Annex I: Data Processing Agreement (DPA) xpath Platform

This data protection agreement (“DPA”) is an annex to the ” xpath Platform Terms and Conditions ” (“Terms and Conditions”) between xpath as the Technology Provider and the Beneficiary, aiming to clarify the roles and responsibilities for data protection, based on obligations imposed by Article 28 of European Union Regulation 2016/679 (GDPR). This DPA applies solely to personal data processed by the Beneficiary within the Platform and not to any other data processing activities.

1. Terms

1.1. In the context of this contract, for all personal data processed by the Beneficiary in the xpath Platform as defined in the Terms and Conditions, depending on the legal data processor status of the Beneficiary:

a) The Beneficiary is the Data Controller, and the Technology Provider is the Data Processor; or

b) The Beneficiary is the Data Processor, and Technology Provider is the Data Sub-Processor.

1.2 If the Beneficiary is located outside the European Economic Area, the EU Standard Contractual Clauses from Article 14, adopted by the European Commission on 4 June 2021, will apply, with Modules 3 or 4 being applicable based on whether the Beneficiary is a Data Controller or a Data Processor according to Article 1.1. The appendices from the EU Standard Contractual Clauses will correspond to the content of this Data Processing Annex.

1.3. “Applicable Law” shall mean (i) Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons regarding the Processing of Personal Data and on the free movement of such data (the “GDPR”), and (ii) any data protection laws or regulations in the jurisdiction in which the Personal Data is processed.

1.4. In this agreement, all definitions from GDPR Article 4 will apply accordingly, as well as the All definitions found in the xpath Platform Terms and Conditions

2. Subject matter and duration

The subject matter is as per the Terms and Conditions between the contracting parties. The duration of this agreement corresponds to the duration of the Terms and Conditions.

3. Nature and Purpose of the processing of Data

The processing of personal data by the Technology Provider for the Beneficiary is made for the sole purpose of providing the xpath Platform services. The processing includes all operations performed on the collected personal data, solely by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, alignment or combination, restriction, erasure, or destruction.

4. Collected data

The data collected for the purposes of this agreement includes all data imported or uploaded to the Platform directly or indirectly (for example via marketplace or Expatriate Mobile app) by the Beneficiaries directly or indirectly (by their appointed or invited employees, expatriates, affiliates, commercial partners, consultants, etc.), as foreseen in the Terms and Conditions.

5. Categories of data subjects

The categories of data subjects are any Platform users created or invited by the Beneficiary, that may include – depending on the case their employees, expatriates, affiliates, commercial partners, consultants, etc.

6. Specific Instructions

6.1. The Beneficiary instructs the Technology Provider on processing all personal data specified in Article 4 to provide the selected services, according to the xpath Platform Terms and Conditions. 6.2. The Beneficiary instructs the Technology Provider to directly transfer certain data (that might include personal data) to other companies selected by the Beneficiary, by providing them with relevant credentials (e.g., API keys) for each of them. For the avoidance of doubt, these companies are not sub-processors based on this contract.

7. Obligations of the Beneficiary

The Beneficiary:

•Confirms and guarantees that, concerning the processing of personal data for this contract, it acts as a Data Controller or Data Processor, depending on its particular situation, and thus, the following articles will apply accordingly;

•Complies with Applicable Law when processing personal data, including when inviting other parties to the xpath Platform and only gives lawful instructions to the Technology Provider;

•Guarantees that its data subjects have been informed of the uses of personal data as required by Applicable Law, including about sharing their data with the Technology Provider, if required, or using it for specific purposes;

•Confirms it relies on a valid legal ground for the processing of personal data under Applicable Law, including, if required, obtaining consent from data subjects;

•Confirms it has performed its own data protection analysis on processing the personal data, depending on which specific services uses from Technology Provider and with what data;

•Complies with Data Subject requests to exercise their rights of access, rectification, erasure, data portability, restriction of processing, and objection to the processing;

•Implements appropriate technical and organizational measures to ensure, and to be able to demonstrate, that the processing of personal data is performed in accordance with Applicable Law, including for securing the transfer of data from its data subjects to the Technology Provider;

•Cooperates with the Technology Provider to fulfill their respective data protection compliance obligations in accordance with Applicable Law;

•By providing an API key for integration to other data processors according to art 5.2, it confirms and guarantees its instruction to send the selected data to these companies and that the security of the transfer is being guaranteed by the Beneficiary or the other data processors. It also confirms that it has a proper legal basis for transferring the personal data to these companies.

8. Obligations of the Technology Provider The Technology

Provider shall only process personal data on behalf of the Beneficiary in accordance with specific instructions as outlined in Article 6 and for no other purposes than those specified in Article 3 or as mutually agreed upon in writing. For the avoidance of doubt, the Beneficiary authorizes the Technology Provider to utilize statistical data, based on information from the accounts of the Beneficiaries, to enhance our services or create benchmarks for internal or public presentations of relevant aggregated information for the selected domains. These shall always be based on aggregated data, making it impossible to link to any individual Beneficiary or personal data as per this agreement.

The Technology Provider will promptly inform the Beneficiary if, in its opinion, the Beneficiary’s instructions infringe upon GDPR and/or if the Technology Provider is unable to comply with the Beneficiary’s instructions. The Technology Provider will notify the Beneficiary without undue delay upon becoming aware of a personal data breach when the data is processed by the Technology Provider. The Technology Provider will take immediate steps to mitigate the effects and minimize any damage resulting from the personal data breach.

The Technology Provider will assist the Beneficiary in complying with data security, data breach notifications, data protection impact assessments, and prior consultations with supervisory authorities’ requirements under GDPR, if necessary, taking into account the nature of the processing and the information available to the Technology Provider. To the extent authorized under applicable law, the Beneficiary shall be responsible for any costs arising from the Technology Provider’s provision of such assistance. To the extent authorized by Applicable Law, the Beneficiary shall be responsible for any costs arising from the Technology Provider’s provision of such assistance.

The Technology Provider, taking into account the nature of the processing, will assist the Beneficiary with appropriate technical and organizational measures, insofar as this is possible, to fulfill Beneficiary obligations to respond to data subjects’ requests to exercise their rights as provided under Applicable Law.

Upon termination of the contract, the Technology Provider will delete or anonymize all personal data within a maximum of 90 days from the expiration date, unless the Data Controller requests them to be kept or agrees to be kept by the Platform users for their own purposes or if Romanian law prevents the return or destruction of all or part of the personal data, or requires the storage of the personal data (in which case the Technology Provider must keep them confidential).

9. Sub-processors

9.1. The Beneficiary agrees to the usage of the following specific sub-processors by the Technology Provider for IT services: Amazon Web Services (AWS) – for web hosting, Stripe (in case of online payments).In case the Beneficiary selects the OCR services, the data will be processed by our processor Google Cloud Platform and Google Cloud AI for OCR. In case the Beneficiary selects any services that use RPA, the data will be processed with the subprocessor RoboCorp.

9.2. By this article, the Beneficiary grants a general authorization to the Technology Provider to share personal data with future Sub-Processors under the conditions set below:

The Technology Provider guarantees that it will have an agreement with its Sub-Processors imposing on the Sub-Processor the same data protection obligations as are imposed on the Technology Provider under this agreement or by Applicable Law, particularly providing sufficient guarantees to implement appropriate technical and organizational measures to ensure the processing meets requirements under Applicable Law, to the extent applicable to the nature of the service provided by the Sub-Processors. In case the Sub-Processor fails to fulfill its data protection obligations under such agreement, the Technology Provider shall remain fully liable towards the Beneficiary for the performance of the Sub-Processor’s obligations under such agreement.

The Technology Provider guarantees that all the sub-processors will process data exclusively within a Member State of the European Union (EU), within a Member State of the European Economic Area (EEA), or in any state with an adequate data protection regime as recognized by the European Commission or have signed adequate SCCs.

The Technology Provider shall inform the Beneficiary of any addition or replacement of Sub-Processors and allow the Beneficiary to reasonably object to such changes by notifying the Technology Provider in writing within five business days after receipt of Technology Provider’s notice of the addition or replacement of a Sub-Processor. The Beneficiary’s objection should explain the reasonable grounds for the objection.

10. Security of the processing and confidentiality

The Technology Provider implemented appropriate technical and organizational measures to ensure standard industry security measures appropriate to the risk, according to Article 28 and 82 of GDPR. In assessing the appropriate level of security, the Technology Provider took into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects and the risks presented by the processing, particularly from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed. The Technology Provider shall take steps to ensure that any person acting under its authority who has access to personal data is bound by enforceable contractual or statutory confidentiality obligations.

In the case of transferring data to other companies as requested by the Beneficiary per Article 6.2, the Technology Provider is responsible for the security of the data only until the data has left its server.

11. Data Protection Audit

11.1. Upon prior written request by any Beneficiary, the Technology Provider agrees to cooperate and provide, within a reasonable timeframe, to any Beneficiary: (a) a summary of the audit reports demonstrating the Technology Provider’s compliance with its obligations under this Exhibit, after redacting any confidential and commercially sensitive information; and (b) confirmation that the audit has not revealed any material vulnerability in the Technology Provider’s systems, or to the extent that any such vulnerability was detected, that the Technology Provider has fully remedied such vulnerability.

11.2. If the above measures are insufficient to confirm compliance with GDPR or reveal any material issues, subject to the strictest confidentiality obligations, the Technology Provider allows the Beneficiary to request an audit of the Technology Provider’s data protection compliance program by external independent auditors, jointly selected by the parties. The external independent auditor cannot be a competitor of the Technology Provider, and the parties will mutually agree upon the scope, timing, and duration of the audit. The audit may not commence less than 30 days from the first request of the Beneficiary. The Technology Provider will make available to the Beneficiary the result of the audit of its data protection compliance program. The Beneficiary must fully reimburse the Technology Provider for all expenses and costs for such audit.

12. Liability to data subjects

12.1. Each party agrees that it will be liable to data subjects for the entire damage resulting from a violation of Applicable Law.

12.2. If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s responsibility for the damage. For this purpose, both parties agree that the Beneficiary will be liable to data subjects for the entire damage resulting from a violation of GDPR concerning the processing of personal data for which it is a Beneficiary. The Technology Provider will only be liable to data subjects for the entire damage resulting from a violation of the GDPR obligations directed to the Technology Provider or where it has acted outside or contrary to the Beneficiary’s lawful instructions.

12.3. The Technology Provider will be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage