Data Processing Agreement

This Processing Agreement ("Agreement") is entered into between Customer and Civo ("Processor") (collectively referred to as the "Parties").

This Data Processing Agreement forms an integral part of the contract for the provision of Civo's services and governs instances when Civo processes Personal Data on the Customer's behalf as a Data Processor within the meaning of the GDPR.

Recitals

Customer has engaged Processor to provide certain services ("Services") that may involve the processing of personal data ("Personal Data") subject to the European Union's General Data Protection Regulation ("GDPR").

The Parties enter into this Agreement to comply with the GDPR's requirements governing the processing of Personal Data and to ensure that Personal Data is processed by Processor only in accordance with Customer's instructions.

Agreement

Definitions.

"Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the European Union, including but not limited to GDPR, as well as any other relevant legislation that replaces, amends, extends, consolidates or supersedes GDPR.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Processor on behalf of Customer pursuant to this Agreement.

"Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

"Services" means the services that Processor provides to Customer pursuant to the underlying agreement between the Parties.

Scope.

This Agreement applies to the Processing of Personal Data by Processor on behalf of Customer in the course of providing Services to Customer. This Agreement does not apply to any Personal Data that Processor collects, processes, or uses for its own purposes.

Processor's Obligations.

1.1. Processor shall process Personal Data in accordance with Customer's written instructions, including with respect to transfers of Personal Data to a third country or an international organization, unless Processor is required to do otherwise by applicable law.

1.2. Processor shall ensure that any persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

1.3. Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32(1) of GDPR.

1.4. Processor shall promptly inform Customer if it is unable to comply with Customer's written instructions, including if it believes that any such instruction would violate GDPR or other applicable Data Protection Legislation.

Customer's Obligations.

2.1. Customer shall be solely responsible for determining the purposes and means of Processing Personal Data.

2.2. Customer shall ensure that it has obtained all necessary consents and approvals, and provided all necessary notices to Data Subjects, to enable the lawful Processing of Personal Data in accordance with this Agreement and applicable Data Protection Legislation.

Data Subject Rights.

3.1. Processor shall assist Customer in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable Data Protection Legislation, including the rights to access, rectification, erasure, and restriction of Processing.

3.2. Processor shall promptly inform Customer if it receives a Data Subject request to exercise any of the rights under applicable Data Protection Legislation.

Data Breach Notification.

4.1. Processor shall notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer's Personal Data.

4.2. Processor shall provide Customer with sufficient information about the Personal Data breach to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data breach under applicable Data Protection Legislation.

Subprocessing.

5.1. The Customer grants Processor a general authorisation to subcontract part of its obligations under this Agreement to another data processor. Processor may only use another data processor ("Sub-Processor") to carry out specific processing activities in accordance with its privacy policy listed at https://www.civo.com/legal/privacy.

5.2. Should Processor use a Sub-Processor, Processor shall ensure that each Sub-Processor has appropriate guarantees in accordance with the Data Protection Legislation with regard to the technical and organisational measures adopted for the Processing of Personal Data and shall ensure that each Sub-Processor ceases the Processing of Personal Data immediately if such guarantees should be lacking.

5.3. If Processor engages a Sub-Processor, Processor shall:

5.3.1. ensure that the Sub-Processor agrees to comply with the same obligations imposed on Processor under this Agreement, including with respect to security measures;

5.3.2. remain fully liable for the performance of the Sub-Processor's obligations under this Agreement; and

5.3.3. provide Customer with a list of all Sub-Processors upon request.

Audit and Inspection.

6.1. Processor shall allow Customer, or its designated auditor, to conduct audits or inspections of Processor's Processing activities to ensure compliance with this Agreement and applicable Data Protection Legislation.

6.2. Processor shall provide Customer with all necessary information and assistance to facilitate such audits or inspections.

Term and Termination.

7.1. This Agreement shall remain in force for the duration of the underlying agreement between the Parties that requires the Processing of Personal Data, unless terminated earlier in accordance with this Agreement.

7.2. Either Party may terminate this Agreement immediately by giving notice to the other Party if the other Party breaches any material obligation under this Agreement and fails to cure such breach within 30 days after receiving written notice from the non-breaching Party.

7.3. Upon termination of this Agreement, Processor shall, at Customer's option, delete or return all Personal Data to Customer, and delete existing copies, unless applicable law requires storage of the Personal Data.

Governing Law and Dispute Resolution.

8.1. This Agreement shall be governed by and construed in accordance with the laws of the jurisdiction in which the Processor is located.

8.2. Any dispute arising out of or in connection with this Agreement shall be resolved in accordance with the dispute resolution mechanism specified in the underlying agreement between the Parties.

Miscellaneous.

9.1. This Agreement represents the entire understanding between the Parties with respect to the Processing of Personal Data and supersedes all prior or contemporaneous agreements or understandings, whether written or oral.

9.2. Processor reserves the right to modify this Agreement from time to time, provided that any such modifications are in accordance with applicable Data Protection Legislation. Processor shall provide Customer with written notice of any modifications to this Agreement at least 30 days prior to the effective date of such modifications. Customer's continued use of the Services after the effective date of any such modifications shall constitute its acceptance of the modified Agreement. If Customer does not agree with the modified Agreement, it shall have the right to terminate this Agreement by providing written notice to Processor prior to the effective date of the modifications.

9.3. Any notices or communications required or permitted under this Agreement shall be in writing and may be sent by email to the email address provided by each Party. The address to be used for any written communication sent by post or courier shall be the registered office of each Party or such other address as may be notified in writing by either Party from time to time.