1. Definitions

For the purposes of this Addendum, capitalized terms shall have the meaning given to them in this Clause or in the body of this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement or the Terms.

"Affiliate" means, with respect to an entity, any other entity directly or indirectly controlling, controlled by, or under common control by a party. A party controls another entity if such entity, directly or indirectly, either owns (i) 20% or more of the shares having ordinary voting rights for the election of directors of such entity; or (ii) the power to direct or cause the direction of management or policies of the other entity, whether through the ownership of voting securities, by contract, or otherwise;

"Authorised User" means a person authorised by the Merchant to have access to the Account and to provide instructions to and receive communication from Bizzon, notwithstanding whether via the Account, e-mail, or otherwise;

"Controller" means a person or entity that determines the purposes and means of the Processing of Personal Data;

"Data Protection Legislation" means EU Data Protection Laws, UK Data Protection Laws, CCPA, and any other applicable data privacy legislation of the country of registration of Bizzon;

"Data Subject" means the identified or identifiable person to whom Personal Data relates;

"EU Data Protection Laws" mean GDPR and the EU e-Privacy Directive (Directive 2002/58/EC);

"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

"Personnel" means those employees, agents, consultants, subcontractors, and other third parties who are engaged by Bizzon so that it may fulfil its obligations to Merchant under the Agreement or Addendum;

"Personal Data" means any information relating to (i) an identified or identifiable natural person; or (ii) an identified or identifiable legal entity (where such information is protected by Data Protection Legislation similarly to data which identifies a living individual) processed under this Addendum;

"Processing" means any operation or set of operations which is performed upon Personal Data, whether by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;

"Processor" or "Sub-processor" means a person or entity that Processes Personal Data on behalf of a Controller or a Processor, as applicable;

"Standard Contractual Clauses" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021;

"Supervisory Authority" means an independent public authority which is established by an EU Member State or other country pursuant to GDPR or a corresponding law;

"UK Data Protection Laws" mean all laws relating to data protection, the processing of personal data, privacy and electronic communications effective in England and Wales, including the UK GDPR and the Data Protection Act 2018; and

"UK GDPR" means GDPR as saved into law of England and Wales by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018.

2. Bizzon's processing

2.1. Processing of personal data. Bizzon and the Merchant acknowledge that the Merchant is the Controller or primary Processor with regard to the Personal Data. Bizzon shall Process Personal Data only as a Processor or Sub-processor (as applicable to Merchant’s use of the Services) on the Merchant's behalf and only to the extent and in such a manner as is necessary for the purposes specified by and in accordance with this Addendum, the Agreement or as otherwise instructed by the Merchant from time to time. Where Bizzon reasonably believes that the Merchant's instruction is contrary to: (i) applicable law and regulations or (ii) the provisions of the Agreement or the Addendum, Bizzon will undertake all reasonable endeavours to inform the Merchant and is authorized to defer the performance of the relevant instruction until it has been amended by the Merchant to the extent required by Bizzon to satisfy it that such instruction is lawful, or is mutually agreed by both the Merchant and Bizzon to be lawful.

2.2. Technical and organisational measures. Bizzon shall maintain and implement reasonable and appropriate technical and organizational measures aimed at protecting the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and in relation to the security of Personal Data and the platforms used to provide the Services as described in the Data Protection Legislation. In implementing such measures Bizzon shall be entitled to take into account the current standard practice in determining what is reasonable, as well as the proportionality of the cost of putting such measures in place when weighed against the potential harm to the relevant Data Subjects that the putting into place of those measures is designed to protect against. As of the date of this Addendum, Bizzon maintains and implements technical and organisational measures in Annex II of this Addendum.

2.3. Personnel. Bizzon shall ensure that its Personnel engaged in the Processing is informed about its obligation and responsibilities, has received appropriate training, and is informed about the confidential nature of the Personal Data. Bizzon shall ensure that Personnel’s access to Personal Data is limited to those performing Services in accordance with the Agreement, and the Personnel confidentiality obligations shall be substantially the same as set out in the Agreement and Addendum, and shall survive the termination of the Personnel engagement.

2.4. Notifications. Bizzon shall notify the Merchant as soon as commercially reasonable in writing:

  • 2.4.1. of any communication received from an individual relating to (i) an individual’s rights to access, modify, correct, delete or block her Personal Data; (ii) an individual’s right to rectify, restrict, or erase her Personal Data, to data portability, to object to the Processing and not to be subject to automated decision-making; and (iii) any complaint about Merchant’s Processing;
  • 2.4.2. of any subpoena or other judicial or administrative order or proceeding seeking access to, or disclosure of Personal Data;
  • 2.4.3. of any complaint, notice or other communication that relates to Merchant’s compliance with data protection and privacy law and the Processing of Personal Data; Bizzon shall provide the Merchant with commercially reasonable cooperation and assistance (at Merchant’s expense) in relation to such complaint, notice or communication; and
  • 2.4.4. of a material breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorized access to, the Personal Data of which we become aware, in accordance with applicable law (each a "Security Breach"); Bizzon shall make reasonable efforts to identify the cause of such Security Breach and take those steps as necessary and reasonable, and which are acceptable to Merchant, in order to remediate the cause of such Security Breach to the extent remediation is within Bizzon’s reasonable control.

The obligations herein shall not apply to incidents that are caused by the Merchant.

2.5. No acknowledgment. The Merchant agrees that Bizzon's obligation to notify a Security Breach is not and will not be construed as an acknowledgment by Bizzon of any fault or liability of Bizzon with respect to such Security Breach.

2.6. Data returns and deletion. Subject to limitations set out in applicable laws, Bizzon shall return to the Merchant all persistent Personal Data (if not already deleted in accordance with applicable law) following standardised procedures and within commercially reasonable deadlines.

2.7. Bizzon compliance. Bizzon shall comply with the Data Protection Legislation applicable to its own operations and provision of the Services and its obligations under this Addendum.

2.8. Data sharing. By enabling or accepting data sharing within the Account with any third party, the Merchant instructs Bizzon pursuant to Art. 28(3)(a) of GDPR to provide access to all Personal Data and any other data processed within Merchant’s Bizzon Account to such third party. The Merchant is responsible for obtaining all necessary consents of the Data Subjects or any other third parties with the data sharing as required by the applicable Data Protection Legislation. The Merchant will fully indemnify, defend, and hold Bizzon and its Affiliates harmless from and against any claims brought by a Data Subject or any third party, arising out of the violation of this clause, including for all liabilities, damages, losses, cost, and expenses.

2.9. Integrations. The Services offer several integrations. By connecting or subscribing to the respective integration via the Account, the Merchant instructs Bizzon pursuant to Art. 28(3)(a) of GDPR to provide access to the Personal Data processed within the Account to the respective integration Merchant as required for the interoperation of the integration services or product with the Services.

2.10. Audit. The Merchant shall have the right to conduct an audit to verify Bizzon's compliance with its obligations laid down in Art. 28 of GDPR and in this Addendum. Bizzon shall allow the Merchant to carry out the audit under the following conditions:

  • 2.10.1. the Merchant asks Bizzon to carry out the audit via a written notice specifying the agenda for such audit at least 30 (thirty) days in advance;
  • 2.10.2. the audit shall not take place more than once a year;
  • 2.10.3. all associated costs and expenses shall be borne by the Merchant and reimbursed to Bizzon on demand; and
  • 2.10.4. the audit shall last no longer than the equivalent of 1 working day (8 hours) of the Bizzon representative.

In case the Merchant requests the audit via an independent third party (an external licensed auditor), Bizzon may object to an external licensed auditor appointed by the Merchant to conduct the audit if the auditor is, in Bizzon’s reasonable opinion, not suitably qualified or independent, a competitor of Bizzon, or otherwise manifestly unsuitable. Any such objection will require Merchant to appoint another auditor. In case the Merchant requires more than one audit within one calendar year, the Merchant shall obtain prior written permission of Bizzon and shall bear the cost associated with such audits and reimburse Bizzon all reasonably incurred costs of such audits. On the request of the Merchant, Bizzon will provide the Merchant with the estimated cost that it expects to incur during such audit according to the extent specified in the agenda provided by the Merchant.

3. The merchant's processing

3.1. The merchant's processing. The Merchant shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Legislation. For the avoidance of doubt, Merchant warrants that its instructions for the Processing of Personal Data shall comply with Data Protection Legislation and that it shall not make any instruction or order which directs Bizzon to take any action or course of action which is unlawful or otherwise not in compliance with Data Protection Legislation. The Merchant shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Merchant acquired the Personal Data.

3.2. Merchant's compliance. In addition to the Merchant's obligations stated in the Agreement, the Merchant is responsible for (i) integrity, security, maintenance, and appropriate protection of the Personal Data, and (ii) ensuring its compliance with any applicable privacy, data protection, and security law and regulation relative to: (a) its Processing of the Personal Data; (b) its use of the Services; and (c) all registration or notification requirements to which the Merchant is subject under the applicable law.

3.3. Notifications. The Merchant agrees to make any required notifications to, and obtain required consents and rights from, individuals in relation to Bizzon's provision of the Services to the Merchant. Where Bizzon receives a communication described in Clauses 2.4.1 or 2.4.3 above and notifies Merchant of such communication, it is the Merchant's responsibility to respond to and take all other appropriate action with regard to the communication. The Merchant agrees to immediately notify Bizzon of any unauthorized use of the Services or the Account or of any other breach of security involving the Services.

3.4. Technical and organisational measures. The Merchant is solely responsible for implementing and maintaining security measures and other technical and organizational measures appropriate to the nature and volume of the Personal Data that the Merchant stores or otherwise Processes using the Services. The Merchant is also responsible for the use of the Services by any of its employees, any person the Merchant authorizes to access or use the Services, and any person who gains access to the Personal Data or the Services as a result of its failure to use reasonable security precautions, even if such use was not authorized by the Merchant.

4. Cooperation

4.1. Merchant and Bizzon cooperation. The Merchant and Bizzon agree to cooperate in a commercially reasonable fashion as reasonably required to protect the Personal Data under applicable laws, Articles 35 and 36 of GDPR to carry out a data protection impact assessment related to the Merchant's use of the Services, to the extent the Merchant does not otherwise have access to the relevant information, and to the extent such information is available to Bizzon. The Merchant must cooperate with Bizzon's reasonable investigation of the Services outages, security problems, and any suspected Security Breach. The Merchant shall provide reasonable assistance to Bizzon in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks related to this Clause, to the extent required under applicable law.

4.2. Assistance by Bizzon. During the term of the Agreement, the Merchant may request that Bizzon assists the Merchant's efforts to comply with the Merchant's obligations under applicable laws provided (i) such requested assistance is relevant to the Services that support the Processing of Personal Data, (ii) such requested assistance is commercially reasonable and proportionate to the objective of the exercise with which Bizzon is requested to assist, and (iii) all of Bizzon's associated costs and expenses (including the cost of its staff's time) shall be borne by the Merchant and reimbursed to Bizzon on demand.

5. Sub-processing

5.1. Sub-processors. In relation to third parties or sub-contracting the Processing, Bizzon may only authorise a third party (Sub-processor) to Process the Personal Data with the prior consent of the Merchant and provided that provisions relating to data processing and data protection in the Sub-processor's contract with respect to the Personal Data are on terms which are substantially the same as those set out in this Addendum provided that the sub-processor's contract with respect to the Personal Data terminates automatically on termination of the Agreement for any reason. For the purpose hereof the following sub-processors are approved by the Merchant by signing this Addendum: (i) Sub-processors listed in Annex III hereof; (ii) Bizzon's Affiliates; and (iii) any Sub-processor authorised by the Merchant via its Authorised User by authorizing an integration with the Services through the Account or otherwise. Bizzon may during the term of the agreement involve new Sub-processors, provided that such Sub-processors only access and use the Personal Data to the extent required to perform obligations subcontracted to it.

5.2. Objections. The Merchant may reasonably object to Bizzon's use of a new Sub-processor by notifying Bizzon promptly in writing within ten (10) business days after receipt of Bizzon's notice. In the event the Merchant objects to a new Sub-processor, Bizzon will use reasonable efforts to (i) add additional safeguards (covering the specified concerns); (ii) change the Sub-processor (vis a vis the Sub-processor); or (iii) make available to Merchant a change in the Services or recommend a commercially reasonable change to Merchant's configuration or use of the Services to avoid Processing by the objected-to Sub-processor without unreasonably burdening the Merchant. If Bizzon is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, the Merchant may terminate only those parts of the Services which cannot be provided by Bizzon without the use of the objected-to Sub-processor by providing written notice to Bizzon. Bizzon will refund the Merchant any prepaid fees covering the remainder of the term of Agreement following the effective date of termination with respect to such terminated part of the Services, which shall represent the sole and exclusive remedy of the Merchant in connection with introduction of a new Sub-processor.

5.3. Liability. Bizzon shall be liable for the acts and omissions of its Sub-processors to the same extent Bizzon would be liable if performing the Services of each Sub-processor directly under the terms of this Addendum except as otherwise set forth in the Agreement.

6. Data transfer

6.1. European economic area. The Parties agree that Personal Data may be transferred from the European Economic Area to a third country only if one of the following conditions applies:

  • 6.1.1. there is an applicable decision of the European Commission that states that the third country ensures an adequate level of protection;
  • 6.1.2. the transfer may take place because Bizzon has provided appropriate safeguards according to Art. 46 of GDPR, and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available; or
  • 6.1.3. the derogations for specific situations under Art. 49 of GDPR apply.

6.2. Standard contractual clauses. For the purposes of Clause 6.1.2 above, the Parties agree that Standard Contractual Clauses are considered as appropriate safeguards. To enable data transfer from and to third countries to and from the European Economic Area or the UK (as applicable), the Standard Contractual Clauses (the "SCCs") are hereby incorporated by reference into this Addendum and form an integral part of this Addendum as follows:

  • 6.2.1. For the purposes of the Personal Data that is subject to the EU Data Protection Laws (the "EU Data"):
    • 6.2.1.1. where the Merchant is Controller, Module Two (Controller to Processor) of the SCCs will apply; where the Merchant is Processor, Module Three (Processor to Sub-Processor) of the SCCs will apply;
    • 6.2.1.2. in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Clause 5 (Sub-Processing) of this Addendum;
    • 6.2.1.3. in Clause 11, the optional language will not apply;
    • 6.2.1.4. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Dutch law;
    • 6.2.1.5. in Clause 18(b), disputes shall be resolved before the courts of The Netherlands;
    • 6.2.1.6. Annex I of the SCCs shall be deemed completed with the information set out in Annex I to this Addendum;
    • 6.2.1.7. Annex II of the SCCs shall be deemed completed with the information set out in Annex II to this Addendum;
  • 6.2.2. The transfer of the Personal Data that is subject to the UK Data Protection Laws (the "UK Data") shall be governed by Annex IV – UK Addendum to the SCCs.

7. Communication

Merchant agrees that any Authorised User of the Merchant may be contacted and shall be entitled to receive any communication in relation to this Addendum.

8. CCPA

8.1. Applicability. Bizzon acknowledges that, where law of the State of California applies, it acts as a Service Provider in respect of the Personal Data.

8.2. Bizzon's obligations. Unless prescribed by applicable law or expressly agreed between the Parties, Bizzon shall not:

  • 8.2.1. sell the Personal Data;
  • 8.2.2. retain, use, or disclose the Personal Data for any purpose other than the specific purpose of performing the Services;
  • 8.2.3. retain, use, or disclose the Personal Data for a commercial purpose other than specified in the Agreement; or
  • 8.2.4. retain, use, or disclose the Personal Data outside of the direct business relationship between Bizzon and the Merchant.

8.3. Commitment. Bizzon certifies that it understands and will comply with the responsibilities and restrictions imposed by this Addendum, CCPA, and other applicable data protection laws and regulations.

8.4. In this Clause 8:

  • 8.4.1. "CCPA" means the California Consumer Privacy Act, California Civil Code §§1798.100 et seq., including any amendments and implementing regulations that become effective on or after the effective date of this Addendum; and
  • 8.4.2. "Service Provider" has the meaning set forth in Section 1798.140(v) of CCPA.

9. US specific clauses

9.1. Applicability. This Clause 9 applies only if the Merchant is incorporated in the United States of America.

9.2. COPPA. Protecting the privacy of children is especially important. The Children’s Online Privacy and Protection Act ("COPPA") requires that online service providers obtain parental consent before they knowingly collect Personal Data from children in the United States of America who are under 13 online. Bizzon respects the role of parents or guardians in the monitoring of their children's online activities. Accordingly, Bizzon limits its collection of Personal Data from children to no more than is reasonably necessary to participate in the Services and to improve it. Bizzon does not collect any Personal Data from children other than as set out in the Agreement. Bizzon reserves the right to refuse to Process data supplied by the Merchant that is in violation of this Clause.

9.3. Third party use of the merchant data. Unless agreed otherwise, all data provided to Bizzon by the Merchant is Confidential Information and Bizzon will not use any data for any other purposes than to exercise its rights and perform its obligations in connection with the Services. The Merchant acknowledges that in order to properly carry out the Services, information given to Bizzon by the Merchant will be made available to third parties in order to enable the performance of the Services. Merchant acknowledges that such third parties are not representatives of Bizzon and Bizzon is not responsible for the acts and omissions of those third parties. Bizzon requires third parties to which any Personal Data is made available to apply the same level of privacy protection as set forth in this Addendum and as required by applicable laws. The manner in which any Merchant data may be used is covered by Bizzon's Privacy Policy.

10. Final provisions

10.1. Third party beneficiaries. The Data Subjects are the sole third party beneficiaries to the SCCs, and there are no other third party beneficiaries to the Agreement and this Addendum. Notwithstanding the foregoing, the Agreement and the terms of this Addendum apply only to the parties and do not confer any rights to any Merchant's Affiliate, Merchant's end users, or any third-party Data Subjects.

10.2. Governing law. The Agreement governs all claims brought under this Addendum.

10.3. Liability. The Merchant's remedies, including those of its Affiliates, and Bizzon's liability, arising out of or related to this Addendum and the SCCs will be subject to limitations of liability and disclaimers in the Agreement. In case no limitations of liability are stipulated in the Agreement, the Parties agree and declare that the total damage which may arise out of the breach of this Addendum and the SCCs shall not exceed ten thousand euro.

10.4. Term. Following the termination of the Agreement, this Addendum will continue to be in effect until Bizzon ceases to process the Personal Data on behalf of the Merchant.

10.5. Termination. Bizzon may terminate this Addendum if Bizzon offers alternative mechanisms to the Merchant that comply with the obligations of the applicable data privacy laws.

10.6. Counterparts. This Addendum may be signed in multiple counterparts, which are together considered one original.

Annex I

A. – List of Parties

Data exporter

The data exporter is the Merchant.

Data importer

The data importer is Bizzon.

B. – Description of Transfer

Categories of data subjects

The personal data transferred concerns individuals (customers or prospects) using the Merchant's services.

Categories of personal data

The personal data transferred concerns the following categories of data: contact and identification information (including name, title, email, and address), payment details, card numbers, cardholder names, and Merchant’s services details and limited connection and location data (city) in electronic form that is transferred to data importer in the context of Bizzon’s Services (provided by the relevant sub-processor/importer).

Special categories of personal data

Sensitive data such as dietary requirements may be transferred if data subjects decide to share information of such nature. Technical and Organisational measures as per Annex II apply.

Processing operations

The personal data transferred will be subject to the following basic processing activities: Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The Merchant must use reasonable security precautions in connection with its use of the services, including appropriately encrypting any personal data stored on or transmitted by the hosted system.

Frequency of transfer

Continuous

Nature and subject matter of processing

  • i. storage (hosting) and other processing necessary to provide, maintain and improve the Services;
  • ii. customer support provided to the Merchant on a case by case basis;
  • iii. disclosures in accordance with the Agreement, as compelled by law; and
  • iv. collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Duration of Processing

Term

Purpose(s) of the data transfer and further processing

(i) Processing to provide, maintain, support, and improve Services provided to Merchant in accordance with the Agreement;

(ii) Processing initiated by individuals in their use of the Services; and

(iii) Processing to comply with other documented reasonable instructions provided by the Merchant (e.g., via email) where such instructions are consistent with the terms of the Agreement (including this Addendum).

C. – Competent supervisory authority

With respect to EU Data the competent supervisory authority is the Dutch Data Protection Authority (the "Dutch SA").

Annex II – Technical and Organisational Measures

Below is the description of the technical and organizational security measures implemented by Bizzon in accordance with this Addendum.

1. ACCESS CONTROL

1.1. Unauthorized persons shall be prevented from gaining physical access to premises, buildings or rooms, where data processing systems are located which process personal data. Exceptions may be granted for the purpose of auditing the facilities to third party auditors as long as they are supervised by Bizzon and do not get access to the personal data themselves.

1.2. Bizzon warrants that it has (without limitation) implemented the following controls:

  • 1.2.1. controls to specify authorized individuals permitted to access personal data;
  • 1.2.2. implemented an access control process to avoid unauthorized access to the company’s premises;
  • 1.2.3. implemented an access control process to restrict access to data centres / rooms where data servers are located;
  • 1.2.4. utilises video surveillance and alarm devices with reference to access areas; and
  • 1.2.5. ensured that personnel without access authorization (e.g. technicians, cleaning personnel) are accompanied at all times when accessing data processing areas.

2. SYSTEM ACCESS CONTROL

2.1. Data processing systems must be prevented from being used without authorization.

2.2. Bizzon warrants that it has (without limitation) implemented the following controls:

  • 2.2.1. ensured that all systems processing personal data (this includes remote access) are password protected:
    • 2.2.1.1. after boot sequences, and
    • 2.2.1.2. when left even for a short period;
  • 2.2.2. to prevent unauthorized persons from accessing any personal data;
  • 2.2.3. provides dedicated user IDs for authentication against systems user management for every individual;
  • 2.2.4. assigns individual user passwords for authentication;
  • 2.2.5. ensured that access control is supported by an authentication system;
  • 2.2.6. controls to grant access only to authorized personnel and to assign only the minimum permissions necessary for those personnel to access personal data in the performance of their function;
  • 2.2.7. implemented a password policy that prohibits the sharing of passwords, outlines processes after a disclosure of a password and requires the regular change of passwords;
  • 2.2.8. ensured that passwords are always stored in encrypted form;
  • 2.2.9. implemented a proper procedure to deactivate a user account when a user leaves the company or function;
  • 2.2.10. implemented a proper process to adjust administrator permissions when an administrator leaves the company or function; and
  • 2.2.11. implemented a process to log all access to systems and review those logs for security incidents.

3. ACCESS CONTROL

3.1. Persons entitled to use a data processing system shall gain access only to the data to which they have a right of access, and personal data must not be read, copied, modified or removed without authorization in the course of processing.

3.2. Bizzon warrants that it has (without limitation) implemented the following controls:

  • 3.2.1. restricted access to files and programs based on a "need-to-know-basis";
  • 3.2.2. stored physical media containing personal data in secured areas;
  • 3.2.3. controls to prevent use/installation of unauthorized hardware and/or software;
  • 3.2.4. established rules for the safe and permanent destruction of data that are no longer required; and
  • 3.2.5. controls to grant access only to authorized personnel and to assign only the minimum permissions necessary for those personnel to access personal data in the performance of their function.

4. DATA TRANSMISSION CONTROL

4.1. Personal data must not be read, copied, modified or removed without authorization during transfer or storage, and it shall be possible to establish to whom personal data was transferred.

4.2. Bizzon warrants that it has (without limitation) implemented the following controls:

  • 4.2.1. encrypt data during any transmission and at rest;
  • 4.2.2. transport physical media containing personal data in sealed containers; and
  • 4.2.3. have shipping and delivery notes.

5. DATA ENTRY CONTROL

5.1. Bizzon shall be able retrospectively to examine and establish whether and by whom personal data have been entered into data processing systems, modified or removed.

5.2. Bizzon warrants that it has (without limitation) implemented the following controls:

  • 5.2.1. controls to log administrators' and users' activities; and
  • 5.2.2. controls to permit only authorized personnel to modify any personal data within the scope of their function.

6. JOB CONTROL

6.1. Personal data being processed in the performance of a service for the Company shall be processed solely in accordance with the services agreement in place between the Company and Bizzon and in accordance with the instructions of the Company.

6.2. Bizzon warrants that it has (without limitation) implemented the following controls:

  • 6.2.1. established controls to ensure processing of personal data only for contractual performance;
  • 6.2.2. controls to ensure staff members and contractors comply with written instructions or contracts; and
  • 6.2.3. ensured that data is always physically or logically separated so that, in each step of the processing, the client from whom personal data originates can be identified.

7. AVAILABILITY CONTROL

7.1. Personal data shall be protected against disclosure, accidental or unauthorized destruction or loss.

7.2. Bizzon warrants that it has (without limitation) implemented the following controls:

  • 7.2.1. arrangements to create back-up copies stored in specially protected environments;
  • 7.2.2. arrangements to perform regular restore tests from those backups;
  • 7.2.3. contingency plans or business recovery strategies;
  • 7.2.4. controls to ensure that personal data is not used for any purpose other than for the purposes it has been contracted to perform;
  • 7.2.5. controls to prevent removal of personal data from the data importer’s business computers or premises for any reason (unless data exporter has specifically authorized such removal for business purposes);
  • 7.2.6. controls to use only authorized business equipment to perform the services;
  • 7.2.7. controls to ensure that whenever a staff member leaves his/her desk unattended during the day and prior to leaving the office at the end of the day, he/she places materials containing personal data in a safe and secure environment such as a locked desk drawer, filing cabinet, or other secured storage space (clean desk);
  • 7.2.8. implemented a process for secure disposal of documents or data carriers containing personal data;
  • 7.2.9. implemented network firewalls to prevent unauthorized access to systems and services; and
  • 7.2.10. ensured that each system used to process personal data runs an up-to-date antivirus solution.

8. ORGANIZATIONAL REQUIREMENTS

8.1. The internal organization of the data importer shall meet the specific requirements of data protection. In particular, the data importer shall take technical and organizational measures to avoid the accidental mixing of personal data.

8.2. Bizzon warrants that it has (without limitation) implemented the following controls:

  • 8.2.1. designated a data protection officer (or a responsible person if a data protection officer is not required by law);
  • 8.2.2. obtained the written commitment of the employees to maintain confidentiality;
  • 8.2.3. trained staff on data privacy and data security;
  • 8.2.4. implemented a formal security incident response process that is consistently followed for the management of security incidents; and
  • 8.2.5. trained staff in the security incident responder roles on the security incident process.

Annex III - Approved Sub-processors

The list of approved sub-processors of Bizzon is available at Approved sub-processors.

Annex IV - UK Addendum to the SCCs

Date of this Addendum

1. This UK Addendum is effective from: The same date as the Agreement.

Background

2. The Information Commissioner's Office considers this UK Addendum to provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of UK GDPR and, with respect to data transfers from controllers to processors, or processors to processors.

Interpretation of this UK Addendum

3. Where this UK Addendum uses terms that are defined in the SCCs those terms shall have the same meaning as in the SCCs.

4. This UK Addendum shall be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR.

5. This UK Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.

6. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted, or replaced after this UK Addendum has been entered into.

Hierarchy

7. In the event of a conflict or inconsistency between this UK Addendum and the provisions of the SCCs or other related agreements between the Parties, existing at the time this UK Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.

Incorporation of the SCCs

8. This UK Addendum incorporates the SCCs which are deemed to be amended to the extent necessary, so they operate:

  • a. for transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that transfer; and
  • b. to provide appropriate safeguards for the transfers in accordance with Article 46 of UK GDPR.
  • c. where Merchant is Controller, Module Two (Controller to Processor) of the SCCs will apply; where Merchant is Processor, Module Three (Processor to Sub-Processor) of the SCCs will apply;
  • d. in Clause 9 of the SCCs, Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Clause 5 (Sub-Processing) of this DPA;
  • e. in Clause 11 of the SCCs, the optional language will not apply;

9. The amendments required by Section 7 above include (without limitation):

  • a. References to the "SCCs" means this UK Addendum as it incorporates the SCCs.
  • b. Clause 6 Description of the transfer(s) is replaced with: "The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B of the Addendum where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.";
  • c. Annex II of the SCCs shall be deemed completed with the information set out in Annex II to the Addendum;
  • d. References to "Regulation (EU) 2016/679" or "that Regulation" are replaced by "UK Data Protection Laws" and references to specific Article(s) of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK Data Protection Laws;
  • e. References to Regulation (EU) 2018/1725 are removed;
  • f. References to the "Union", "EU", and "EU Member State" are all replaced with the "UK";
  • g. Clause 13(a) and Part C of Annex II are not used; the "competent supervisory authority" is the Information Commissioner's Office;
  • h. Clause 17 is replaced to state "These SCCs are governed by the laws of England and Wales";
  • i. Clause 18 is replaced to state: "Any dispute arising from these SCCs shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.";
  • j. The footnotes to the SCCs do not form part of the Addendum.