Data Processing Agreement

Last updated January 2020

1.BACKGROUND

1.1 As part of Keepit's provision of Services to Customer, Keepit will be processing personal data on behalf ofCustomer. The purpose of the assignment is described in the Terms of Service. Accordingly, the Parties haveentered into this Data Processing Agreement (as defined below).

2.DEFINITIONS

2.1 In this Data Processing Agreement, unless the context otherwise requires:

2.1.1 'Data Processing Agreement' means this agreement on processing of personal data, including any schedules.

2.1.2 'Data Protection Legislation' means all the laws and rules governing the processing and protection ofpersonal data throughout the European Economic Area (EEA) as amended, supplemented and/or modifiedfrom time to time, relevant national legislation, the GDPR (as defined below) and, where relevant, theguidelines and rules issued by the Danish Data Protection Agency or other competent supervisory authoritiesin the EEA (including the national supervisory authorities).

2.1.3 'GDPR' means 'Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016on the protection of natural persons with regard to the processing of personal data and on the freemovement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)' asamended, supplemented and/or modified from time to time.

2.1.4 'Services' means the services and supplies provided by Keepit as provider to Customer as customer of theKeepit solution.

2.2 The terms 'personal data', 'special categories of personal data', 'process/processing', 'controller','processor', 'data subject', 'supervisory authority', 'pseudonymisation', 'technical and organisationalmeasures' and 'personal data breach' as used in this Data Processing Agreement shall be understood inaccordance with the Data Protection Legislation, including the GDPR.

3.PROCESSING OF PERSONAL DATA

3.1 Keepit shall process personal data on behalf of Customer in accordance with Customer’s instruction. TheTerms of Service along with the Customers configuration and use of the Service constitute Customerscomplete and documented instructions to Keepit.

3.2 Keepit must ensure that the persons involved in the processing of personal data under the Data ProcessingAgreement have either committed themselves to confidentiality or are subject to a proper statutory duty of

confidentiality, and that they only process personal data in compliance with the given instructions and the Data Protection Legislation. 

3.3 Keepit shall, upon request from Customer, provide access to all necessary information in order for Customer to ensure compliance with the obligations laid down in the Data Protection Legislation. 

3.3.1 Keepit will conduct independent third-party audits of its organisational procedures, security and assets on a yearly basis as part of maintaining its ISAE 3402 Type II certification. The results of the most recent audit can be requested by the Customer. Keepit may, at its discretion, discontinue its ISAE 3402 certification in favour of ISO 27001 certification. 

3.3.2 Customer agrees to exercise its audit right by requesting a third-party audit as described here or by requesting the most recent audit report. 

3.4 In the event Keepit becomes aware of a breach of security which has led to accidental or malicious destruction, loss, alteration or distribution of Customer Data while processed by Keepit, Keepit will: 

•notify the Customer without undue delay,

•investigate the incident and provide the Customer with detailed information about the incident,

•take reasonable steps to mitigate the effects and minimize the damage from the incident.

3.5 Notification of a security incident will be delivered to a registered contact person with the Customer by any means available (including e-mail). 

3.6 Customer is solely responsible for fulfilling any third-party notification obligations, such as GDPR Article 33 or any other applicable law or regulation. 

3.7 Notification by Keepit of a security incident does not in itself constitute an acknowledgment of any wrongdoing, fault or liability by Keepit. 

4.SECURITY MEASURES

4.1 Keepit implements and maintains appropriate organisational and technical measures to protect thepersonal data processed under this Data Processing Agreement pursuant to GDPR Articles 28(3)(c) and 32.These measures are based on industry best practices such as ISO 27001, ISO27002, NIST SP800-30, NISTSP800-39 and FEMA guidelines. The Keepit undergoes and maintains an ISAE 3402 Type II certificationannually. Any facility in which Customer Data is physically located undergoes equivalent or strictercertifications annually as well. Keepit may, at its discretion, discontinue its ISAE 3402 certification in favorof ISO 27001 certification.

5.RECORDS OF PROCESSING ACTIVITIES5.1 Keepit maintains records of processing activities as per GDPR Article 30(2) and makes these records available to the Customer upon request or directly as part of the Service. 

6.DISCLOSURE OF DATA6.1 Keepit will not disclose Customer Data except; 

•as instructed by the Customer,

•as described in these Terms of Service,

•as required by law.

6.2 Notwithstanding the provisions of this Agreement, Keepit is entitled to process the Customer Data without instructions from Customer, if, and to the extent, such processing is prescribed pursuant to European Union and/or member state law. In such an event, Keepit shall, to the extent permitted by law, inform the Customer of such injunction beforehand and, to the extent possible, allow for the Customer to object thereto. 

7.KEEPIT'S GENERAL OBLIGATIONS

7.1 Keepit shall apply and comply with the Data Protection Legislation and shall not perform its obligations under the Master Agreement and the Data Processing Agreement in such a way as to cause Customer to breach any of its obligations under applicable Data Protection Legislation. 

7.2 Taking into account the nature of the processing, the information available and insofar it is possible, Keepit provides reasonable assistance to Customer by appropriate technical and organisational measures, for the fulfilment of Customer's obligation to respond to requests for exercising the data subject's rights laid down in GDPR Chapter III. Keepit shall be compensated for the time devoted in relation to the assistance with responses to requests regarding the data subject's rights. The compensation shall be agreed upon separately. 

7.3 Keepit must assist Customer in ensuring compliance with any of Customer's obligations pursuant to GDPR Articles 32-36. Keepit is entitled to receive separate compensation regarding such assistance and the specific compensation will be agreed upon separately. 

7.4 Keepit must immediately notify Customer if, in Keepit's opinion, an instruction from Customer is contrary to the Data Protection Legislation. 

8.SUB-PROCESSING

8.1 Customer agrees that Keepit may engage sub-processors. In case of engagements of sub-processors, Keepit shall notify the change on its website, at HTTPS://STATUS.KEEPIT.COM/ . In addition to the notification on the website, Keepit will notify the Customer directly in writing about such change. Customer will have thirty (30)calendar days to object to the change in writing to Keepit. The objection of the Customer must be well-founded. Absence of any objections from the Customer shall be deemed a consent to the sub-processing.

8.2 Keepit warrants and ensures that in case sub-processing is carried out, the sub-processing will be lawful and that any and all sub-processors will undertake and be subject to the same terms and obligations as Keepit as set out in this Data Processing Agreement. Should the sub-processors not comply with their obligations, Keepit shall remain responsible for all acts and omissions of such sub-processors. 

9.TRANSFERS OF PERSONAL DATA TO A THIRD COUNTRY

9.1 Customer accepts that Keepit may transfer personal data to a third country, i.e. a country outside the EEA. Keepit will be required to ensure that such transfer is at all times lawful, including i.e. that there is an adequate level of protection of the transfer of the personal data. 

9.2 The Service is provided in several regions; currently EU, USA and Australia. Keepit may add new regions to the offering at any time but will not remove an existing region without negotiating an exit from that region with Customer. 

9.3 The Customer can choose (upon Service provisioning) from which region the Service must be provided. 

9.4 Customer Data transferred to the Service will be stored and processed exclusively in the region as chosen by the Customer. Customer appoints Keepit to transfer Customer Data to the chosen region and to store and process Customer Data in the chosen region. 

9.5 Keepit may remotely manage data storage and processing facilities in the regions from non-regional offices. Organizational measures are in place to ensure that Customer Data is never transferred from its region. 

9.6 Keepit's support organization may, as part of an ongoing support issue with the Customer, request access to the Customer Data from the Customer. It is the responsibility of the Customer to determine if such access can be granted under applicable laws and regulations, for example under GDPR Article 49, before granting such access. 

9.7 It is the responsibility of the Customer to choose a region suitable for the storage of Customer Data. For example, if Customer Data may not be exported from the EU, then the Customer must choose the EU region for the Service. 

9.8 Keepit does not control or limit the locations from which the Service can be accessed by the Customer and to or from which location transfers can be made by the Customer. 

9.9 Any Keepit personnel engaged in the maintenance, support or processing of Customer Data is instructed and obligated to maintain the confidentiality of Customer Data, including after the termination of the Service. 

10.TERMINATION

10.1 The provisions of this Data Processing Agreement and the obligations of the Parties shall remain in force, as long as Keepit processes personal data on behalf of Keepit under the Terms of Service. 

10.2 The Parties agree that upon termination or expiry of this Data Processing Agreement, Keepit shall, at the choice of Customer, (i) re-turn all data processed under this Data Processing Agreement and any copies thereof to Customer, or (ii) delete all data processed under this Data Processing Agreement and certify to Customer that this has been done, including for avoidance of doubt delete such data from any computer, server, and/or any other storage device or media, unless European Union and/or relevant member state law requires storage of such personal data. Keepit shall be entitled to an hourly fee for the work performed in connection herewith. 

10.3 Notwithstanding Appendix 1, clause 10.2 above, Keepit will retain all data processed under this Data Processing Agreement for 30 days after the deletion of Customer's account or termination thereof. This “deletion retention” will ensure that Customer's access to its personal data can be re-established after any conceivable targeted attack against Customer's primary data and backup data. After expiration of the retention period, Keepit will delete all records of Customer's personal data without undue delay. SCHEDULE 1 

Processing activities, categories of data subjects and types of personal data