GoZupees Data Processing Addendum

This GoZupees Data Processing Addendum ("DPA") forms part of the agreement between the Customer and SILICON BIZTECH LIMITED, trading as GoZupees ("GoZupees") that references or otherwise incorporates this DPA. This DPA may be updated by GoZupees from time to time to the extent permitted by applicable law. For entities using Self-Serve Services, references to "Agreement" herein refer to the Terms of Service, and references to "Customer" herein refer to "you" as defined in the Terms of Service.

1. Definitions and Interpretation

Capitalized and undefined terms and expressions used in this DPA shall have the meanings ascribed to such terms in the Agreement (or if not defined therein, under Applicable Data Protection Laws).

• "Applicable Data Protection Laws" means any privacy or data protection legislation or regulations applicable to a Party's Processing of Personal Data under the Agreement, which may include, without limitation, European Data Protection Laws, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and Brazil's General Data Protection Law (Lei Geral de Proteção de Dados – LGPD).
• "Controller" shall be interpreted consistent with Applicable Data Protection Laws and includes, where applicable, "controller" under European Data Protection Laws and "business" under the CCPA.
• "Customer Personal Data" means any Personal Data Processed by GoZupees as a Processor on behalf of Customer pursuant to the Agreement.
• "Data Subject" shall be interpreted consistent with Applicable Data Protection Laws, and includes, where applicable, "data subject" under European Data Protection Laws and "consumer" under the CCPA.
• "Data Subject Rights" means the rights granted to Data Subjects under Applicable Data Protection Laws.
• "Data Transfer" means a disclosure of Customer Personal Data by an organization subject to Applicable Data Protection Laws in the EEA, UK, Switzerland, or Brazil to another organization located outside of such respective jurisdiction.
• "EEA SCCs" means the Standard Contractual Clauses annexed to the EU Commission Implementing Decision 2021/914.
• "European Data Protection Laws" means the GDPR, the e-Privacy Directive, and all other data protection laws of the EEA, the United Kingdom ("UK"), and Switzerland.
• "Personal Data" shall be interpreted consistent with Applicable Data Protection Laws.
• "Processor" shall be interpreted consistent with Applicable Data Protection Laws, and includes, where applicable, a "processor" under European Data Protection Laws and a "service provider" or "contractor" under the CCPA.
• "SCCs" means the EEA SCCs, UK Addendum, or Brazil SCCs, as applicable.
• "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
• "Services" means the software and services provided by GoZupees to Customer under the Agreement.
• "Subprocessor" means any entity appointed by GoZupees to Process Customer Personal Data on behalf of the Customer.
• "UK Addendum" means the addendum to the SCCs issued by the UK Information Commissioner.

2. Scope

This DPA applies to the extent GoZupees Processes Customer Personal Data as a Processor on behalf of Customer. Details regarding the subject matter, nature, and purposes of the Processing are set out in Annex I.

As between the parties, Customer is responsible for compliance with the requirements of Applicable Data Protection Laws applicable to Controllers, including providing all necessary notices and obtaining all necessary consents from Data Subjects.

3. Processing of Customer Personal Data

GoZupees shall not Process Customer Personal Data other than on Customer's documented instructions as set forth in the Agreement, or as expressly permitted by Applicable Data Protection Laws.

4. Personnel

GoZupees shall ensure that any personnel who may have access to Customer Personal Data are subject to confidentiality obligations and that access is strictly limited to those individuals who need to know and access the relevant data to perform their duties.

5. Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, GoZupees shall implement appropriate technical and organizational measures as described in Annex II.

6. Subprocessing

Customer grants GoZupees a general authorization to engage Subprocessors. A list of GoZupees' Subprocessors is maintained at https://trust.gozupees.com ("Subprocessor List"). GoZupees will enter into a written agreement with such Subprocessors imposing data protection obligations that are substantially as protective as those in this DPA. GoZupees will notify Customer at least thirty (30) days prior to appointing any new Subprocessor by updating the Subprocessor List. Customer may object by providing written notice within fourteen (14) days.

7. Data Subject Rights

GoZupees shall provide commercially reasonable assistance to Customer to fulfill requests for the exercise of Data Subject Rights. GoZupees shall promptly notify Customer if it receives a request from a Data Subject and will not respond directly, except to direct the individual to the Customer.

8. Personal Data Breach

GoZupees shall notify Customer without undue delay upon confirming a Security Incident and shall provide reasonable assistance in connection with Customer's investigation and mitigation of such incident.

9. Deletion or Return of Customer Personal Data

Customer Content will be deleted from the Services within thirty (30) days of the expiration or termination of an enterprise-level Agreement. For Self-Serve Services, GoZupees reserves the right to delete Customer Content after one-hundred and eighty (180) days of inactivity. GoZupees may retain Customer Personal Data as required by applicable law or in backup systems.

10. Audit Rights and Compliance

Upon reasonable written request, GoZupees shall make available to Customer a current, industry-standard third-party audit certification (e.g., SOC 2 Type II report). Such reports shall satisfy any audit rights Customer may have under Applicable Data Protection Laws. Additional audits may be conducted under specific conditions, with costs borne by the Customer unless a material breach is found.

11. Data Transfers

Customer authorizes GoZupees to perform Data Transfers to any country deemed adequate by the European Commission or other competent authorities, or pursuant to the SCCs. For the EEA SCCs: (i) the optional docking clause (Clause 7) does not apply; (ii) Option 2 of Clause 9(a) is implemented; (iii) the optional redress clause in Clause 11(a) is struck; (iv) Option 1 in Clause 17 is implemented, and the governing law is the law of the United Kingdom; and (v) the courts in Clause 18(b) are those of the United Kingdom.

12. U.S. Data Protection Laws

To the extent Applicable Data Protection Laws in the U.S. apply, GoZupees is prohibited from Selling or Sharing Customer Personal Data, or using it for any purpose other than the specific Business Purpose permitted under the Agreement.