This Data Processing Agreement ("Agreement") governs the processing of personal data by Crosscheck Technologies Inc. in connection with the provision of its cloud-based services and supplements the agreement between Crosscheck and the customer (the "Principal Agreement").

1. DEFINITIONS

"Personal Data," "Processing," "Controller," and "Processor" have the meanings set forth in applicable data protection laws, including the GDPR.

"Applicable Data Protection Laws" means the General Data Protection Regulation (EU 2016/679) ("GDPR"), the UK GDPR, CCPA, and any other data protection or privacy laws applicable to the processing of personal data under this Agreement.

"Customer" refers to the entity that has entered into the Principal Agreement with Crosscheck Technologies Inc. and is acting as the data controller.

2. PURPOSE OF PROCESSING

Crosscheck Technologies Inc. ("Processor") shall process Personal Data solely to provide access to and use of the Crosscheck Audit Platform and related services as outlined in the Principal Agreement.

3. TYPE OF PERSONAL DATA AND DATA SUBJECTS

Categories of Data Subjects: Employees, suppliers, partners, and authorized users of the Customer.

Categories of Personal Data: Names, email addresses, identifiers, audit-related documents, and any data uploaded by or on behalf of the Customer.

Processor does not intentionally collect or process sensitive (special category) data unless explicitly agreed.

4. OBLIGATIONS OF THE PROCESSOR

The Processor agrees to:

* Process Personal Data only on documented instructions from the Customer.

* Ensure personnel authorized to process Personal Data are subject to confidentiality obligations.

* Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

* Assist the Customer in fulfilling obligations related to data subjects’ rights.

* Notify the Customer without undue delay upon becoming aware of a personal data breach.

* Assist with data protection impact assessments where required.

* Upon termination of services, delete or return Personal Data unless otherwise required by law.

5. SUBPROCESSORS

The Customer authorizes the use of subprocessors. Processor will:

* Maintain a list of approved subprocessors (available upon request or posted online).

* Impose data protection obligations on subprocessors equivalent to those in this Agreement.

* Remain fully liable for any acts or omissions of subprocessors.

6. INTERNATIONAL TRANSFERS

For any transfers of Personal Data outside the EEA, UK, or Switzerland, the Processor shall implement appropriate safeguards such as:

* Standard Contractual Clauses (SCCs), or

* Transfers to jurisdictions with adequate data protection decisions.

7. AUDITS

Upon reasonable request, the Processor shall provide relevant documentation to demonstrate compliance with this Agreement. The Customer may conduct audits or inspections no more than once annually, with 30 days’ notice, during business hours.

8. TERM

This Agreement remains effective as long as Crosscheck Technologies Inc. processes Personal Data on behalf of the Customer under the Principal Agreement.

9. GOVERNING LAW

This Agreement is governed by the laws of the State of Delaware, United States, and any disputes shall be subject to the exclusive jurisdiction of the courts located in Delaware.

10. MISCELLANEOUS

This Agreement forms an integral part of the Principal Agreement. In the event of conflict, this Agreement shall prevail with respect to data protection matters. If required by law or regulation, standard contractual clauses may supplement or override this Agreement.

Last Updated: May 15, 2024

For questions regarding this DPA, please contact: info@crossxcheck.com