Jun 4, 2024
Data Processing Addendum (DPA)
1. Introduction
This Data Processing Addendum ("DPA") forms part of the Master Services Agreement (the "Agreement") between Outmarket AI ("Processor") and the Customer ("Controller"). This DPA reflects the parties' agreement with regard to the processing of Data in accordance with applicable data protection laws and regulations.
2. Definitions
2.1 "Customer"
means the individual or entity that has entered into the Agreement and agreed to the incorporation of this DPA into the Agreement.
2.2 "Customer Data"
means Customer's content, application data, data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to an online Service by Customer or Users and is Processed by Outmarket AI on behalf of Customer. For the avoidance of doubt, Customer Content does not include usage, statistical, learned, or technical information that does not reveal the actual contents of Customer Content.
2.4 "Customer Personal Data"
means Personal Data that is contained within Customer Content.
2.5 "Personal Data"
means any information relating to, identifying, describing, or capable of being associated with a Data Subject or a household.
2.6 "Data"
means any Customer Data, Customer Content, Customer Personal Data, and Personal Data processed by Processor as part of providing the Services to Controller.
2.7 "Processing"
means any operation or set of operations performed on Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.8 "Sub-processor"
means any third party appointed by or on behalf of Processor to process Data in connection with the Agreement.
2.9 "Data Protection Laws"
means all applicable legislation protecting the fundamental rights and freedoms of individuals and their right to privacy with respect to the processing of Data.
3. Processing of Data
3.1 Processor's Obligations
Processor shall process Data only on documented instructions from Controller, including with regard to transfers of Data to a third country or an international organization, unless required to do so by Union or Member State law to which Processor is subject. In such a case, Processor shall inform Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.2 Controller's Obligations
Controller shall provide documented instructions that are compliant with Data Protection Laws. Controller shall ensure that it has obtained all necessary consents, permissions, and notices required for Processor to process Data in accordance with this DPA.
4. Security Measures
4.1 Confidentiality
Processor shall ensure that persons authorized to process Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2 Security
Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:
The pseudonymization and encryption of Data
The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
The ability to restore the availability and access to Data in a timely manner in the event of a physical or technical incident
A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
5. Multi-Tenant Secure System Measures
Processor shall ensure the highest level of measures to maintain data confidentiality and security in a multi-tenant secure system, including but not limited to:
Data Isolation: Ensuring logical data isolation between tenants to prevent unauthorized access to other tenants' Data
Access Control: Implementing strict access control measures, including role-based access control and multi-factor authentication, to limit access to Data to only those individuals who need it to perform their job duties
Encryption: Encrypting Data both in transit and at rest using industry-standard encryption algorithms and protocols
Monitoring and Logging: Continuously monitoring and logging access to Data and system activities to detect and respond to security incidents promptly
Regular Audits: Conducting regular security audits and vulnerability assessments to identify and mitigate potential security risks
Data Minimization: Ensuring that only the minimum necessary amount of Data is processed for the specified purposes
6. Sub-processors
6.1 General Authorization
Controller provides general authorization to Processor to engage Sub-processors. Processor shall inform Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving Controller the opportunity to object to such changes.
6.2 Sub-processor Obligations
Processor shall ensure that the Sub-processor is bound by data protection obligations no less protective than those set forth in this DPA.