EASWORKS Data Processing Agreement

This Data Processing Agreement (hereafter referred to as "DPA") is established between the User and EASWORKS, in conjunction with the Agreement, which includes the EASWORKS Terms of Service and Use Agreement. This DPA is an integral part of the Agreement and should be treated as such.

This DPA is an addendum to the EASWORKS Agreement, existing between the Customer and EASWORKS, and pertains to the extent that EASWORKS processes or subprocesses Personal Data on the Customer's behalf in the provision of Services (as defined in the Agreement). This DPA does not apply where EASWORKS is the Controller or when EASWORKS is not acting as a Processor in relation to the Customer's data.

1. PARTIES TO THIS DPA

a) The Customer party to the Agreement, defined in the Terms of Use as You (herein "Customer")

b) EASWORKS

The Customer and EASWORKS will be referred to collectively as the "Parties" and individually as a "Party" in the following paragraphs.

This DPA has been pre-signed on behalf of EASWORKS and will become operative when the Customer digitally agrees to it in accordance with its terms. According to the Agreement, the person agreeing to this DPA possesses the statutory right to agree to and enter into this agreement with EASWORKS.

2. DEFINITIONS

In this DPA, capitalized terms that appear for the first time are defined in this section or the section of the Agreement in which they appear.

a) “Controller” means the natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of Personal Data.

b) “Data Protection Laws” means any data protection and privacy laws applicable to the processing of Personal Data under this Agreement including EU Data Protection Law.

c) “EU Data Protection Law” means both (i) Directive 94/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data (“Directive”); and (ii) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”).

d) “The data protection legislation” for the users residing in the UK means-

i. the GDPR,

ii. the applied GDPR,

iii. this Act,

iv. regulations made under this act, and

v. regulations made under section 2(2) of the European Communities Act 1972 which relate to the GDPR or the Law Enforcement Directive.

e) “EU Model Clauses” means the standard contractual clauses for Processors as approved by the European Commission pursuant to Decision C (2010)593.

f) “Personal Data” means any information relating to an identified or identifiable natural person.

g) “Personal Data Breach” means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

h) “Processor” means an entity that processes Personal Data on behalf of a Controller.

i) “Services” means the services as defined in Agreement.

j) “Sub-processor” means any Processor engaged by EASWORKS or any member of its group of companies that processes Personal Data pursuant to the Agreement. Sub-processors may include third parties or any member of EASWORKS’s group of companies.

k) “Term” means the period from the DPA effective date until the end of EASWORKS’s provision of the Services in the Agreement.

l) ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

3. BACKGROUND AND CONFLICT RULES

In accordance with the terms and conditions of the Agreement, EASWORKS will process Personal Data on behalf of the User in order to provide the Service. In the event of a conflict between this DPA and the Terms of Use, the terms of this DPA will take precedence; in the event of a conflict between this DPA and the Standard contractual clauses, the latter will take precedence; and in the event of a conflict between the Terms of Use and the Standard contractual clauses, the latter will take precedence.

4. DURATION OF THIS DPA

This DPA will begin on the DPA effective date and will continue in effect until the termination of EASWORKS’s provision of the Services in the Agreement and will instantaneously lapse upon the erasure of all User data by EASWORKS in accordance with the terms of this DPA, notwithstanding the termination of the Term.

5. COLLECTING, PROCESSING AND SUBPROCESSING OF DATA UNDER THE DPA

Titles-

a) Depending on the context of Personal Data, the User can act as either a Controller or a Processor. According to the Agreement and this DPA, EASWORKS will process Personal Data only as a Processor or Sub-processor on behalf of the User.

User Data Collection and Processing

a) The User will comply with its obligations under data protection laws, as well as any processing instructions it sends to EASWORKS, in accordance with applicable data protection laws. The User certifies that it possesses all required rights, consents, and authorizations for EASWORKS to process Personal Data in accordance with applicable Data Protection Laws and the Agreement.

b) EASWORKS is authorised to process Personal Data on the User's behalf in the course of providing its Services in line with applicable legislation.

c) Upon giving User written notice of its intent to terminate the Agreement, EASWORKS may terminate the Agreement if EASWORKS determines, or has reasonable grounds to believe, that User is not compliant with any data protection legislation, whether in his capacity as a Controller or Processor.

EASWORKS Data Processing

a) EASWORKS will adhere to its processor’s duties under Data Protection Laws and will process Personal Data in accordance with the User's instructions. User acknowledges and agrees that this DPA is the complete and final agreement between User and EASWORKS in relation to the processing or sub-processing of Personal Data.

b) EASWORKS will follow the instructions of the User in any processing or sub-processing of Personal Data, unless EASWORKS is required by law to handle User Personal Data differently, in which case it will notify the User.

c) User may terminate the Agreement by giving EASWORKS written notice if EASWORKS refuses to follow User's reasonable instructions that are outside the scope of, or differ from, those given or agreed to in this DPA, to the extent that such instructions are necessary for EASWORKS to comply with Data Protection Laws.

EASWORKS Data Sub-processing

a) EASWORKS contracts Freelancers to act as sub-processors and provide Services. The User agrees that ENTRAPPHUB may engage sub-processors to process Personal Data on their behalf in accordance with the Agreement. For the purposes of this DPA, EASWORKS remains liable for the acts, errors, and omissions of its sub-processors in connection with EASWORKS's obligations under this DPA.

b) EASWORKS shall ensure that each sub-processor is bound by contractual obligations to protect Personal Data that are consistent with the standards set forth in this DPA.

c) EASWORKS will comply with its sub-processor obligations under Data Protection Laws and the terms of this DPA and will subprocess Personal Data in accordance with the instructions of the User.

6. CUSTOMER'S INSTRUCTIONS

EASWORKS will process Personal Data in accordance with the written instructions of the Customer, in compliance with the terms of this DPA. The Parties acknowledge and agree that this DPA constitutes the Customer's complete written instruction to EASWORKS in the Customer's capacity as Data Controller. Additional instructions outside the scope of this DPA must be agreed to in writing by both parties before they can be implemented.

7. DATA SECURITY MEASURES

EASWORKS shall implement and maintain appropriate measures to ensure an adequate level of protection for the Personal Data and to protect the Personal Data against unauthorized or unlawful processing, as well as accidental loss, damage, alteration, or disclosure while processing Personal Data for the purposes of the Service. Upon becoming aware of a Data Breach Incident, EASWORKS shall promptly notify the Customer and take reasonable steps to mitigate any damage that may result from the Personal Data Breach. The notification shall contain information EASWORKS is reasonably able to disclose to the Customer, including the following information:

a) a description of the nature of the Personal Data breach, including, where possible, the categories and approximate number of Data Subjects affected, as well as the categories and estimated number of data records affected.

b) the name and contact details of a point of contact where additional information can be obtained.

c) a description of the likely consequences of the Personal Data Breach; and

d) a description of the measures taken or proposed to address the Personal Data Breach.

If it is not possible to provide all of the information at the same time, the information may be provided in phases. EASWORKS will cooperate with and assist the Customer, upon the Customer's written request and at the Customer's expense and risk, in connection with the Personal Data Breach notifications that are required to be made to supervisory authorities under the Data Protection Regulation as required by law.

8. DATA TRANSFERS

a) As permitted by the Agreement and this DPA, EASWORKS may transfer and process Personal Data on behalf of Users in various locations around the world where EASWORKS and its sub-processors have operations in order to provide services under the Agreement and this DPA.

b) When Personal Data is transferred from the European Economic Area ("EEA") and/or Switzerland to a country that has not been recognized by the European Commission or the Swiss Federal Data Protection Authority as offering an adequate level of protection for Personal Data, the User authorizes EASWORKS to enter into the EU Model Clauses on User's behalf with such EASWORKS entity based outside of the EEA and Switzerland and involved in the transfer of Personal Data. EASWORKS will provide a copy of those EU Model Clauses to the User upon receipt of a written request from the User. As of the day on which EASWORKS implements Binding Corporate Rules or another alternative data export solution (as recognized under EU Data Protection Law), the EU Model Clauses will no longer apply, and the EU Model Clauses will no longer apply to the User.

9. DELETION AND RETURN OF DATA

EASWORKS will delete or return to the User all Personal Data that may be in its possession in accordance with the terms of the Agreement, except to the extent that EASWORKS is required to retain Personal Data by applicable law. EASWORKS also agrees with the following:

a) Personal Data shall not be copied or duplicated without the consent or instruction of the User, or unless in the circumstances indicated in this section.

b) EASWORKS shall either return to User or destroy all documents, processing and utilization results, and data sets acquired in connection with the Agreement upon conclusion of the Services or upon User's request, in accordance with applicable Data Protection Laws.

10. AUDITING

EASWORKS shall provide the Customer with an audit report that is not more than 12 months old upon the Customer's written request to (.) in order for the User to objectively confirm EASWORKS's adherence with its responsibilities under this DPA. The report should be treated as confidential information belonging to EASWORKS at all times.

11. DUTIES OF EASWORKS

a) Unless required by law, EASWORKS is under no obligation to designate a Data Protection Officer. The following EASWORKS employees shall be the principal point of contact for any requests made under this DPA: (.)

b) EASWORKS is located outside of the EU and EEA, and its designated representative within the EU is as follows: (.)

c) The data processing described in Section 5 of this DPA will be carried out by only those employees and Freelancers who have signed a confidentiality agreement and have been previously informed of the data protection laws that apply to their job, as determined by EASWORKS. When it comes to personal data, EASWORKS and any person operating on its behalf who has access to that data must only process it on the instructions of User, which includes the powers provided in this contract, unless otherwise required to do so by law.

d) Where EASWORKS has made the personal data public and is obliged to erase the personal data, in pursuant with Article 17 of GDPR, EASWORKS, taking account of available technology measures, to inform the users which are processing the personal data that the party has requested the erasure by EASWORKS of any links to, or copy or replication of, those personal data.

12. LIMITATIONS OF LIABILITY

Unless otherwise agreed to in writing by the Parties, the total combined liability limit (including indemnifications of any sort) owed to one another must be determined in accordance with the terms of the Agreement as executed by the Parties.

13. MISCELLANEOUS

a) EASWORKS may amend the provisions of this DPA in accordance with the conditions of the Agreement. If EASWORKS makes any changes, it will notify the User of the changes and the effective date of the changes in accordance with this DPA or the Agreement. Changes to this DPA may be made in the following conditions, but are not limited to, the following:

i. Any supervisory, judicial, governmental, or regulatory authority may require or order that you comply with their requirements.

ii. Whenever it is necessary to implement or adhere to standard contractual provisions, various codes of conduct, policies, regulations, processes, or any other mechanisms mandated by data protection laws, we will do so.