Data Processing Addendum is the provision of the Services initiated by you from time to time.

3.4 Nature of the Processing. The Services as described in the Agreement and initiated by you from time to time.

3.5 Type of Personal Data. Your Controlled Data relating to you, your End Users or other individuals whose personal data is included in Content which is processed as part of the Services in accordance with instructions given through your Account.

3.6 Categories of Data Subjects. You, Your End Users and any other individuals whose personal data is included in Content.

4. Processing Roles and Activities

4.1 ScoreApp as Processor and You as Controller - You are the controller and ScoreApp is the processor of Your Controlled Data.

4.2 ScoreApp as Controller - ScoreApp may also be an independent controller for some personal data relating to you or your End Users. Please see our Privacy Policy and Terms of Service for details about this personal data which we control. We decide how to use and process that personal data independently and use it for our own purposes. When we process personal data as a controller, you acknowledge and confirm that the Agreement does not create a joint-controller relationship between you and us. If we provide you with personal data controlled by us, such as in any access to data regarding your End Users’ interactions with Your Scorecard, you receive that as an independent data controller and are responsible for compliance with EU Data Protection Law in that regard.

4.3 Description of Processing Activities - We will process Your Controlled Data for the purpose of providing you with the Services, as may be used, configured or modified from within your Account (the “Purpose”). For example, depending on how you use the Services, we may process Your Controlled Data in order to enable certain features on Your Scorecard, for example reporting features, or to email your End Users on your behalf.

4.4 Compliance with Laws - You will ensure that your instructions comply with all laws, regulations and rules applicable in relation to Your Controlled Data and that Your Controlled Data is collected lawfully by you or on your behalf and provided to us by you in accordance with such laws, rules and regulations. You will also ensure that the processing of Your Controlled Data in accordance with your instructions will not cause or result in us or you breaching any laws, rules or regulations (including EU Data Protection Law). You are responsible for reviewing the information available from us relating to data security pursuant to the Agreement and making an independent determination as to whether the Services meet your requirements and legal obligations as well as your obligations under this Data Processing Addendum. ScoreApp will not access or use Your Controlled Data except as provided in the Agreement, as necessary to maintain or provide the Services or as necessary to comply with the law or binding order of a governmental, law enforcement or regulatory body.

5. Our Processing Responsibilities

5.1 Security - ScoreApp as a Processor shall take the appropriate technical and organisational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

5.2 Confidentiality - ScoreApp as a Processor shall ensure that any staff whom we authorise to process Personal Data on ScoreApp's behalf is subject to confidentiality obligations with respect to that Personal Data. The undertaking to confidentiality shall continue after the termination of the above-entitled activities. ScoreApp ensures that its staff who access Personal Data are subject to confidentiality obligations that restrict their ability to disclose Customer Personal Data.

5.3 Personal Data Breaches - ScoreApp as a Processor is obliged to notify ScoreApp Application Customers about a Personal Data Breach not later than 72 hours after having become aware of it, unless ScoreApp can prove that the breach is not likely to result in a risk to the rights and freedoms of natural persons.

5.4 Data Subject Requests - ScoreApp as a Processor shall respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion or portability of Personal Data), to the extent permitted by the law.

5.5 Sub-processors - ScoreApp as a Processor may hire other companies to provide limited services on its behalf. Any such sub-processors will be permitted to process Personal Data only to deliver the services ScoreApp has retained them to provide, and they shall be prohibited from using Personal Data for any other purpose. ScoreApp remains responsible for its sub-processors’ compliance with the obligations of this DPA. Any subcontractors to whom ScoreApp transfers Personal Data will have entered into written agreements with ScoreApp requiring that they abide by terms substantially similar to this DPA.

5.6 Data Transfers - ScoreApp customers acknowledge and agree that, in connection with the performance of the services under the Agreement, Personal Data may be transferred outside of the European Union (EU) and the European Economic Area (EEA). While transferring the data, ScoreApp takes the necessary measures to safeguard the activity in general, and the data subjects in particular to ensure an appropriate level of protection for their fundamental rights. This Privacy Policy shall apply even if Personal Information is transferred or accessed from other countries.

5.7 Deletion or Retrieval of Personal Data - Upon termination or expiration of the Agreement or upon Customer’s request, ScoreApp will delete or return to Customer all individual- and account-related Personal Data that is in its possession or control (including any Data subcontracted to a third party for processing). This requirement will not apply to the extent that ScoreApp is required by any EU (or any EU Member State) law to retain some or all of the Data, in which event ScoreApp will isolate and protect the Data from any further processing except to the extent required by such law.

6. Liability

The liability of each party under this Data Processing Addendum is subject to the exclusions and limitations of liability set out in the Agreement. You agree that any regulatory penalties or claims by data subjects or others incurred by ScoreApp in relation to Your Controlled Data that arise as a result of, or in connection with, your failure to comply with your obligations under this Data Processing Addendum or EU Data Protection Law shall reduce ScoreApp's maximum aggregate liability to you under the Agreement in the same amount as the fine and/or liability incurred by us as a result.

7. Conflict

In the event of a conflict between this Data Processing Addendum and the Terms of Service, this Data Processing Addendum will control.

8. Miscellaneous

You are responsible for any costs and expenses arising from ScoreApp's compliance with your instructions or requests pursuant to the Agreement (including this Data Processing Addendum) which fall outside the standard functionality made available by ScoreApp generally through the Services.