Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between the User and the Service Provider, namely the TERMS & CONDITIONS, which govern the provision of the Services to the User, as such terms may be updated by the Service Provider from time to time.
This DPA forms a contract regulating the relationship between You (the User), as the data controller, and Us (the "Service Provider"), as the data processor, as those roles are defined in the General Data Protection Regulation (EU Regulation 2016/679) ("GDPR").
Except for the changes made by this DPA, the TERMS & CONDITIONS and the Privacy Policy remain unchanged and in full force and effect. If there is any conflict between this DPA and the TERMS & CONDITIONS or the Privacy Policy, this DPA shall prevail to the extent of that conflict.
Your personal and business details are carried over automatically into this DPA from Your User's Account upon Your acceptance of the Privacy Policy and the TERMS & CONDITIONS with this DPA annexed to them. Your details will always be displayed as submitted by You to Us and treated by Us as "current" unless You provide Us with amended details.
This DPA is concluded by and between:
(the "User" or the Data Controller), and
PNL Fintech BV (operating under the trade name "FINOM"), Jachthavenweg 109H, 1081 KM Amsterdam, the Netherlands (the "Service Provider" or "Data Processor"),
each is referred to as the "party" and collectively as "the parties".
The parties hereto agree as follows:
Subject matter
The parties seek to implement this DPA to comply with the requirements of the current legal framework in relation to personal data processing and GDPR.
The parties, therefore, AGREE to the terms of this "DPA" to regulate their relations as a data controller and a data processor of personal data in accordance with the GDPR.
Nature and purpose of processing
The Service Provider provides the Services defined in the TERMS & CONDITIONS as agreed by the User. When the User is acting as a company/entrepreneur/employer/adviser, it may process personal data of the data subjects who are the User's clients, employees, associates, representatives or advisers (the "User's relations") by uploading, amending, sharing or deleting it on the Service Provider's Platform. The provision of the Services may require the Service Provider to process personal data of the User's relations. Therefore, the User will act as a data controller within the meaning of the GDPR. The Service Provider will then act as a data processor, processing data on the User's behalf.
The purpose of personal data processing is for the provision and receiving of the Services in accordance with the TERMS & CONDITIONS.
The Data Controller, therefore, hereby instructs the Data Processor to process all the personal data as stated in this DPA, in accordance with the GDPR and applicable legislation.
Duration of Processing
Processing continues until the termination of this DPA in accordance with its terms, unless a longer period is required for the parties to comply with their obligations under GDPR and relevant applicable legislation.
Type of personal data and categories of data subjects
"Personal data" (referred to in this DPA as data or "personal data") and processing (referred to in this DPA as "processing") have the meanings defined in the GDPR. No "sensitive personal data", as defined in the GDPR, is deemed to be processed.
- Categories of personal data which may be processed:
  - Name
  - Address
  - Telephone number(s)
  - Email address(es)
  - Address(es)
  - Any account numbers and/or bank details
  - Other personal data strictly necessary for the provision of the Services under the TERMS & CONDITIONS.
- Categories of data subjects whose personal data may be processed:
  - The Data Controller's clients/employees/associates, representatives/advisers
  - The Data Controller's Contacts (telephone/email/addresses/etc.)
  - The Data Controller's Users
  - The Data Controller's Banking information
  - Their User's Employees
  - Their User's Contacts (telephone/email/addresses/etc.)
  - Their User's Users
  - Their User's Users' Banking information.
Responsibilities
The Data Processor:
- will, and shall also cause all its sub-processors to, handle all personal data on behalf of the Data Controller as instructed by the Data Controller hereto:
  - as described in this DPA;
  - in accordance with GDPR;
  - as may be further explicitly instructed by the Data Controller;
- will act in accordance with GDPR, will undertake all the required measures and will meet all its obligations as stated in the GDPR and applicable laws;
- shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of data processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement in relation to the personal data appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR;
- shall notify the Data Controller without undue delay if it becomes aware of any security breach;
- will assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligation to respond to requests for exercising the data subject's rights laid down in GDPR Chapter III. The Data Controller will be responsible for all the costs associated with such requests;
- shall, as far as possible and lawful, inform the Data Controller upon receipt of data subjects' requests pertaining to the exercise of their rights under GDPR. The Data Processor will respond to such requests once authorised by the Data Controller to do so. The Data Processor will not disclose information unless it is required by law to do so;
- shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to personal data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant personal data, as strictly necessary for the purposes defined in GDPR and this DPA and to comply with applicable laws, and ensuring that all such individuals or companies are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
The Data Controller:
- will act in accordance with GDPR, will undertake all the required measures and will meet all its obligations as stated in GDPR and applicable laws;
- confirms that it is entitled to a lawful access to all the personal data which is being processed in accordance with this DPA and that it will maintain the lawful access in accordance with GDPR, the TERMS & CONDITIONS, the Privacy Policy and all the applicable laws;
- is responsible at all times for the accuracy, integrity, content and reliability of personal data processed under this DPA;
- must have an accurate list of the categories of personal data delivered to the Data Controller and processed under this DPA;
- must notify the Data Processor if personal data processing differs from the categories listed in the DPA and the Privacy Policy;
- must respond to any request of a data subject to exercise its right(s) under GDPR;
- must implement appropriate technical and organisational measures to ensure an appropriate level of data security;
- must notify the Data Processor if it receives requests/questions/complaints from data subjects with respect to personal data processed by the Data Processor;
- will always fulfil all mandatory requirements in relation to notification to, or obtaining permission from, the relevant public authorities regarding the processing of personal data;
- will always fulfil its disclosure obligations to the relevant authorities regarding processing of personal data in accordance with GDPR and applicable data protection legislation;
- will obtain and maintain explicit consent to the processing of its own personal data and the personal data of the User's relations whose personal data is processed for the provision and receiving of the Services under the TERMS & CONDITIONS. The Data Controller can revoke this consent at any time, in which case the provision of the Services under the TERMS & CONDITIONS to the User and its representatives will automatically cease with immediate effect.
Audits
Subject to the terms described in this section, the Data Processor shall make available to the Data Controller on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Data Controller or an auditor chosen as stated in this section.
Information and audit rights of the Data Controller only arise under this section to the extent that the DPA does not otherwise provide the Data Controller information and audit rights under the relevant requirements of GDPR.
The Data Controller is entitled to regularly initiate a review of the processing of personal data by the Data Processor. The parties share the view that, in the regular course of business, an annual audit by the Data Controller should suffice. A detailed audit plan must be provided by the Data Controller, detailing the scope, duration and start date, at least four weeks prior to the proposed start date. The parties decide together whether a third party should conduct the audit. However, the Data Controller may allow the Data Processor to have the security review performed by a neutral third party of the Data Processor's choice, since it is a processing environment with multiple data controllers.
If the proposed scope of the audit follows an ISAE, ISO or similar certification report conducted by a qualified third-party auditor, and the Data Processor confirms that there have been no material changes in the measures under review in the twelve months preceding such audit, this should suffice.
Audits may not unreasonably interfere with the Data Processor's regular business. The Data Controller is responsible for all the costs associated with the audits.
Use of Subprocessors and Data Transfers
Use of Subprocessors: In order to provide the Services to the User/Data Controller, the Data Processor may use subprocessors ("subprocessors"). The subprocessors engaged by the Data Processor are located within and outside the EU/EEA and are listed in the relevant sections describing each processing activity in the Privacy Policy, as may be amended from time to time. The names of private individuals acting as subprocessors (contractors, employees, freelancers of the Data Processor) are not displayed in the Privacy Policy for the protection of their privacy, but can be provided upon legitimate request of the Data Controller or authorities. The Data Controller agrees that the Data Processor may engage all the aforementioned subprocessors to process personal data on the Data Processor's and/or Data Controller's behalf on the terms stated in this DPA and in compliance with GDPR.
The Data Processor shall: (i) enter into written agreements with all subprocessors (current and new) imposing data protection terms that require the subprocessors to protect the private data to the standard required by GDPR; (ii) on an ongoing basis, monitor and control its subprocessors' compliance with the GDPR, documentation or evidence of which can be provided to the Data Controller upon its written request unless otherwise provided in law; and (iii) remain responsible for any acts or omissions of the subprocessors that cause the parties to breach their obligations under this DPA.
Data Transfers:
In the usual course of business, the Data Processor will not transfer data, which was transferred from the Data Controller to the Data Processor for processing purposes, to countries outside the European Economic Area ("EEA") or those approved for the purposes of Applicable Law by the EU Commission ("Commission Approved Territories").
In some cases, personal data will be saved on storage solutions that have servers outside the European Economic Area (EEA) or Commission Approved Territories (for example, Dropbox or Google). Only storage solutions that provide secure services with adequate relevant safeguards will be used by the Data Processor.
If the Data Processor is required to transfer personal data received from the Data Controller outside of the EEA or Commission Approved Territories, it will inform the Data Controller to give it an option to object to such transfer. If such transfer is not objectionable to the Data Controller, the Data Processor must ensure that it has adequate Third Country Transfer of Data agreements in place with such subprocessors. Such an agreement must be made available for review by the Data Controller if requested.
At the date of entering into the DPA, the Data Controller acknowledges that it has been informed that the following data processing activities, carried out by subprocessors of the Data Processor, will take place outside of the EEA. Such processing activities, which are hereby specifically authorised by the Data Controller, will take place in the countries listed below and in strict compliance with the legal bases for data transfer set forth in GDPR for each processing activity.
| Country | Data processing activity | Legal basis for transfer |
|---|---|---|
| United States of America: limited to the Privacy Shield framework; the subprocessors are listed in the Privacy Policy | As defined in this DPA and when strictly necessary for the provision of Services under the TERMS & CONDITIONS | Article 45 of GDPR, "Transfers on the basis of an adequacy decision" |
| Russian Federation: the subprocessor companies are listed in the Privacy Policy. The names of private individuals acting as subprocessors (contractors, employees, freelancers of the Data Processor) are not displayed in the Privacy Policy for the protection of their privacy, but can be provided upon legitimate request of the Data Controller or authorities. | As defined in this DPA and when strictly necessary for the provision of Services under the TERMS & CONDITIONS | Article 46 of GDPR, "Transfers subject to appropriate safeguards", paragraph 2, points (c) or (d): Standard Contractual Clauses (Model Clauses 2010/87/EU) |
For the avoidance of doubt, it is stressed that the Data Controller issues a clear mandate to the Data Processor to enter, in the name and on behalf of the Data Controller, into the Standard Contractual Clauses (Model Clauses 2010/87/EU, which can be found at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087), whereby the Processor will be the data exporter and each subprocessor will be the data importer. The Data Controller has reviewed and agrees to the content of Appendices 1 and 2 of the Standard Contractual Clauses (Model Clauses 2010/87/EU) attached hereto.
The Data Processor may amend from time to time the list of subprocessors in the relevant sections of the Privacy Policy, which will be duly communicated to the Data Controller. The names of private individuals acting as subprocessors (contractors, employees, freelancers of the Data Processor) shall continue to be omitted from the Privacy Policy for the protection of their privacy, but can be provided upon legitimate request of the Data Controller or authorities.
If the Data Controller wishes to object to the use of any subprocessor, the Data Controller shall immediately provide written notice to the Data Processor. Absence of any objection from the Data Controller shall be deemed full consent to the use of subprocessors as stated in this DPA. In the event that the Data Controller objects to the use of any subprocessor and the Data Processor cannot accommodate the Data Controller's objection, the Service Provider will offer to terminate the provision of the Services to the User.
Duration and Termination
This DPA remains in effect as long as the Data Processor processes personal data for the purposes stipulated in this DPA.
Upon termination of the Services, the User/Data Controller may initiate a procedure for deletion of the personal data stored with the Data Processor, or request its return where technically possible/feasible, unless otherwise provided by applicable legal requirements; in that case the private data will be held in accordance with the technical and organisational safeguards of the Data Processor/Service Provider.
The Data Controller is able to retrieve all its eligible personal data on the Service Provider's platform/application. If the Data Controller requests additional assistance with the data retrieval, the associated costs shall be determined based on the complexity of the process and the time required to fulfil it in the chosen format.
Changes to the DPA
The parties agree that the Service Provider is entitled at all times to change the terms of this DPA with due observance of the Data Controller's legitimate interests. The Service Provider will notify the User of the changes in due time, as stated and agreed by the User/Data Controller in the TERMS & CONDITIONS. In case of disagreement with the changes, the User/Data Controller is free to terminate the Services and this DPA at any time via the User's account, or by communicating to the Service Provider's email address at hello@finom.co (or another email address announced on the Service Provider's web site).
Final provisions
Liabilities for breaches of this DPA are governed by GDPR, the TERMS & CONDITIONS and applicable law.
This DPA shall be governed by and construed in accordance with the laws of the Netherlands, and the Courts of the Netherlands shall have exclusive jurisdiction to determine any dispute concerning this DPA and/or its subject matter.
Should any provisions of this DPA be or become ineffective, this shall not affect the validity of the remaining provisions.
Appendices 1 and 2
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer):
- providing personal data to the data importer necessary for the provision of products and services to the data exporter and its users.
Data importer
The data importer is (please specify briefly activities relevant to the transfer):
- processing personal data of the data exporter in accordance with the instructions of the data exporter in order to deliver products and services to the data exporter and its users.
Data subjects
The personal data transferred concern the following categories of data subjects (please specify):
- customers
- potential customers
- internet users
- employees, associates, staff members
- internal consultants
Categories of data
The personal data transferred concern the following categories of data (please specify):
- personally identifiable information (e.g. name, surname, email, telephone number)
- statistical or other usage data observed on the internet (e.g. via analytics, services etc.)
- customer history
- billing, invoicing and payment data
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
- N/A
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify):
- Provision of the Services: end-to-end analytics of a project, which includes analysis of advertising effectiveness, web analytics, CRM and scaling.
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Organizational and Security measures
Data Importer hereby declares that:
- Data Importer has internal personal data processing policies in place. Every employee of Data Importer is obliged to familiarize themselves with the policies before accessing personal data.
- Every employee of Data Importer is obliged to sign an NDA before commencing their work at Data Importer.
- The policies are reviewed annually to keep them up-to-date in accordance with the industry standards. The review is based upon testing, assessing, and evaluating the effectiveness of the covered measures for ensuring the security of the processing of personal data.
- Depending on the harm caused, violation of the policies by an employee may cause penalties varying from written notice to dismissal.
- Security breaches are reported to the company’s senior management.
- To achieve compliance with up-to-date security standards, Data Importer runs security audits for business-critical applications.
- Data Importer maintains a personal data processing policy and ensures reasonable awareness of it within the company.
- Data Importer ensures the compliance of Subprocessors and data processing partners with applicable data protection regulations.
- Data Importer ensures reasonable awareness of the applicable data protection regulations within the company.
Data access
Physical access to production environment
- Employed hosting providers utilize secure premises for storage and encrypted physical communications channels compliant with recent security standards.
Availability
- Data Importer uses scalable applications for business-critical functionality to provide full availability of its products and services to its users.
- Data Importer employs third-party hosting providers’ stable infrastructure to improve the availability of its products and services.
- Employed service providers provide Data Importer with the functionality of restoring from backups for business-critical processes and restoring the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
System access
- Access to production systems is limited to authorized employees who require the access to perform their duties.
- Accounts used for access to production systems are terminated when an employee leaves Data Importer.
Permissions management
- Access to data or systems is provided on a "need-to-know" basis.
- Personal data is pseudonymized where it could noticeably improve data security.
- Employees involved in development do not have access to production infrastructure unless it is required for the support or provision of services.
- Data Importer keeps track of (logs) any important data processing activities, e.g. copying, amendment, deletion, etc., in order to enable Data Importer and Customer to demonstrate due protection of any personal data processed and compliance with data protection regulations in general.
Data security
- Data Importer makes commercially reasonable efforts to protect processed personal data from unauthorized access and to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- Data storage is encrypted where encryption noticeably improves data security. The transfer of data outside Data Importer's premises, or premises that Data Importer maintains, is secured with certificates and current TLS versions, in order to prevent any unauthorised party from capturing and reading the personal data being transferred.
Incident management
To respect the privacy of its users and protect the business from risks posed by security incidents, Data Importer:
- Maintains breach response and breach notification policies.
- Maintains a data breach registry.
Applies commercially reasonable efforts to:
- Maintain awareness of the current regulations within the company.
- Audit activities related to personal data.
- Notify the controller (and, if the controller so wishes, the corresponding authority or data subjects, the latter subject to the limitations of Art. 34 paragraph 3 of the GDPR) of an incident without undue delay and in accordance with the GDPR.