Data Processing Agreement

in relation to the data processed through RPA Trial Software

1 GENERAL PROVISION

1.1 This data processing agreement (“DPA”) is integrated by reference in the Terms of Use (“ToU") and in the Privacy Policy regulating the use of the RPA Trial Software. In the event of discrepancies, this DPA shall prevail.

1.2 Unless the context requires otherwise, the terms used herein, including capitalized terms shall have the meaning set out and shall be construed in accordance with the data protection legislation, in particular, without limitation, Regulation (EU) 2016/679 regarding the Personal Data Protection (“GDPR”).

1.3 The DPA is entered into by and between the User and us (as defined below, each a “Party” and collectively, the “Parties”). The DPA shall be effective upon granting the use for the Trial Software to the User (“Effective Date”) without any further formalities.

1.4 When we refer to as “us”, the “Company”, “Atomatik” or any similar term, that means Atomatik Inc and/or and any of its all its wholly owned subsidiaries, as the context may require. Address details for all Atomatik offices are available on the Contact us page and we can be contacted at info@atomatik.com. The specific contracting party which grants you the use of the Trial Software and is responsible towards the User is identified in the correspondence leading to the creation your user account

2 Scope of the Agreement

2.1 The User and Atomatik have concluded this DPA to establish their responsibilities regarding the protection of Personal Data which may be processed pursuant use of the RPA Trial Software (hereinafter the “Trial Software”).

2.2 The Parties agree that, under this DPA, the User acts as a Controller or a Processor for another Controller, as the case may be, and Atomatik acts as a Processor. The User acknowledges that Personal Data is not a pre-requisite or requirement for the use of the Trial Software, but Personal Data may be transferred to Atomatik. The User undertakes full liability for observing the necessary restrictions/prohibition in relation to such Personal Data transfer, with no liability to Atomatik.

2.3 This DPA applies to the Trial Software used by the User, and solely to the extent that Personal Data is transferred from the User to Atomatik, pursuant to such use of the software and under this DPA.

2.4 The User has full control over the Personal Data sent for Processing and is responsible for complying with its applicable data protection laws, for assessing whether the use of the Trial Software meets the requirements for the Processing of Personal Data in accordance with this DPA, the applicable law and contractual agreement, including where applicable approval by User’s Controllers to use Atomatik as a Processor.

2.5 This DPA does not apply to:

2.5.1 Personal Data processed as a result of the User using third party cloud integrations, which are subject to their own terms and conditions and privacy policies;

2.5.2 Any products and services made available by Atomatik that are not hosted by Atomatik or its processors on behalf of Atomatik and where there is no transfer of Personal Data from the User to Atomatik.

2.6 This DPA sets forth the general rights and obligations of the Parties, and the specific information and details regarding Personal Data Processing (i.e., purpose, duration, nature and purpose of each processing, type of Personal Data and Data Subjects), as detailed in Appendix 1 - Processing details, attached to this DPA. Any amendment to the processing details described in Appendix 1 may only be made based on a written instruction from the Controller.

3 AUTHORITY OF THE USER

3.1 Atomatik is required to process the Personal Data only subject to, and within, the limits set forth in the documented instructions received in writing from the User, including with regards to transfers of Personal Data to a Third Country, as prescribed under ToU and this DPA. Atomatik will notify the User without delay if it considers that a User’s instruction or any implementation of an instruction received from the User breaches or may breach the Applicable Data Protection Law.

3.2 If required under the law, Atomatik shall maintain the processing records and, to the extent applicable to the processing of Personal Data on behalf of User, make them available to the User upon request.

4 DATA SECURITY

4.1 Atomatik will preserve the confidentiality of the Personal Data and the Processing activities. Atomatik shall ensure that any person charged with the Processing of Personal Data by Atomatik, either an employee, a contractor, or a Sub-processor, undertakes to maintain the confidentiality of Personal Data.

4.2 Having regards to the current state of technology and the varying degrees of risks and severity for the rights and freedoms of individuals, Atomatik will implement technical and organizational practices to ensure an adequate level of security for the Personal Data Processing that it carries out, The current technical and organizational measures applied by Atomatik, which the User deems to be adequate for the processing are listed in Appendix 2 hereto.

4.3 Atomatik reserves the right to modify or update its technical and organizational measures and practices, to the extent this will not result in a lower level of security for the Processing activities.

4.4 Notwithstanding Atomatik’s security undertakings, the User is responsible to safeguard any Personal Data or information under its control, and to assess whether its privacy and security obligations are met when using the Trial Software.

5 Processor’s main duties

5.1 Subject to, and within the limits provided under the applicable data protection legislation:

a) Atomatik shall promptly inform the User of requests received by Atomatik from Data Subjects exercising their rights under the Applicable Data Protection Law.

b) To the extent technically and commercially possible to it, Atomatik shall assist the User with extracting, deleting or performing any other operations on the Personal Data, or, where possible, provide the User the ability to perform any of the aforementioned actions on the Personal Data.

c) Atomatik shall provide commercially reasonable assistance to the User, in accordance with the technical capabilities available, to enable the User to respond to: (i) any request from a Data Subject exercising its rights under the applicable data protection legislation; and (ii) any other enquiry or complaint received from a Data Subject or a Supervisory Authority in connection with the Processing of the Personal Data.

5.2 Atomatik will inform the User, without undue delay from becoming aware that a personal data breach has occurred and shall provide reasonable information and cooperation to the User, so that the User can fulfil its reporting obligations in relation to such breach under the applicable data protection legislation.

The Parties agree that, by the mere giving notice of personal data breach, Atomatik does not acknowledge any liability or fault thereof. The User acknowledges that it is responsible for complying with its own legal obligations regarding Personal Data breach notifications. If the User suspects that a personal data breach occurred, the User shall without undue delay notify Atomatik.

5.3 Upon written request from the User, Atomatik shall give reasonable assistance to the User in carrying out any assessment of the consequences or impact of Processing of Personal Data and in any consultation with the Supervisory Authority. Atomatik will notify the User without delay if a Supervision Authority contacts Atomatik directly with respect to the processing activities that fall within the subject matter of this DPA.

Atomatik processes Personal Data only on documented instructions from the User, including by allowing full control (input, modification, deletion) over the Personal Data processed through the Trial Software.

5.4 Atomatik ensures that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Upon User’s reasonable request, Atomatik assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the processor.

5.5 At the choice of the controller (as notified by the User), Atomatik deletes or returns all the Personal Data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data.

6 Atomatik’s Compliance to the DPA

6.1 Atomatik shall make available to the User controller all information necessary to demonstrate compliance with the obligations laid down in this DPA Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. In this respect, Atomatik shall immediately inform the User if, in its opinion, an instruction infringes the relevant data protection provisions..

6.2 If the User believes, acting reasonably and in good faith, that an audit is necessary to verify compliance with this DPA, the User may request such audit, provided that:

a) It provides reasonable evidence to Atomatik as to why such audit is necessary;

b) The audit shall be organized based on the agreement on the parties and shall be limited as to ensure Atomatik’s confidentiality and security obligations towards its employees and other counterparties.

c) The audits may be performed no more than once (1) a year and must be conducted during the agreed hours, according to Atomatik’s policies, and will not interfere with Atomatik’s business activities.

d) Audits may be performed only if a confidentiality agreement is concluded with the third-party auditor and the audit results will remain confidential and will not be shared with any third party unless agreed by an authorized representative of Atomatik in writing.

e) unless prohibited by legislation binding on the Parties, the Company must provide Atomatik with a copy of the audit report free of charge.

f)audits are performed at User’s expense and Atomatik will give reasonable cooperation and assistance.

7 Sub-processors

7.1 GENERAL WRITTEN AUTHORISATION: Atomatik has the controller’s general authorisation for the engagement of sub-processors from the agreed list in Appendix 3.

7.2 Atomatik shall specifically inform in writing the User of any intended changes of that list at least 10 working days in advance, thereby giving the User controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). Atomatik shall provide the controller with the information necessary to enable the controller to exercise the right to object.

7.3 The User acknowledges its sole and exclusive remedy for objecting to any change in Sub-processors is the termination of the use of the Trial Software Agreement. If Atomatik does not receive a written notice of objection and termination in accordance with this section, it will be deemed in good faith that the User has accepted the change in Sub-processors.

7.4 Notwithstanding the foregoing rules setting out the procedure for changes in Sub-processors, Atomatik may replace a Sub-processor without advance notice to User where the reason for the change is outside of the Atomatik’s reasonable control and prompt replacement is required for regulatory, security, system integrity, business continuity purposes or other urgent reasons. Atomatik will inform the User of the replacement Sub-processor as soon as possible following such change, and the procedure set out above will apply accordingly.

7.5 Notwithstanding the foregoing rules setting out the procedure for changes in Sub-processors, the User acknowledges, agrees, and hereby gives a written authorization under Article 28 of the GDPR to Atomatik to engage its affiliates as Sub-processors. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where “control” means the direct or indirect control of greater than 50% of the voting rights or equity interests of a Party or the power to direct or cause the direction of the management and/or business strategy of that Party.

7.6 Where Atomatik processor engages a sub-processor for carrying out specific processing activities (on behalf of the User), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these DPA. Atomatik shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these DPA and the applicable data protection legislation.

8 International Transfers of Personal Data

8.1 For the purposes of this article 8 an international data transfer shall mean a transfer of personal data by a person (“the exporter”) to another person (“the importer”) based in a third country (“third country”) – namely outside the European Union or the European Economic Area.

8.2 Atomatik will also process Personal Data, including by using Sub-processors, outside the country in which the User using the Trial Software is located, in accordance with this DPA and as permitted under the applicable data protection legislation, and only by offering appropriate safeguards and ensuring that all transfers are made in accordance with transfer safeguards, within the meaning of the applicable data protection legislation.

8.3 Where Atomatik is not located in a third country and acts as an exporter of Personal Data, Atomatik has in place appropriate safeguards, which may include SCC in connection to each sub-processor located in a third country that acts as Personal Data importer. For the purposes of the DPA, SCC shall mean the Standard Contractual Clauses (or “SCC”) for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council approved by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as available here (or successor website): https://eurlex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.

8.4 Where Atomatik is located in a third country and acts as an importer of Personal Data Atomatik and User, as a Personal Data exporter, hereby enter into, and agree that, the SCC shall apply and will be incorporated into this DPA, as follows: a) Module 2 (Controller to Processor) shall apply where User is a Controller; and b) Module 3 (Processor to Processor) shall apply where User is a Processor.

8.5 The details required by the SCC, and by Annexes I and II thereto, are specified in Appendix 2 below.

8.6 Unless Atomatik notifies the User to the contrary, if the European Commission amends the SCCs after the Effective Date, the amended SCCs will supersede and replace the SCCs executed between the Parties by virtue of this section. In addition, if and to the extent a court of competent jurisdiction or Supervisory Authority orders (for whatever reason) that the measures described in this DPA cannot be relied on for the purpose of lawfully transferring Personal Data to third countries, the User agrees that Atomatik may implement any additional measures or safeguards that may be reasonably required to enable a lawful transfer.

9 Term and Termination

9.1 This DPA is effective at the Effective Date and will be in force for as long as the User uses the Trial Software, without exceeding the duration of the ToU Agreement. The Parties may agree to terminate this DPA in writing.

9.2 Following termination of the Trial Software use and upon express written instructions from the User, Atomatik will delete the Personal Data, unless and to the extent retention is required by applicable law, or the Personal Data has been archived on back-up systems due to the service functionalities.

10 Liability

10.1 Each Party will be liable for its own actions and/or omissions under this DPA. Atomatik will remain liable to the User for the performance of the obligations that its appointed Sub-processors fail to comply with.

10.2 Atomatik’s aggregate liability in relation to this DPA shall be subject to the limitations set out in the ToU.

11 Miscellaneous

11.1 This DPA shall be interpreted and construed in accordance with the laws of the state Delaware, USA, unless otherwise expressly mandated by the applicable data protection legislation laws. Any dispute arising in connection with this DPA, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Delaware, unless a different mandatory jurisdiction is established by the mandatory applicable law.

11.2 This DPA constitutes the entire agreement between the Parties with respect to the subject matter hereof and takes prevalence over any prior written or oral agreement between them with respect to such subject matter or in the event of conflicting provisions regarding any rights and obligations granted or incurred by the Parties for purposes of this DPA.

11.3 We may change the DPA to reflect changes in the Trial Software, the legislation or our commercial practices.

11.4 We will notify you by e-mail of any of material changes to the DPA and the updated Agreement will be effective within 5 (five) days from the notification date unless otherwise specified in the notification. If you continue to use the Trial Software after any change has taken effect, we will assume that you have agreed with said change. If you do not agree with the amendments, you may terminate this agreement for convenience, with no claims against Atomatik.

Appendix 1 Processing details

Atomatik shall process the Personal Data received from the User in accordance with the details set out below.

I. Categories of data subjects whose personal data is processed

The data subjects whose date are made available by the User such as: employees, clients or commercial partners thereof.

II. Categories of personal data processed

User determines the categories of data, depending on the specific process automated through the Trial Software. Such data may include: name, surname, personal details and other personal data that may be stored on the platform, under User’s responsibility.

III. Nature of the processing

The Personal Data is processed electronically as part of the User Generated Data which hosted and organized by Processor, pursuant to the use of the Trial Software by Controller.

The data may also be accessed by the Processor as part of the maintenance activities meant to ensure the use of the Trial Software.

IV. Purpose(s) for which the personal data is processed on behalf of the controller

Ensuring the use of the Trial Software. The purpose of the processing may include: maintenance of the Trial Software and solving support tickets raised by the User when the software is not working properly. This may include phone calls and performance of basic troubleshooting.

V. Duration of the processing

Atomatik will store User’s Personal Data for a limited period of time, as necessary to achieve the purposes of the Personal Data processing, as described in this DPA and the Privacy Policy, and in accordance with Atomatik’s legal and contractual obligations, or industry practices. This means Atomatik retains different categories of data for different periods of time depending on the type of data, the category of data subject to whom the data relates, and the purposes for which Atomatik collected the data. Once the retention period expires for a specific category of data, Atomatik we will delete, archive, anonymize or destroy it, in accordance with its internal policies and procedures, unless prohibited by the applicable law. User may request Atomatik to have all its information deleted at any time by contacting us to that effect.

VI. For processing by (sub-) processors, also specify subject matter, nature and duration of the processing

The data User processes and generates with help of the Trial Software (“User generated Data”) will be stored on the infrastructure of the specialized hosting providers contracted by Atomatik (presently, the EU servers of Amazon Web Services). The access to such data bases shall be made via the public Internet and will be dependent upon the service availability of such providers, as undertaken in their respective terms and conditions (https://aws.amazon.com/service-terms.

Appendix 2a Details required by the Standard Contractual Clauses for transfers from Economic European Area

I. Applicable modules from the SCC

Module Two (transfer controller to processor) applies where User is a Controller.

Module Three (transfer processor to processor) applies where User is a Processor, acting under the instructions of its Controller(s).

II. Option for certain clauses

Clause 9 (Use of sub-processors) – Parties opt for a general written authorization from the User for Atomatik to designate sub-processors (see art. 7.1 et seq.) in both the cases of Module Two and Module Three;

Clause 17 (Governing law) – Parties elect OPTION 2: These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Romania.

Clause 18 (Choice of forum and jurisdiction) – Parties agree the following:

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of Romania.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

III. Details requested by Annex I of the SCCs regarding the transfer

A. Parties

Data exporter:

a) Identity and contact details of the data exporter(s): the User as defined in the ToU an and the DPA. The contact details are the ones specified by the User in its User account or thereafter in the correspondence with Atomatik;

b) Activities relevant to the data transferred under these Clauses: The data User processes and generates with help of the Trial Software (“User generated Data”) will be stored on the infrastructure of the specialized hosting providers contracted by Atomatik (presently, the EU servers of Amazon Web Services Amazon Web Services);

c) Role of the date exporter: Controller or Processor;

Data importer:

a) Identity and contact details of the data importer exporter(s): Atomatik User as defined in the ToU an and the DPA. The contact details are available on the Contact Us page and Atomatik can be contacted at info@atomatik.com;

c) Role of the date importer: Processor.

B. Description of the transfer

a) Categories of data subjects whose personal data is transferred

The data subjects whose date are made available by the controller such as: employees, clients or commercial partners thereof.

b) Categories of personal data transferred

c) Sensitive data transferred (if applicable):

Not applicable.

d) The frequency of the transfer:

Continuous or intermittent depending on the necessity for ensuring the use of the Trial Software.

e) Nature of the processing:

Ensuring the use of the Trial Software.

f) Purpose(s) of the data transfer and further processing

The purpose of the transfer may include: maintenance of the Trial Software and solving support tickets raised by the User when the software is not working properly. This may include phone calls and performance of basic troubleshooting

g) The period for which the personal data will be retained

h) For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The details are in Appendix 2 to the DPA

C. COMPETENT SUPERVISORY AUTHORITY

The applicable supervisory authority is the authority in the EU Member State where the data exporter is established, or other supervisory authority with the right by operation of law to supervise compliance.

Appendix 2 b Technical and Organisational Measures Including Technical and Organisational

Measures to Ensure the Security of the Data

Description of the technical and organisational measures implemented by the data importer(s)

Atomatik will maintain at least the technical and organizational security measures set out in the DPA and its internal policies.

User acknowledges and agrees that such measures are appropriate for the purposes of this DPA.

Such measures do not apply if Atomatik performs services on the User’s premises and Atomatik is provided access to User’s systems and data. In such case, Atomatik shall comply with User’s reasonable policies for the protection of data against unauthorized access.

Appendix 3 – List of sub-processors

List of sub-processors

EXPLANATORY NOTE:

The controller has authorised the use of the following sub-processors:

Name: Amazon Web Services EMEA SARL

Address: 38 Avenue John F. Kennedy, L-1855, Luxembourg

Contact person’s name, position and contact details: The data protection officer for Amazon Web Services EMEA SARL can be contacted at aws-EU-privacy@amazon.com. Facsimile 352 2789 0057

Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):

The data User processes and generates with help of the Trial Software (“User generated Data”) will be stored on the infrastructure of the specialized hosting providers contracted by the Company (presently, Amazon Web Services). The access to such data bases shall be made via the public Internet and will be dependent upon the service availability of such providers, as undertaken in their respective terms and conditions (https://aws.amazon.com/service-terms.