DATA PROCESSING ADDENDUM

This Personal Data Processing Addendum (“DPA”) forms part of the Service Terms and Conditions or other agreement governing the use of Idomoo Ltd. and its affiliates (“Idomoo”) entered between you (“Customer”) and Idomoo (the “Agreement”). This DPA sets out the terms that apply to the Processing of Personal Data by Idomoo, on behalf of Customer. All capitalized terms not defined herein will have the meaning set forth in the Agreement. Customer and Idomoo will hereby also be referred to each as a “Party” and together as the “Parties”.

DATA PROCESSING TERMS

In the course of providing Idomoo’s service, which consists of the creation and mass generation of videos through Idomoo’s proprietary Next Generation Video Platform (the “Service”), to Customer pursuant to the Agreement, Idomoo may Process Personal Data on behalf of Customer. The parties agree to comply with the following provisions with respect to Personal Data Processed by Idomoo as part of the Service for Customer.

1. DEFINITIONS

1.1. “Adequacy Recognition” means a decision by a competent authority of a country, or statutory provisions, that recognize another country as providing an adequate level of protection to Personal Data, as determined pursuant to the Privacy Laws applicable to the country that issued the decision or enacted such statutory provisions, and in accordance with such decision or statutory provisions, the transfer of Personal Data to such other recognized country is permitted without additional measures related to the transfer of the Personal Data.

1.2. “Affiliate” means a corporation which directly controls or is controlled by or is under common control with a Party. As used in this section, control means direct ownership of fifty percent (50%) or more of the shares of stock entitled to vote for the election of board members.

1.3. “Customer Data” means Personal Data that Idomoo Processes on behalf of Customer as part of the provision of Services.

1.4. “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Security Incident” and “Processing” will have the same meaning as under applicable Privacy Laws and Regulations, and will include the terms “business”, “service provider”, “consumer” or “household”, “personal information”, and “use” (respectively), and any similar terms under applicable Privacy Laws and Regulations.

1.5. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data transmitted, stored or otherwise processed.

1.6. “Personnel” means persons authorized by Idomoo to Process Customer Data.

1.7. “Privacy Laws and Regulations” means: (A) Regulation (EU) 2016/679 (“GDPR”); (B) the GDPR as saved into United Kingdom (“UK”) law by virtue of section 3 of the UK’s European Union (Withdrawal) Act 2018 (“UK GDPR”); and, (C) all federal and state laws and regulations pertaining to the protection of Personal Data and privacy of the United States (“US Privacy Laws”).

1.8. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction.

2. DATA PROCESSING

2.1. Scope and Roles. This DPA applies when Customer Data is Processed by Idomoo as part of Idomoo’s provision of the Service. In this context and for the purposes of Privacy Laws and Regulations, Customer is the Data Controller and Idomoo is the Data Processor.

2.2. Subject Matter, Duration, Nature and Purpose of Processing. Idomoo processes Customer Data as part of providing Customer with the Service, pursuant to the specifications and for the duration under the terms of the Agreement, and as further detailed under EXHIBIT A to this DPA.

2.3. Type of Personal Data and Categories of Data Subjects. As detailed under EXHIBIT A to this DPA.

2.4. Instructions for Idomoo’s Processing of Personal Data. Idomoo will only Process Personal Data on behalf of and in accordance with Customer’s instructions. Customer instructs Idomoo to Process Personal Data for the following purposes: (i) Processing related to the Service in accordance with the terms of the Agreement; and (ii) Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement. Customer undertakes to provide Idomoo with lawful instructions only. Idomoo will inform Customer immediately, if in Idomoo’s opinion an instruction infringes any provision under the GDPR and will be under no obligation to follow such instruction, until the matter is resolved in good-faith between the parties. As required under the GDPR, Customer will provide all necessary notices to relevant Data Subjects and secure all necessary permissions and consents from them, for the Processing of Personal Data by Idomoo pursuant to this DPA.

2.5. US Privacy Laws Specific Provisions. To the extent that US Privacy Laws apply to the Processing of Customer Data by Idomoo, the following provisions also apply to such processing:

2.5.1. Customer and Idomoo acknowledge that: (A) Customer Data is disclosed to Idomoo only for the limited business purpose of providing Customer with the Services (the “Purpose”); and, (B) Customer is not Selling (within the meaning of US Privacy Laws) Customer Data to Idomoo.

2.5.2. Customer will notify Idomoo of any valid request received from an Individual pursuant to US Privacy Laws that Idomoo must comply with and will provide all information necessary for Idomoo to comply with such request.

2.5.3. Idomoo will: (A) comply with all provisions under applicable US Privacy Laws that apply to Idomoo, including with respect to providing the same level of protection to privacy as required under US Privacy Laws; and, (B) notify Customer no later than within five (5) business days after determining that Idomoo can no longer meet its obligations under applicable US Privacy Laws.

2.5.4. Unless otherwise permitted under applicable US Privacy Laws, Idomoo will not Sell or Share Customer Data (within the meaning thereof under US Privacy Laws), or retain, use, or disclose Customer Personal Data: (A) for any purposes other than those specified under this DPA; (B) for any commercial purpose other than the Purpose, including in providing services to other customers of Idomoo; or, (C) outside the direct business relationship between Customer and Idomoo.

2.5.5. Customer may: (A) take reasonable and appropriate steps to ensure that Idomoo uses Customer Data in a manner consistent with Customer’s obligations under US Privacy Laws; and, (B) upon notice, take reasonable and appropriate steps to stop and remediate Idomoo’s unauthorized use of Customer Data.

3. ASSISTANCE

Taking into account the nature of the Processing, Idomoo will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Data Subjects’ rights under the GDPR. Idomoo will further assist Customer in ensuring compliance with Customer’s obligations in connection with the security of Processing, notification of a Personal Data Breach to supervisory authorities and affected Data Subjects, Customer’s data protection impact assessments and Customer’s prior consultation with supervisory authorities, in relation to Idomoo’s Processing of Personal Data under this DPA. Except for negligible costs, Customer will reimburse Idomoo for costs and expenses incurred by Idomoo in connection with the provision of assistance to Customer under this DPA.

4. IDOMOO PERSONNEL

4.1. Limitation of Access. Idomoo will ensure that Idomoo’s access to Personal Data is limited to those personnel who require such access to perform the Agreement.

4.2. Confidentiality. Idomoo will impose appropriate contractual obligations upon its personnel engaged in the Processing of Personal Data, including relevant obligations regarding confidentiality, data protection, and data security. Idomoo will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. Idomoo will ensure that such confidentiality agreements survive the termination of the employment or engagement of its personnel.

5. OTHER PROCESSORS

5.1. Idomoo may engage third-party service providers to process Personal Data on behalf of Customer (“Other Processors”). Customer hereby provides Idomoo with a general authorization to engage the Other Processors listed in EXHIBIT C to this Agreement.

5.2. All Other Processors have entered into written agreements with Idomoo that bind them by substantially the same material obligations under this DPA.

5.3. Where an Other Processor fails to fulfil its data protection obligations in connection with the Processing of Personal Data under this DPA, Idomoo will remain fully liable to Customer for the performance of that Other Processor’s obligations.

5.4. Idomoo may engage with a new Other Processor (“New Processor”) to Process Customer Personal Data on Customer’s behalf. Customer may object to the Processing of Customer Data by the New Processor, for reasonable and explained grounds, within five (5) business days following Idomoo’s written notice to Customer of the intended engagement with the New Processor. If Customer timely sends Idomoo a written objection notice, the parties will make a good-faith effort to resolve Customer’s objection. In the absence of a resolution, Idomoo will make commercially reasonable efforts to provide Customer with the same level of Service, without using the New Processor to Process Customer Data.

5.5. Notwithstanding the above, Customer acknowledges that Idomoo engages Amazon Web Services (“AWS”) for generation and hosting services and that notwithstanding anything to the contrary in this Agreement, such hosting services are provided pursuant to AWS general terms of use (including AWS standard data processing terms). To the extent Idomoo is required to impose any provisions of this DPA on AWS, such requirements shall only apply to the extent Processor has equivalent rights it can enforce under AWS general terms of use.

6. DATA TRANSFER

6.1. Transfers by Idomoo, by Idomoo’s New Processors or Idomoo’s Other processors of Customer Data to a Third Country are subject to the data transfer requirements under EXHIBIT D to this DPA.

7. SECURITY

7.1. Idomoo will maintain administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of Customer Data, and will regularly monitor compliance with such safeguards. Idomoo will not materially decrease the overall security of the Services during the term of the Agreement. Further information about Idomoo’s technical and organizational measures is detailed under EXHIBIT B to this DPA.

8. PERSONAL DATA BREACH MANAGEMENT AND NOTIFICATION

8.1. Idomoo will maintain security incident management policies and procedures and will notify Customer without undue delay after becoming aware of a Personal Data Breach related to Customer Data which Idomoo, or any of Idomoo’s Other Processors, Process. Idomoo’s notice will at least: (A) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (B) communicate the name and contact details of the Idomoo’s data protection team, which will be available to provide any additional available information about the Personal Data Breach; (C) describe the likely consequences of the Personal Data Breach; (D) describe the measures taken or proposed to be taken by Idomoo to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

8.2. Idomoo will work diligently, pursuant to its incident management policies and procedures to promptly identify and remediate the cause of the Personal Data Breach and will inform Customer accordingly.

8.3. Idomoo’s liability for a Personal Data Breach toward Customer and any third party is subject to the following limitations: (A) the Personal Data Breach is a result of a breach of Idomoo’s information security obligations under this DPA; and (B) the Personal Data Breach is not caused by: (i) acts or omissions of Customer, or any person acting on behalf of or jointly with Customer (collectively “Customer Representatives”); (ii) Customer Representatives’ instructions to Idomoo; (iii) a willful, deliberate or malicious conduct by a third party; or (iv) acts of God or force majeure, including, without limitation, acts of war, terror, state-supported attacks, acts of state or governmental action prohibiting or impeding Idomoo from performing its information security obligations under the Agreement and natural and man-made disasters.

9. AUDIT AND DEMONSTRATION OF COMPLIANCE

9.1. Idomoo will make available to Customer all information necessary for Customer to demonstrate compliance with the obligations laid down under Article 28 to the GDPR in relation to the Processing of Personal Data under this DPA by Idomoo and its Other Processors.

9.2. Idomoo will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, in relation to Idomoo’s obligations under this DPA. Idomoo may satisfy the audit obligation under this section by providing Customer with attestations, certifications and summaries of audit reports conducted by accredited third party auditors. Audits by Customer are subject to the following terms: (A) the audit will be pre-scheduled in writing with Idomoo, at least forty-five (45) days in advance and will be performed not more than once a year (except for an audit following a Personal Data Breach); (B) the auditor will execute a non-disclosure and non-competition undertaking toward Idomoo; (C) the auditor will not have access to non-Customer data; (D) Customer will make sure that the audit will not interfere with or damage Idomoo’s business activities and information and network systems; (E) absent a reasonably suspected Personal Data Breach, Customer will bear all costs and assume responsibility and liability for the audit; (F) Customer will receive only the auditor’s report, without any Idomoo ‘raw data’ materials, will keep the audit results in strict confidentiality and will use them solely for the specific purposes of the audit under this section; (G) at the request of Idomoo, Customer will provide it with a copy of the auditor’s report; and (H) as soon as the purpose of the audit is completed, Customer will permanently dispose of the audit report.

10. DELETION OF PERSONAL DATA

Within reasonable time following the end of the provision of the Services, Idomoo will return Customer Data to Customer or delete such data. Notwithstanding, Customer acknowledges and agrees that Idomoo may retain copies of Customer Data as necessary in connection with its routine backup and archiving procedures and to ensure compliance with its legal obligations and its continuing obligations under applicable law, including to retain data pursuant to legal requirements and to use such data to protect Idomoo, its Affiliates, agents, and any person on their behalf in court and administrative proceedings.

11. ANONYMIZED AND AGGREGATED DATA

Idomoo may process data based on extracts of Personal Data in an aggregated and non-identifiable form, for Idomoo’s legitimate business purposes, including for testing, development, controls, and operations of the Service, and may share and retain such data at Idomoo’s discretion.

12. DISPUTE RESOLUTION

The parties agree to communicate regularly about any open issues or process problems that require resolution. The parties will attempt in good faith to resolve any dispute related to this DPA as a precondition to commence legal proceedings, first by direct communications between the persons responsible for administering this DPA and next by negotiation between executives with authority to settle the controversy. Either party may give the other party a written notice of any dispute not resolved in the normal course of business. Within two (2) business days after delivery of the notice, the receiving party will submit to the other party a written response. The notice and the response will include a statement of each party’s position and a summary of arguments supporting that position and the name and title of the executive who will represent that party. Within five (5) business days after delivery of the disputing party’s notice, the executives of both parties will meet at a mutually acceptable time and place, including by phone, and thereafter as often as they reasonably deem necessary, to resolve the dispute. All reasonable requests for information made by one party to the other will be honored. All negotiations pursuant to this clause are confidential and will be treated as compromise and settlement negotiations for purposes of applicable rules of evidence.

13. TERM

This DPA will commence on the later of the date of its execution or the effective date of the Agreement to which it relates and will continue until the Agreement expires or is terminated.

14. COMPLIANCE

14.1. Idomoo is responsible for making sure that all relevant Idomoo personnel adhere to this DPA.

14.2. Idomoo’s compliance team can be reached at: privacy@idomoo.com.

15. MISCELLANEOUS

15.1. Invalidation of one or more of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same objectives.

EXHIBIT A
DETAILS OF THE PERSONAL DATA PROCESSING
(also serves as Annex I to the EU SCCs)

A. LIST OF PARTIES

Data exporter

Name, address and contact details: Customer, whose name, address, and contact details are as detailed under the Agreement.

Activities relevant to the data transferred under these Clauses: Provision of Services under the Agreement.

Signature and date: The data exporter’s signature on the DPA or agreement between the parties applies herein.

Role (controller/processor): Data Controller.

Data importer

Name, address and contact details: Idomoo, whose name, address, and contact details are as detailed under the Agreement.

Contact person’s name, position and contact details: As detailed under the Agreement.

Activities relevant to the data transferred under these Clauses: Provision of Services under the Agreement.

Signature and date: The data importer’s signature on the DPA or agreement between the parties, applies herein.

Role (controller/processor): Data Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Customer’s end users, employees and customers.

Categories of personal data transferred

Customer may submit Personal Data to the Service or otherwise provide Personal Data to Idomoo as part of the provision of Services, the extent of which is determined and controlled solely by Customer.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

The Services are not intended to host intimate or sensitive information of any kind, including without limitation special category personal data and sensitive personal information (as defined under applicable Privacy Laws and Regulations).

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

Continuous.

Nature of the processing

Provision of the Services under the Agreement.

Purpose(s) of the data transfer and further processing

Provision of the Services under the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The duration of the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Hosting and ancillary services for the duration of the agreement.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13:

Where the data exporter is established in an EU Member State – the supervisory authority of such EU Member State shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) – the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) – the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses, shall act as competent supervisory authority.

EXHIBIT B
TECHNICAL AND ORGANIZATIONAL MEASURES
(also serves as Annex II to the EU SCCs)

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measure / Description
Measures of pseudonymization and encryption of personal data
  • Idomoo will implement a procedure for encrypting Customer Data in accordance with industry standards and with the level of sensitivity of the processed Customer Data (at least AES256 CTR). Idomoo will follow this procedure throughout the term of the Agreement.
  • Idomoo will set adequate procedures for using cloud-based storage services in a multi-tenant environment which will include encryption and adequate access criteria.
  • Idomoo will implement a procedure for Customer Data backups which sets, inter alia, backup method and frequency, appropriate encryption measures according to the level of sensitivity of the Customer Data and the location of the backup storage.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services
  • Idomoo will use measures to guarantee the integrity of Customer Data in backups, and to maintain the possibility to restore Customer Data in the event of data loss or destruction. Without limiting the above, to the extent that Idomoo uses backup media, Idomoo will store such media in a fireproof and waterproof safe environment which is located outside of the facility that contains Customer Data.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • Idomoo will securely backup Customer Data that Idomoo possesses.
  • Idomoo will implement a procedure for Customer Data backups which sets, inter alia, backup method and frequency, appropriate encryption measures according to the level of sensitivity of the Customer Data and the location of the backup storage. Idomoo will follow this procedure throughout the term of the Agreement. Idomoo will use measures to guarantee the integrity of Customer Data in backups, and to maintain the possibility to restore Customer Data in the event of data loss or destruction. Without limiting the above, to the extent that Idomoo uses backup media, Idomoo will store such media in a fireproof and waterproof safe environment which is located outside of the facility that contains Customer Data.
  • Idomoo will conduct ongoing technical Disaster Recovery sessions to review its related technical operations and to conduct ‘fire drills’ to test it in real time.
  • Idomoo’s disaster recovery and business continuity processes will be approved by Idomoo’s management, audited by a non-dependent third party on an annual basis and will be practiced on an ongoing basis.
  • Idomoo’s information security officer will ensure the backup of the following data, on a weekly basis, in a manner which guarantees the possibility to perform data restoration at any given time:
    • Entries and departures from Idomoo’s offices and other sites that store the following Customer Data: infrastructure and hardware systems, communication, and information security components.
    • Administration of access to the Customer Data.
    • Identification and validation of access to the Customer Data.
    • Control and documentation of Idomoo’s systems which store or process Customer Data, including user’s identification, time & date of the attempt at access, the system components to which access was attempted and whether access was granted or denied.
    • Security breaches (any event which raises concerns to the integrity of data or use of data without or in excess of access permission).
    • Security of communications (implementing adequate means to protect from unauthorized access and from exploits and malware).
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing
  • Idomoo will monitor its systems and networks for security related events and will conduct, at least once a year, a penetration test by a credible external security adviser and a penetration test, in order to detect data security related risks. Idomoo will discuss the results of the assessment and test and further review the need to update information security processes. Idomoo will remediate any detected vulnerabilities. Upon Customer’s request, Idomoo will present to Customer an action plan to remediate the detected vulnerabilities, for Customer’s approval.
Measures for user identification and authorization
  • Idomoo will provide Idomoo’s authorized employees with a unique personal means of identification, which at least will include a user-name and password, pursuant to the password requirements set forth in this document.
  • Idomoo undertakes that the access to Customer Data will be made via a strong identification mechanism which includes at least two identification means (2FA), based on “something you know” and “something you have”.
  • Idomoo undertakes that an identification means provided to an employee or other authorized person will not be provided to any other employee or other authorized person, not even at a later stage. Idomoo will keep a record of all identifications allocated to authorized personnel and will operate identification verification measures prior to the grant of access to Customer Data.
  • Idomoo will immediately block access to the Data Systems of any user that has not been active for six months, unless such user was created for support and maintenance purposes only.
  • Idomoo will immediately block access to the Data Systems of any of Idomoo’s authorized personnel that completed their involvement in performing the Agreement between Customer and Idomoo.
  • Idomoo will record data logged pursuant to the above, in a secured manner for two years and will submit such records for Customer’s review upon Customer’s request.
  • Idomoo will enforce a policy which reduces the risk of a breach of password confidentiality. Passwords will be stored in an encrypted manner, in a manner that will keep them illegible. Idomoo will determine an internal procedure for allocating, distributing and storing passwords. Idomoo will set periodic password resets. Passwords must include at least 8 characters and will not permit any string which can be easily related to an Idomoo employee (e.g. employee’s name, last name, family members’ names, birthdays etc.). Idomoo will appropriately instruct its authorized personnel to protect the confidentiality of their passwords. Idomoo will automatically block a user’s access after three consecutive failed access attempts. Idomoo will keep a record of the last five passwords of every authorized user.
Measures for the protection of data during transmission
  • Data transfer between Customer and Idomoo, if required, will be made in accordance with the acceptable standards, including through VPN, encryption, point-to-point communication or other secure and encrypted means such as TLS 1.2 or higher.
Measures for the protection of data during storage
  • Idomoo will encrypt Customer Personal Information at rest according to NIST best practices. Encryption standards should be at minimum AES256 CTR.
  • Idomoo undertakes that Data Systems’ storage devices will be marked, labelled and placed in a surrounding accessible solely to Idomoo’s authorized personnel on a need-to-know basis. Idomoo will set adequate procedures for using cloud-based storage services in a multi-tenant environment which will include encryption and adequate access criteria. To the extent that Customer Data will be stored abroad, Idomoo undertakes to make sure that its subcontractors, who provide Idomoo with storage services, are carefully vetted with regard to data security, comply with EU data protection regulations and are certified with known information security standards, such as ISO27001 or SOC2 Type II, and upon Customer’s request, the subcontractors will submit to Customer information security reports, such as: a SOC2 Report, SOA and PCI Compliance Report.
  • Idomoo will implement a system for documenting media devices received from third parties or submitted by Idomoo to third parties. Such documentation will include the type of media, date & time of the receipt/submission of media, identity of the recipient and sender, the media’s serial number and description of the media’s content. Idomoo will conduct, prior to submitting media from Idomoo, a diligent process of validation of the media’s content and verification that there are no redundant Customer Data stored in the media. Idomoo will test any received media against anti-virus scans. Idomoo will enforce that any media destruction is made in a manner which will prevent recovery of Customer Data from the media.
Measures for ensuring physical security of locations at which personal data are processed
  • Idomoo undertakes to document and control access to facilities which contain Customer Data and communication racks to verify any accessed person’s identity, including denial of access.
  • Idomoo undertakes to document all computer and network equipment transfer into and out of Idomoo’s facility, or on any other entity’s facilities on Idomoo’s behalf, which contains Customer Data.
  • Idomoo will store any documentation prepared pursuant to Subsection 1.1 and Subsection 1.2, in a secured manner for two years and submit such documentation to Customer upon Customer’s request.
  • Idomoo undertakes that all suppliers’ and customers’ entry to the server farm’s facilities will be controlled, accompanied, and logged.
  • Means to control physical entry: Idomoo undertakes that the servers and any equipment used for storage, processing and access to Idomoo’s services or applications, will be protected by adequate means for entry control in a manner that will ensure that only authorized employees will have access thereto.
  • To the extent that Idomoo stores Customer Data in portable media, Idomoo undertakes to maintain the portable media in a secure and locked place. Idomoo will ensure that the portable media is not exposed to risks, including fire and water.
Measures for ensuring events logging
  • Idomoo will log and audit privileged operations (admin, operators) on a regular basis. Logs should be stored for at least 24 months.
  • Logs will include at least the following data:
    • Time Stamp
    • Username
    • Source IP
    • What data was accessed
  • Idomoo will make sure that audit logs cannot be accessed or tampered with by unauthorized personnel.
  • Idomoo will have intrusion detection solutions and the ability to generate the relevant security alerts upon detection.
  • Idomoo will implement a procedure for responding, managing, and reporting security incidents which are related or may be related to Customer Data. Idomoo will keep a record of any security incident that Idomoo becomes aware of, which will include the date of the event, the identity of the reporter, the identity of persons reported to and consequences of the event.
  • Idomoo will keep each security incident record for two years following the occurrence of the event. Idomoo will report the security incident immediately and will continue providing Customer with any additional information in relation to the security incident that Idomoo becomes aware of, or upon Customer’s request.
  • Idomoo will implement a procedure for the restoration of lost or corrupted Customer Data due to security breach. The aforementioned procedures will require accurate records of all performed restoration processes and Customer’s prior written approval for any restoration processes.
  • Idomoo will hold a discussion, on a quarterly basis, about security incidents and review the necessity to update relevant procedures.
Measures for ensuring system configuration, including default configuration
  • Testing and development environments are separated and isolated from the production environment.
  • Changes are pre-approved by authorized personnel and traced accordingly.
Measures for internal IT and IT security governance and management
  • ISO27001 \ SOC II type 2
Measures for certification/assurance of processes and products
  • New staff across the Customer are trained in Secure Software Development Lifecycle (SSDLC) practices.
  • New product initiatives are reviewed by the security team according to SPbD (Security and Privacy by Design) concepts at the design phase.
  • System code is tested against known vulnerabilities (e.g., OWASP top 10).
  • Existing core systems and infrastructure are tested for security vulnerabilities periodically. In some cases, testing is conducted by automatic scanners as well as manually by external independent parties.
Measures for ensuring data minimization
  • Collection is limited only to required data to fulfil the specific purpose of the Agreement.
  • Data minimization is assured during our SDLC process.
Measures for ensuring data quality
  • Data points that have not been updated for 6 months are removed to ensure data accuracy.
Measures for ensuring limited data retention
  • Idomoo will have in place secured destruction processes and will delete Customer Data utilizing secure methods (equivalent to or greater than that of NIST SP-800-88 Rev. 1 or its successor guidelines) that render the data unreadable and unrecoverable. Upon Customer’s request, Idomoo will issue a certification of such data destruction.
Measures for ensuring accountability
  • Idomoo has in place internal policies containing formal instructions for data processing procedures;
  • Idomoo carefully vets its relevant contractors with regard to data security;
  • Idomoo personnel are being vetted prior to engagement and trained periodically to maintain awareness regarding data protection and security requirements.
Measures for allowing data portability and ensuring erasure
  • Data can be exported from the system by authorized customer’s users.

Exhibit C

| Name of Other Processor | Type of Services | Location |
|---|---|---|
| Amazon Web Services | Hosting Services | US, Ireland or Germany |

EXHIBIT D
CROSS BORDER PERSONAL DATA TRANSFER

1. DEFINITIONS

Capitalized terms not defined herein will have the meaning set forth in the DPA or under Privacy Laws and Regulations.

1.1. “EU SCCs” means the Standard Contractual Clauses pursuant to EU Commission Decision C(2021)3972.

1.2. “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992 (Status as of 1 March 2019) as replaced by its amendment of September 25, 2020 (effective as of September 1, 2023).

1.3. “IDTA” means the International Data Transfer Agreement, issued by the ICO in accordance with section 119A of the Data Protection Act 2018, or any other applicable standard contractual clauses issued, approved, or otherwise recognized by the ICO.

1.4. “Swiss SCCs” means the applicable standard contractual clauses issued, approved, or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”).

1.5. “Third Country” means a country outside the European Economic Area (“EEA”), the UK or Switzerland, which was not acknowledged by the EU Commission, a UK Secretary of State or the FDPIC (as applicable) as providing an adequate level of protection in accordance with Article 45(3) of the GDPR, Article 45 of the UK GDPR or the equivalent.

1.6. A “Transfer” means a transfer by Idomoo, Idomoo’s New Processors or Idomoo’s Other Processors of: (1) GDPR-governed Customer Personal Data transferred outside the EEA (“EEA Transferred Data”); (2) UK-GDPR governed Customer Personal Data transferred outside the UK (“UK Transferred Data”); and, (3) FADP-governed Customer Personal Data transferred outside of Switzerland (“Swiss Transferred Data”, and with EEA and UK Transferred Data: “Transferred Data”).

1.7. “UK Addendum” means the UK addendum published by the Information Commissioner’s Office (“ICO”) in accordance with section 119A(1) of the Data Protection Act of 2018, incorporating the EU SCCs.

2. EEA TRANSFERS

2.1. Transfers of EEA Transferred Data to a Third Country, will be made under the EU SCCs, giving effect to module 2 or 3, as applicable, which is incorporated by reference to this DPA, as follows:

2.1.1. In Clause 7, the optional docking clause will apply.

2.1.2. If applicable – in clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set out in Section 5 of this DPA.

2.1.3. In clause 11, the optional language will not apply.

2.1.4. In clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law.

2.1.5. In clause 18(b), disputes will be resolved before the courts of Ireland.

2.1.6. Annexes (I)-(II) to the EU SCCs will be completed with the relevant details in ANNEXES A-B to this DPA.

3. UK TRANSFERS

Transfers of UK Transferred Data to a Third Country, will be made:

3.1. In accordance with the EU SCCs as detailed in section 2 above, as amended by the UK Addendum, which is incorporated by reference to this DPA, with the necessary changes made as detailed in sections 12-15 to the UK Addendum; or,

3.2. if the EU SCCs as implemented above cannot be used to lawfully Transfer UK Transferred Data, the IDTA will instead be incorporated by reference, will form an integral part of this DPA, and will apply to Swiss Transferred Data. In such case, the relevant Annexes of the Swiss SCCs will be populated using the information contained in ANNEXES A-B.

4. SWISS TRANSFERS

Transfers of Swiss Transferred Data to a Third Country, will be made:

4.1. In accordance with the EU SCCs as detailed in section 2 above, as recognized by the FDPIC on August 27, 2021, with the following modifications: (A) references to ‘EU’, ‘Union’, ‘Member State’ and ‘Member State law’ will be interpreted as references to ‘Switzerland’, and ‘Swiss law’, as applicable; and, (B) references to ‘Competent supervisory authority’ and ‘Competent courts’ will be interpreted as references to the FDPIC and Competent courts in Switzerland; or,

4.2. if the EU SCCs as implemented above cannot be used to lawfully Transfer Swiss Transferred Data in compliance with the FADP, the Swiss SCCs will instead be incorporated by reference, will form an integral part of this DPA, and will apply to Swiss Transferred Data. In such case, the relevant Annexes of the Swiss SCCs will be populated using the information contained in ANNEXES A-B.

5. SUPPLEMENTAL MEASURES

In accordance with Article 46 of the GDPR, the EU SCCs and guidelines published by the European Data Protection Board (EDPB), and without prejudice to any provisions of the DPA or this Annex, Idomoo undertakes to implement the following organizational and technical safeguards, in addition to the safeguards mandated by the EU SCCs, to ensure the required adequate level of protection to Transferred Data:

5.1. Technical and Organizational Measures. Idomoo will implement and maintain the technical and organizational measures, as specified in ANNEX B, which is attached and incorporated by reference to this DPA, with a purpose to protect Customer Personal Data against any processing for national security or other government purposes that go beyond what is necessary and proportionate in a democratic society, considering the type of processing activities under the Agreement and relevant circumstances.

5.2. Contractual Measures. For the purposes of safeguarding Transferred Data when any Third Country’s government or regulatory authority requests access to such data (“Request”), and unless required by a valid court order or if otherwise Idomoo may face criminal charges for failing to comply with orders or demands to disclose or otherwise provide access to EEA Transferred Data, or where the access is requested in the event of imminent threat to lives, Idomoo will:

5.2.1. not purposefully create back doors or similar programming that could be used to access EEA Transferred Data;

5.2.2. not provide the source code or encryption keys to any government agency for the purpose of accessing EEA Transferred Data;

5.2.3. upon Customer’s written request, provide reasonably available information about the requests of access to Customer Personal Data by government agencies Idomoo has received in the 6 months preceding Customer’s request; and,

5.2.4. notify Customer upon receiving a request by a government agency to access Customer Personal Data to enable Customer to take necessary actions, communicate directly with the relevant authority and to respond to the request. If Idomoo is prohibited by law to notify the Customer of such request, Idomoo will make reasonable efforts to challenge such prohibition through judicial action or other means at Customer’s expense and, to the extent possible, will provide only the minimum amount of information necessary.

6. FUTURE ADEQUACY

As applicable, if: (A) the Adequacy Recognition is invalidated or otherwise terminated by the EU Commission or a UK Secretary of State; (B) the EU SCCs are invalidated or are no longer in effect; or (C) any other Transfer safeguard used for the Transfer of Transferred Data is no longer in effect for any reason, then Idomoo will take such alternative lawful measures, as may be available and applicable, to continue facilitating the lawful Transfer of Transferred Data by Idomoo, Idomoo’s Other Processors, Idomoo’s New Processors, or equivalents thereof.
