Data Processing Addendum

Please read the Data Processing Addendum ("DPA") carefully as they form a contract between You and Virtual EPS ("Us"). As referenced in Our Terms & Conditions or in any services agreement between You and Us ("Terms"), this DPA will apply where the Group Companies Process Personal Data on Your behalf. The capitalized terms used in this DPA but not defined herein shall have the same meaning as defined in the Terms. In the event of a conflict between this DPA and the Terms, this DPA shall prevail. In the event of any conflict between the terms of this DPA and the EU Standard Contractual Clauses, the terms of the EU Standard Contractual Clauses shall prevail. This DPA shall continue to be in full force and effect for the duration of Your Subscription(s) and shall cease automatically thereafter. For queries, please contact Us at support@virtualeps.com.

1. Definitions

"Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including laws and regulations of the European Union, the European Economic Area and their member states, including, GDPR and any applicable national laws in force where You are established in the European Economic Area.

"Controller", "Processor", "Data Subject", “Personal Data Breach”, "Processing" or similar terms shall have the meanings given under GDPR.

"GDPR" means the General Data Protection Regulation (GDPR) (EU) 2016/679, is a regulation in European law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It became enforceable on May 25, 2018. It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR’s primary aim is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who are located in the EEA, and applies to any enterprise—regardless of its location and the data subjects’ citizenship or residence—that is processing the personal information of individuals inside the EEA.

"Personal Data" shall have the meaning given under Applicable Data Protection Law and GDPR and is limited to that Personal Data We Process for the provision of the Virtual EPS services only.

"EU Standard Contractual Clauses" means the standard contractual clauses (for Processors) in the form set out in the Annex of European Commission Decision 2010/87/EU, as amended or updated from time to time.

"Sub-processor" means any Processor engaged by Us. Sub-processors

"Technical and Organizational measures / TOMs" means the appropriate technical and organizational measures as set forth in Schedule B (TOMS) of this DPA, aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of Service Data over a network, and against all other unlawful forms of processing.

2. Processing of Personal Data

2.1 The Parties acknowledge and agree that with regard to the Processing of Personal Data, You may be either the Controller or the Processor of the Personal Data. Where You are the Controller, We are the Processor and where You are a Processor, We acknowledge that We will be Your sub-processor. We will further engage Sub-processors pursuant to the requirements set forth in Section 5 (Sub-processors) below.

2.2 Processing of Personal Data by You. You shall, in Your use of the Virtual EPS services, Process Personal Data in accordance with the requirements of Applicable Data Protection Law, GDPR, and all relevant applicable laws. Further, Your instructions for the Processing of Personal Data shall comply with Applicable Data Protection Law, GDPR and all relevant applicable laws. You shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which You acquired Personal Data from your own customers.

2.3 Processing of Personal Data by Us. We shall Process the Personal Data solely as necessary to perform Our obligations and strictly in accordance with Your documented instructions and in accordance with Applicable Data Protection Law, GDPR and all relevant applicable laws for the following purposes: (i) Processing in accordance with the Terms and this DPA; (ii) Processing initiated by Users and/or End-Customers in their use of the Virtual EPS services; and (iii) Processing to comply with Your other documented reasonable instructions (including via email) where such instructions are consistent with the Terms.

We shall immediately inform You in writing if, in Our opinion, an instruction infringes Applicable Data Protection Law, GDPR, and all relevant applicable laws in the European Union (“EU”). We shall not be liable for any losses, fines, costs, penalties, damages, etc., arising from or in connection with any processing in accordance with Your instructions following Your receipt of any information provided by Us in accordance with the foregoing sentence. We shall provide reasonable assistance to You to assist You in complying with Articles 32 to 36 of the GDPR. We shall make available to You all information necessary to demonstrate compliance with this DPA and upon prior written notice, allow for and contribute to audits, including to inspections, by You or another auditor mandated by You for this purpose.

2.4 Details of the Processing. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule A (Details of the Processing) of this DPA.

3. Rights of Data Subjects

3.1 We shall, to the extent legally permitted, promptly notify You if We receive a request from a Data Subject to access, correct or delete their Personal Data or if a Data Subject objects to the Processing thereof (“Data Subject Request”). We shall not respond to a Data Subject Request without Your prior written consent except to confirm that such request relates to You to which You hereby agree. To the extent You, in Your use of the Virtual EPS services, do not have the ability to address a Data Subject Request, We shall upon Your request provide commercially reasonable assistance to facilitate such Data Subject Request to the extent We are legally permitted to do so and provided that such Data Subject Request is exercised in accordance with Applicable Data Protection Law, GDPR and all relevant applicable laws To the extent legally permitted, You shall be responsible for any reasonable costs arising from Our provision of such assistance.

4. Our Personnel

4.1 We shall ensure that Our personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements addressing relevant obligations regarding confidentiality, data protection and data security. We shall ensure that such confidentiality obligations survive the termination of the concerned personnel engagement.

5. Sub-processors

5.1 You hereby grant a general authorization: (a) to Us to appoint other members of Our Group Companies as Sub-processors, and (b) to Us and other members of Our Group Companies to appoint any other third party as Sub-processors to support the performance of the Virtual EPS services.

5.2 We will maintain a list of Sub-processors and will add the names of Sub-processors to the list. If You have a reasonable objection to any new or replacement Sub-processor, You shall notify Us of such objections in writing within ten (10) days of change in the list and the Parties will seek to resolve the matter in good faith. If You do not provide a timely objection to any new or replacement Sub-processor in accordance with this Section 5.2, You will be deemed to have consented to the Sub-processor and waived Your right to object. Where We use a Sub-processor, We shall ensure that We have in place a written contract with that Sub-Processor applying essentially the same data protection terms as are set out in this DPA. Sub-processors

5.3 Except as otherwise set forth in the Terms, We shall be liable for the acts and omissions of the Sub-processors to the same extent We would be liable if We were performing the services of each Sub-processor directly under the terms of this DPA.

6. Security Reports & Audits

6.1 Controls for the protection of Service Data. We shall maintain appropriate TOMS for protection of the Service Data from a Personal Data Breach. We regularly monitor compliance with these measures.

6.2 Third-Party Certifications and Audits. We have obtained the third-party certifications and audits. Upon Your written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Terms, We may share a copy of Our most recent third-party audit reports or certifications, as applicable.

6.3 Determination of Security Requirements: You acknowledge that the Virtual EPS services include certain features and functionalities that You may elect to use that impact the security of the data processed by Your use of the Virtual EPS services, such as, but not limited to, encryption of custom fields and availability of multi-factor authentication on Your Account. You are responsible for properly configuring the Virtual EPS services and using available features and functionalities to maintain appropriate security in light of the nature of the data processed by Your use of the Virtual EPS services.

6.4 Personal Data Breach Notification: We shall, to the extent permitted by law, notify You of any Personal Data Breach no later than seventy-two (72) hours from the time We become aware of the Personal Data Breach. To the extent such Personal Data Breach is caused by a violation of the requirements of this DPA by Us, We shall make reasonable efforts to identify and remediate the cause of such Personal Data Breach. We shall provide You reasonable assistance in the event You are required under Applicable Data Protection Law, GDPR and all relevant applicable laws to notify a supervisory authority or any Data Subjects of the Personal Data Breach.

7. Deletion of Personal Data

7.1 We shall delete Personal Data forming part of the Virtual EPS services Data after one hundred and twenty (120) days from the date of termination of the Account. You understand that Personal Data, once deleted, cannot be recovered.

8. International Data Transfer Mechanism

8.1 To the extent that We Process any Personal Data originating from the European Economic Area (“EEA”) in a country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data, the Personal Data shall be deemed to have adequate protection by virtue of the EU Standard Contractual Clauses, which are incorporated by reference and form an integral part of this DPA and the applicable terms Purely for the purposes of descriptions in the EU Standard Contractual Clauses and only as between You and Us, You agree that You are the “data exporter” and We are the “data importer” under the EU Standard Contractual Clauses (notwithstanding that You may be located outside the EEA and may itself be a Processor acting on behalf of third party Controllers). Further, Schedules A and B of this DPA will take the place of Appendixes 1 and 2 of the EU Standard Contractual Clauses respectively.

9. CCPA Obligations

9.1 You acknowledge and agree that You are the Business and We are the Service Provider with respect to Personal Information of Consumers (as those terms are understood under the CCPA) disclosed by You to Us forming part of Service Data.

9.2 We will not sell, retain, use, or disclose Personal Information of Consumers that We process on Your behalf when providing the Services under the Terms for any purpose other than for the specific purpose of providing the Virtual EPS services in accordance with the Terms and as part of the direct relationship between You and Us.

9.3 We certify that We understand the restrictions in Section 9.2 above and will comply with such restrictions.

9.4 You acknowledge and agree that You shall be responsible for providing the required notice to Consumers with respect to sharing their Personal Information with Us.

9.5 We shall provide reasonable cooperation to assist You to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Information under the Terms and/or this DPA when You are required to respond to such requests under Applicable Data Protection Laws, GDPR and all relevant applicable laws. In the event that any such request is made directly to Us, We shall not respond to such communication directly without Your prior authorization, unless legally compelled to do so.

Schedule A – Details of the Processing

Nature and purpose of Processing: We will Process Personal Data, as necessary to perform the Virtual EPS services, pursuant to the Terms, to the extent determined and controlled by You in Your sole discretion, which shall include but not be limited to identification data, professional life data, personal life data, or localization data (including IP addresses). Further, the Group Companies and service providers We may use shall Process and enrich the Personal Data in the systems to (i) improve, enhance, support and operate the Virtual EPS services and their availability; (ii) develop new products and services; (iii) compile statistical reports and insights into usage patterns.

Duration of Processing: We will Process the Personal Data for the duration of the Terms, unless otherwise agreed upon in writing.

Categories of Data Subjects: You may submit Personal Data (containing no Sensitive Data) while using the Virtual EPS services, the extent of which is determined and controlled by You in Your sole discretion, relating to Users and End-Customers.

Schedule B – Technical and Organizational Security Measures

We have implemented and shall maintain a security program in accordance with industry standards. We have implemented and will maintain appropriate TOMS to protect Service Data from a Personal Data Breach.

Last updated 9 October, 2021