Data Processing Addendum (DPA)
Effective Date: June 4, 2026
Last Updated: June 4, 2026
This Data Processing Addendum ("DPA") reflects the requirements of the European Data Protection Regulation and other applicable Data Protection Laws. StarLead's products and services are GDPR-ready and this DPA provides you with the necessary documentation of this readiness.
This DPA is an addendum to the StarLead Terms of Use ("Terms") between AWAAS (d/b/a StarLead) and StarLead's users ("User" or "you"). All capitalized terms not defined in this DPA shall have the meanings set forth in the Terms. User enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Authorized Affiliates.
THIS DPA IS ACCEPTED BY YOU BY VIRTUE OF YOUR ACCEPTING THE TERMS UPON BUYING A SUBSCRIPTION FROM STARLEAD. THIS DPA CONSTITUTES PART OF THE TERMS.
1. Definitions
In this DPA, the following capitalised terms have the following meanings:
- "Affiliate" means an entity that directly or indirectly Controls, is Controlled by, or is under common Control with an entity.
- "Authorized Affiliate" means any User Affiliate(s) permitted to or otherwise receiving the benefit of the Service pursuant to the Terms.
- "Control" (including the terms "Controlled by" and "under common Control with") means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of an entity, whether through the ownership of voting securities, by contract, or otherwise.
- "Controller" means an entity that determines the purposes and means of the processing of Personal Data.
- "Data Protection Laws" means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Terms, including, where applicable, EU Data Protection Law.
- "EU Data Protection Law" means:
  - prior to May 25, 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data ("Directive"); and
  - on and after May 25, 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); and
  - Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (in each case, as may be amended, superseded, or replaced).
- "Personal Data" means any User Data relating to an identified or identifiable natural person to the extent that such information is protected as personal data under applicable Data Protection Law.
- "Processor" means an entity that processes Personal Data on behalf of the Controller.
- "Processing" has the meaning given to it in the GDPR and "process," "processes," and "processed" shall be interpreted accordingly.
- "SCCs" means the standard contractual clauses for processors as approved by the European Commission or Swiss Federal Data Protection Authority (as applicable), which are incorporated in Exhibit A into this DPA.
- "Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- "Service" means any product or service provided by StarLead to User pursuant to and as more particularly described in the Terms.
- "Sub-processor" means any Processor engaged by StarLead or its Affiliates to assist in fulfilling its obligations with respect to providing the Service pursuant to the Terms or this DPA. Sub-processors may include third parties or any StarLead Affiliate.
- "User Data" means any data that StarLead and/or its Affiliates processes on behalf of User in the course of providing the Service under the Terms.
2. Scope and Applicability of This DPA
2.1 Application
This DPA applies where and only to the extent that StarLead processes Personal Data on behalf of the User in the course of providing the Service and such Personal Data is subject to Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland, and/or the United Kingdom. The parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
2.2 Role of the Parties
As between StarLead and User, User is the Controller of Personal Data and StarLead shall process Personal Data only as a Processor on behalf of User. Nothing in the Terms or this DPA shall prevent StarLead from using or sharing any data that StarLead would otherwise collect and process independently of User's use of the Service.
2.3 User Obligations
User agrees that:
- it shall comply with its obligations as a Controller under Data Protection Laws in respect of its processing of Personal Data and any processing instructions it issues to StarLead; and
- it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for StarLead to process Personal Data and provide the Service pursuant to the Terms and this DPA.
2.4 StarLead Processing of Personal Data
As a Processor, StarLead shall process Personal Data only for the following purposes:
- processing to perform the Service in accordance with the Terms;
- processing to perform any steps necessary for the performance of the Terms; and
- to comply with other reasonable instructions provided by User to the extent they are consistent with the terms of this DPA and only in accordance with User's documented lawful instructions.
The parties agree that this DPA and the Terms set out the User's complete and final instructions to StarLead in relation to the processing of Personal Data, and processing outside the scope of these instructions (if any) shall require prior written agreement between User and StarLead.
2.5 Nature of the Data
StarLead handles User Data provided by User. Such User Data may contain special categories of data depending on how the Service is used by User. The User Data may be subject to the following processing activities:
- storage and other processing necessary to provide, maintain, and improve the Service provided to User;
- to provide customer and technical support to User; and
- disclosures as required by law or otherwise set forth in the Terms.
2.6 StarLead Data
Notwithstanding anything to the contrary in the Terms (including this DPA), User acknowledges that StarLead shall have a right to use and disclose data relating to and/or obtained in connection with the operation, support, and/or use of the Service for its legitimate business purposes, such as billing, account management, technical support, product development, and sales and marketing. To the extent any such data is considered personal data under Data Protection Laws, StarLead is the Controller of such data and accordingly shall process such data in compliance with Data Protection Laws.
3. Sub-processing
3.1 Authorized Sub-processors
User agrees that StarLead may engage Sub-processors to process Personal Data on User's behalf. The Sub-processors currently engaged by StarLead and authorized by User are listed in Annex III and can be requested by User.
3.2 Sub-processor Obligations
StarLead shall:
- enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Personal Data to the standard required by Data Protection Laws; and
- remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause StarLead to breach any of its obligations under this DPA.
3.3 Changes to Sub-processors
StarLead shall update the list of Authorized Sub-processors from time to time and the User shall be deemed to have accepted any changes by accepting the Terms with StarLead.
3.4 Objection to Sub-processors
User may object in writing to StarLead's appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying StarLead promptly in writing within five (5) calendar days of receipt of StarLead's notice in accordance with Section 3.3. Such notice shall explain the reasonable grounds for the objection. In such event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If this is not possible, either party may terminate the applicable Service that cannot be provided by StarLead without the use of the objected-to new Sub-processor.
4. Security
4.1 Security Measures
StarLead shall implement and maintain appropriate technical and organizational security measures to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data, in accordance with StarLead's security standards described in Annex II ("Security Measures").
4.2 Confidentiality of Processing
StarLead shall ensure that any person who is authorized by StarLead to process Personal Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
4.3 Security Incident Response
Upon becoming aware of a Security Incident, StarLead shall notify User without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by User.
4.4 Updates to Security Measures
User acknowledges that the Security Measures are subject to technical progress and development and that StarLead may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service purchased by the User.
5. Security Reports and Audits
StarLead shall maintain records of its security standards. Upon User's written request, StarLead shall provide (on a confidential basis) copies of relevant certifications, audit report summaries, and/or other documentation reasonably required by User to verify StarLead's compliance with this DPA.
StarLead shall further provide written responses (on a confidential basis) to all reasonable requests for information made by User, including responses to information security and audit questionnaires, that User (acting reasonably) considers necessary to confirm StarLead's compliance with this DPA, provided that User shall not exercise this right more than once per year.
6. International Transfers
6.1 Processing Locations
StarLead stores and processes EU Data (defined below) in data centers located inside and outside the European Union. All other User Data may be transferred and processed in the United States, Europe, and anywhere in the world where User, its Affiliates, and/or its Sub-processors maintain data processing operations. StarLead shall implement appropriate safeguards to protect the Personal Data, wherever it is processed, in accordance with the requirements of Data Protection Laws.
6.2 Transfer Mechanism
Notwithstanding Section 6.1, to the extent StarLead processes or transfers (directly or via onward transfer) Personal Data under this DPA from the European Union, the European Economic Area and/or their member states, and Switzerland ("EU Data") in or to countries which do not ensure an adequate level of data protection within the meaning of applicable Data Protection Laws of the foregoing territories, the parties agree to abide by and process EU Data in compliance with the SCCs in the form set out in Exhibit A.
For the purposes of the descriptions in the SCCs, StarLead agrees that it is the "data importer" and User is the "data exporter" (notwithstanding that User may itself be an entity located outside Europe). User hereby authorizes any transfer of EU Data to, or access to EU Data from, such destinations outside the EU subject to any of these measures having been taken.
7. Return or Deletion of Data
Upon deactivation of the Service, all Personal Data shall be deleted within 90 days subject to full User payment of any outstanding invoices, save that this requirement shall not apply to the extent StarLead is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which such Personal Data StarLead shall securely isolate and protect from any further processing, except to the extent required by applicable law.
8. Cooperation
To the extent that User is unable to independently access the relevant Personal Data within the Service, StarLead shall (at User's expense), taking into account the nature of the processing, provide reasonable cooperation to assist User by appropriate technical and organizational measures, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Terms.
In the event that any such request is made directly to StarLead, StarLead shall not respond to such communication directly without User's prior authorization, unless legally compelled to do so. If StarLead is required to respond to such a request, StarLead shall promptly notify User and provide it with a copy of the request unless legally prohibited from doing so.
To the extent StarLead is required under Data Protection Law, StarLead shall (at User's expense) provide reasonably requested information regarding StarLead's processing of Personal Data under the Terms to enable the User to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
9. Miscellaneous
- No limitation on data protection liability: In no event shall any party limit its liability with respect to any individual's data protection rights under this DPA or otherwise.
- Conflict resolution: Except for the changes made by this DPA, the Terms remain unchanged and in full force and effect. If there is any conflict between this DPA and the Terms, this DPA shall prevail to the extent of that conflict.
- Incorporation: This DPA is a part of and incorporated into the Terms so references to "Terms" in the Terms shall include this DPA.
- Governing law: This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Terms, unless required otherwise by Data Protection Laws.
- SCC Governing Law: The SCCs in Exhibit A shall be governed by the law of Germany and the courts of Germany shall have jurisdiction, as specified in the SCCs.
Exhibit A - Standard Contractual Clauses
Execution of the Terms by the User includes execution of these Standard Contractual Clauses.
The standard contractual clauses set out in this Exhibit are considered to provide appropriate safeguards within the meaning of Article 46(1) and (2)(c) of Regulation (EU) 2016/679 for the transfer by a controller or processor of personal data processed subject to that Regulation (data exporter) to a controller or (sub-)processor whose processing of the data is not subject to that Regulation (data importer).
The standard contractual clauses also set out the rights and obligations of controllers and processors with respect to the matters referred to in Article 28(3) and (4) of Regulation (EU) 2016/679, as regards the transfer of personal data from a controller to a processor, or from a processor to a sub-processor.
Acceptance of the Terms and execution of this DPA by the User includes execution of these standard contractual clauses.
[Refer to full legal text for standard clauses 1-18 regarding obligations of parties, local laws, and final provisions]
Appendix
Annex I
1. List of Parties
Data exporter(s):
- Name: The name of the User as per the User's account.
- Address: The address of the User as per the User's account.
- Contact details: The name, position, and contact details of the User as per the User's account.
- Activities: Use of the Service of the Data Importer.
- Signature and date: ACCEPTED (AND DEEMED SIGNED) BY THE DATA EXPORTER AT THE TIME THAT THE USER ACCEPTS THE TERMS UPON BUYING A SUBSCRIPTION FROM DATA IMPORTER.
- Role: Controller
Data importer(s):
- Name: AWAAS (d/b/a StarLead)
- Address: [Insert Business Address]
- Contact details: legal@starlead.ai
- Activities: Receiving data transferred by the Data Exporter through the Data Exporter's use of the Service.
- Signature and date: ACCEPTED (AND DEEMED SIGNED) BY THE DATA IMPORTER AT THE TIME THAT THE DATA EXPORTER ACCEPTS THE TERMS.
- Role: Processor
2. Description of Transfer
Categories of data subjects: Employees, contractors, past, present, and prospective customers, partners, stakeholders.
Categories of personal data transferred: Any data inputted into the Service by a User.
Frequency of transfer: Continuous basis for the duration of the Service.
Nature of processing: Processed to provide the Service pursuant to the Terms and the DPA.
Retention period: For the entire duration in which the data exporter receives Service from the data importer.
Annex II - Technical and Organisational Measures
Data importer shall implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access. That shall include:
- ensuring any of its employees or agents or other persons to whom it provides access to personal data are obliged to keep it confidential;
- the use of pseudonymisation and encryption of personal data, where appropriate;
- internal measures aiming to ensure the ongoing confidentiality, integrity, availability and resilience of the data importer's systems and services;
- the ability to restore the availability and access to personal data in a timely manner, pending back-ups every 24-48 hours, in the event of a physical or technical incident;
- assisting data exporter to comply with its own data security obligations under applicable legislation;
- securely storing data in a certified data repository, specifically Amazon Web Services (AWS);
- safeguarding data while not in operation by using the Advanced Encryption Standard (AES) along with a 256-bit encryption key;
- employing further data protection measures through use of passwords and Virtual Private Cloud (VPC);
- regulating access to the VPC through Identity and Access Management (IAM) measures, requiring users to verify their identity using Multi-Factor Authentication (MFA) and private keys for ensuring secured access; and
- generally using reputable and highly secure providers and sub-processors with robust security practices and certifications.
Annex III - List of Sub-Processors
Available on request. The current list of Sub-processors includes:
| Sub-processor | Category | Location | Purpose |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud Hosting & Email | United States | Data storage, compute, infrastructure, transactional email |
| Stripe, Inc. | Payment Processing | United States | Subscription billing and payment processing |
| Google LLC | Analytics | United States | Website and platform analytics |
| Microsoft Corporation | Analytics | United States | User behavior analytics |
| Hotjar Ltd. | Session Recording | Malta | Heatmaps and session recordings |