Data Processing Addendum

1. Scope

1.1  Illumex Technologies Ltd. (“Company”) and Customer, as defined below, are parties to the Agreement, as defined below, to which this Data Protection Addendum applies.

1.2  If Company processes personal data in the course of its performance under the Agreement, Company shall comply with the terms and conditions of this Data Protection Addendum, and to the extent applicable, the Standard Contractual Clauses and related Appendixes, incorporated herein by reference (“DPA”).

1.3  By agreeing to this DPA, Company shall qualify as the Data Processor, as this term is defined under Data Protection Laws, and Customer shall qualify as the Data Controller, as this term is defined under Data Protection Laws. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

2. Definitions

All capitalized terms not defined in this DPA have the meanings set forth in the Agreement.

a. “Agreement” means the agreement between the Company and Customer;

b. “Approved Jurisdiction” means a member state of the European Economic Area (“EEA”), or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission currently found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.

c. “Breach Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

d. “Data Protection Laws” means any and/or all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or deferral or national level, pertaining to data privacy, data security and/or the protection of personal data, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and the Privacy and Electronic Communications Directive 2002/58/EC (and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), including any amendments or replacements to them.

e. “Standard Contractual Clauses” mean the standard contractual clauses for the transfer of personal data to data processors established in third countries adopted by the European Commission Decision EC/2021/915: Commission Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council.

f.  The terms “personal data”, “process”, “processing” and “Special Categories of Data” herein shall have the meaning ascribed to them in the GDPR.

3. Data Protection & Privacy

3.1  Customer acknowledges that: (a) the Company’s products and services as contemplated in the Agreement allow for certain functions which may require Data Subjects’ consent under GDPR, and agrees that Customer will be solely responsible for obtaining and documenting such consent if Customer chooses to utilize such features; and (b) it is Customer’s responsibility to ensure the reliability and proper training of authorized users of the services, and their commitment to confidentiality, to ensure the privacy and rights of Data Subjects.

3.2  Customer undertakes that: (a) Data Subjects to which the Link is sent will have been informed of Company’s processing of personal data to the extent required by Data Protection Laws; (b) if and to the extent applicable, it will have obtained consent from Customers for Company’s processing activities under the Agreement as required under Data Protection Laws; and (c) personal data has been and will continue to be collected, processed, and transferred by Customer in accordance with the relevant Data Protection Laws.

3.3 If Company has access to or otherwise processes personal data, then Company shall:

a. only process the personal data in accordance with Customer’s documented instructions and on its behalf, and in accordance with the Agreement and this DPA. For the sake of clarity, Company has no reason to believe that Data Protection Laws prevent Company from fulfilling Company’s obligations in regard to the processing of personal data;

b. take reasonable steps to ensure the reliability of its staff and any other person acting under Company’s supervision who may come into contact with, or otherwise have access to and process, personal data; ensure persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this DPA and any Data Protection Laws (or Company’s own written binding policies are at least as restrictive as this DPA);
c. at Customer’s expense, reasonably assist Customer as needed to cooperate with and respond to requests from supervisor authorities, data subjects, customers, or others to provide information related to Company’s processing of personal data, including in dealing with reasonable inquiries from law enforcement authorities relating to its processing of the personal data;

d. notify Customer without undue delay after becoming aware of a Breach Incident;
e. provide full, reasonable cooperation, and assistance to Customer, at Customer’s expense, in:

• • • allowing data subjects to exercise their rights under the Data Protection Laws;
    • ensuring compliance with any notification obligations of personal data breach to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws;
    • Ensuring compliance with Customer obligation to carry out data protection impact assessments with respect to the processing of personal data, and with its prior consultation with the supervisory authority obligation (as applicable).
    • only process or use personal data on its systems or facilities to the extent necessary to perform Company’s obligations under the Agreement;
    • to the extent required under Data Protection Laws, maintain accurate written records of any and all the processing activities of any personal data carried out under the Agreement (including the categories of processing carried out and, where applicable, the transfers of personal data), and shall make such records available to the applicable supervisory authority on request and where applicable;
    • make all reasonable efforts to ensure that personal data are accurate and up to date at all times while in Company’s custody or under Company’s control, to the extent Company has the ability to do so;
    • not lease, sell, or otherwise distribute personal data;
    • promptly notify Customer of any investigation, litigation, arbitrated matter or other dispute relating to Customer’s information security or privacy practices as it relates to the processing of personal data;
    • upon termination of the Agreement, Company shall cease to process any personal data received from Customer, and within a reasonable period will at the request of Customer: (1) return the personal data; or (2) destroy or erase all personal data in its possession or control, unless the foregoing conflicts with any applicable laws.

3.4 At Customer’s expense, Customer shall have the right to: (a) require from Company all information necessary to, and (b) conduct its own audit and/or inspections of Company (including its facilities or equipment involved in the processing of personal data) in order to demonstrate compliance with this DPA. Such audit and/or inspection shall be conducted no more than once a year, with reasonable advanced notice to Company, subject to confidentiality obligations as then provided by Company, and shall take place during normal business hours to reasonably limit any disruption to Company’s business.

4.  Sub Processors

4.1 Company may engage third-party service providers to process personal data on behalf of Customer (“Sub-processors”). Customer hereby provides Company with a general authorization to engage the Sub-processors listed in Exhibit A to this DPA.

4.2 Sub-processors shall be obligated to process the personal data only on instructions from Company and subject to a written agreement imposing substantially similar obligations as set forth herein in connection with processing of personal data.

4.3 Where a Sub-processor fails to fulfill its data protection obligations in connection with the processing of personal data under this DPA, Company will remain fully liable to Customer for the performance of that Sub-processor’s obligations.

4.4 Company may engage with a new Sub-processor to process personal data on Customer’s behalf. Customer may object to the processing such personal data by the new Sub-processor, for reasonable and explained grounds, within five (5) business days following Company’s written notice to Customer of the intended engagement with the new Sub-processor. If Customer timely sends Company a written objection notice, the parties will make a good-faith effort to resolve Customer’s objection. In the absence of a resolution, Company may immediately terminate this DPA.

5. The Transfer of Personal Data

5.1 If Company is required to transfer personal data to a third country or an international organization under applicable laws, it shall inform Customer of that legal requirement before processing; If, subject to Customer’s prior consent, Company processes personal data from the EEA in a jurisdiction that is not an Approved Jurisdiction, Company shall ensure that it has a legally approved mechanism in place to allow for the international data transfer. If Company intends to rely on Standard Contractual Clauses, the following additional terms will apply to Company:

a. If the Standard Contractual Clauses are superseded by new or modified Standard Contractual Clauses, the new or modified Standard Contractual Clauses shall be deemed to be incorporated into this DPA, will replace the then-current Standard Contractual Clauses, and parties will promptly begin complying with such Standard Contractual Clauses. Company will abide by the obligations set forth under the Standard Contractual Clauses for data importer and/or sub-processor as the case may be.

b. If Company subcontracts any processing of personal data, Company will ensure that it has a legally approved mechanism in place to allow for the international data transfer, where relevant.

6. Security standards

6.1  Company shall implement and maintain commercially reasonable and appropriate physical, technical and organizational security measures to provide a level of security appropriate to the risk represented by the processing and nature of such personal data and protect personal data against accidental or unlawful destruction; accidental loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed; all other unlawful forms of processing; including (as appropriate): (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

6.2  To the extent that Company processes Special Categories of Data, the security measures referred to in this DPA shall also include, at a minimum (i) routine risk assessments of Company’s information security program, (ii) regular testing and monitoring to measure and confirm the effectiveness of the information security program’s key controls, systems, and procedures, and (iii) encryption of Special Categories of Data while “at rest” and during transmission (whether sent by e-mail, fax, or otherwise), and storage (including when stored on mobile devices, such as a portable computer, flash drive, PDA, or cellular telephone).

7.General

7.1 Without limiting the generality of the foregoing, the parties will (a) take commercially reasonable steps to limit access to only those employees, agents, subcontractors, data processors or consultants strictly necessary to perform their respective obligations under the Agreement; (b) have in place procedures so that any third party it authorizes to have access to personal data will respect and maintain the confidentiality and security of the personal data; and (c) promptly notify each other about (i) any legally binding request for disclosure of personal data by a law enforcement authority unless otherwise prohibited; and (ii) any received request under Data Protection Laws that is related to the products and services provided under the Agreement.

7.2 If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA, and the parties will make commercially reasonable efforts to comply with such Data Protection Laws.

7.3 In the event and to the extent that the Data Protection Laws impose stricter obligations on the parties than under this DPA, the Data Protection Laws shall prevail.

7.4 If this DPA does not specifically address a particular data security or privacy standard or obligation, the parties will use appropriate, generally accepted practices to protect the confidentiality, security, privacy, integrity, availability, and accuracy of personal data.
ability, and accuracy of personal data.

Exhibit A