In the event of any conflict between this DPA and the Main Agreement with respect to the subject matter of this DPA, the terms of this DPA will control. Each of Gmelius and the Customer may be referred to in this DPA as a “Party,” and together as the “Parties.” The Parties are entering into this DPA to ensure that adequate safeguards are in place to protect Personal Data in accordance with Applicable Data Protection Laws.
Definitions
For purposes of this DPA, the following terms have the meanings set forth below:
- (a) “Adequate Country” means any country or territory that is recognized under European Data Protection Laws as providing an adequate level of protection for Personal Data.
- (b) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a subject entity. For purposes of this definition, “control” refers to the power to direct or cause the direction of the management or policies of an entity, whether through ownership of voting securities, by contract, or otherwise.
- (c) “Applicable Data Protection Laws” means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Main Agreement, including European Data Protection Laws and the CCPA.
- (d) “European Data Protection Laws” means all data protection and privacy laws of the European Union, the European Economic Area and their member states, Switzerland, and the United Kingdom applicable to the processing of Personal Data under the Main Agreement. This includes, where applicable: (i) Regulation (EU) 2016/679 (the General Data Protection Regulation, “EU GDPR”); (ii) the EU GDPR as incorporated into United Kingdom law by virtue of Section 3 of the UK’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws enacted under or in conjunction with any of the foregoing.
- (e) “CCPA” means the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100–1798.199), as amended.
- (f) “Controller” means the entity that determines the purposes and means of the processing of Personal Data.
- (g) “Data Subject Request” means a request made by or on behalf of a Data Subject to exercise any rights afforded to data subjects under Applicable Data Protection Laws (for example, rights of access, rectification, objection, or erasure of that Data Subject’s Personal Data).
- (h) “Personal Data” means any information that is defined as “personal data,” “personal information,” or any analogous term under Applicable Data Protection Laws.
- (i) “Processor” means an entity that processes Personal Data on behalf of a Controller, including any entity to which a Controller discloses a natural person’s personal information for a business purpose pursuant to a contract, provided that the entity receiving the information is obligated to only retain, use, or disclose the Personal Data for purposes of providing the Service.
- (j) “processing”, “Data Subject”, and “supervisory authority” shall have the meanings given to them under European Data Protection Laws.
- (k) “Restricted Transfer” means: (i) where the EU GDPR or the Swiss Federal Act on Data Protection (as amended or replaced) applies, any transfer of Personal Data from the European Economic Area or Switzerland (as applicable) to a country outside of the European Economic Area or Switzerland that is not subject to an adequacy decision by the European Commission or the Swiss Federal Data Protection and Information Commissioner (as applicable); and (ii) where the UK GDPR applies, any transfer of Personal Data from the United Kingdom to any other country which is not subject to adequacy regulations under Section 17A of the UK Data Protection Act 2018.
- (l) “Service” means the software products and all related services provided by Gmelius that involve the processing of Personal Data covered by this DPA.
- (m) “SCCs” means the standard contractual clauses for transfer of Personal Data to third countries: (i) where the EU GDPR or Swiss Federal Act on Data Protection applies, the standard contractual clauses approved by the European Commission in Decision 2021/914 of 4 June 2021 (“EU SCCs”); and (ii) where the UK GDPR applies, the standard data protection clauses adopted or approved under Article 46 of the UK GDPR (“UK SCCs”).
- (n) “UK Addendum” means the template International Data Transfer Addendum issued by the UK Information Commissioner’s Office and laid before the UK Parliament in accordance with Section 119A of the UK Data Protection Act 2018 on 2 February 2022 (as may be revised under Section 18 thereof), which amends the SCCs for purposes of UK GDPR compliance.
No Sale of Personal Data
With respect to all Personal Data that Gmelius processes in its role as a Processor or sub-processor, Gmelius warrants that it will not do any of the following:
- Sell, retain, use, or disclose the Personal Data for any purpose other than the specific purpose of providing the services to which the Customer has subscribed (i.e. the Service).
- Use the Personal Data for any commercial purpose other than providing the Service.
- Use the Personal Data for the purpose of marketing or advertising.
For the avoidance of doubt, Gmelius shall not “sell” or “share” Personal Data as those terms are defined under the CCPA.
Duration of Processing / Term of DPA
This DPA (and Gmelius’s processing of Personal Data under it) will terminate automatically upon termination or expiration of the Main Agreement, provided that it will continue to apply during any post-termination period in which Gmelius makes Personal Data available for Customer to export or delete, until such Personal Data is finally deleted from Gmelius’s systems.
Controller and Processor Roles
For purposes of this DPA, the Parties acknowledge that, as between the Parties, Customer is acting as a data Controller (or, in certain contexts, as a Processor acting on behalf of a third-party controller) and Gmelius is acting as a Processor of the Personal Data (or as a sub-processor, where Customer is itself a processor). Customer represents and warrants that it has the right and authority to appoint Gmelius as a Processor of Personal Data and to provide all necessary instructions to Gmelius in that capacity, and that such appointment has been authorized by the appropriate Controller of the Personal Data (if applicable). Gmelius will process all Personal Data only in accordance with its obligations under this DPA and the lawful instructions of Customer, and Customer confirms that it discloses Personal Data to Gmelius solely for the performance of the Service. Customer bears sole responsibility for the legality, appropriateness, accuracy, and quality of the Personal Data that it provides to Gmelius, as well as for the means by which Customer obtained such Personal Data.
Processing of Personal Data
Gmelius will process Customer’s Personal Data only on and in accordance with Customer’s documented instructions. By entering into this DPA, the Customer instructs Gmelius to process Customer Personal Data for the following purposes:
- (a) To provide the Service and any related technical or administrative support to Customer, consistent with the Main Agreement and this DPA.
- (b) As further directed or configured by Customer through its use of the Service (including through Customer’s use of the Service’s features and settings).
- (c) To comply with other reasonable instructions provided by Customer (for example, via email or support ticket), provided such instructions are consistent with the terms and scope of the Main Agreement and this DPA.
If Gmelius becomes aware that, in Gmelius’s opinion, a Customer instruction infringes or violates Applicable Data Protection Laws, Gmelius will inform Customer as soon as reasonably practicable.
Subject Matter and Nature of Processing
The subject matter and scope of the processing under this DPA is Gmelius’s provision of the Service to Customer (including any related technical or administrative support services, whether through online portals or otherwise) as described in the Main Agreement. Gmelius will process Personal Data that is provided or made available to Gmelius, directly or indirectly, by Customer or Customer’s clients or end users, solely for the purpose of providing and supporting the Service under the Main Agreement.
Security
Gmelius implements and maintains commercially reasonable technical and organizational measures to ensure a level of security appropriate to the risks presented by the processing of Personal Data, including protections against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed. Gmelius may update or modify its security measures from time to time, provided that such updates and modifications do not result in a material reduction of the overall security of the Service. The measures maintained by Gmelius include, at a minimum, the security measures described in Annex 2 (Technical and Organizational Security Measures).
The Service may provide certain security features and controls that Customer can elect to use (for example, multi-factor authentication, administrative access controls, and encryption options for data at rest). Customer is responsible for properly implementing and configuring the Service’s security features and safeguards within its control, and for otherwise taking appropriate measures to secure the Personal Data in its possession or control.
Personal Data Breach
If Gmelius becomes aware of and confirms an incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Gmelius’s possession or control (including Personal Data processed by Gmelius’s sub-processors) in connection with the Service, Gmelius will notify Customer of the incident without undue delay. Gmelius will promptly take reasonable steps to contain, investigate, and mitigate the effects of the incident and to minimize any damage resulting from it.
Customer acknowledges that an unsuccessful attempt or security incident that does not result in unauthorized access to Personal Data or to Gmelius’s systems (including systems used to process Personal Data) will not be subject to the notification requirements of this section. Examples of such unsuccessful security incidents include, without limitation: pings or other broadcast attacks on firewalls or network perimeter devices, port scans, denial-of-service attacks, failed login attempts, packet sniffing (or other unauthorized access to network traffic data) that does not result in access beyond IP addresses or headers, or similar incidents.
Any notification by Gmelius under this section is not an acknowledgement or admission by Gmelius of any fault or liability with respect to the security incident. Customer agrees that Gmelius’s obligation to report or respond to a security incident under this section will not apply to incidents that are caused by Customer or by individuals to whom Customer has provided access to the Service.
Duty of Confidentiality
Gmelius will ensure that any personnel whom it authorizes to process Personal Data on its behalf are subject to appropriate obligations of confidentiality (whether by contract or by statute) with respect to that Personal Data.
Data Subject Requests
If Gmelius receives a Data Subject Request relating to Personal Data processed in connection with the Service, Gmelius will, to the extent permitted by law and practicable for Gmelius, either (i) notify Customer of the request and await further instructions from Customer, or (ii) inform the requestor (the Data Subject) that such request should be submitted directly to Customer. Customer is responsible for responding to Data Subject Requests and for fulfilling any applicable legal obligations in relation to such requests.
Taking into account the nature of the processing and the information available to Gmelius, Gmelius will assist Customer with reasonable measures in responding to Data Subject Requests, to the extent such assistance is required under Applicable Data Protection Laws and is legally permissible. For example, Gmelius may provide relevant information about the Service or enable certain functionality (such as data export or deletion capabilities) to support Customer’s handling of Data Subject Requests. Except where such assistance is required by Applicable Data Protection Laws, Customer shall be responsible for any reasonable costs arising from Gmelius’s provision of assistance in connection with Data Subject Requests. If Applicable Data Protection Laws require Gmelius to provide information or assistance for Data Subject Requests, Gmelius will do so at no additional charge to Customer.
Data Deletion
Upon expiration or termination of the Main Agreement (or completion of the Service provided thereunder), Gmelius will, within a reasonable time, delete all Personal Data processed on Customer’s behalf pursuant to this DPA, except to the extent that applicable law requires further retention of such data. In such a case, Gmelius will continue to protect the Personal Data in accordance with this DPA and Applicable Data Protection Laws.
Audit
Gmelius will cooperate with Customer’s reasonable requests to verify Gmelius’s compliance with its obligations under this DPA. In particular, Gmelius will make available to Customer (subject to reasonable confidentiality restrictions) such information, documentation, and third-party audit reports as Gmelius has available—such as SOC 2 or similar audit certifications, summaries of penetration tests or security assessments, and descriptions of Gmelius’s security controls—that are reasonably necessary for Customer to assess Gmelius’s compliance with this DPA and Applicable Data Protection Laws. To the extent additional information is needed by Customer, the Parties will work together in good faith to provide such information, and any on-site audits shall be conducted in accordance with any conditions set forth in the Main Agreement or as otherwise agreed by the Parties.
Governing Law
Unless otherwise specified in the Main Agreement, this DPA shall be governed by and construed in accordance with the laws of Switzerland, without regard to its conflict of laws principles. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Geneva, Switzerland. The Parties agree to submit to the personal jurisdiction of these courts for the purpose of litigating any such disputes.
Sub-Processing
Customer authorizes Gmelius to engage third-party sub-processors to assist in the performance of the Service, provided that Gmelius will impose data protection obligations on any sub-processor that are at least as protective as those set forth in this DPA. Gmelius will not sell Personal Data or disclose it to any third party for commercial purposes unrelated to the provision of the Service. Customer hereby consents to Gmelius’s use of sub-processors as described in this section.
Current Sub-Processors: Gmelius maintains an up-to-date list of the sub-processors it uses to process Personal Data on behalf of Customer. As of the Effective Date of this DPA, that list includes the following organizations:
- Alphabet Inc. (Mountain View, CA, USA) – Google Cloud Platform (GCP). Gmelius uses GCP to host the Service, including the storage and processing of Customer data.
- Stripe, Inc. (San Francisco, CA, USA) – Gmelius uses Stripe to process payments and manage subscription billing and invoicing for the Service.
- Attio Limited (London, UK) – Gmelius uses Attio to manage and automate sales processes and communications.
- Gmelius SA (Geneva, Switzerland) – Gmelius uses the Gmelius platform to manage and automate customer support and helpdesk communications.
Gmelius will provide advance notice to Customer of any intended addition or replacement of its sub-processors. Gmelius may fulfill this obligation by updating the online list of sub-processors and notifying Customer through the Service or via email (or other appropriate means) prior to authorizing the new sub-processor to access Customer’s Personal Data. If Customer has a reasonable objection to any new sub-processor, Customer must notify Gmelius in writing within ten (10) business days of Gmelius’s notice, explaining the grounds for the objection. The Parties will then discuss the objection in good faith with the aim of achieving a commercially reasonable resolution. For example, Gmelius may choose not to use the proposed sub-processor for Customer’s Personal Data or may recommend an alternative solution to address Customer’s concerns. If no such resolution can be reached within a reasonable period of time (not to exceed thirty (30) days from Gmelius’s receipt of Customer’s objection), either Party may choose to terminate the portion of the Service affected by the proposed new sub-processor. In the event of such termination, Gmelius will refund to Customer any pre-paid fees for the terminated portion of the Service that would have been provided after the termination date.
Gmelius will ensure that all sub-processors engaged in processing Personal Data on its behalf have executed written agreements that impose obligations no less protective of Personal Data than those imposed on Gmelius under this DPA. Gmelius remains liable to Customer for the performance of its sub-processors to the same extent that Gmelius would be liable if it were performing the Service directly.
Transfers of Personal Data
Certain Gmelius services give Customer the option to use data centers located in the European Economic Area and/or in the United Kingdom (together, “European Data Centers”) for the hosting and processing of Personal Data. Customer acknowledges that some ancillary data related to the Service’s operation – for example, certain technical or support metadata for the Service or its administration portal (“Metadata”) – may be stored or processed in the United States, even if Customer has selected a European Data Center for primary data hosting.
If any transfer of Personal Data from Customer to Gmelius is a Restricted Transfer, the Parties agree that such transfer shall be governed by the appropriate Standard Contractual Clauses (“SCCs”) as follows:
- 1.1 With respect to Personal Data protected by the EU GDPR, the EU SCCs shall apply, and are hereby incorporated into this DPA. The EU SCCs shall be deemed completed as follows:
  - (a) Module Two (Controller-to-Processor SCCs) will apply where Customer is a Controller of the Personal Data, and Module Three (Processor-to-Processor SCCs) will apply where Customer is a Processor acting on behalf of a third-party Controller.
  - (b) In Clause 7 (Docking Clause), the optional docking clause shall apply (allowing for additional parties to join the SCCs, as needed).
  - (c) For Clause 9 (Use of Sub-processors), Option 2 (General Written Authorization) shall apply. The period for prior notice of sub-processor changes shall be the notice period stated in the Sub-Processing section of this DPA (above).
  - (d) In Clause 11 (Redress), the optional language allowing the data subject to lodge a complaint with an independent dispute resolution body shall not apply.
  - (e) For Clause 13 and Annex I.C (Supervisory Authorities), the competent supervisory authority shall be determined in accordance with the GDPR. Customer (as data exporter) shall maintain a record of the Member State(s) in which the data exporter and relevant data subjects are located, and of the competent supervisory authority(ies), and shall provide this information to Gmelius upon request.
  - (f) For Clause 17 (Governing law), Option 1 shall apply. The EU SCCs will be governed by the law of Ireland.
  - (g) For Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of Ireland.
  - (h) In Annex I.A of the EU SCCs, the “data importer” is Gmelius and the “data exporter” is Customer (including any Affiliates of Customer that are authorized to use the Service and have agreed to be bound by this DPA).
  - (i) In Annex I.B of the EU SCCs, the description of the transfer (categories of data subjects, Personal Data, processing activities, etc.) shall be as set out in Annex 1 to this DPA.
  - (j) In Annex II of the EU SCCs, the description of the technical and organizational measures implemented by the data importer shall be as set out in Annex 2 to this DPA.
  - (k) For Annex III of the EU SCCs (List of Sub-processors), the sub-processor list shall be as provided in the Sub-Processing section of this DPA (above).
- 1.2 With respect to Personal Data protected by the UK GDPR (United Kingdom), the UK SCCs (UK International Data Transfer Addendum) shall apply. Specifically:
  - (a) The EU SCCs, as completed above in Section 1.1, shall be deemed amended as specified by Part 2 (Mandatory Clauses) of the UK Addendum, which is hereby incorporated into this DPA.
  - (b) For the purposes of the UK Addendum: Table 1 (List of Parties), Table 2 (Selected SCCs), and Table 3 (Appendices) shall be deemed completed using the information set forth in Annex 1 and Annex 2 of this DPA; and Table 4 (Ending the Addendum when the Approved Addendum Changes) shall be deemed completed by selecting “neither Party” (leaving both Option 1 and Option 2 unchecked).
  - (c) In the event of any conflict between the EU SCCs and the UK Addendum, the provisions of the UK Addendum shall prevail, as per Sections 10 and 11 of the UK Addendum.
- 1.3 With respect to Personal Data protected by the Swiss Federal Act on Data Protection (as amended or superseded) that is transferred outside of Switzerland in circumstances constituting a Restricted Transfer, the EU SCCs (completed as set out in Section 1.1 above) shall apply mutatis mutandis, with the following modifications:
  - (a) The competent supervisory authority, for purposes of Annex I.C of the SCCs, shall be the Swiss Federal Data Protection and Information Commissioner (to the extent the transfer is governed by Swiss law).
  - (b) References to the “law of the Member State” in Clause 17 of the SCCs shall be interpreted as referring to the laws of Switzerland, and Clause 17 Option 1 shall thus specify the law of Switzerland. Similarly, references to the “courts” in Clause 18 shall be interpreted as the courts of Switzerland (and disputes shall be resolved in Switzerland).
  - (c) References to “Member State” in the SCCs shall be understood to include Switzerland. Data subjects located in Switzerland shall be entitled to exercise their rights under the SCCs and to initiate legal proceedings in Switzerland.
  - (d) Any references to the “GDPR”, “Regulation (EU) 2016/679”, or “EU GDPR” in the SCCs shall be understood as references to the Swiss Federal Act on Data Protection (as amended or replaced), to the extent applicable to the transfer.
- 1.4 In the event that any provision of this DPA (including any Annexes or appendices hereto) contradicts or conflicts with the SCCs, the terms of the SCCs shall prevail to the extent of the inconsistency.
Legal Requests
In its role as a Processor (or sub-processor, as applicable), if Gmelius receives any legally binding request or order from a public authority (such as a subpoena, court order, warrant, or other legal demand issued by a court or law enforcement agency) seeking disclosure of Personal Data, Gmelius will, to the extent permitted by law, promptly notify Customer and take reasonable steps to redirect the requesting authority to seek the information directly from Customer. For example, Gmelius may provide the requesting authority with the Customer’s basic contact information so that the request can be made directly to Customer. If, despite Gmelius’s efforts, the authority insists on obtaining the Personal Data from Gmelius, Gmelius will only disclose such data to the extent it is legally compelled to do so. Unless legally prohibited from doing so, Gmelius will provide Customer with reasonable notice of the demand before disclosing any Personal Data, so that Customer has an opportunity to seek a protective order or other appropriate remedy to prevent or limit the disclosure.
Limitation of Liability
Notwithstanding anything to the contrary in the Main Agreement or this DPA, and to the maximum extent permitted by applicable law, the liability of each Party and all of its Affiliates, taken together in aggregate, arising from or related to this DPA (including the SCCs and any other data protection agreements executed in connection with the Service) shall be subject to the limitations and exclusions of liability set forth in the Main Agreement. In no event shall the total combined liability of a Party and its Affiliates under this DPA (and related data protection obligations) exceed the liability cap (and types of damages limitations) that apply under the Main Agreement. For purposes of this paragraph, any liability arising under this DPA shall be deemed to accrue against the aggregate liability cap in the Main Agreement and not to any separate cap.
Customer further agrees that if Gmelius or its Affiliate incurs any fines or penalties from a supervisory authority or other regulator in connection with Customer’s failure to comply with its obligations under Applicable Data Protection Laws or this DPA, such fines or penalties will count toward and reduce the liability of Gmelius under the Main Agreement (as if those fines or penalties were owed by Gmelius to Customer under the Main Agreement). This provision does not limit Customer’s own liability to regulatory authorities for its compliance failures.
Notices
Any notice to Gmelius under this DPA shall be delivered via email to [email protected] (or to such other contact as Gmelius may designate in writing for this purpose).
If Customer is not the primary administrator of the Service account (for example, if Customer is an end-user client and the Service was obtained through a reseller or managed service provider), Customer acknowledges that Gmelius will direct all notices required or permitted under this DPA to the entity that is the primary administrator of the Service. Such notices may be provided by Gmelius via email or through the Service’s user interface, and once delivered to the primary administrator they shall be deemed received by Customer. It is the responsibility of that primary administrator to pass relevant notices on to Customer (end client).
If Customer is the primary administrator of the Service account (for example, a reseller or provider managing the Service on behalf of an end client), then Customer agrees that it will be responsible for receiving all notices from Gmelius under this DPA and promptly forwarding any such notices to other affected parties (including any end clients, if applicable), as necessary.
Customer is responsible for ensuring that current and accurate contact information (including administrative and technical contact details) is maintained in the Service’s administration portal. Gmelius shall be entitled to rely on the contact information provided in the Service portal when issuing notices under this DPA.
General
Gmelius reserves the right to update or modify this DPA from time to time as reasonably required. For example, Gmelius may make amendments to align with new or revised data protection frameworks, standards, or certification mechanisms approved under Applicable Data Protection Laws, or as necessary to reflect changes in law. Any material modifications will be communicated to Customer in accordance with the notice provisions of the Main Agreement or this DPA, and continued use of the Service after the effective date of any such modifications will constitute acceptance of the updated DPA.
Annex 1.
Description of the Details of Processing
Data Exporter: The data exporter is the Customer, as identified in the signature block of this DPA. In the context of the SCCs, the data exporter (Customer) is the controller of Personal Data (or a processor acting on behalf of a third-party controller) that transfers Personal Data to Gmelius for the use of the Service.
Data Importer: The data importer is Gmelius SA (“Gmelius”), a provider of cloud-based collaboration and communication services. Gmelius provides the Service (as defined in the DPA) and processes Personal Data on behalf of the data exporter in accordance with the Main Agreement and this DPA.
Data Subjects: Customer and/or its end users may submit Personal Data to the Service, the extent of which is determined and controlled by Customer in its sole discretion. Such Personal Data may relate to the following categories of data subjects, among others:
- Prospects, customers, business partners, or vendors of the Customer who are natural persons.
- Employees, officers, agents, advisors, contractors, or other staff of Customer (who are natural persons).
- Individuals who are employees or contact persons of Customer’s prospects, customers, business partners, or vendors.
Categories of Personal Data: Customer may submit Personal Data to the Service, the nature and scope of which is determined by Customer. Such data may include, but is not limited to, the following categories of Personal Data:
- Identifiers and contact information (e.g. first and last name, employer, job title/position, company name, business email address, phone number, physical business address).
- Identification data (e.g. employee or account IDs, or other identification details).
- Professional life data (e.g. work history, professional qualifications, or other employment-related information).
- Personal life data (e.g. personal details that may be provided by data subjects in the course of using the Service).
- Localization data (e.g. location-related information or data indicating a person’s geographic location).
Special Categories of Data: In general, Customer is not required to submit special categories of Personal Data to use the Service. However, the Service does not actively prevent the input of such data. Therefore, Customer may, at its discretion, include certain special categories of Personal Data in the data submitted to the Service, to the extent permitted by Applicable Data Protection Laws. Special categories of Personal Data include Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, as well as personal data relating to health, sex life or sexual orientation, genetic data, or biometric data for the purpose of uniquely identifying an individual. Customer is solely responsible for ensuring that any submission of special category data is lawful and in accordance with Applicable Data Protection Laws.
Nature and Purpose of Processing: The processing of Personal Data by Gmelius (data importer) on behalf of Customer (data exporter) is performed for the purpose of providing the Service and related support as described in the Main Agreement. This includes all such processing operations as are necessary to technically deliver the Service, to maintain and support the Service, and to fulfill Customer’s instructions and use cases within the Service. The Personal Data will be processed for no other purpose aside from providing the Service and fulfilling Gmelius’s obligations under the Main Agreement and this DPA, in accordance with Customer’s instructions.
Competent Supervisory Authority: The competent supervisory authority in respect of the data exporter shall be determined in accordance with the European Data Protection Laws (for example, the supervisory authority in the EU or UK member state where the data exporter is established, or, if applicable, the authority indicated in SCC Annex I.C based on the data exporter’s location).
Frequency of the Transfer: Personal Data may be transferred on a continuous or routine basis for the duration of the Main Agreement (for as long as Customer is using the Service), including any period of data export or deletion upon termination, as provided in the DPA.
Annex 2.
Technical and Organizational Security Measures
This Annex forms part of the SCCs and describes the technical and organizational security measures implemented by Gmelius (the data importer) to protect Personal Data, in accordance with Clause 8.6 and Clause 9 of the EU SCCs (and equivalent provisions of the UK Addendum, where applicable).
Gmelius is committed to maintaining a level of security appropriate to the risk associated with the Personal Data it processes. To that end, Gmelius has implemented a robust privacy and security program, following principles of “privacy by design” and industry best practices. The security measures in place include administrative, physical, and technical safeguards designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. Key measures are summarized below:
- Encryption in Transit: All Customer data transmitted between the data exporter and data importer (and between components of the Service) is encrypted in transit using up-to-date encryption protocols (TLS 1.3 or higher). This helps ensure that Personal Data cannot be read or altered by unauthorized parties while being transferred over networks.
- Encryption at Rest: All Personal Data stored at rest by Gmelius is encrypted using strong encryption algorithms (for example, AES-256 encryption). No Customer content is stored in an unencrypted form on persistent storage media. In addition, where supported, customers have the option to manage their own encryption keys (e.g., via cloud provider Key Management Services such as Google Cloud KMS) for added control over data-at-rest encryption.
- Storage and Hosting Security: Gmelius’s production infrastructure (including application servers and data storage) is hosted on secure, industry-leading cloud platforms (such as Google Cloud Platform). These cloud hosting providers maintain a broad range of independent certifications and audits, such as SOC 1, SOC 2, SOC 3, ISO 9001, ISO 27001, and others, demonstrating their adherence to high security standards. The data centers employ robust physical security controls to prevent unauthorized access, and Gmelius leverages the provider’s built-in security features (including identity and access management, firewalling, and network segregation). Gmelius’s cloud environment is designed such that no Service data is stored on local or end-user devices; the Service operates entirely from secure cloud infrastructure.
- Multi-Factor Authentication (MFA) and Access Management: Access to Gmelius systems (both for Gmelius personnel and for Customer users of the Service) is protected with multi-factor authentication wherever feasible. Customer user access to the Service is facilitated via trusted identity providers (e.g., Google), which support two-factor authentication for account login. Internally, Gmelius mandates the use of 2FA for all employees when accessing company systems or production environments. Access rights to systems and databases are granted on a role-based, least-privilege basis, and are regularly reviewed. Privileged account access is tightly controlled and logged. Furthermore, Gmelius does not store account passwords in plaintext – any credentials are stored using strong cryptographic hashing or encryption, and sensitive keys/secrets are stored securely.
- Audit and Assessment: Gmelius undergoes regular security assessments to evaluate and improve the effectiveness of its security measures. At least once per year, Gmelius engages independent third-party auditors to perform comprehensive audits and certifications of its security controls (for example, SOC 2 Type II audits evaluating Security, Availability, Confidentiality, etc.). Gmelius also performs periodic vulnerability scans and penetration testing on its applications and infrastructure (no less than annually, and more frequently as needed). Identified issues are documented and remediated based on severity. Summary results or reports from third-party audits and penetration tests are available to customers upon request, under appropriate non-disclosure obligations.
- Security Policies and Awareness: Gmelius maintains internal security and privacy policies that outline expected practices and responsibilities for employees and contractors. All Gmelius personnel receive training on these policies and on general data protection principles. Security and privacy training is conducted for all new hires during onboarding and on a recurring basis for all staff (at least annually). Employees are required to acknowledge their understanding of and adherence to the company’s security policies. Topics covered include data confidentiality, safe data handling, proper use of systems, incident reporting procedures, and adherence to Applicable Data Protection Laws (such as GDPR and CCPA). By fostering a culture of security awareness, Gmelius helps ensure that personnel remain vigilant and properly handle Customer Personal Data in accordance with this DPA.
Backup Space c/o Gmelius SA
Route de Pré-Bois 14
1216 Cointrin, Geneva, Switzerland