Legal V2

Version

Effective March 30th 2026

ATHINIA TERMS OF SERVICE

These Athinia Technologies LLC (“Athinia”) Terms of Service (collectively with any attachments, addenda, or exhibits referenced herein and any Order Forms (as defined below) that reference these Terms of Service, the “Agreement”) apply to any Order Form(s) between Customer and Athinia (each a “Party” and collectively the “Parties”) and are effective as of the Effective Date of the first Athinia Order Form between the Parties.

Certain Definitions.

1.1 “Affiliate” means an entity that, directly or indirectly, owns or controls or is owned or controlled by, or is under common ownership or control with, a Party as of the Effective Date and for as long as such entity remains directly or indirectly owned or controlled by the Party. As used herein, “control” means the power to direct, directly or indirectly, the management or affairs of an entity and “ownership” means the beneficial ownership of at least 50% of the voting equity securities or other equivalent voting interests of an entity.
1.2 “AIP” or "Artificial Intelligence Platform" means Athinia’s proprietary software-as-a-service offering(s) utilizing artificial intelligence (including but not limited to language models and other modeling services) (“Models”), including the Third Party Model Services set forth in Annex A, and as set forth in the Documentation and/or the Agreement.
1.3 “Athinia Technology” means the Service, Documentation, Data Connection Software, Sample Materials, software, models, and application programming interfaces (APIs), provided or made available to Customer as a service in connection with this Agreement, and any improvements, modifications, derivative works, patches, upgrades, and updates thereto.
1.4 “Customer” means the customer identified on the Order Form who is Party to this Agreement.
1.5 “Customer Data” means any data (including aggregated or transformed versions thereof and analytical outputs), models, algorithms, analyses, transformation code, business logic or other content that is provided by, whether directly or indirectly from a third party, or created by Customer, or Users (as defined below) using the Service, for integration, use, or other processing in or through the Service. Athinia does not claim ownership of Customer Data.
1.6 “Data Connection Software” means Athinia software provided for installation locally for Customer to connect Customer Data to the Service.
1.7 “Documentation” means any technical documentation for the Service made available in connection with the Service.
1.8 “Intellectual Property Rights” means all rights, title, and interest in and to any trade secrets, patents, copyrights, service marks, trademarks, know-how, trade names, rights in trade dress and packaging, moral rights, rights of privacy, rights of publicity, and any similar rights, including any applications, continuations, or registrations with respect to the foregoing, under the laws or regulations of any governmental, regulatory, or judicial authority.
1.9 “Order Form” means an ordering document, specifying the Service and/or Professional Services (if applicable) to be provided hereunder that is entered into between Athinia and Customer, including any attachments, addenda, or exhibits thereto.
1.10 “Palantir” means Palantir Technologies Inc., a Delaware corporation.
1.11 “Sample Materials” means any technology and materials provided or made available by Athinia to Customer for use with the Service, including sample code, software libraries, command line tools, data integration code, templates, and configuration files.
1.12 “Service” means Athinia’s proprietary software-as-a-service offering(s) which may include AIP as set forth in an Order Form.
1.13 “Taxes” means any applicable sales, use, transaction, value added, goods and services tax, harmonized sales tax, withholding tax, excise or similar taxes, and any foreign, provincial, federal, state or local fees or charges, (including but not limited to environmental or similar fees) duties, costs of compliance with export and import controls and regulations, and other governmental assessments, including any penalties and interest with respect thereto, imposed on, with respect to, or otherwise associated with any transaction hereunder.
1.14 “Third Party Content” means any third party data, services, or applications that interoperate with the Service which Athinia may, at Customer’s sole discretion, facilitate the use of in connection with the Service and subject to an independent agreement between Customer and such third party.
1.15 “Third Party Services” means third party services that Athinia may use in the provision of the Service as set forth in the Documentation (or as otherwise agreed by the Parties).

Provision of Service.

2.1 Service Access. Athinia shall make available the Service to Customer during the applicable Order Term (as defined below) solely for use by Customer and its Users in accordance with the terms and conditions of this Agreement and the Documentation for Customer’s internal business purposes, or as otherwise set forth in an Order Form.
2.2 Data Connection Software License. If applicable for use of the Service, Athinia grants to Customer during the applicable Order Term a non-exclusive, nontransferable, non-sublicenseable, limited license to use the Data Connection Software for the sole purposes of using and connecting to the Service. Customer shall allow Athinia to access the Data Connection Software remotely as necessary to provide the Service.
2.3 Sample Materials License. Athinia may make available Sample Materials for use by Customer during the Order Term. If applicable, Athinia grants to Customer during the applicable Order Term a non-exclusive, nontransferable, non-sublicenseable, limited license, to copy, modify, and use the Sample Materials solely to the extent necessary for Customer’s use of the Service.
2.4 Usage Data. Athinia may collect and use metrics, analytics, statistics, or other data related to use of the Service (a) to provide and secure the Service for the benefit of Customer and (b) to analyze, maintain, support, and improve the Service (provided that in relation to (b) the data collected shall not include personal data or Customer Data).
2.5 Security. Athinia has established an Information Security Program (“ISP”) designed to ensure strong practical security controls, and compliance with industry best practice standards and frameworks. Athinia uses Palantir Foundry as the underlying platform to provide its services. A comprehensive list of Palantir’s certifications can be found at https://palantir.safebase.us/. The Palantir ISP additionally is aligned with NIST 800-53, TSC (Trust Service Criteria), and CIS (Center for Internet Security) frameworks and management systems. Athinia will make available to Customer upon written request (no more frequently than once per calendar year) Palantir’s: (a) ISAE 3000/SSAE18 SOC2 TYPE II Report, (b) Penetration Test Attestation Letter, and (c) ISO 27001 Certificate. Athinia shall provide the above audit documentation relating to Athinia’s operating practices and procedures to the extent relevant to the Service. Customer acknowledges that documentation noted in this Section and other related information are Athinia’s Confidential Information (as defined below) hereunder.
2.6 Service Levels and Support. During the applicable Order Term, Athinia will provide support services as specified in the applicable Order Form. If so specified, and subject to payment of applicable fees, Athinia will provide Customer the service levels and support consistent with the support terms and service levels in the Athinia Service Level Agreement and Support Policy. Any supplemental software code or related materials that Athinia provides to Customer as part of any support services are part of the Athinia Technology and are subject to the terms and conditions of this Agreement.
2.7 Professional Services. Athinia shall provide Customer with implementation, enablement, integration, configuration or training with respect to Customer's use of the Service solely as specified in an Order Form or otherwise in Athinia’s discretion and subject to any fees thereunder (“Professional Services”) If the Order Form specifies no Professional Services, Athinia may, at its sole discretion (without an obligation to do so absent a separate agreement providing otherwise), provide Customer Professional Services. The performance of any Professional Services shall not affect ownership of the Athinia Technology and other materials provided by Athinia under this Agreement.

Customer Use of Service.

3.1 Accounts. Customer may provision accounts to access the Service (“Accounts”) for its (a) employees, (b) contractors, or (c) other users (including its Affiliates’ employees or contractors) specified in an Order Form for the purposes authorized hereunder (collectively, “Users”). Customer shall be responsible and/or liable for (i) administering Accounts; (ii) using industry standard security measures to protect Accounts (including without limitation using multi-factor authentication); (iii) any activity on Accounts and the monitoring of such activity on Accounts (only to the extent that such monitoring does not violate any other term of this Agreement or applicable law); and (iv) any breach or violation of this Agreement by any Users. Customer shall immediately de-activate any Account upon becoming aware of the compromise or unauthorized use thereof (and in such case promptly notify Athinia of such compromise or unauthorized use), or upon Athinia’s reasonable request. If Customer does not use its own identity provider service, Athinia may, on a temporary and exceptional basis, directly provision Accounts. In such cases, Customer acknowledges and accepts that User authentication cannot be restricted to approved devices or hardware and Accounts can only be terminated manually, upon receipt of specific instructions from Customer.
3.2 Data Protection. The Parties shall comply with the Athinia Data Protection Addendum incorporated into this Agreement. Customer shall be solely responsible for the accuracy, content, and legality of Customer Data and shall ensure that any integration of Customer Data into the Service complies with applicable laws and regulations, including but not limited to data localization requirements.
3.3 Applicable Laws. Customer’s access and use of the Service will not violate applicable laws of the United States or other laws applicable in the jurisdiction in which Customer is located, in which any natural persons who can be identified (directly or indirectly) by reference to the Customer Data is located, or in which Customer Data is stored, and it is solely Customer’s responsibility to ensure such compliance.
3.4 Export Controls. The Athinia Technology and Professional Services may be subject to trade control regulations of the United States including without limitation the U.S. Export Administration Regulations administered by the Department of Commerce’s Bureau of Industry and Security and embargo and sanctions regulations administered by the U.S. Department of Treasury’s Office of Foreign Assets Control or other export control and sanctions laws, including those applicable in other jurisdictions (the “Trade Compliance Requirements”). The Service is controlled under 5D002.c.1, ENC. Customer may not use the Athinia Technology in violation of, or take any action that causes Athinia to violate, applicable Trade Compliance Requirements. Customer also represents that it is not subject to restrictions under any U.S. government restricted end user lists and that it is not 50% or more, directly or indirectly, owned or controlled by any individuals or entities identified on such lists, and it will immediately notify Athinia if Customer becomes subject to any such restrictions. Customer may not (unless expressly agreed otherwise in a signed, written instrument, including in an applicable Order Form) use or access the Service to (1) perform any activities subject to the International Traffic in Arms Regulations (“ITAR”) maintained by the U.S. Department of State, including without limitation ingesting ITAR-controlled data, and (2) ingest, access, or transmit Controlled Unclassified Information.

Proprietary Rights.

4.1 Customer Data Ownership. As between the Parties, Customer owns all rights, title, and interest, including all Intellectual Property Rights, in and to Customer Data and any modifications made thereto. Subject to this Agreement, Customer grants to Athinia a non-exclusive, worldwide, royalty-free right and license during the Term (as defined below) to process Customer Data solely to provide the Service and/or Professional Services. Customer further grants to Athinia a worldwide, perpetual, irrevocable, royalty-free right and license to use, distribute, disclose, and make and incorporate into the Athinia Technology any suggestions, enhancement request, recommendation, or other feedback provided by Customer or Users relating to the Athinia Technology.
4.2 Athinia Ownership. As between the Parties, Athinia owns all rights, title, and interest, including all Intellectual Property Rights, in and to the Athinia Technology, and any other related documentation or materials provided by Athinia and any derivative works, modifications, or improvements of any of the foregoing (including without limitation all Intellectual Property Rights embodied in any of the foregoing). Except for the express rights granted herein, Athinia does not grant any other licenses or access, whether express or implied, or any ownership rights to any Athinia Technology, software, services, or Intellectual Property Rights.
4.3 Restrictions. Customer will not (and will not allow any third party to): (a) gain or attempt to gain unauthorized access to the Service or infrastructure, or any element thereof, or circumvent or interfere with any authentication or security measures of the Service; (b) interfere with or disrupt the integrity or performance of the Service; (c) access or attempt to gain access to another customer’s data; (d) adversely impact the ability of other customers to use the Service; (e) transmit material containing software viruses or other harmful or deleterious computer code, files, scripts, agents, or programs through the Service; (f) decompile, disassemble, scan, reverse engineer, or attempt to discover any source code or underlying ideas or algorithms of any Athinia Technology (except to the extent that applicable law expressly prohibits such a reverse engineering restriction, and in such case only upon prior written notice to Athinia); (g) provide, lease, lend, use for timesharing or service bureau purposes, or otherwise use or allow others to use the Service for the benefit of any third party (except as set forth in an Order Form); (h) use the Service for any purpose that is not expressly permitted by this Agreement; (i) list or otherwise display or copy any code of any Athinia Technology, except for Sample Materials to the extent necessary for Customer’s use of the Service; (j) copy any Athinia Technology (or component thereof) or develop any improvement, modification, or derivative work thereof, except for Sample Materials to the extent necessary for Customer’s use of the Service; (k) include any portion of any Athinia Technology in any other service, equipment, or item; (l) perform penetration tests on the Service unless authorized by Athinia; (m) use, access, evaluate, or view the Athinia Technology for the purpose of designing, modifying, improving, informing, or otherwise creating any service, environment, software, models, algorithms, products, program, or infrastructure or any portion thereof, which competes with or performs functions similar to the functions of the Athinia Technology; or (n) remove, obscure, or alter, or otherwise violate the terms of any copyright notice, trademarks, logos, and trade names and any other notices (including third party open source or similar licenses) or identifications that appear on or in any Athinia Technology and any associated media; (o) use the Athinia Technology to engage in or advance any fraud or misrepresentation (including but not limited to providing fraudulent or misleading information in response to the Order Form); or (p) use or access the Service for the purposes of engaging in or supporting spamming activities or communications, or marketing activities or communications in violation of the Controlling the Assault of Non-Solicited Pornography and Marketing Act (15 U.S.C. § 7701 et seq.), the Telephone Consumer Protection Act (47 U.S.C. § 227), and all other applicable laws prohibiting spam or otherwise governing transmission of marketing materials and/or communications.

Confidentiality. Each Party (the “Receiving Party”) shall keep strictly confidential all Confidential Information of the other Party (the “Disclosing Party”), shall not use such Confidential Information except for the purposes of this Agreement, and shall not disclose such Confidential Information to any third party other than disclosure on a need-to-know basis to the Receiving Party’s directors, employees, agents, attorneys, accountants, subcontractors, or other representatives who are each subject to obligations of confidentiality at least as restrictive as those herein (“Authorized Representatives”). The Receiving Party shall use at least the same degree of care as it uses to prevent disclosure of its own confidential information, but in no event less than reasonable care. The Receiving Party may, without violating the obligations of this Agreement, disclose Confidential Information to the extent required by a valid court or government order, provided that the Receiving Party: (a) to the extent legally permitted, provides the Disclosing Party with reasonable prior written notice of such disclosure and (b) uses reasonable efforts to limit disclosure and to obtain, or to assist the Disclosing Party in obtaining, confidential treatment or a protective order preventing or limiting the disclosure, while allowing the Disclosing Party to participate in the proceeding. “Confidential Information” means (i) in the case of Athinia, Athinia Technology (including any information relating thereto); (ii) in the case of Customer, Customer Data; and (iii) any other information which by the nature of the information disclosed or the manner of its disclosure would be understood by a reasonable person to be confidential, in each case, in any form (including without limitation electronic or oral) and whether furnished before, on, or after the Effective Date; provided, however, that Confidential Information shall not include any information that (1) is or becomes part of the public domain through no act or omission of the Receiving Party or its Authorized Representatives; (2) is known to the Receiving Party at the earlier of the Effective Date or the time of disclosure by the Disclosing Party (as evidenced by written records) without an obligation to keep it confidential; (3) was rightfully disclosed to the Receiving Party prior to the Effective Date from another source without any breach of confidentiality by the third party discloser and without restriction on disclosure or use; or (4) the Receiving Party can document by written evidence that such information was independently developed without any use of or reference to Confidential Information. The Receiving Party shall be liable for any breaches of this Section by any person or entity to which the Receiving Party is permitted to disclose Confidential Information pursuant to this Section. The Receiving Party’s obligations with respect to Confidential Information shall survive termination of this Agreement for five (5) years; provided, that the Receiving Party’s obligations hereunder shall survive termination and continue in perpetuity, or as long as permitted by applicable law, with respect to any Confidential Information that is a trade secret under applicable law.

Fees and Payment; Taxes. The Service is deemed delivered upon the provision of access to Customer or for Customer’s benefit. If there are fees set forth in an Order Form, such fees will be invoiced and payable on an annual upfront basis, or as otherwise set forth in the Order Form. Any usage-based fees set forth in an Order Form, including if payable in excess of any applicable included usage specified in an Order Form, will be calculated in accordance with the usage rates set forth in the Order Form (as applicable) and invoiced and payable quarterly in arrears, or as otherwise set forth in the Order Form. All payments shall be made via wire transfer to an account designated by Athinia in the currency set forth on the corresponding invoice within thirty (30) days after the date of issuance of Athinia’s invoice. Any late payments shall be subject to a service charge equal to the lesser of 1.5% per month of the amount due or the maximum amount of interest allowed by applicable law. Unless otherwise stated in an Order Form, fees are exclusive of applicable Taxes. Customer shall be responsible for all Taxes arising under this Agreement (except taxes on or measured by the net income of Athinia) so that after payment of such Taxes the amount Athinia receives is not less than the fees set forth in an Order Form. In the event a double taxation treaty applies, which provides a zero or reduced withholding tax rate, Customer agrees (a) not to withhold taxes in case of a zero withholding tax rate or (b) to withhold at the reduced tax rate in accordance with the double taxation treaty.

Term and Termination; Suspension.

7.1 Term. This Agreement is effective as of the Effective Date and shall continue in effect for six (6) months from the date of expiration of the last to expire Order Form, unless otherwise terminated as provided herein (the “Term”). The term of each Order Form shall continue for the duration set forth in the Order Form (the “Order Term”), unless otherwise terminated as provided herein.
7.2 Termination for Cause. Without limiting either Party’s other rights, either Party may terminate this Agreement for cause (including any then-current Order Forms) (a) in the event of any material breach by the other Party of any provision of this Agreement and failure to remedy the breach (and provide reasonable written notice of such remedy to the non-breaching Party) within thirty (30) days following written notice of such breach from the non-breaching Party or (b) if the other Party seeks protection under any bankruptcy, receivership or similar proceeding or such proceeding is instituted against that Party and not dismissed within ninety (90) days. Except where an exclusive remedy is specified in this Agreement, the exercise by either Party of the right to terminate under this provision shall be without prejudice to any other remedies it may have under this Agreement or by law. In the event of termination of this Agreement by Customer for cause pursuant to Section 7.2(a), Athinia shall provide a pro-rated refund of any fees pre-paid for the Service after the effective date of termination.
7.3 Effect of Termination. Upon any termination or expiration of this Agreement, except as specifically set forth below, all of Customer’s rights, access, and licenses granted to Athinia Technology shall immediately cease, and Customer shall promptly return or destroy all Data Connection Software, Sample Materials, Documentation, and all other Athinia Confidential Information and, upon written request, certify its compliance with the foregoing to Athinia in writing within ten (10) days of such request. Upon termination or expiration of all Order Forms, if requested by Customer, Customer shall, subject to the terms of this Agreement, have access to the Service for thirty (30) days solely for the purpose of retrieving Customer Data. Athinia shall thereafter delete or otherwise render inaccessible all Customer Data. Notwithstanding the foregoing, Athinia shall retain, subject to the other terms of this Agreement, and solely for security purposes, usage information and metadata related to the security of the Service, excluding Customer Data (except for security-related information such as IP addresses, usernames, log-in attempts, and search queries), for a period of two (2) years following the last event logged. No termination or expiration of this Agreement shall limit or affect rights or obligations that accrued prior to the effective date of termination or expiration (including without limitation payment obligations). Sections 1, 3.3, 3.4, 4, 5, 6, 7, 8, 9, 11, 12, 13 and 14 shall survive any termination or expiration of this Agreement.
7.4 Suspension of Service. If Athinia reasonably determines or suspects that: (a) Customer’s access or use of the Service and/or any Model violates applicable law or regulation (including but not limited to the Trade Compliance Requirements) or otherwise violates a material term of this Agreement (including but not limited to Section 3 (Customer Use of Service), Section 4.3 (Restrictions), Section 5 (Confidentiality), Section 6 (Fees and Payment; Taxes), Section 10 (Customer Warranty) and Section 13 (AIP)); or (b) Athinia providing any part of the Service would violate applicable (in force or forthcoming) law or regulation or (c) Customer’s use of the Service or Athinia’s provision of any part of the Service poses undue security risk or a risk of material harm to Athinia or its other customers, Athinia reserves the right to disable, suspend or terminate Customer’s access to all or any part of the Athinia Technology. Athinia will provide Customer notice of such suspension concurrent with or prior to such suspension.

Indemnification.

8.1 Athinia Indemnification. Athinia shall defend Customer against any claim of infringement or violation of any Intellectual Property Rights asserted against Customer by a third party based upon Customer’s use of Athinia Technology in accordance with the terms of this Agreement and indemnify and hold harmless Customer from and against reasonable costs, attorneys’ fees, and damages, if any, finally awarded against Customer pursuant to a non-appealable order by a tribunal of competent jurisdiction in such claim or settlement entered into by Athinia. If Customer’s use of any of the Athinia Technology is, or in Athinia’s opinion is likely to be, enjoined by a court of competent jurisdiction due to the type of infringement specified above, or if required by settlement approved by Athinia in writing, Athinia may, in its sole discretion: (a) substitute substantially functionally similar products or services; (b) procure for Customer the right to continue using the Athinia Technology; or (c) if Athinia reasonably determines that options (a) and (b) are commercially impracticable, terminate this Agreement and refund to Customer a pro-rated portion of the fees paid hereunder for the terminated Service that reflects the remaining portion of the Order Terms of any Order Forms in effect at the time of termination. The foregoing indemnification obligations of Athinia shall not apply: (i) if Athinia Technology is modified by or at the direction of Customer or Users, but only to the extent the alleged infringement would not have occurred but for such modification; (ii) if Athinia Technology is combined with non-Athinia products not authorized by Athinia, but only to the extent the alleged infringement would not have occurred but for such combination; (iii) to any unauthorized use of Athinia Technology, any use that is not consistent with the Documentation, any use that violates Section 3 (Customer Use of Service) or use during any period of suspension (as set forth in Section 7.4); (iv) to any Customer Data; or (v) to any non-Athinia products or services.
8.2 Customer Indemnification. Customer shall defend Athinia against any third party claim asserted against Athinia arising from or relating to (a) Customer’s violation of applicable law, (b) Customer Data, (c) Customer’s breach of Section 3 (Customer Use of Service), (d) Customer’s breach of Section 4.3 (Restrictions) or (e) any Customer-offered product or service (except if such claim is primarily attributable to the Service as offered by Athinia) and indemnify and hold harmless Athinia from and against related costs, attorneys’ fees, and damages, if any, finally awarded against Athinia pursuant to a non-appealable order by a tribunal of competent jurisdiction in such claim or settlement entered into by Customer.
8.3 Indemnification Procedure. The obligations of the indemnifying Party shall be conditioned upon the indemnified Party providing the indemnifying Party with: (a) prompt written notice (in no event to exceed twenty (20) days) of any claim, suit, or demand of which it becomes aware; (b) the right to assume the exclusive defense and control of any matter that is subject to indemnification (provided that the indemnifying Party will not settle any claim unless it unconditionally releases the indemnified Party of all liability and does not admit fault or wrongdoing by the indemnified Party, unless the indemnified Party otherwise consents in writing); and (c) cooperation with any reasonable requests assisting the indemnifying Party’s defense and settlement (at the indemnifying Party’s expense). This Section sets forth each Party’s sole liability and obligation and the sole and exclusive remedy with respect to any claim of Intellectual Property Rights infringement.

Athinia Warranty and Disclaimer.

91. Athinia Warranty. Athinia warrants that during the applicable Order Term (a) the Service will be provided substantially in accordance with the applicable Documentation and (b) the Professional Services will be provided in a professional and workmanlike manner. In the event of a breach of an above warranty, Customer may give Athinia written notice of termination of this Agreement, which termination will be effective thirty (30) days after Athinia’s receipt of the notice, unless Athinia is able to remedy the breach prior to the effective date of termination. This warranty shall not apply to the extent such breach is caused by Customer Data or misuse or unauthorized modification of the Service (including but not limited to Customer’s violation of Section 3 (Customer Use of Service)) or any Customer selected hardware used in connection with the Service. In the event of termination of this Agreement pursuant to Customer’s exercise of its right under this Section, Customer shall be entitled to receive from Athinia, as its sole and exclusive remedy, a pro-rata refund of any fees pre-paid for the Services after the effective date of termination.
9.2 Disclaimer. NO AMOUNTS PAID HEREUNDER ARE REFUNDABLE OR OFFSETTABLE EXCEPT AS OTHERWISE EXPRESSLY SET FORTH HEREIN. EXCEPT AS EXPRESSLY SET FORTH HEREIN, THE ATHINIA TECHNOLOGY AND PROFESSIONAL SERVICES ARE PROVIDED “AS-IS” WITHOUT ANY OTHER WARRANTIES OF ANY KIND AND ATHINIA AND ITS SUPPLIERS AND SERVICE PROVIDERS HEREBY DISCLAIM ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, ORAL OR WRITTEN, RELATING TO THE ATHINIA TECHNOLOGY AND PROFESSIONAL SERVICES PROVIDED HEREUNDER OR OTHERWISE, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY, TITLE, OR FITNESS FOR A PARTICULAR PURPOSE. WITHOUT LIMITING THE FOREGOING LIMITATION, ATHINIA DOES NOT WARRANT THAT THE ATHINIA TECHNOLOGY AND PROFESSIONAL SERVICES WILL MEET CUSTOMER REQUIREMENTS OR GUARANTEE ANY RESULTS, OUTCOMES, OR CONCLUSIONS OR THAT OPERATION OF THE SERVICE WILL BE UNINTERRUPTED OR ERROR FREE. ATHINIA SHALL NOT BE RESPONSIBLE OR LIABLE FOR ANY ACTIONS TAKEN OR CONCLUSIONS DRAWN BY CUSTOMER BASED ON CUSTOMER'S USE OF THE SERVICE ATHINIA IS NOT RESPONSIBLE OR LIABLE FOR ANY THIRD PARTY SERVICES (INCLUDING WITHOUT LIMITATION UPTIME GUARANTEES, OUTAGES, OR FAILURES), CUSTOMER DATA, OR ANY THIRD PARTY CONTENT. ATHINIA DOES NOT CONTROL THE TRANSFER OF INFORMATION OR CUSTOMER DATA OVER COMMUNICATIONS FACILITIES, THE INTERNET, OR THIRD PARTY SERVICES, AND THE SERVICE MAY BE SUBJECT TO DELAYS AND OTHER PROBLEMS INHERENT IN THE USE OF SUCH COMMUNICATIONS FACILITIES. ATHINIA IS NOT RESPONSIBLE FOR ANY DELAYS, FAILURES, OR OTHER DAMAGE RESULTING FROM SUCH PROBLEMS.

Customer Warranty. Customer warrants that (a) Customer has provided all necessary notifications and obtained all necessary consents, authorizations, approvals, and/or agreements as required by any applicable laws or policies, and has informed Athinia of any obligations applicable to Athinia’s processing of Customer Data, in order to enable Athinia to process Customer Data, including personal data, according to the scope, purpose, and instructions specified by Customer and that Customer will not direct the processing of Customer Data by Athinia in violation any laws or regulations (including localization requirements) or rights of third parties; and (b) it will not use the Service for any unauthorized or illegal purposes.

Limitations of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, AND NOTWITHSTANDING ANY OTHER PROVISION OF THIS AGREEMENT, NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY OR ITS AFFILIATES FOR ANY (A) COST OF PROCUREMENT OF ANY SUBSTITUTE PRODUCTS OR SERVICES (EXCEPT FOR ATHINIA’S OBLIGATIONS PURSUANT TO SECTION 8.1(a)), OR COST OF REPLACEMENT OR RESTORATION OF ANY CUSTOMER DATA, (B) ECONOMIC LOSSES, EXPECTED OR LOST PROFITS, REVENUE, OR ANTICIPATED SAVINGS, LOSS OF BUSINESS, LOSS OF CONTRACTS, LOSS OF OR DAMAGE TO GOODWILL OR REPUTATION, AND/OR (C) INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL LOSS OR DAMAGE, WHETHER ARISING OUT OF PERFORMANCE OR BREACH OF THIS AGREEMENT OR THE USE OR INABILITY TO USE THE ATHINIA TECHNOLOGY, EVEN IF THE PARTY HAS BEEN ADVISED AS TO THE POSSIBILITY OF SUCH LOSS OR DAMAGES. EXCEPT FOR THE PARTIES’ OBLIGATIONS SET FORTH IN SECTIONS 4 AND 8 OF THIS AGREEMENT AND CUSTOMER’S PAYMENT OBLIGATIONS HEREUNDER, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EACH PARTY AGREES THAT THE MAXIMUM AGGREGATE LIABILITY OF EITHER PARTY AND ITS AFFILIATES TO THE OTHER PARTY AND ITS AFFILIATES FOR ALL CLAIMS OF ANY KIND SHALL NOT EXCEED THE GREATER OF (A) THE FEES PAID OR PAYABLE TO ATHINIA BY CUSTOMER UNDER THE APPLICABLE ORDER FORM IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM FOR THE SERVICE OR PROFESSIONAL SERVICES THAT GAVE RISE TO SUCH CLAIM AND (B) ONE HUNDRED THOUSAND DOLLARS (USD 100,000), AND THAT SUCH REMEDY IS FAIR AND ADEQUATE. THE LIMITATIONS SET FORTH IN THIS SECTION 11 SHALL APPLY REGARDLESS OF WHETHER AN ACTION IS BASED ON CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER LEGAL OR EQUITABLE THEORY.

Dispute Resolution. Any dispute, controversy, or claim arising from or relating to this Agreement, including arbitrability, that cannot be resolved following good faith discussions within sixty (60) days after notice of a dispute shall be finally settled by arbitration. If Customer is located in the Americas, then the governing law shall be the substantive laws of the State of New York, without regard to conflicts of law provisions thereof, and arbitration shall be administered in New York, New York, United States under the Comprehensive Arbitration Rules and Procedures of the Judicial Arbitration and Mediation Services, Inc. (“JAMS”) and the Federal Rules of Evidence (notwithstanding JAMS Rule 22(d) or any other JAMS Rule to the contrary). If Customer is located outside of the Americas, then the governing law shall be the substantive laws of England and Wales, without regard to conflicts of law provisions thereof, and without regard to the United Nations Convention on Contracts for the International Sale of Goods, and arbitration shall be administered in London, United Kingdom under the Rules of Arbitration of the International Chamber of Commerce. Notwithstanding the foregoing, each Party shall have the right to institute an action at any time in a court of proper jurisdiction for preliminary injunctive relief pending a final decision by the arbitrator(s), provided that (a) the Party instituting the action shall seek an order to file the action under seal (or at a minimum do so for any filings containing Confidential Information or trade secrets) in order to limit disclosure as provided in Section 5 of this Agreement; and (b) a permanent injunction and damages shall only be awarded by the arbitrator(s).

AIP.

13.1 AIP use. AIP employs artificial intelligence and machine learning techniques, including use of Models. Customer acknowledges that because of the statistical methods underlying the foregoing techniques, output of AIP may be incorrect, incomplete, or biased. Accordingly, Customer agrees that its use of AIP is at its own risk and Customer shall be solely responsible for any decisions, actions, or omissions it takes on the basis of any AIP output. Customer further agrees to evaluate (including through review by a natural person) any AIP output prior to taking any decisions, actions, or omissions on its basis. Access to AIP forms part of the Service and is subject to relevant terms and conditions of the Agreement applicable to the Service, and Customer’s right and/or license (as applicable) to use AIP is determined by its right and/or license to use and/or access the Service as provided in the Agreement. Customer may only use data in connection with AIP for which Customer and/or its user has received all consents, authorizations, approvals, and/or agreements necessary to permit such use and/or processing under applicable law, regulation, or agreement(s). Customer shall not use AIP to attempt to obtain any information that may violate third party rights or applicable laws or regulations, including classified information. Customer’s access and use of AIP shall comply with all applicable laws and regulations. Customer shall be fully responsible and liable for its Users’ use of and access to AIP. Customer’s use of AIP utilizing a Third Party Model Service shall comply with all applicable Additional Terms set forth in Annex A.
13.2 AIP Restrictions. Customer will not (and will not allow any third party to): (a) decompile, disassemble, scan, reverse engineer, or attempt to discover any source code, algorithms, weights of the underlying models, or underlying ideas of AIP; (b) use AIP in attempt to train or develop another Model; or (c) represent that any output from AIP was generated by a natural person when it was not.
13.3 AIP Feedback. Customer may share and provide feedback, suggestions, comments, ideas, data, including prompts, reports, or other information related to Customer’s use of AIP in the form of feedback report(s) to Athinia (“AIP Feedback”) and Athinia can directly request AIP Feedback from Users of AIP. Customer acknowledges that any AIP Feedback shared to Athinia is done so voluntarily. Customer grants to Athinia a worldwide, perpetual, irrevocable, and royalty-free right and license to use, distribute, disclose, and make and incorporate into AIP any AIP Feedback to provide, secure, and improve AIP.
13.4 AIP Fees. Customer’s use of AIP shall accrue fees on the same terms as Customer’s use of the Service pursuant to the Agreement.
13.5 AIP Disclaimer. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THE AGREEMENT, AIP IS PROVIDED “AS-IS” WITHOUT ANY OTHER WARRANTIES OF ANY KIND AND ATHINIA HEREBY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, ORAL OR WRITTEN, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY, TITLE, SATISFACTORY QUALITY, OR FITNESS FOR A PARTICULAR PURPOSE. WITHOUT LIMITING THE FOREGOING LIMITATION, ATHINIA DOES NOT WARRANT THAT AIP WILL MEET CUSTOMER REQUIREMENTS OR GUARANTEE ANY QUALITY, RESULTS, OUTCOMES, OR CONCLUSIONS OR THAT OPERATION OF AIP WILL BE UNINTERRUPTED OR ERROR FREE. ATHINIA IS NOT RESPONSIBLE FOR ANY DECISIONS, ACTIONS, OR OMISSIONS CUSTOMER TAKES BASED UPON OR INFORMED BY OUTPUT FROM AIP. ATHINIA IS NOT RESPONSIBLE OR LIABLE FOR ANY THIRD PARTY SERVICES PROVIDED IN THE COURSE OF DELIVERING AIP, INCLUDING (IF APPLICABLE) ANY THIRD PARTY MODEL SERVICE (INCLUDING WITHOUT LIMITATION, UPTIME GUARANTEES, OUTAGES, FAILURES, OR ANY OTHER GUARANTEES IN ANY SERVICE LEVEL AGREEMENT BETWEEN THE PARTIES), CUSTOMER’S INPUT TO AIP, OR OUTPUT FROM AIP (INCLUDING BUT NOT LIMITED TO COMPLETENESS, OR ACCURACY OF OUTPUT FROM AIP, OR WHETHER THE OUTPUT FROM AIP INFRINGES OR VIOLATES ANY THIRD PARTY’S RIGHTS, INCLUDING INTELLECTUAL PROPERTY AND CONTRACTUAL RIGHTS).

Miscellaneous. Athinia shall provide the Service and Professional Services consistent with laws and regulations applicable to Athinia’s provision of such Service and Professional Services generally (including but not limited to those regarding data protection and international transfers of personal data), without regard to Customer’s specific utilization of the Service except to the extent set forth in an Order Form, and subject to Customer’s compliance with this Agreement. Except with Athinia’s prior written consent, neither this Agreement nor the access or licenses granted hereunder may be assigned, transferred, or sublicensed by Customer, including, without limitation, pursuant to a direct or indirect change of control of Customer, a merger involving Customer where Customer is not the surviving entity, or a sale of all or substantially all of the assets of Customer (collectively, a “Change of Control”); and any attempt to do so shall be void. Customer must provide written notice to Athinia prior to a Change of Control, and Athinia may terminate this Agreement in the event of a Change of Control. Athinia may subcontract this Agreement or portions thereof. Any notice required or permitted hereunder shall be in writing to the parties at the addresses set forth in the applicable Order Form and if by email, notifications to Athinia shall be sent to legalnotices@Athinia.com. If any provision of this Agreement shall be adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and be enforceable. Any and all modifications, waivers or amendments must be made by mutual agreement and shall be effective only if made in writing and signed by each Party. No waiver of any breach shall be deemed a waiver of any subsequent breach. Except for the obligation to pay money, neither Party will be liable for any failure or delay under this Agreement due to any cause beyond its reasonable control, including without limitation acts of war, acts of God, earthquake, flood, embargo, riot, sabotage, labor shortage or dispute, governmental act, or failure of the Internet, telecommunications, or hosting service provider, computer attacks, or malicious acts; provided that the delayed Party: (a) gives the other Party prompt notice of such cause; and (b) uses commercially reasonable efforts promptly to correct such failure or delay in performance. There are no third party beneficiaries under this Agreement, whether express or implied. For the avoidance of doubt, nothing in this Agreement shall be construed to create a joint venture, employment, partnership, strategic alliance, formal alliance, or strategic partnership relationship between the Parties. This Agreement is the complete and exclusive statement of the mutual understanding of the Parties and supersedes and terminates all previous written and oral agreements and communications relating to the subject matter of this Agreement. Any terms and conditions attached to any purchase order or invoicing portal of Customer, or equivalent, will not be binding on Athinia, and notwithstanding anything to the contrary in any such terms and conditions, Customer shall have no right to audit or inspect Athinia unless and only to the extent required by applicable law. In the event of a conflict between these Terms of Service and any Order Forms or exhibit, the terms of such Order Form or exhibit will prevail. Athinia is in no way affiliated with, or endorsed or sponsored by, The Saul Zaentz Company d.b.a. Tolkien Enterprises or the Estate of J.R.R. Tolkien.

ANNEX A

Customer’s use of AIP may leverage the following Models hosted in a third party environment (each a “Third Party Model Service”).

Third Party Model Service	Additional Terms
Anthropic Models hosted in Athinia’s Anthropic Environment (“Anthropic Model Service”)	Customer’s use of AIP leveraging Anthropic Model Service (a) shall comply with the Anthropic Usage Policy (available at https://www.anthropic.com/legal/aup); and (b) shall not facilitate or engage in the following: (i) design, market, help distribute or utilize weapons, explosives, dangerous materials or other systems designed to cause harm to or loss of human life; (ii) covertly tracking, targeting, or surveilling individuals, i.e., searching for or gathering information on an individual or group in order to track, target or report on their identity, including using the product for facial recognition, covert tracking, battlefield management applications or predictive policing; (iii) automated determination of financing eligibility of individuals, i.e., making automated decisions about the eligibility of individuals for financial products and creditworthiness; (iv) automated determination of employment and housing decisions, i.e., making automated decisions about the employability of individuals or other employment determinations or decisions regarding eligibility for housing, including leases and home loans; (v) any law enforcement application, except for the following permitted applications by U.S. law enforcement organizations: back office uses including call center support, document summarization, and accounting; (vi) analysis of data for the location of missing persons and other applications, provided that such applications do not otherwise violate or impair the liberty, civil liberties, or human rights of natural persons; (vii) shall not be for the purpose of building a product or service to the Anthropic Model Service (including to train competing Models or to resell the Models); and (viii) shall not involve reverse engineering or duplicating the Anthropic Model Service. Customer acknowledges that Anthropic, PBC may collect and temporarily retain pseudonymized security classifier metadata related to Customer’s use of AIP leveraging the Anthropic Model Service (which metadata, for the avoidance of doubt, shall not include the contents of Customer’s prompts provided to or output received from the Anthropic Model Service).
OpenAI Models hosted in Athinia’s Microsoft Azure Environment (“Azure OpenAI Model Service”)	(a) Customer’s use of AIP leveraging the Azure OpenAI Model Service shall comply with the Azure OpenAI Code of Conduct (https://learn.microsoft.com/en-us/legal/cognitive-services/openai/code-of-conduct?context=%2Fazure%2Fcognitive- services%2Fopenai%2Fcontext%2Fcontext); (b) Customer shall only use AIP leveraging the Azure OpenAI Model Service to (i) submit content to be summarized for pre-defined topics built into AIP and cannot use AIP as an open-ended summarizer (examples of such permitted use include but are not limited to summarization of call center transcripts, technical reports, and product reviews); (ii) analyze inputs using classification, sentiment analysis of text, or entity extraction (examples of such permitted use include but are not limited to analyzing product feedback sentiment, analyzing support calls and transcripts, and refining text-based search with embeddings); (iii) search trusted source documents such as internal Customer documentation; (iv) ask questions and receive answers from trusted source documents such as internal Customer documentation; or (v) code generation or transformation scenarios (examples of such permitted use include but are not limited to converting one programming language to another, generating docstrings for functions, or converting natural language to SQL); and (c) Customer shall not use AIP leveraging the Azure OpenAI Model Service (i) to generate, distribute, or modify any output from the Azure OpenAI Model Service that the Customer knew or should have known was infringing or likely to infringe a third party’s intellectual property or other proprietary rights (including if such infringement is caused by Customer’s combination of such output with third party products or services); or (ii) while disabling, ignoring, or otherwise circumventing, without authorization, any relevant citation, filtering, or safety features or restrictions provided by Azure or Athinia applicable to the Azure OpenAI Model Service.
Models hosted in Athinia’s Amazon Web Services Environment (“AWS Model Service”)	Customer’s use of AIP leveraging Anthropic Models through the AWS Model Service (a) shall comply with the Anthropic Code of Conduct (https://console.anthropic.com/legal/aup), (b) shall comply with the Anthropic Bedrock AI Services Agreement (available at https://s3.amazonaws.com/EULA/Anthropic-EULA-1023.pdf), and (c) shall not facilitate or engage in the following: (i) design, market, help distribute or utilize weapons, explosives, dangerous materials or other systems designed to cause harm to or loss of human life; (ii) covertly tracking, targeting, or surveilling individuals, i.e., searching for or gathering information on an individual or group in order to track, target or report on their identity, including using the product for facial recognition, covert tracking, battlefield management applications or predictive policing; (iii) automated determination of financing eligibility of individuals, i.e., making automated decisions about the eligibility of individuals for financial products and creditworthiness; (iv) automated determination of employment and housing decisions, i.e., making automated decisions about the employability of individuals or other employment determinations or decisions regarding eligibility for housing, including leases and home loans; (v) any law enforcement application, except for the following permitted applications by U.S. law enforcement organizations: back office uses including call center support, document summarization, and accounting; or (vi) analysis of data for the location of missing persons and other applications, provided that such applications do not otherwise violate or impair the liberty, civil liberties, or human rights of natural persons. Customer hereby agrees that its use of AIP leveraging Models (other than Anthropic Models) through the AWS Model Service shall comply with any acceptable use policies or codes of conduct applicable to such Models, as made available to Customer through AIP or the Documentation. Customer acknowledges that Amazon Web Services, Inc. may collect and temporarily retain pseudonymized security classifier metadata related to Customer’s use of AIP leveraging the AWS Model Service (which metadata, for the avoidance of doubt, shall not include the contents of Customer’s prompts provided to or output received from the AWS Model Service).
Google Provided Models hosted in Athinia’s Google Cloud Services Environment (“Google Model Service”)	Customer’s use of AIP leveraging the Google Model Service (a) shall comply with the Google Generative AI Prohibited Use Policy (https://policies.google.com/terms/generative-ai/use-policy); (b) shall comply with the Google Cloud Platform Acceptable Use Policy (https://cloud.google.com/terms/aup); (c) shall comply with the Anthropic on Vertex - Commercial Terms of Service (available at https://www-cdn.anthropic.com/471bd07290603ee509a5ea0d5ccf131ea5897232/anthropic-vertex-commercial-terms-march-2024.pdf), with respect to any Anthropic models used or accessed via the Google Model Service; (d) shall not reasonably be expected to lead to death, personal injury, or environmental damage, including operation of nuclear facilities, air traffic control, life support systems, or weaponry; and (e) shall, with respect to Customer’s use of applicable models that meet the definition of “Pre-GA Offerings” in the Google Model Service Pre-GA Offerings Terms (defined below) made available via the Google Model Service, comply with Google’s “Pre-GA Offerings Terms” subsection in the “General Service Terms” section of the Google Cloud Platform Service Specific Terms, available at https://cloud.google.com/terms/service-terms (the “Google Model Service Pre-GA Offerings Terms”). Customer acknowledges that Google LLC may collect and temporarily retain pseudonymized security classifier metadata related to Customer’s use of AIP leveraging the Google Model Service (which metadata, for the avoidance of doubt, shall not include the contents of Customer’s prompts provided to or output received from the Google Model Service).
OpenAI Models hosted by OpenAI (“OpenAI Model Service”)	Customer’s use of AIP leveraging the OpenAI Model Service (a) shall comply with the OpenAI Usage Policies (https://openai.com/policies/usage-policies); (b) if and only as applicable, shall comply with the applicable OpenAI Service Terms (https://openai.com/policies/service-terms); (c) Customer shall only use AIP leveraging the OpenAI Model Service to (i) submit content to be summarized for pre-defined topics built into AIP and cannot use AIP as an open-ended summarizer (examples of such permitted use include but are not limited to summarization of call center transcripts, technical reports, and product reviews); (ii) analyze inputs using classification, sentiment analysis of text, or entity extraction (examples of such permitted use include but are not limited to analyzing product feedback sentiment, analyzing support calls and transcripts, and refining text-based search with embeddings; (iii) search trusted source documents such as internal Customer documentation; (iv) ask questions and receive answers from trusted source documents such as internal Customer documentation; (v) code generation or transformation scenarios (examples of such permitted use include but are not limited to converting one programming language to another, generating docstrings for functions, or converting natural language to SQL); or (vi) fine-tune Models as provided as part of AIP and the OpenAI Model Service; and (d) Customer shall not use AIP leveraging the OpenAI Model Service (i) to generate, distribute, or modify any output from the OpenAI Model Service that the Customer knew or should have known was infringing or likely to infringe a third party’s intellectual property or other proprietary rights (including if such infringement is caused by Customer’s combination of such output with third party products or services); or (ii) while disabling, ignoring, or otherwise circumventing, without authorization, any relevant citation, filtering, or safety features or restrictions provided by OpenAI applicable to the OpenAI Model Service. Customer acknowledges that OpenAI, LLC may collect and temporarily retain pseudonymized security classifier metadata related to Customer’s use of AIP leveraging the OpenAI Model Service (which metadata, for the avoidance of doubt, shall not include the contents of Customer’s prompts provided to or output received from the OpenAI Model Service).
Meta’s Llama 4 Model, Meta's Llama 3.3 Model, Meta's Llama 3.2 Model, and Meta's Llama 3.1 Model (and Meta’s Llama Models now existing or released in the future) hosted in Athinia's model hub environment(s) (“Llama Model Service”)	Customer’s use of AIP leveraging the Llama Model Service shall comply with (a) the Llama 4 Community License Agreement (https://www.llama.com/llama4/license/), which includes the Llama 4 Acceptable Use Policy incorporated by reference (https://www.llama.com/llama4/use-policy/); (b) the Llama 3.3 Community License Agreement (https://www.llama.com/llama3_3/license/), which includes the Llama 3.3 Acceptable Use Policy incorporated by reference (https://www.llama.com/llama3_3/use- policy/); (c) the Llama 3.2 Community License Agreement (https://github.com/meta-llama/llama-models/blob/main/models/llama3_2/LICENSE), which includes the Llama 3.2 Acceptable Use Policy (https://www.llama.com/llama3_2/use-policy/); (d) the Llama 3.1 Community License Agreement (https://github.com/meta-llama/llama-models/blob/main/models/llama3_1/LICENSE), which includes the Llama 3.1 Acceptable Use Policy (https://llama.meta.com/llama3_1/use-policy/); and (e) any license terms and/or acceptable use policies applicable to any other Llama Model(s) (now existing or released in the future) made available as part of the Llama Model Service.
X.AI LLC’s Grok Models hosted by X.AI LLC (“xAI Model Service”)	Customer’s use of AIP leveraging the xAI Model Service shall (a) comply with applicable law (this includes not taking unlawful action on behalf of others); (b) not promote or engage in (i) the sexualization or exploitation of children, (ii) violating copyright, trademark, or other intellectual property law, (iii) compromising others’ privacy, (iv) violating a person’s right to publicity, (v) operating in a regulated industry without complying with those regulations, or (vi) defrauding, defaming, scamming, or spamming; (c) not harm people or property (this includes but is not limited to not perpetrating hacking, doxing, phishing or other malicious attacks, and not developing any kind of weapon); (d) not mislead or circumvent technical safeguards or other technical guardrails; (e) not represent that output of the xAI Model Service is human generated; and (f) not use output of the xAI Model Service to train generative artificial intelligence models similar to or competitive with the xAI Model Service.

ATHINIA TERMS OF SERVICE

1. Certain Definitions.

1.1 “Affiliate” means an entity that, directly or indirectly, owns or controls or is owned or controlled by, or is under common ownership or control with, a Party as of the Effective Date and for as long as such entity remains directly or indirectly owned or controlled by the Party. As used herein, “control” means the power to direct, directly or indirectly, the management or affairs of an entity and “ownership” means the beneficial ownership of at least 50% of the voting equity securities or other equivalent voting interests of an entity.

1.2 “AIP” or "Artificial Intelligence Platform" means Athinia’s proprietary software-as-a-service offering(s) utilizing artificial intelligence (including but not limited to language models and other modeling services) (“Models”), including the Third Party Model Services set forth in Annex A, and as set forth in the Documentation and/or the Agreement.

1.3 “Athinia Technology” means the Service, Documentation, Data Connection Software, Sample Materials, models, and application programming interfaces (APIs), provided or made available to Customer as a service in connection with this Agreement, and any improvements, modifications, derivative works, patches, upgrades, and updates thereto.

1.4 “Customer” means the customer identified on the Order Form who is Party to this Agreement.

1.5 “Customer Data” means any data (including aggregated or transformed versions thereof and analytical outputs), models, algorithms, analyses, transformation code or other content that is provided by, whether directly or indirectly from a third party, or created by Customer, or Users using the Service, for integration, use, or other processing in or through the Service.

1.6 “Data Connection Software” means Athinia software provided for installation locally for Customer to connect Customer Data to the Service.

1.7 “Documentation” means any technical documentation for the Service made available in connection with the Service.

1.8 “Intellectual Property Rights” means all rights, title, and interest in and to any trade secrets, patents, copyrights, service marks, trademarks, know-how, trade names, rights in trade dress and packaging, moral rights, rights of privacy, rights of publicity, and any similar rights, including any applications, continuations, or registrations with respect to the foregoing, under the laws or regulations of any governmental, regulatory, or judicial authority.

1.9 “Order Form” means an ordering document, specifying the Service and/or Professional Services (if applicable) to be provided hereunder that is entered into between Athinia and Customer, including any attachments, addenda, or exhibits thereto.

1.10 “Palantir” means Palantir Technologies Inc., a Delaware corporation.

1.11 “Sample Materials” means any technology and materials provided or made available by Athinia to Customer for use with the Service, including sample code, software libraries, command line tools, data integration code, templates, and configuration files.

1.12 “Service” means Athinia’s proprietary software-as-a-service offering(s) which may include AIP as set forth in an Order Form.

1.13 “Taxes” means any applicable sales, use, transaction, value added, goods and services tax, harmonized sales tax, withholding tax, excise or similar taxes, and any foreign, provincial, federal, state or local fees or charges, (including but not limited to, environmental or similar fees) duties, costs of compliance with export and import controls and regulations, and other governmental assessments , including any penalties and interest in respect thereof, imposed on, in respect of or otherwise associated with any transaction hereunder.

1.14 “Third Party Content” means any third party data, services, or applications that interoperate with the Service which Athinia may, at Customer’s sole discretion, facilitate the use of in connection with the Service and subject to an independent agreement between Customer and such third party.

1.15 “Third Party Services” means third party services that Athinia may use in the provision of the Service as set forth in the Documentation (or as otherwise agreed by the Parties).

2. Provision of Service.

2.1 Service Access. Athinia shall make available the Service to Customer, subject to the condition precedent set forth in Section 7.4, during the applicable Order Term solely for use by Customer and its Users in accordance with the terms and conditions of this Agreement and the Documentation for Customer’s internal business purposes or as otherwise set forth in an Order Form.

2.2 Data Connection Software License. If applicable for use of the Service, and subject to the condition precedent set forth in Section 7.4, Athinia grants to Customer during the applicable Order Term a non-exclusive, nontransferable, non-sublicenseable, limited license to use the Data Connection Software for the sole purposes of using and connecting to the Service. Customer shall allow Athinia to access the Data Connection Software remotely as necessary to provide the Service.

2.3 Sample Materials License. Athinia may make available Sample Materials for use by Customer during the Order Term. If applicable, and subject to the condition precedent set forth in Section 7.4, Athinia grants to Customer during the applicable Order Term a non-exclusive, nontransferable, non-sublicenseable, limited license, to copy, modify, and use the Sample Materials solely to the extent necessary for Customer’s use of the Service.

2.4 Usage Data. Athinia may collect and use metrics, analytics, statistics, or other data related to Customer’s use of the Service (a) to provide and secure the Service for the benefit of Customer and (b) to analyze, maintain, support, and improve the Service (provided that in relation to (b) the data collected shall not include personal data or Customer Data).

2.5 Security. Athinia has established an Information Security Program (“ISP”) designed to ensure strong practical security controls, and compliance with industry best practice standards and frameworks. Athinia uses Palantir Foundry as the underlying platform to provide its services. A comprehensive list of Palantir’s certifications can be found at https://www.palantir.com/information-security/ under “Compliance and Accreditation.” The Palantir ISP additionally is aligned with NIST 800-53, TSC (Trust Service Criteria), and CIS (Center for Internet Security) frameworks and management systems. Athinia will make available to Customer upon written request (no more frequently than once per calendar year) Palantir’s: (a) ISAE 3000/SSAE18 SOC2 TYPE II Report, (b) Penetration Test Attestation Letter, and (c) ISO 27001 Certificate. Athinia shall provide the above audit reports relating to Athinia’s operating practices and procedures to the extent relevant to the Service. Customer acknowledges that Athinia’s documentation noted in this Section and other related information are Athinia’s Confidential Information hereunder.

2.6 Service Levels and Support. During an Order Term, Athinia has no obligation to provide any support services under this Agreement unless specified otherwise in the applicable Order Form. If so specified, and subject to applicable fees, Athinia will provide Customer the service levels and support consistent with the support terms and service levels in the Athinia Service Level Agreement and Support Policy. Any supplemental software code or related materials that Athinia provides to Customer as part of any support services are to be considered part of the Athinia Technology and are subject to the terms and conditions of this Agreement.

2.7 Professional Services. Athinia shall provide Customer with implementation, enablement, training, or other professional services as specified in an Order Form or otherwise in Athinia’s discretion and subject to any fees thereunder (“Professional Services”). The performance of any Professional Services shall not affect ownership of the Athinia Technology and other materials provided by Athinia under this Agreement.

3. Customer Use of Service.

3.1 Accounts. Customer may provision accounts to access the Service (“Accounts”) for its (a) employees, (b) contractors, (c) other users (including its Affiliates’ employees or contractors) specified in an Order Form for the purposes authorized hereunder (collectively, “Users”). Customer shall be responsible for (i) administering Accounts; (ii) using industry standard security measures to protect Accounts (including, without limitation, using multi-factor authentication); and (iii) any activity on Accounts. Customer shall immediately de-activate any Account upon becoming aware of the compromise or unauthorized use thereof (and in such case promptly notify Athinia of such compromise or unauthorized use), or upon Athinia’s reasonable request.

3.2 Data Protection. The Parties shall comply with the Athinia Data Protection Addendum incorporated into this Agreement. Customer shall be solely responsible for the accuracy, content, and legality of Customer Data and shall ensure that any integration of Customer Data into the Service complies with applicable laws and regulations, including but not limited to data localization requirements.

3.3 Applicable Privacy Laws. Customer is solely responsible for ensuring that its access to and use of the Service does not violate applicable laws of the United States or other laws applicable in the jurisdiction in which Customer is located, in which any natural persons who can be identified (directly or indirectly) by reference to the Customer Data is located, or in which Customer Data is stored.

3.4 Export Controls. The Athinia Technology and Professional Services may be subject to trade control regulations of the United States, such as the U.S. Export Administration Regulations administered by the Department of Commerce’s Bureau of Industry and Security and embargo and sanctions regulations administered by the U.S. Department of Treasury’s Office of Foreign Assets Control or other export control and sanctions laws applicable in other jurisdictions (the “Trade Compliance Requirements”). The Service is controlled under 5D002.c.1, ENC. Customer will ensure that all exports, reexports, transfers, end-uses, and Users of the Athinia Technology comply with and do not use the Athinia Technology in violation of, or take any action that causes Athinia to violate, applicable Trade Compliance Requirements. This includes, without limitation, the following:

(a) Customer may not use or access the Service if Customer is or are working on behalf of a Specially Designated National as defined by the United States Department of the Treasury or a person subject to similar blocking or denied party prohibitions administered by a U.S. government agency;

(b) Customer may not use or access the Service to perform any activities subject to the International Traffic in Arms Regulations (ITAR) maintained by the United States Department of State, including without limitation, ingesting ITAR-controlled data; and

(c) Customer represents that it is not subject to restrictions under any U.S. government restricted end user lists, and that it is not 50% or more, directly or indirectly, owned or controlled by any individuals or entities identified on such lists and that it will immediately notify Athinia if Customer becomes subject to any such restrictions.

Customer will immediately notify Athinia if Customer becomes subject to any such restrictions.

4. Proprietary Rights.

4.1 Customer Data Ownership. As between the Parties, Customer owns all rights, title, and interest, including all Intellectual Property Rights, in and to Customer Data and any modifications made thereto. Subject to the Agreement, Customer grants to Athinia a non-exclusive, worldwide, royalty-free right and license during the Term to process Customer Data solely to provide the Service and/or Professional Services. Customer further grants to Athinia a worldwide, perpetual, irrevocable, royalty-free right and license to use, distribute, disclose, and make and incorporate into the Athinia Technology any suggestions, enhancement request, recommendation, or other feedback provided by Customer or Users relating to the Athinia Technology.

4.2 Athinia Ownership. As between the Parties, Athinia owns all rights, title, and interest, including all Intellectual Property Rights, in and to the Athinia Technology, and any other related documentation or materials provided by Athinia and any derivative works, modifications, or improvements of any of the foregoing (including without limitation all Intellectual Property Rights embodied in any of the foregoing). Except for the express rights granted herein, Athinia does not grant any other licenses or access, whether express or implied, or any ownership rights to any Athinia Technology, software, services, or Intellectual Property Rights.

4.3 Restrictions. Customer will not (and will not allow any third party to): (a) gain or attempt to gain unauthorized access to the Service or infrastructure, or any element thereof, or circumvent or interfere with any authentication or security measures of the Service; (b) interfere with or disrupt the integrity or performance of the Service; (c) access or attempt to gain access to another customer’s data; (d) adversely impact the ability of other customers to use the Service; (e) transmit material containing software viruses or other harmful or deleterious computer code, files, scripts, agents, or programs through the Service; (f) decompile, disassemble, scan, reverse engineer, or attempt to discover any source code or underlying ideas or algorithms of any Athinia Technology (except to the extent that applicable law expressly prohibits such a reverse engineering restriction, and in such case only upon prior written notice to Athinia); (g) provide, lease, lend, use for timesharing or service bureau purposes, or otherwise use or allow others to use the Service for the benefit of any third party (except as set forth in an Order Form); (h) use the Service for any purpose that is not expressly permitted by this Agreement; (i) list or otherwise display or copy any code of any Athinia Technology, except for Sample Materials to the extent necessary for Customer’s use of the Service; (j) copy any Athinia Technology (or component thereof) or develop any improvement, modification, or derivative work thereof, except for Sample Materials to the extent necessary for Customer’s use of the Service; (k) include any portion of any Athinia Technology in any other service, equipment, or item; (l) perform penetration tests on the Service unless authorized by Athinia; (m) use, evaluate, or view the Athinia Technology for the purpose of designing, modifying, or otherwise creating any environment, software, models, algorithms, products, program, or infrastructure or any portion thereof, which performs functions similar to the functions of the Athinia Technology; or (n) remove, obscure, or alter, or otherwise violate the terms of any copyright notice, trademarks, logos, and trade names and any other notices (including third party open source or similar licenses) or identifications that appear on or in any Athinia Technology and any associated media; (o) use the Athinia Technology to engage in or advance any fraud or misrepresentation (including but not limited to providing fraudulent or misleading information in response to the Order Form); or (p) use or access the Service for the purposes of engaging in or supporting spamming activities or communications, or marketing activities or communications in violation of the Controlling the Assault of Non-Solicited Pornography and Marketing Act (15 U.S.C. § 7701 et seq.), the Telephone Consumer Protection Act (47 U.S.C. § 227), and all other applicable laws prohibiting spam or otherwise governing transmission of marketing materials and/or communications. Notwithstanding the foregoing, or any statement to the contrary herein, Third Party Content may be made available with notices and open source or similar licenses from such communities and third parties that govern the use of those portions, and Customer hereby agrees to be bound by and fully comply with all such licenses; however, the disclaimer of warranty and limitation of liability provisions in this Agreement will apply to all such Third Party Content.

5. Confidentiality. Each Party (the “Receiving Party”) shall keep strictly confidential all Confidential Information of the other Party (the “Disclosing Party”), and shall not use such Confidential Information except for the purposes of this Agreement, and shall not disclose such Confidential Information to any third party other than disclosure on a need-to-know basis to the Receiving Party’s directors, employees, agents, attorneys, accountants, subcontractors, or other representatives who are each subject to obligations of confidentiality at least as restrictive as those herein (“Authorized Representatives”). The Receiving Party shall use at least the same degree of care as it uses to prevent disclosure of its own confidential information, but in no event less than reasonable care. The Receiving Party may, without violating the obligations of the Agreement, disclose Confidential Information to the extent required by a valid court or government order, provided that the Receiving Party: (a) provides the Disclosing Party with reasonable prior written notice of such disclosure and (b) uses reasonable efforts to limit disclosure and to obtain, or to assist the Disclosing Party in obtaining, confidential treatment or a protective order preventing or limiting the disclosure, while allowing the Disclosing Party to participate in the proceeding. “Confidential Information” means (i) in the case of Athinia, Athinia Technology (including any information relating thereto); (ii) in the case of Customer, Customer Data; and (iii) any other information which by the nature of the information disclosed or the manner of its disclosure would be understood by a reasonable person to be confidential, in each case, in any form (including without limitation electronic or oral) and whether furnished before, on, or after the Effective Date; provided, however, that Confidential Information shall not include any information that (1) is or becomes part of the public domain through no act or omission of the Receiving Party or its Authorized Representatives; (2) is known to the Receiving Party at the earlier of the Effective Date or the time of disclosure by the Disclosing Party (as evidenced by written records) without an obligation to keep it confidential; (3) was rightfully disclosed to the Receiving Party prior to the Effective Date from another source without any breach of confidentiality by the third party discloser and without restriction on disclosure or use; or (4) the Receiving Party can document by written evidence that such information was independently developed without any use of or reference to Confidential Information. The Receiving Party shall be liable for any breaches of this Section by any person or entity to which the Receiving Party is permitted to disclose Confidential Information pursuant to this Section. The Receiving Party’s obligations with respect to Confidential Information shall survive termination of this Agreement for five (5) years; provided, that the Receiving Party’s obligations hereunder shall survive termination and continue in perpetuity, or as long as permitted by applicable law, with respect to any Confidential Information that is a trade secret under applicable law.

6. Fees and Payment; Taxes. The Service is deemed delivered upon the provision of access to Customer or for Customer’s benefit. If there are fees set forth in an Order Form, such fees will be invoiced and payable on an annual upfront basis, or as otherwise set forth in the Order Form. All payments shall be made via wire transfer to an account designated by Athinia in the currency set forth on the corresponding invoice within thirty (30) days after the date of issuance of Athinia’s invoice. Any late payments shall be subject to a service charge equal to the lesser of 1.5% per month of the amount due or the maximum amount of interest allowed by applicable law. Unless otherwise stated in an Order Form, fees are exclusive of applicable Taxes. Customer shall be responsible for all Taxes arising under this Agreement (except taxes on or measured by the net income of Athinia) so that after payment of such Taxes the amount Athinia receives is not less than the fees set forth in an Order Form. In the event a double taxation treaty applies, which provides a zero or reduced withholding tax rate, Customer agrees (a) not to withhold taxes in case of a zero withholding tax rate or (b) to withhold at the reduced tax rate in accordance with the double taxation treaty.

7. Term and Termination; Suspension.

7.1 Term. This Agreement is effective as of the Effective Date and shall continue in effect for six (6) months from the date of expiration of the last to expire Order Form (the “Term”), unless otherwise terminated as provided herein. The term of each Order Form shall continue for the duration set forth in the Order Form (the “Order Term”), unless otherwise terminated as provided herein.

7.2 Termination for Cause. Without limiting either Party’s other rights, either Party may terminate this Agreement for cause (including any then-current Order Forms) (a) in the event of any material breach by the other Party of any provision of this Agreement and failure to remedy the breach (and provide reasonable written notice of such remedy to the non-breaching Party) within thirty (30) days following written notice of such breach from the non-breaching Party or (b) if the other Party seeks protection under any bankruptcy, receivership or similar proceeding or such proceeding is instituted against that Party and not dismissed within ninety (90) days. Except where an exclusive remedy is specified in this Agreement, the exercise by either Party of the right to terminate under this provision shall be without prejudice to any other remedies it may have under this Agreement or by law. In the event of termination of this Agreement by Customer for cause pursuant to Section 7.2(a), Athinia shall provide a pro-rated refund of any fees pre-paid for Services not utilized as of the effective date of termination.

7.3 Effect of Termination. Upon any termination or expiration of this Agreement, except as specifically set forth below, all Customer’s rights, access, and licenses granted to Athinia Technology shall immediately cease and Customer shall promptly return or destroy all Data Connection Software, Sample Materials, and Documentation, and all other Athinia Confidential Information, and, upon written request, certify its compliance with the foregoing to Athinia in writing within ten (10) days of such request. Upon termination or expiration of all Order Forms, if requested by Customer, Customer shall, subject to the terms of this Agreement, have access to the Service for thirty (30) days solely for the purpose of retrieving Customer Data. Athinia shall thereafter delete all Customer Data. Notwithstanding the foregoing, Athinia shall retain, subject to the other terms of this Agreement, and solely for security purposes, usage information and metadata related to the security of the Service, excluding Customer Data (except for security-related information such as IP addresses, usernames, log-in attempts, and search queries), for a period of two (2) years following the last event logged. No termination or expiration of this Agreement shall limit or affect rights or obligations that accrued prior to the effective date of termination or expiration (including without limitation payment obligations). Sections 1, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13 and 14 shall survive any termination or expiration of this Agreement.

7.4 Suspension of Services. If Athinia reasonably determines that: (a) Customer’s access or use of the Service and/or any Model violates applicable law or regulation (including but not limited to the Trade Compliance Requirements) or otherwise violates a material term of this Agreement (including Section 3 (Customer Use of Service), Section 4.3 (Restrictions), Section 5 (Confidentiality), Section 6 (Fees and Payment; Taxes), Section 10 (Customer Warranty) and Section 13 (AIP)); or (b) Athinia providing any part of the Service would violate applicable (in force or forthcoming) law or regulation or (c) Customer’s use of the Service or Athinia’s provision of any part of the Service poses undue security risk or a risk of material harm to Athinia or its other customers, Athinia reserves the right to disable, suspend or terminate Customer’s access to all or any part of the Athinia Technology. Athinia will provide Customer notice of such suspension concurrent with or prior to such suspension.

8. Indemnification.

8.1 Athinia Indemnification. Athinia shall defend Customer against any claim of infringement or violation of any Intellectual Property Rights asserted against Customer by a third party based upon Customer’s use of Athinia Technology in accordance with the terms of this Agreement and indemnify and hold harmless Customer from and against reasonable costs, attorneys’ fees, and damages, if any, finally awarded against Customer pursuant to a non-appealable order by a court of competent jurisdiction in such claim or settlement entered into by Athinia. If Customer’s use of any of the Athinia Technology is, or in Athinia’s opinion is likely to be, enjoined by a court of competent jurisdiction due to the type of infringement specified above, or if required by settlement approved by Athinia in writing, Athinia may, in its sole discretion: (a) substitute substantially functionally similar products or services; (b) procure for Customer the right to continue using the Athinia Technology; or (c) if Athinia reasonably determines that options (a) and (b) are commercially impracticable, terminate this Agreement and refund to Customer a pro-rated portion of the fees paid hereunder for the terminated Athinia Technology that reflects the remaining portion of the Order Terms of any Order Forms in effect at the time of termination. The foregoing indemnification obligations of Athinia shall not apply: (i) if Athinia Technology is modified by or at the direction of Customer or Users, but only to the extent the alleged infringement would not have occurred but for such modification; (ii) if Athinia Technology is combined with non-Athinia products not authorized by Athinia, but only to the extent the alleged infringement would not have occurred but for such combination; (iii) to any unauthorized use of Athinia Technology, any use that is not consistent with the Documentation, any use that violates Section 3 (Customer Use of Service) or use during any period of suspension (as set forth in Section 7.4); (iv) to any Customer Data; or (v) to any non-Athinia products or services.

8.2 Customer Indemnification. Customer shall defend Athinia against any third party claim asserted against Athinia arising from or relating to (a) Customer’s violation of applicable law, (b) Customer Data, (c) Customer’s breach of Section 3 (Customer Use of Service), (d) Customer’s breach of Section 4.3 (Restrictions) or (e) any Customer-offered product or service (except if such claim is attributable to the Service as offered by Athinia) and indemnify and hold harmless Athinia from and against related costs, attorneys’ fees, and damages, if any, issued by a competent authority or finally awarded pursuant to a non-appealable order.

8.3 Indemnification Procedure. The obligations of the indemnifying Party shall be conditioned upon the indemnified Party providing the indemnifying Party with: (a) prompt written notice (in no event to exceed twenty (20) days) of any claim, suit, or demand of which it becomes aware; (b) the right to assume the exclusive defense and control of any matter that is subject to indemnification (provided that the indemnifying Party will not settle any claim unless it unconditionally releases the indemnified Party of all liability and does not admit fault or wrongdoing by the indemnified Party); and (c) cooperation with any reasonable requests assisting the indemnifying Party’s defense and settlement (at the indemnifying Party’s expense). This Section sets forth each Party’s sole liability and obligation and the sole and exclusive remedy with respect to any claim of Intellectual Property Rights infringement.

9. Athinia Warranty and Disclaimer.

9.1 Athinia Warranty. Athinia warrants that during the Term (a) the Service will be provided substantially in accordance with the applicable Documentation and (b) the Professional Services will be provided in a professional and workmanlike manner. In the event of a breach of an above warranty, Customer may give Athinia written notice of termination of this Agreement, which termination will be effective thirty (30) days after Athinia’s receipt of the notice, unless Athinia is able to remedy the breach prior to the effective date of termination. This warranty shall not apply to the extent such breach is caused by Customer Data or misuse or unauthorized modification of the Service (including but not limited to Customer’s violation of Section 3 (Customer Use of Service)) or any Customer selected hardware used in connection with the Service. In the event of termination of this Agreement pursuant to Customer’s exercise of its right under this Section, Customer shall be entitled to receive from Athinia, as its sole and exclusive remedy, a refund of a pro-rated portion of the fees paid hereunder that reflects the remaining portion of the Order Terms of any Order Forms in effect at the time of termination.

9.2 Disclaimer. NO AMOUNTS PAID HEREUNDER ARE REFUNDABLE OR OFFSETTABLE EXCEPT AS OTHERWISE EXPLICITLY SET FORTH HEREIN. EXCEPT AS EXPRESSLY SET FORTH HEREIN, THE ATHINIA TECHNOLOGY AND PROFESSIONAL SERVICES ARE PROVIDED “AS-IS” WITHOUT ANY OTHER WARRANTIES OF ANY KIND AND ATHINIA AND ITS SUPPLIERS AND SERVICE PROVIDERS HEREBY DISCLAIM ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, ORAL OR WRITTEN, RELATING TO THE ATHINIA TECHNOLOGY AND PROFESSIONAL SERVICES PROVIDED HEREUNDER OR OTHERWISE, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY, TITLE, OR FITNESS FOR A PARTICULAR PURPOSE. WITHOUT LIMITING THE FOREGOING LIMITATION, ATHINIA DOES NOT WARRANT THAT THE ATHINIA TECHNOLOGY AND PROFESSIONAL SERVICES WILL MEET CUSTOMER REQUIREMENTS OR GUARANTEE ANY RESULTS, OUTCOMES, OR CONCLUSIONS OR THAT OPERATION OF THE SERVICE WILL BE UNINTERRUPTED OR ERROR FREE. ATHINIA IS NOT RESPONSIBLE OR LIABLE FOR ANY THIRD PARTY SERVICES (INCLUDING WITHOUT LIMITATION, UPTIME GUARANTEES, OUTAGES, OR FAILURES), CUSTOMER DATA, OR ANY THIRD PARTY CONTENT. ATHINIA DOES NOT CONTROL THE TRANSFER OF INFORMATION OR CUSTOMER DATA OVER COMMUNICATIONS FACILITIES, THE INTERNET, OR THIRD PARTY SERVICES, AND THE SERVICE MAY BE SUBJECT TO DELAYS AND OTHER PROBLEMS INHERENT IN THE USE OF SUCH COMMUNICATIONS FACILITIES. ATHINIA IS NOT RESPONSIBLE FOR ANY DELAYS, FAILURES, OR OTHER DAMAGE RESULTING FROM SUCH PROBLEMS. ATHINIA SHALL NOT BE RESPONSIBLE OR LIABLE FOR ANY ACTIONS TAKEN OR CONCLUSIONS DRAWN BY CUSTOMER BASED ON CUSTOMER’S USE OF THE SERVICE

10. Customer Warranty. Customer warrants that (a) Customer has provided all necessary notifications and obtained all necessary consents, authorizations, approvals, and/or agreements as required by any applicable laws or policies, and has informed Athinia of any obligations applicable to Athinia’s processing of Customer Data, in order to enable Athinia to process Customer Data, including personal data, according to the scope, purpose, and instructions specified by Customer and that Customer will not direct the processing of Customer Data by Athinia in violation any laws or regulations (including localization requirements) or rights of third parties; (b) it will not use the Service for any unauthorized or illegal purposes; and (c) it will not upload or import Customer Data to the Service requiring additional documentation without first executing such documentation. All Customer Data that Customer integrates, uses, or otherwise makes available in or through use of the Service and the conclusions drawn therefrom are done at Customer’s own risk and Customer will be solely liable and responsible for any damage or losses to any party resulting therefrom. All Customer Data that Customer integrates, uses, or otherwise makes available in or through use of the Service and the conclusions drawn therefrom are done at Customer’s own risk and Customer will be solely liable and responsible for any damage or losses to any party resulting therefrom.

11. Limitations of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, AND NOTWITHSTANDING ANY OTHER PROVISION OF THIS AGREEMENT, NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY OR ITS AFFILIATES FOR ANY (A) COST OF PROCUREMENT OF ANY SUBSTITUTE PRODUCTS OR SERVICES, OR COST OF REPLACEMENT OR RESTORATION OF ANY CUSTOMER DATA, (B) ECONOMIC LOSSES, EXPECTED OR LOST PROFITS, REVENUE, OR ANTICIPATED SAVINGS, LOSS OF BUSINESS, LOSS OF CONTRACTS, LOSS OF OR DAMAGE TO GOODWILL OR REPUTATION, AND/OR (C) INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL LOSS OR DAMAGE, WHETHER ARISING OUT OF PERFORMANCE OR BREACH OF THIS AGREEMENT OR THE USE OR INABILITY TO USE THE ATHINIA TECHNOLOGY, EVEN IF THE PARTY HAS BEEN ADVISED AS TO THE POSSIBILITY OF SUCH LOSS OR DAMAGES. EXCEPT FOR THE PARTIES’ OBLIGATIONS SET FORTH IN SECTIONS 4 AND 8 OF THIS AGREEMENT AND CUSTOMER’S PAYMENT OBLIGATIONS HEREUNDER, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EACH PARTY AGREES THAT THE MAXIMUM AGGREGATE LIABILITY OF EITHER PARTY AND ITS AFFILIATES TO THE OTHER PARTY AND ITS AFFILIATES FOR ALL CLAIMS OF ANY KIND SHALL NOT EXCEED THE GREATER OF A) THE FEES PAID OR PAYABLE TO ATHINIA BY CUSTOMER UNDER THE APPLICABLE ORDER FORM IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM FOR THE SERVICE OR PROFESSIONAL SERVICES THAT GAVE RISE TO SUCH CLAIM OR B) ONE HUNDRED THOUSAND DOLLARS (USD 100,000), AND THAT SUCH REMEDY IS FAIR AND ADEQUATE. THE LIMITATIONS SET FORTH IN THIS SECTION 11 SHALL APPLY REGARDLESS OF WHETHER AN ACTION IS BASED ON CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER LEGAL OR EQUITABLE THEORY.

12. Dispute Resolution. Any dispute, controversy, or claim arising from or relating to this Agreement, including arbitrability, that cannot be resolved following good faith discussions within sixty (60) days after notice of a dispute shall be finally settled by arbitration. If Customer is located in the Americas, then the governing law shall be the substantive laws of the State of New York, without regard to conflicts of law provisions thereof, and arbitration shall be administered in New York, New York, United States under the Comprehensive Arbitration Rules and Procedures of the Judicial Arbitration and Mediation Services, Inc. (“JAMS”) and the Federal Rules of Evidence (notwithstanding JAMS Rule 22(d) or any other JAMS Rule to the contrary). If Customer is located outside of the Americas, then the governing law shall be the substantive laws of England and Wales, without regard to conflicts of law provisions thereof, and without regard to the United Nations Convention on Contracts for the International Sale of Goods, and arbitration shall be administered in London, United Kingdom under the Rules of Arbitration of the International Chamber of Commerce (“ICC Rules”). Notwithstanding the foregoing, each Party shall have the right to institute an action at any time in a court of proper jurisdiction for preliminary injunctive relief pending a final decision by the arbitrator(s), provided that (a) the Party instituting the action shall seek an order to file the action under seal (or at a minimum do so for any filings containing Confidential Information or trade secrets) in order to limit disclosure as provided in Section 5 of this Agreement; and (b) a permanent injunction and damages shall only be awarded by the arbitrator(s).

13. AIP.

13.1 AIP use. AIP employs artificial intelligence and machine learning techniques, including use of Models. Customer acknowledges that because of the statistical methods underlying the foregoing techniques, output of AIP may be incorrect, incomplete, or biased. Accordingly, Customer agrees that its use of AIP is at its own risk and Customer shall be solely responsible for any decisions, actions, or omissions it takes on the basis of any AIP output. Customer further agrees to evaluate (including through review by a natural person) any AIP output prior to taking any decisions, actions, or omissions on its basis. Access to AIP forms part of the Service and is subject to relevant terms and conditions of the Agreement applicable to the Service, and Customer’s right and/or license (as applicable) to use AIP is determined by its right and/or license to use and/or access the Service as provided in the Agreement. Customer may only use data in connection with AIP for which Customer and/or its user has received all consents, authorizations, approvals, and/or agreements necessary to permit such use and/or processing under applicable law, regulation, or agreement(s). Customer shall not use AIP to attempt to obtain any information that may violate third party rights or applicable laws or regulations, including classified information. Customer’s access and use of AIP shall comply with all applicable laws and regulations. Customer shall be fully responsible and liable for its Users’ use of and access to AIP. Customer’s use of AIP shall comply with all applicable Additional Terms set forth in Annex A.

13.2 AIP Restrictions. Customer will not (and will not allow any third party to): (a) decompile, disassemble, scan, reverse engineer, or attempt to discover any source code, algorithms, weights of the underlying models, or underlying ideas of AIP; (b) use AIP in attempt to train or develop another Model; or (c) represent that any output from AIP was generated by a natural person when it was not.

13.3 AIP Feedback. Customer may share and provide feedback, suggestions, comments, ideas, data, including prompts, reports, or other information related to Customer’s use of AIP in the form of feedback report(s) to Athinia (“AIP Feedback”) and Athinia can directly request AIP Feedback from Users of AIP. Customer acknowledges that any AIP Feedback shared to Athinia is done so voluntarily. Customer grants to Athinia a worldwide, perpetual, irrevocable, and royalty-free right and license to use, distribute, disclose, and make and incorporate into AIP any AIP Feedback to provide, secure, and improve AIP.

13.4 AIP Fees. Customer’s use of AIP shall accrue fees on the same terms as Customer’s use of the Service pursuant to the Agreement. Notwithstanding the foregoing, if the Agreement does not include separate fees for use of AIP, Athinia reserves the right to begin charging for use of AIP upon providing Customer 30 days’ notice.

13.5 AIP Disclaimer. NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THE AGREEMENT, AIP IS PROVIDED “AS-IS” WITHOUT ANY OTHER WARRANTIES OF ANY KIND AND ATHINIA HEREBY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, ORAL OR WRITTEN, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY, TITLE, SATISFACTORY QUALITY, OR FITNESS FOR A PARTICULAR PURPOSE. WITHOUT LIMITING THE FOREGOING LIMITATION, ATHINIA DOES NOT WARRANT THAT AIP WILL MEET CUSTOMER REQUIREMENTS OR GUARANTEE ANY QUALITY, RESULTS, OUTCOMES, OR CONCLUSIONS OR THAT OPERATION OF AIP WILL BE UNINTERRUPTED OR ERROR FREE. ATHINIA IS NOT RESPONSIBLE FOR ANY DECISIONS, ACTIONS, OR OMISSIONS CUSTOMER TAKES BASED UPON OR INFORMED BY OUTPUT FROM AIP. ATHINIA IS NOT RESPONSIBLE OR LIABLE FOR ANY THIRD PARTY SERVICES PROVIDED IN THE COURSE OF DELIVERING AIP, INCLUDING (IF APPLICABLE) ANY THIRD PARTY MODEL SERVICE (INCLUDING WITHOUT LIMITATION, UPTIME GUARANTEES, OUTAGES, FAILURES, OR ANY OTHER GUARANTEES IN ANY SERVICE LEVEL AGREEMENT BETWEEN THE PARTIES), CUSTOMER’S INPUT TO AIP, OR OUTPUT FROM AIP (INCLUDING BUT NOT LIMITED TO COMPLETENESS, OR ACCURACY OF OUTPUT FROM AIP, OR WHETHER THE OUTPUT FROM AIP INFRINGES OR VIOLATES ANY THIRD PARTY’S RIGHTS, INCLUDING INTELLECTUAL PROPERTY AND CONTRACTUAL RIGHTS).

14. Miscellaneous. Athinia shall provide the Service and Professional Services consistent with laws and regulations applicable to Athinia’s provision of such Service and Professional Services generally, including but not limited to, regarding data protection and international transfers of personal data, without regard to Customer’s specific utilization of the Service except to the extent set forth in an Order Form, and subject to Customer’s compliance with this Agreement. Except with Athinia’s prior written consent, neither this Agreement nor the access or licenses granted hereunder may be assigned, transferred, or sublicensed by Customer, including, without limitation, pursuant to a direct or indirect change of control of Customer, a merger involving Customer where Customer is not the surviving entity, or a sale of all or substantially all of the assets of Customer (collectively, a “Change of Control”); any attempt to do so shall be void. Customer must provide written notice to Athinia prior to a Change of Control, and Athinia may terminate this Agreement in the event of a Change of Control. Athinia may subcontract this Agreement or portions thereof. Any notice required or permitted hereunder shall be in writing to the parties at the addresses set forth in the applicable Order Form and if by email, notifications to Athinia shall be sent to legalnotices@Athinia.com. If any provision of this Agreement shall be adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and be enforceable. Any and all modifications, waivers or amendments must be made by mutual agreement and shall be effective only if made in writing and signed by each Party. No waiver of any breach shall be deemed a waiver of any subsequent breach. Except for the obligation to pay money, neither Party will be liable for any failure or delay under this Agreement due to any cause beyond its reasonable control, including without limitation acts of war, acts of God, earthquake, flood, embargo, riot, sabotage, labor shortage or dispute, governmental act, or failure of the Internet, telecommunications, or hosting service provider, computer attacks, or malicious acts; provided that the delayed Party: (a) gives the other Party prompt notice of such cause; and (b) uses commercially reasonable efforts promptly to correct such failure or delay in performance. Athinia has the right to immediately suspend access to the Service: (a) if Customer is in material breach of this Agreement; (b) to prevent a security incident impacting Customer, Customer Data, or the Service; or (c) if continued access would violate applicable laws or if required to do so pursuant to applicable law or regulation or requests or orders of governmental, regulatory, or judicial authorities. There are no third party beneficiaries under this Agreement, whether express or implied. For the avoidance of doubt, nothing in this Agreement shall be construed to create a joint venture, employment, partnership, strategic alliance, formal alliance, or strategic partnership relationship between the Parties. This Agreement is the complete and exclusive statement of the mutual understanding of the Parties and supersedes and cancels all previous written and oral agreements and communications relating to the subject matter of this Agreement. In the event of a conflict between these Terms of Service and any Order Forms or exhibit, the terms of such Order Form or exhibit will prevail. Athinia is in no way affiliated with, or endorsed or sponsored by, The Saul Zaentz Company d.b.a. Tolkien Enterprises or the Estate of J.R.R. Tolkien.

ANNEX A

Customer’s use of AIP may leverage the following Models hosted in a third party environment (each a “Third Party Model Service”).

Third Party Model Service	Additional Terms
OpenAI Models hosted in Microsoft Azure Environment (“Azure OpenAI Model Service”)	(a) Customer’s use of AIP leveraging the Azure OpenAI Model Service shall comply with the Azure OpenAI Code of Conduct (https://learn.microsoft.com/en-us/legal/cognitive-services/openai/code-of-conduct?context=%2Fazure%2Fcognitive- services%2Fopenai%2Fcontext%2Fcontext); (b) Customer shall only use AIP leveraging the Azure OpenAI Model Service to (i) submit content to be summarized for pre-defined topics built into AIP and cannot use AIP as an open-ended summarizer (examples of such permitted use include but are not limited to summarization of call center transcripts, technical reports, and product reviews); (ii) analyze inputs using classification, sentiment analysis of text, or entity extraction (examples of such permitted use include but are not limited to analyzing product feedback sentiment, analyzing support calls and transcripts, and refining text-based search with embeddings; (iii) search trusted source documents such as internal Customer documentation; (iv) ask questions and receive answers from trusted source documents such as internal Customer documentation; or (v) code generation or transformation scenarios (examples of such permitted use include but are not limited to converting one programming language to another, generating docstrings for functions, or converting natural language to SQL); and (c) Customer shall not use AIP leveraging the Azure OpenAI Model Service (i) to generate, distribute, or modify any output from the Azure OpenAI Model Service that the Customer knew or should have known was infringing or likely to infringe a third party’s intellectual property or other proprietary rights (including if such infringement is caused by Customer’s combination of such output with third party products or services); or (ii) while disabling, ignoring, or otherwise circumventing, without authorization, any relevant citation, filtering, or safety features or restrictions provided by Azure or Athinia applicable to the Azure OpenAI Model Service.
Models hosted in Amazon Web Services Environment (“AWS Model Service”)	Customer’s use of AIP leveraging Anthropic Models through the AWS Model Service (a) shall comply with the Anthropic Code of Conduct (https://console.anthropic.com/legal/aup), and (b) shall not facilitate or engage in the following: (i) design, market, help distribute or utilize weapons, explosives, dangerous materials or other systems designed to cause harm to or loss of human life; (ii) covertly tracking, targeting, or surveilling individuals, i.e., searching for or gathering information on an individual or group in order to track, target or report on their identity, including using the product for facial recognition, covert tracking, battlefield management applications or predictive policing; (iii) automated determination of financing eligibility of individuals, i.e., making automated decisions about the eligibility of individuals for financial products and creditworthiness; (iv) automated determination of employment and housing decisions, i.e., making automated decisions about the employability of individuals or other employment determinations or decisions regarding eligibility for housing, including leases and home loans; (v) any law enforcement application, except for the following permitted applications by U.S. law enforcement organizations: back office uses including call center support, document summarization, and accounting; or (vi) analysis of data for the location of missing persons and other applications, provided that such applications do not otherwise violate or impair the liberty, civil liberties, or human rights of natural persons. Customer hereby agrees that its use of AIP leveraging Models (other than Anthropic Models) through the AWS Model Service shall comply with any acceptable use policies or codes of conduct applicable to such Models, as made available to Customer through AIP or the Documentation. Customer acknowledges that Amazon Web Services, Inc. may collect and temporarily retain pseudonymized security classifier metadata related to Customer’s use of AIP leveraging the AWS Model Service (which metadata, for the avoidance of doubt, shall not include the contents of Customer’s prompts provided to or output received from the AWS Model Service).
Google Models hosted in Google Cloud Services Environment (“Google Model Service”)	Customer’s use of AIP leveraging the Google Model Service (a) shall comply with the Google Generative AI Prohibited Use Policy (https://policies.google.com/terms/generative-ai/use-policy); (b) shall comply with the Google Cloud Platform Acceptable Use Policy (https://cloud.google.com/terms/aup); and (c) shall not reasonably be expected to lead to death, personal injury, or environmental damage, including operation of nuclear facilities, air traffic control, life support systems, or weaponry. Customer acknowledges that Google LLC may collect and temporarily retain pseudonymized security classifier metadata related to Customer’s use of AIP leveraging the Google Model Service (which metadata, for the avoidance of doubt, shall not include the contents of Customer’s prompts provided to or output received from the Google Model Service).
OpenAI Models hosted by OpenAI (“OpenAI Model Service”)	Customer’s use of AIP leveraging the OpenAI Model Service (a) shall comply with the OpenAI Usage Policies (https://openai.com/policies/usage-policies); (b) if and only as applicable, shall comply with the applicable OpenAI Service Terms (https://openai.com/policies/service-terms); (c) Customer shall only use AIP leveraging the OpenAI Model Service to (i) submit content to be summarized for pre-defined topics built into AIP and cannot use AIP as an open-ended summarizer (examples of such permitted use include but are not limited to summarization of call center transcripts, technical reports, and product reviews); (ii) analyze inputs using classification, sentiment analysis of text, or entity extraction (examples of such permitted use include but are not limited to analyzing product feedback sentiment, analyzing support calls and transcripts, and refining text-based search with embeddings; (iii) search trusted source documents such as internal Customer documentation; (iv) ask questions and receive answers from trusted source documents such as internal Customer documentation; (v) code generation or transformation scenarios (examples of such permitted use include but are not limited to converting one programming language to another, generating docstrings for functions, or converting natural language to SQL); or (vi) fine-tune Models as provided as part of AIP and the OpenAI Model Service; and (d) Customer shall not use AIP leveraging the OpenAI Model Service (i) to generate, distribute, or modify any output from the OpenAI Model Service that the Customer knew or should have known was infringing or likely to infringe a third party’s intellectual property or other proprietary rights (including if such infringement is caused by Customer’s combination of such output with third party products or services); or (ii) while disabling, ignoring, or otherwise circumventing, without authorization, any relevant citation, filtering, or safety features or restrictions provided by OpenAI applicable to the OpenAI Model Service. Customer acknowledges that OpenAI, LLC may collect and temporarily retain pseudonymized security classifier metadata related to Customer’s use of AIP leveraging the OpenAI Model Service (which metadata, for the avoidance of doubt, shall not include the contents of Customer’s prompts provided to or output received from the OpenAI Model Service).

ATHINIA TERMS OF SERVICE

1. Certain Definitions.

1.2 “Customer” means the customer identified on the Order Form who is Party to this Agreement.

1.3 “Customer Data” means any data (including aggregated or transformed versions thereof and analytical outputs), models, algorithms, analyses, transformation code or other content that is provided by, whether directly or indirectly from a third party, or created by Customer, or Users using the Service, for integration, use, or other processing in or through the Service.

1.4 “Data Connection Software” means Athinia software provided for installation locally for Customer to connect Customer Data to the Service.

1.5 “Documentation” means any technical documentation for the Service made available in connection with the Service.

1.6 “Intellectual Property Rights” means all rights, title, and interest in and to any trade secrets, patents, copyrights, service marks, trademarks, know-how, trade names, rights in trade dress and packaging, moral rights, rights of privacy, rights of publicity, and any similar rights, including any applications, continuations, or registrations with respect to the foregoing, under the laws or regulations of any governmental, regulatory, or judicial authority.

1.7 “Order Form” means an ordering document, specifying the Service and/or Professional Services (if applicable) to be provided hereunder that is entered into between Athinia and Customer, including any attachments, addenda, or exhibits thereto.

1.8 “Palantir” means Palantir Technologies Inc., a Delaware corporation.

1.9 “Athinia Technology” means the Service, Documentation, Data Connection Software, Sample Materials, models, and application programming interfaces (APIs), provided or made available to Customer as a service in connection with this Agreement, and any improvements, modifications, derivative works, patches, upgrades, and updates thereto.

1.10 “Sample Materials” means any technology and materials provided or made available by Athinia to Customer for use with the Service, including sample code, software libraries, command line tools, data integration code, templates, and configuration files.

1.11 “Service” means Athinia’s proprietary software-as-a-service offering(s) as set forth in an Order Form.

1.12 “Taxes” means any applicable sales, use, transaction, value added, goods and services tax, harmonized sales tax, withholding tax, excise or similar taxes, and any foreign, provincial, federal, state or local fees or charges, (including but not limited to, environmental or similar fees) duties, costs of compliance with export and import controls and regulations, and other governmental assessments , including any penalties and interest in respect thereof, imposed on, in respect of or otherwise associated with any transaction hereunder.

1.13 “Third Party Content” means any third party data, services, or applications that interoperate with the Service which Athinia may, at Customer’s sole discretion, facilitate the use of in connection with the Service and subject to an independent agreement between Customer and such third party.

1.14 “Third Party Services” means third party services that Athinia may use in the provision of the Service as set forth in the Documentation (or as otherwise agreed by the Parties).

2. Provision of Service.

2.1 Service Access. Athinia shall make available the Service to Customer, subject to the condition precedent set forth in Section 8.4, during the applicable Order Term solely for use by Customer and its Users in accordance with the terms and conditions of this Agreement and the Documentation for Customer’s internal business purposes or as otherwise set forth in an Order Form.

2.2 Data Connection Software License. If applicable for use of the Service, and subject to the condition precedent set forth in Section 8.4, Athinia grants to Customer during the applicable Order Term a non-exclusive, nontransferable, non-sublicenseable, limited license to use the Data Connection Software for the sole purposes of using and connecting to the Service. Customer shall allow Athinia to access the Data Connection Software remotely as necessary to provide the Service.

2.3 Sample Materials License. Athinia may make available Sample Materials for use by Customer during the Order Term. If applicable, and subject to the condition precedent set forth in Section 8.4, Athinia grants to Customer during the applicable Order Term a non-exclusive, nontransferable, non-sublicenseable, limited license, to copy, modify, and use the Sample Materials solely to the extent necessary for Customer’s use of the Service.

3. Customer Use of Service.

3.2 Data Protection. The Parties shall comply with the Athinia Data Protection Addendum (“DPA”) annexed to this Agreement. Customer shall be solely responsible for the accuracy, content, and legality of Customer Data and shall ensure that any integration of Customer Data into the Service complies with applicable laws and regulations, including but not limited to data localization requirements.

4. Proprietary Rights.

4.3 Restrictions. Customer will not (and will not allow any third party to): (a) gain or attempt to gain unauthorized access to the Service or infrastructure, or any element thereof, or circumvent or interfere with any authentication or security measures of the Service; (b) interfere with or disrupt the integrity or performance of the Service; (c) access or attempt to gain access to another customer’s data; (d) adversely impact the ability of other customers to use the Service; (e) transmit material containing software viruses or other harmful or deleterious computer code, files, scripts, agents, or programs through the Service; (f) decompile, disassemble, scan, reverse engineer, or attempt to discover any source code or underlying ideas or algorithms of any Athinia Technology (except to the extent that applicable law expressly prohibits such a reverse engineering restriction, and in such case only upon prior written notice to Athinia); (g) provide, lease, lend, use for timesharing or service bureau purposes, or otherwise use or allow others to use the Service for the benefit of any third party (except as set forth in an Order Form); (h) use the Service for any purpose that is not expressly permitted by this Agreement; (i) list or otherwise display or copy any code of any Athinia Technology, except for Sample Materials to the extent necessary for Customer’s use of the Service; (j) copy any Athinia Technology (or component thereof) or develop any improvement, modification, or derivative work thereof, except for Sample Materials to the extent necessary for Customer’s use of the Service; (k) include any portion of any Athinia Technology in any other service, equipment, or item; (l) allow the transfer, transmission (including without limitation making available on-line, electronically transmitting, or otherwise communicating, to the public), export, or re-export of any Athinia Technology (or any portion thereof) or any Athinia technical data; (m) perform penetration tests on the Service unless authorized by Athinia; (n) use, evaluate, or view the Athinia Technology for the purpose of designing, modifying, or otherwise creating any environment, software, models, algorithms, products, program, or infrastructure or any portion thereof, which performs functions similar to the functions of the Athinia Technology; or (o) remove, obscure, or alter, or otherwise violate the terms of any copyright notice, trademarks, logos, and trade names and any other notices (including third party open source or similar licenses) or identifications that appear on or in any Athinia Technology and any associated media; (p) use the Athinia Technology to engage in or advance any fraud or misrepresentation (including but not limited to providing fraudulent or misleading information in response to the Order Form); or (q) use or access the Service for the purposes of engaging in or supporting spamming activities or communications, or marketing activities or communications in violation of the Controlling the Assault of Non-Solicited Pornography and Marketing Act (15 U.S.C. § 7701 et seq.), the Telephone Consumer Protection Act (47 U.S.C. § 227), and all other applicable laws prohibiting spam or otherwise governing transmission of marketing materials and/or communications. Notwithstanding the foregoing, or any statement to the contrary herein, Third Party Content may be made available with notices and open source or similar licenses from such communities and third parties that govern the use of those portions, and Customer hereby agrees to be bound by and fully comply with all such licenses; however, the disclaimer of warranty and limitation of liability provisions in this Agreement will apply to all such Third Party Content.

6. Fees and Payment; Taxes. The Service is deemed delivered upon the provision of access to Customer or for Customer’s benefit. If there are fees set forth in an Order Form, such fees will be invoiced and payable on an annual upfront basis, or as otherwise set forth in the Order Form. All payments shall be made via wire transfer to an account designated by Athinia in the currency set forth on the corresponding invoice within thirty (30) days after the date of issuance of Athinia’s invoice. Any late payments shall be subject to a service charge equal to the lesser of 1.5% per month of the amount due or the maximum amount of interest allowed by applicable law. Unless otherwise stated in an Order Form, fees are exclusive of applicable Taxes. Customer shall be responsible for all Taxes arising under this Agreement (except taxes on or measured by the net income of Athinia) so that after payment of such Taxes the amount Athinia receives is not less than the fees set forth in the Order Form. In the event a double taxation treaty applies, which provides a zero or reduced withholding tax rate, Customer agrees (a) not to withhold taxes in case of a zero withholding tax rate or (b) to withhold at the reduced tax rate in accordance with the double taxation treaty.

7. Term and Termination.

7.3 Effect of Termination. Upon any termination or expiration of this Agreement, except as specifically set forth below, all Customer’s rights, access, and licenses granted to Athinia Technology shall immediately cease and Customer shall promptly return or destroy all Data Connection Software, Sample Materials, and Documentation, and all other Athinia Confidential Information, and, upon written request, certify its compliance with the foregoing to Athinia in writing within ten (10) days of such request. Upon termination or expiration of all Order Forms, if requested by Customer, Customer shall, subject to the terms of this Agreement, have access to the Service for thirty (30) days solely for the purpose of retrieving Customer Data. Athinia shall thereafter delete all Customer Data. Notwithstanding the foregoing, Athinia shall retain, subject to the other terms of this Agreement, and solely for security purposes, usage information and metadata related to the security of the Service, excluding Customer Data (except for security-related information such as IP addresses, usernames, log-in attempts, and search queries), for a period of two (2) years following the last event logged. No termination or expiration of this Agreement shall limit or affect rights or obligations that accrued prior to the effective date of termination or expiration (including without limitation payment obligations). Sections 1, 4, 5, 6, 7, 8, 9, 10, 11, 12, and 13 shall survive any termination or expiration of this Agreement.

8. Indemnification.

8.1 Athinia Indemnification. Athinia shall defend Customer against any claim of infringement or violation of any Intellectual Property Rights asserted against Customer by a third party based upon Customer’s use of Athinia Technology in accordance with the terms of this Agreement and indemnify and hold harmless Customer from and against reasonable costs, attorneys’ fees, and damages, if any, finally awarded against Customer pursuant to a non-appealable order by a court of competent jurisdiction in such claim or settlement entered into by Athinia. If Customer’s use of any of the Athinia Technology is, or in Athinia’s opinion is likely to be, enjoined by a court of competent jurisdiction due to the type of infringement specified above, or if required by settlement approved by Athinia in writing, Athinia may, in its sole discretion: (a) substitute substantially functionally similar products or services; (b) procure for Customer the right to continue using the Athinia Technology; or (c) if Athinia reasonably determines that options (a) and (b) are commercially impracticable, terminate this Agreement and refund to Customer a pro-rated portion of the fees paid hereunder for the terminated Athinia Technology that reflects the remaining portion of the Order Terms of any Order Forms in effect at the time of termination. The foregoing indemnification obligations of Athinia shall not apply: (i) if Athinia Technology is modified by or at the direction of Customer or Users, but only to the extent the alleged infringement would not have occurred but for such modification; (ii) if Athinia Technology is combined with non-Athinia products not authorized by Athinia, but only to the extent the alleged infringement would not have occurred but for such combination; (iii) to any unauthorized use of Athinia Technology, any use that is not consistent with the Documentation, or use during any period of suspension; (iv) to any Customer Data; or (v) to any non-Athinia products or services.

8.2 Customer Indemnification. Customer shall defend Athinia against any third party claim asserted against Athinia arising from or relating to (a) Customer’s violation of applicable law, (b) Customer Data, or (c) any Customer-offered product or service (except if such claim is attributable to the Service as offered by Athinia) and indemnify and hold harmless Athinia from and against related costs, attorneys’ fees, and damages, if any, issued by a competent authority or finally awarded pursuant to a non-appealable order.

8.4 Suspension of Services. If Athinia reasonably determines that: (a) Customer’s use of the Service violates applicable law (including but not limited to the Trade Compliance Requirements) or otherwise violates a material term of this Agreement (including Section 3.2 (Data Protection), Section 4 (Acceptable Use), Section 5.3 (Restrictions), Section 6 (Confidentiality), Section 7 (Fees and Payment), and Section 11 (Customer Warranty)); or (b) Customer’s use of the Service poses a risk of material harm to Athinia or its other customers, Athinia reserves the right to disable or suspend Customer’s access to all or any part of the Athinia Technology, subject to Athinia providing Customer notice of such suspension concurrent or prior to such suspension.

9. Athinia Warranty and Disclaimer.

9.1 Athinia Warranty. Athinia warrants that during the Term (a) the Service will be provided substantially in accordance with the applicable Documentation and (b) the Professional Services will be provided in a professional and workmanlike manner. In the event of a breach of an above warranty, Customer may give Athinia written notice of termination of this Agreement, which termination will be effective thirty (30) days after Athinia’s receipt of the notice, unless Athinia is able to remedy the breach prior to the effective date of termination. This warranty shall not apply to the extent such breach is caused by Customer Data or misuse or unauthorized modification of the Service or any Customer selected hardware used in connection with the Service. In the event of termination of this Agreement pursuant to Customer’s exercise of its right under this Section, Customer shall be entitled to receive from Athinia, as its sole and exclusive remedy, a refund of a pro-rated portion of the fees paid hereunder that reflects the remaining portion of the Order Terms of any Order Forms in effect at the time of termination.

13. Miscellaneous. Athinia shall provide the Service and Professional Services consistent with laws and regulations applicable to Athinia’s provision of such Service and Professional Services generally, including but not limited to, regarding data protection and international transfers of personal data, without regard to Customer’s specific utilization of the Service except to the extent set forth in an Order Form, and subject to Customer’s compliance with this Agreement. Except with Athinia’s prior written consent, neither this Agreement nor the access or licenses granted hereunder may be assigned, transferred, or sublicensed by Customer, including, without limitation, pursuant to a direct or indirect change of control of Customer, a merger involving Customer where Customer is not the surviving entity, or a sale of all or substantially all of the assets of Customer (collectively, a “Change of Control”); any attempt to do so shall be void. Customer must provide written notice to Athinia prior to a Change of Control, and Athinia may terminate this Agreement in the event of a Change of Control. Athinia may subcontract this Agreement or portions thereof. Any notice required or permitted hereunder shall be in writing to the parties at the addresses set forth in the applicable Order Form and if by email, notifications to Athinia shall be sent to legalnotices@Athinia.com. If any provision of this Agreement shall be adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that this Agreement shall otherwise remain in full force and effect and be enforceable. Any and all modifications, waivers or amendments must be made by mutual agreement and shall be effective only if made in writing and signed by each Party. No waiver of any breach shall be deemed a waiver of any subsequent breach. The Service is controlled under 5D002.c.1, ENC. Customer shall ensure that all exports, reexports, transfers, end-uses, and Users of the Service comply with the export and sanctions laws and regulations of the United States and other applicable jurisdictions, including without limitation those of the U.S. Bureau of Industry & Security and the Office of Foreign Assets Control. Customer represents that it is not subject to restrictions under any U.S. government restricted end user lists, and that it is not 50% or more, directly or indirectly, owned or controlled by any individuals or entities identified on such lists. Customer will immediately notify Athinia if Customer becomes subject to any such restrictions. Customer shall refrain from taking any action that causes Athinia to violate applicable export and sanctions laws and regulations. Except for the obligation to pay money, neither Party will be liable for any failure or delay under this Agreement due to any cause beyond its reasonable control, including without limitation acts of war, acts of God, earthquake, flood, embargo, riot, sabotage, labor shortage or dispute, governmental act, or failure of the Internet, telecommunications, or hosting service provider, computer attacks, or malicious acts; provided that the delayed Party: (a) gives the other Party prompt notice of such cause; and (b) uses commercially reasonable efforts promptly to correct such failure or delay in performance. Athinia has the right to immediately suspend access to the Service: (a) if Customer is in material breach of this Agreement; (b) to prevent a security incident impacting Customer, Customer Data, or the Service; or (c) if continued access would violate applicable laws or if required to do so pursuant to applicable law or regulation or requests or orders of governmental, regulatory, or judicial authorities. There are no third party beneficiaries under this Agreement, whether express or implied. For the avoidance of doubt, nothing in this Agreement shall be construed to create a joint venture, employment, partnership, strategic alliance, formal alliance, or strategic partnership relationship between the Parties. This Agreement is the complete and exclusive statement of the mutual understanding of the Parties and supersedes and cancels all previous written and oral agreements and communications relating to the subject matter of this Agreement. In the event of a conflict between these Terms of Service and any Order Forms or exhibit, the terms of such Order Form or exhibit will prevail. Athinia is in no way affiliated with, or endorsed or sponsored by, The Saul Zaentz Company d.b.a. Tolkien Enterprises or the Estate of J.R.R. Tolkien .

Version

Effective March 30th 2026

ATHINIA DATA PROTECTION ADDENDUM (“DPA”)

Customer and Athinia Technologies LLC (“Athinia” each of Customer and Athinia a “Party” and collectively the “Parties”), have entered into an agreement (including the Athinia Order Form and the Athinia Terms of Service) governing Customer’s use of Athinia Technology, including the Service, and the provision of related Professional Services to Customer by Athinia, including any attachments, order forms, exhibits, and appendices thereto (collectively, the “Agreement”). This DPA supplements, is incorporated into, and forms part of the Agreement and establishes the rights and obligations of Athinia and Customer with respect to any Customer Personal Data Processed by Athinia on behalf of Customer under the Agreement. Any capitalized terms used but not defined in this DPA shall have the meaning provided in the Agreement. To the extent there is any conflict in meaning between any provisions of the Agreement and this DPA, the terms and conditions in this DPA shall prevail and control.

Definitions

1.1 The following capitalized terms will have the meanings indicated below:
- “Adequate Country” means a country or territory outside of the EEA that the European Commission has deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance with Article 45(1) of the EU GDPR, or country or territory having equivalent status under the UK GDPR (as applicable);
- “Affiliate” means an entity that, directly or indirectly, owns or controls or is owned or controlled by, or is under common ownership or control with, a Party. As used herein, “control” means the power to direct, directly or indirectly, the management or affairs of an entity and “ownership” means the beneficial ownership of at least 50% of the voting equity securities or other equivalent voting interests of an entity. Affiliate shall include, without being limited to, all entities listed in Exhibit A, Part II, of the present DPA.
- “Customer Personal Data” means any Personal Data contained within Customer Data subject to Data Protection Laws that Customer, including Users, provides or makes available to Athinia in connection with the Agreement;
- “Data Incident” means any breach of Athinia’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed or otherwise controlled by Athinia.
- “Data Protection Laws” means all laws and regulations regarding data protection and privacy to the extent applicable to the Processing of Customer Personal Data by Athinia under the Agreement, such as:
  - California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”);
  - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“EU GDPR”);
  - The EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 (“UK GDPR”); and
  - The Switzerland Federal Data Protection act of 19 June 1992 as replaced and/or updated from time to time (“FDP”).
- “DPA Effective Date” means the Effective Date of the Athinia Order Form.
- “EEA” means the European Economic Area.
- “European Data Protection Law” means, as applicable, the GDPR and/or the FDP.
- “GDPR” means, as applicable, the EU GDPR and/or the UK GDPR.
- “International Transfer Solution” means appropriate safeguards established by Athinia in relation to the transfer of Personal Data from the EEA or the UK to a country or territory outside of the EEA or the UK (respectively) that is not an Adequate Country (a “Third Country”) in accordance with Article 46 of the GDPR.
- “Security Documentation” means the Documentation describing the security standards that apply to the Service as provided by or on behalf of Athinia from time to time.
- “Sell” has the meaning set forth in the CCPA, Cal. Civ. Code § 1798.100 et seq.
- “Service” means Athinia’s proprietary software-as-a-service offering(s) as set forth in the Agreement.
- “Standard Contractual Clauses” means the standard data protection clauses for the transfer of Personal Data from Controllers (or Processors, as applicable) established inside the EEA or the UK to Processors established in Third Countries, as adopted by the European Commission from time to time (in the case of transfers from the EEA), as adopted by the Swiss Federal Data Protection and Information Commissioner from time to time (in the case of transfers from Switzerland) or approved by the Information Commissioner’s Office from time to time (in the case of transfers from the UK).
- “Subprocessor” means a third-party, Third Party Service, or Athinia's Affiliate engaged by or on behalf of Athinia to Process Customer Personal Data in connection with the Agreement.
- “Supervisory Authority” means, as applicable: (a) a “supervisory authority” as defined in the EU GDPR; and/or (b) the “Commissioner” as defined in the UK GDPR.
- “UK” means the United Kingdom.
1.2 The terms “Personal Data”, “Process” (and its derivatives being construed accordingly), “Controller”, “Processor”, “Representative”, “Data Protection Officer”, “Data Subject” and “Consent” shall each have the meanings as set out in the GDPR.

Term

2.1 This DPA will take effect from the DPA Effective Date and remain in effect until the destruction or return of all Customer Personal Data by Athinia in accordance with the Agreement, at which point it will automatically terminate.

Application of Data protection laws

3.1 Except to the extent this DPA specifies otherwise, the terms of this DPA shall apply to the Processing of Customer Personal Data whether or not European Data Protection Law applies.
3.2 The Parties agree that European Data Protection Law will apply to the Processing of Customer Personal Data including to the extent that:
- (a) the Processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA and/or the UK; and/or
- (b) the Customer Personal Data relates to Data Subjects who are in the EEA and/or the UK and the Processing relates to the offering to them of goods or services in the EEA and/or the UK, or the monitoring of their behavior in the EEA and/or the UK.
3.3 Subject to Section 4.5, if Data Protection Laws other than European Data Protection Laws apply to the Processing of Customer Personal Data hereunder, Customer shall ensure that Customer Instructions identify, and are in accordance with, and the Parties will comply with, the requirements applicable under such Data Protection Laws.

Controller and Processor Obligations

4.1 As between the Parties, Customer shall be liable and responsible as the Controller (or Processor, if Customer is Processing third party Personal Data with the Service) and Athinia shall be liable and responsible as the Processor (or Subprocessor), in respect of Customer Personal Data. The subject matter and details of Processing are as described in the Agreement and this DPA, including Exhibit B (Subject Matter and Details of Customer Personal Data Processing). In the event that Customer acts as a Processor (or Subprocessor) in respect of Customer Personal Data, Customer represents and warrants to Athinia that it is validly authorized by the relevant Controller to enter into the Agreement and this DPA and to provide Customer Instructions (as defined below) on behalf of the Controller in relation to Customer Personal Data. The Service provides Customer with a number of controls, including security features and functionalities, that Customer may use to retrieve, correct, delete or restrict Customer Data (including Customer Personal Data) as described in the Documentation. Customer may use these controls as technical and organisational measures to assist it in connection with its obligations under Data Protection Laws, including its obligations relating to responding to requests from Data Subjects.
4.2 Customer instructs Athinia to Process Customer Personal Data: (a) to provide the Service specified in the Agreement and Documentation or otherwise perform its obligations thereunder; (b) as further initiated by Customer via Customer’s or Users use of the Service in accordance with the Agreement and Documentation; and/or (c) for any additional instruction outside the scope of the Agreement or this DPA, as further documented in any other written instructions given by Customer and acknowledged by Athinia as constituting instructions for purposes of this DPA (collectively, “Customer Instructions”). Customer Instructions which have a material impact on the cost and/or structure of the provision of the Service and/or Professional Services shall be set out in the Agreement. Customer may elect to implement certain technical and organisational measures in relation to Customer Data (including Customer Personal Data) Processed via the Services as described in the Documentation.
4.3 Athinia shall:
- (a) designate and maintain a Data Protection Officer and a data protection team that meets the requirements of the GDPR as it pertains to Processors, which can be contacted at privacy@athinia.com;
- (b) not Sell Customer Personal Data or otherwise Process Customer Personal Data for any purpose other than for the fulfillment of Customer Instructions, unless obligated to do otherwise by applicable law or regulation or requests or orders of judicial, governmental or regulatory entities (including without limitation subpoenas), in which case Athinia will inform Customer of that legal requirement before the Processing occurs unless legally prohibited from doing so;
- (c) implement appropriate technical and organisational measures as described in the Security Documentation to ensure a level of security appropriate to the risk against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons; and
- (d) ensure that all persons authorized by Athinia to Process Customer Personal Data, including any Subprocessors (as defined above and further listed below), are bound by confidentiality obligations consistent with those set out in this DPA, the Agreement or otherwise sufficient to meet the requirements of Data Protection Laws.
4.4 Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data, the means by which it acquires and uses Customer Personal Data, and for Customer Instructions regarding the Processing of Customer Personal Data. Customer represents and warrants that it has provided (or procured the provision of) all notifications and obtained (or procured the provision of) all consents (including Consents), authorisations, approvals, and/or agreements (including, where Customer is a Processor or Subprocessor, with and from the applicable Controller(s)) required under applicable laws or policies in order to enable Athinia to receive and Process Customer Personal Data in accordance with this DPA, the Agreement and Customer Instructions.
4.5 Customer shall instruct Athinia as to the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects taking into account the specific tasks and responsibilities of the Processor in the context of the Processing to be carried out and the risk to the rights and freedoms of the Data Subject as part of Customer Instructions. Notwithstanding anything to the contrary herein, Customer shall ensure that its acts or omissions, including in relation to any Customer Instructions to Athinia, do not put Athinia in breach of the Data Protection Laws.

Subprocessors

5.1 Customer specifically authorizes the engagement as Subprocessors of (a) the entities listed in Exhibit A hereto; and (b) all Athinia Affiliates from time to time, provided that, prior to permitting such Subprocessors to Process any Customer Personal Data, Athinia shall enter into a written agreement with the Subprocessor imposing terms that are consistent with those set out in this DPA or otherwise sufficient to meet the requirements of Data Protection Laws.
5.2 Subject to Section 5.3, Customer generally authorizes Athinia to engage additional Subprocessors (“Additional Subprocessors”), provided that, prior to permitting such Additional Subprocessor to Process any Customer Personal Data, Athinia shall enter into a written agreement with the Additional Subprocessor imposing terms that are consistent with those set out in this DPA or otherwise sufficient to meet the requirements of Data Protection Laws.
5.3 Should Athinia engage an Additional Subprocessor, it shall provide Customer with no less than 30 days’ notice, including the identity, location, and nature of Processing proposed to be undertaken by such Additional Subprocessor. Customer may, within 60 days of such notification, object to Processing of Customer Personal Data by such Additional Subprocessor by providing written notice to Athinia.
5.4 To the extent required by Data Protection Law, Athinia shall remain liable to Customer for the performance of the Subprocessor’s obligations in relation to this Section 5 (“Subprocessor Data Protection Liability”), and shall be permitted to re-perform or to procure the re-performance of any such obligations and Customer acknowledges that such re-performance shall diminish any claim that Customer has against Athinia in respect of any Subprocessor Data Protection Liability.

Audit

6.1 Athinia relies on its main Affiliate, Palantir Technologies Inc. (“Palantir”), for the provision of certain of the Services. Palantir uses third party auditors to verify the adequacy of its security measures. This audit is performed at least annually, by independent and reputable third-party auditors at Athinia’s selection and expense, and according to Service Organization Controls 2 (SOC2) or substantially equivalent industry standards, and results in the generation of an audit report (“Report”) which will be the Confidential Information of Athinia and Palantir.
6.2 At Customer’s written request, Athinia will provide Customer with a confidential summary of the above Report, documentation evidencing compliance with the Accreditations, and the Accountability Information outlined in Section 7 of this DPA so that Customer can reasonably verify Palantir’s compliance with the data security and data protection obligations under this DPA. Subject to Section 6.3, if Data Protection Laws, Standard Contractual Clauses, or the Agreement require Athinia to provide Customer with access to Palantir’s facilities or information in addition to the Report and the Accountability Information, then Athinia shall permit Customer to audit Palantir’s compliance with the terms and conditions of this DPA as it applies to Customer Personal Data to the extent expressly required by the Agreement, the Standard Contractual Clauses, or Data Protection Laws.
6.3 In order to request an audit of Palantir’s facilities under this Section 6 (and where such an audit is authorized), Customer shall notify Athinia and the Parties shall agree, as soon as reasonably possible but always in advance, the reasonable dates, duration and scope of the audit, the identity and qualifications of the auditor, the costs, and any security and confidentiality controls required for access to the information or Processes in scope of such audit. Athinia may object to any external auditor if, in Athinia’s reasonable opinion, the auditor is not qualified, does not have appropriate security controls to ensure Athinia’s and Palantir’s Confidential Information is suitably protected, is a competitor to Athinia or Palantir or its suppliers, or is not independent. If Athinia objects to the identity or qualifications of any proposed auditor, Athinia shall provide reasons for such objection and Customer will be required to propose an alternate auditor. The scope of any audit under this Section 6 shall be limited to Palantir systems and facilities used to Process Customer Personal Data and Documentation directly related to such Processing.
6.4 All information provided or made available to Customer pursuant to this Section 6 shall be Confidential Information of Athinia and Palantir.

Dealings with supervisory authorities AND DATA PROTECTION IMPACT ASSESSMENTS

7.1 Athinia shall reasonably cooperate, on reasonable request and at Customer’s cost, with any Supervisory Authority in the performance of its tasks, taking into account the nature of the Processing by, and information available to, Athinia.
7.2 Taking into account the nature of the Service and the information available to Athinia, Athinia will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR, by providing the Report, Accountability Information and Documentation.

Accountability

8.1 To the extent required by Data Protection Laws, Athinia shall maintain electronic records of all categories of Processing activities carried out on behalf of Customer, containing:
- (a) the name and contact details of the Processors and Subprocessors;
- (b) details of the types of Processing being carried out;
- (c) details of any transfers of Customer Personal Data to a territory or international organisation outside of the EEA or UK, and documentation of suitable safeguards (if applicable); and
- (d) a general description of the technical and organisational security measures used in relation to the Processing, together, the “Accountability Information”.
8.2 On reasonable written request from Customer, Athinia shall provide the Accountability Information to Customer. Such records shall be Confidential Information of Athinia.

Data subject Rights

9.1 Where Athinia directly receives requests from any Data Subjects, or anyone acting on their behalf, to exercise their rights under Data Protection Laws, including to withdraw any Consent (“Data Subject Request”), or to make any claim or complaint in relation to their rights under the Data Protection Laws, and provided Athinia can reasonably identify from the information provided that the request, claim or complaint relates to Customer and Customer Personal Data, then unless prohibited by applicable law, Athinia shall forward the request, claim or complaint to Customer.
9.2 On reasonable written request from Customer, and taking into account the nature of the Processing, Athinia shall use commercially reasonable efforts to offers Customer certain controls as described in Sections 4.1, 4.2, and the Documentation that Customer may elect to use to comply with its obligations towards Data Subjects.

DATA Incident

10.1 Athinia shall notify Customer without undue delay after becoming aware of a Data Incident. For avoidance of doubt, a Data Incident shall not include acts or omissions which do not breach Athinia’s security or the security of any Subprocessor; port scans, authorized penetration tests, and denial of service attacks; or any access to or Processing of Customer Personal Data that is consistent with Customer Instructions.
10.2 Athinia shall provide Customer with reasonable cooperation and assistance in dealing with a Data Incident, in particular in relation to (a) taking commercially reasonable steps to resolve any data privacy or security issues involving any Customer Personal Data; and (b) making any appropriate notifications to individuals affected by the Data Incident or to a Supervisory Authority to the extent reasonably possible; provided that, Customer shall maintain and follow an effective cyber incident response policy, which shall include the use of legal professional, litigation, or client attorney privilege, work in good faith with Athinia in relation to the Data Incident, and agree with Athinia the form and method of any public announcement in relation to the Data Incident.
10.3 Any information provided by Athinia pursuant to this Section 10 shall be the Confidential Information of Athinia and Athinia’s notification of or response to a Data Incident under this Section 10 will not be construed as an acknowledgement by Athinia or, if relevant, its Subprocessors of any fault or liability with respect to the performance of any Service or Professional Services (as applicable).

Data TRAnsfers

11.1 Athinia may Process Customer Personal Data in countries outside of the EEA in which Athinia or its Subprocessors maintains facilities or infrastructure.
11.2 Unless clause 11.3 applies, if the Processing of Customer Personal Data involves transfers of Customer Personal Data by or on behalf of Customer from the EEA, Switzerland or the UK to Athinia (or any other Athinia entity) in any Third Country, and European Data Protection Law applies to such transfers, then the transfers will be subject to the Standard Contractual Clauses between Customer and Athinia which,
- (a) in the case of transfers from the EEA, are hereby incorporated into this DPA as attached in Annexes 1 and 2 to Exhibit C, as applicable, and with the inclusions specified in Exhibit C,
- (b) in the case of transfers from Switzerland, are hereby incorporated into this DPA by reference with the inclusions as specified in Exhibit C (including Annex 1 and 2 to Exhibit C) in the locations that are most closely equivalent to those in Exhibit C (including Annex 1 and 2 to Exhibit C) and such other inclusions as are necessary to give effect to the Standard Contractual Clauses in such manner as is most closely equivalent to the Standard Contractual Clauses in Annexes 1 and 2 to Exhibit C,
- (c) in the case of transfers from the UK, are hereby incorporated into this DPA by reference with the inclusions as specified in Exhibit C (including Annex 1 and 2 to Exhibit C) in the locations that are most closely equivalent to those in Exhibit C (including Annex 1 and 2 to Exhibit C) and such other inclusions as are necessary to give effect to the Standard Contractual Clauses in such manner as is most closely equivalent to the Standard Contractual Clauses in Annexes 1 and 2 to Exhibit C, and Athinia will comply with its obligations as an importer under those clauses in respect of those transfers, provided that when Athinia does have an International Transfer Solution in place, such Standard Contractual Clauses shall automatically terminate. In the event of a conflict between the Agreement, this DPA, and the Standard Contractual Clauses, the latter in each case shall prevail.
11.3 If the Processing of Customer Personal Data involves transfers of Customer Personal Data by or on behalf of Athinia from the EEA, Switzerland or the UK to any Third Country, and European Data Protection Law applies to such transfers, then Athinia shall ensure an International Transfer Solution is put in place in respect of such transfer.
11.4 Nothing in this DPA or the Agreement modifies any rights or obligations of Athinia or Customer under the Standard Contractual Clauses.

Liability

12.1 Subject to 12.2, the total combined liability of either Party and its Affiliates towards the other Party and its Affiliates under or in connection with the Agreement and the Standard Contractual Clauses combined will be the liability cap, and subject to the liability limitations, set forth in the Agreement for the relevant Party.
12.2 Nothing in this DPA serves to modify, disapply or amend the terms of the Agreement relating to liability, including but not limited to any exclusions and/or limitations of liability.

Governing law and jurisdiction

13.1 The Parties shall modify the terms of this DPA as soon as possible if such modification is required for the parties to comply with any Data Protection Laws, or in order to implement or adhere to the Standard Contractual Clauses or such other permitted compliance mechanism under Data Protection Laws.
13.2 This DPA, and any dispute or claim (including any non-contractual disputes or claims) arising out of or in connection with it, or its subject matter or formation, shall be governed by and construed in accordance with the laws that govern the Agreement. If it is or becomes a requirement that, under the Data Protection Laws or other applicable laws, this DPA must be governed by (a) the laws of a member state of the European Union (and it is not already so governed), this DPA shall be governed by and construed in accordance with the laws of Ireland; and/or (b) the laws of the United Kingdom, this DPA shall be governed by and construed in accordance with the laws of England and Wales, to the extent required to satisfy such laws.

EXHIBIT A

LIST OF APPROVED SUBPROCESSORS

Part I - Subprocessors

To perform its obligations under the Athinia Terms of Service and Athinia DPA (or the alternative written agreement between Customer and Athinia, if applicable), Athinia Technologies LLC and its Affiliates may use third-party data processors (“Third-Party Subprocessors”) and Athinia Affiliates to process Customer Personal Data. Capitalized terms used but not defined here shall have the meanings provided in the Agreement.

The following third parties are hereby specifically authorized by Customer to carry out work as Third-Party Subprocessors for purposes of the Agreement.

Authorized Third-Party Subprocessors
Subprocessor	Purpose	Registered Address	Location	Transfer Mechanism
Amazon Web Services, Inc.	Cloud hosting and infrastructure, alerting and encrypted notification services and AI services.	410 Terry Avenue North, Seattle, WA 98109 USA	As selected by Customer in the Order Form or, as applicable, other parts of the Agreement	Standard Contractual Clauses
Microsoft Corporation	Cloud hosting and infrastructure and AI services (Microsoft Azure).	One Microsoft Way Redmond, WA 98052 USA	The location for the purpose of providing the cloud hosting service is as selected by Customer in the Order Form or, as applicable, other parts of the Agreement. The location for the purpose of providing the AI service is East US, South Central US, West Europe and other Azure regions as they become available.	Standard Contractual Clauses
Google LLC	Cloud hosting and infrastructure (Google Cloud Platform) and AI services.	1600 Amphitheatre Parkway Mountain View, CA 94043 USA	The location for the purpose of providing the cloud hosting service is as selected by Customer in the Order Form or, as applicable, other parts of the Agreement. The location for the purpose of providing the AI services are all regions available for features of Generative AI on Google Vertex AI and other regions as they become available.	Standard Contractual Clauses
Proofpoint, Inc.	Alerting and encrypted notification service.	892 Ross Drive, Sunnyvale, CA 94089 USA	As selected by Customer in the Order Form or, as applicable, other parts of the Agreement	Standard Contractual Clauses
Microsoft Corporation	User authentication as an identity provider (where selected as chosen identity provider by Customer).	One Microsoft Way Redmond, WA 98052, USA	United States	Standard Contractual Clauses
OpenAI LLC	AI services.	3180 18th Street, San Francisco, CA 94110 USA	The location for the purpose of providing the AI service can be the United States and other regions as they become available.	Standard Contractual Clauses
X.AI LLC	AI services.	1450 Page Mill Rd. Palo Alto, CA 94034 USA	The location for the purpose of providing the AI service can be the United States and other regions as they become available.	Standard Contractual Clauses
Oracle America, Inc.	Cloud hosting and infrastructure.	500 Oracle Parkway, Redwood Shores, CA 94065 USA	As selected by Customer in the Order Form or, as applicable, other parts of the Agreement.	Standard Contractual Clauses
Anthropic, PBC	AI Services	548 Market Street, PMB 90375, San Francisco, CA 94104-5401	The location for the purpose of providing the AI service can be the United States and other regions as they become available.	Standard Contractual Clauses

PART II – Athinia Affiliates

Provided that an adequate level of data protection consistent with the Data Protection Laws and this Agreement is ensured by Athinia, Customer specifically authorizes Athinia Affiliates as listed below to act as Athinia’s Subprocessor(s) including by Processing Customer Personal Data for the purposes of the Agreement for the delivery of Service and/or Professional Services to Customer. Where required, Athinia and its respective Affiliate have entered into the Standard Contractual Clauses. Such Processing, where applicable, shall occur under the control and direction of Athinia and shall occur on systems managed or otherwise controlled by Athinia.

Athinia Affiliates
Subprocessor	Purpose	Registered Address	Location	Transfer Mechanism
Palantir Technologies Inc.	Providing the Service and Professional Services to Customer	1200 17th Street, Floor 15, Denver, CO 80202 USA	United States	Standard Contractual Clauses
EMD Digital Technologies Inc.	Providing the Service and Professional Services to Customer	400 Summit Dr. Burlington, MA 01803 USA	United States	Standard Contractual Clauses

EXHIBIT B

Subject Matter and Details of Customer Personal Data Processing

Categories of Data Subject Whose Personal Data May be Subject to Processing

Data Subjects include the individuals about whom Personal Data is provided to Athinia via the Service (as applicable) or otherwise by (or at the direction of) Customer or Customer’s Users.

Categories of Customer Personal Data

Customer Personal Data provided to Athinia for Processing (including via the Service) by or at the direction of Customer or Customer’s Users.

Subject Matter of Processing

Athinia’s provision of the Service and Professional Services and performance of its obligations under the Agreement.

Nature and Purpose of Processing

Athinia will Process Customer Personal Data in accordance with the terms of this DPA for the purpose of providing the Service and Professional Services to Customer, or as otherwise compelled by applicable law.

Duration of Processing

Continuous for duration of the Agreement, plus the period from the expiry of the Agreement until the return or deletion of all Customer Personal Data by Athinia in accordance with the Agreement (including this DPA), Customer Instructions and applicable law.

Subject matter, nature and duration of processing by sub-processors

As set out in Exhibit A. The duration of sub-processing is as set out immediately above.

EXHIBIT C

Additions to the Standard Contractual Clauses

Each Party agrees to abide by and transfer Customer Personal Data subject to European Data Protection Law solely in accordance with the Standard Contractual Clauses, which are incorporated into this DPA. Each Party is deemed to have executed the Standard Contractual Clauses by entering into this DPA.

The Module 2 (Controller to Processor) terms, as provided below in Annex 1 to Exhibit C, shall apply to the extent Customer is a Controller of Customer Personal Data. The Module 3 (Processor to Processor) terms, as provided below in Annex 2 to Exhibit C, shall apply to the extent Customer is a Processor (or subprocessor) of Customer Personal Data. For both Module 2 and Module 3 of the Standard Contractual Clauses, the election of specific terms and/or addition of required information shall apply as follows:

(a) The applicable wording for Clause 13(a) of the Standard Contractual Clauses (as determined by the instructions in square brackets in the Standard Contractual Clauses) is retained and the two remaining alternatives are deleted;
(b) details of Subprocessors the data importer intends to engage as set out in Exhibit A to this Agreement are the “agreed list” of Subprocessors referred to in Clause 9(a) of the Standard Contractual Clauses.

ANNEX 1 TO EXHIBIT C

STANDARD CONTRACTUAL CLAUSES

Module 2: Controller to Processor

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (^[1]) for the transfer of data to a third country.

(b) The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);
(iii) Clause 9(a), (c), (d) and (e);
(iv) Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

[intentionally left blank]

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (^[2]) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a) OPTION 2 GENERAL WRITTEN AUTHORISATION: The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 14 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. (^[3]) The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

(a) [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards (^[4]);
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

Clause 18

Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of Ireland.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name: Name of Customer as stated in the Agreement.

Address: Address of Customer as stated in the Agreement.

Contact person’s name, position and contact details: Point of contact for Customer as stated in the Agreement.

Activities relevant to the data transferred under these Clauses: Customer under the Agreement

Role (controller/processor): Controller

Data importer(s):

Name: Name of Athinia as stated in the Agreement.

Address: Address of Athinia as stated in the Agreement.

Contact person’s name, position and contact details: Data Protection Officer, privacy@syntropy.com

Activities relevant to the data transferred under these Clauses: Supplier under the Agreement

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

As described under "Categories of Data Subject Whose Personal Data May be Subject to Processing" in Exhibit B.

Categories of personal data transferred

As described under "Categories of Customer Personal Data" in Exhibit B.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health data, data concerning a natural person's sex life or sexual orientation to the extent that Customer Personal Data includes such sensitive data and is provided to Athinia for Processing (including via the Service) by or at the direction of Customer or Customer’s Users. In that case Customer shall clearly identify such sensitive data to Athinia in writing before providing such sensitive data. The applied safeguards and restrictions are described in Annex II.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

On a continuous basis.

Nature of the processing

As described under "Nature and Purpose of Processing" in Exhibit B.

Purpose(s) of the data transfer and further processing

As described under "Nature and Purpose of Processing" in Exhibit B.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

As described under "Duration of Processing" in Exhibit B.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As described under "Subject matter, nature and duration of processing by sub-processors" in Exhibit B.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The supervisory authority as determined in accordance with Clause 13 and as further specified at https://edpb.europa.eu/about-edpb/about-edpb/members_en (as updated from time to time).

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

The security features and functionalities available to Customer described in clause 4.1 of the DPA, as further documented in the Security Documentation, and the technical and organisational measures described in clause 4.3(c) of the DPA.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

The controls available to Customer described in clause 4.1 of the DPA, as further documented in the Security Documentation.

ANNEX 2 TO EXHIBIT C

STANDARD CONTRACTUAL CLAUSES

Module 3: Processor to Processor

SECTION I

Clause 1

Purpose and scope

(b) The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g);
(iii) Clause 9(a), (c), (d) and (e);
(iv) Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

[Intentionally left blank]

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

8.1 Instructions

(a) The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.

(b) The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.

(c) The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.

(d) The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter ().

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.

8.4 Accuracy

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (^[6]) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.

(c) The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.

(d) The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.

(e) Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.

(f) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(g) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a) OPTION 2 GENERAL WRITTEN AUTHORISATION: The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 14 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. (^[7]) The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

Clause 10

Data subject rights

(a) The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.

(b) The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.

Clause 11

Redress

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards (^[8]);
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation, if appropriate in consultation with the controller. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the controller or the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

The data exporter shall forward the notification to the controller.

15.2 Review of legality and data minimization

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority and the controller of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

Clause 17

Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

Clause 18

Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of Ireland.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name: Name of Customer as stated in the Agreement.

Address: Address of Customer as stated in the Agreement.

Contact person’s name, position and contact details: Point of contact for Customer as stated in the Agreement.

Activities relevant to the data transferred under these Clauses: Customer under the Agreement

Role (controller/processor): Processor

Data importer(s):

Name: Name of Athinia as stated in the Agreement.

Address: Address of Athinia as stated in the Agreement.

Contact person’s name, position and contact details: Data Protection Officer, dpo@athinia.com

Activities relevant to the data transferred under these Clauses: Supplier under the Agreement

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

As described under "Categories of Data Subject Whose Personal Data May be Subject to Processing" in Exhibit B.

Categories of personal data transferred

As described under "Categories of Customer Personal Data" in Exhibit B.

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health data, data concerning a natural person's sex life or sexual orientation to the extent that Customer Personal Data includes such sensitive data and is provided to Athinia for Processing (including via the Service) by or at the direction of Customer or Customer’s Users. In that case, Customer shall clearly identify such sensitive data to Athinia in writing before providing such sensitive data. The applied safeguards and restrictions are described in Annex II.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

On a continuous basis.

Nature of the processing

As described under "Nature and Purpose of Processing" in Exhibit B.

Purpose(s) of the data transfer and further processing

As described under "Nature and Purpose of Processing" in Exhibit B.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

As described under "Duration of Processing" in Exhibit B.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As described under "Subject matter, nature and duration of processing by sub-processors" in Exhibit B.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The supervisory authority as determined in accordance with Clause 13 and as further specified at https://edpb.europa.eu/about-edpb/about-edpb/members_en (as updated from time to time).

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The controls available to Customer described in clause 4.1 of the DPA, as further documented in the Security Documentation.

FOOTNOTES

[1] Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.

[2] The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.

[3] This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.

[4] As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.

[5] Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.

[6] The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.

[7] This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.

[8] As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.

ATHINIA DATA PROTECTION ADDENDUM (“DPA”)

Customer and Athinia Technologies LLC (“Athinia”; each of Customer and Athinia a “Party” and collectively the “Parties”), have entered into an agreement (including the Athinia Order Form and the Athinia Terms of Service) governing Customer’s use of Athinia Technology, including the Service, and the provision of related Professional Services to Customer by Athinia, including any attachments, order forms, exhibits, and appendices thereto (collectively, the “Agreement”). This DPA supplements, is incorporated into, and forms part of the Agreement and establishes the rights and obligations of Athinia and Customer with respect to any Customer Personal Data Processed by Athinia on behalf of Customer under the Agreement. Any capitalized terms used but not defined in this DPA shall have the meaning provided in the Agreement. To the extent there is any conflict in meaning between any provisions of the Agreement and this DPA, the terms and conditions in this DPA shall prevail and control.

1. DEFINITIONS

1.1 The following capitalized terms will have the meanings indicated below:

“Adequate Country” means a country or territory outside of the EEA that the European Commission has deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance with Article 45(1) of the EU GDPR, or country or territory having equivalent status under the UK GDPR (as applicable);
“Affiliate” means an entity that, directly or indirectly, owns or controls or is owned or controlled by, or is under common ownership or control with, a Party. As used herein, “control” means the power to direct, directly or indirectly, the management or affairs of an entity and “ownership” means the beneficial ownership of at least 50% of the voting equity securities or other equivalent voting interests of an entity. Affiliate shall include, without being limited to, all entities listed in Exhibit A, Part II, of the present DPA.
“Customer Personal Data” means any Personal Data contained within Customer Data subject to Data Protection Laws that Customer, including Users, provides or makes available to Athinia in connection with the Agreement;
“Data Incident” means any breach of Athinia’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed or otherwise controlled by Athinia.
“Data Protection Laws” means all laws and regulations regarding data protection and privacy to the extent applicable to the Processing of Customer Personal Data by Athinia under the Agreement, such as:
- California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”);
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“EU GDPR”);
- The EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 (“UK GDPR”); and
- The Switzerland Federal Data Protection act of 19 June 1992 as replaced and/or updated from time to time (“FDP”).
“DPA Effective Date” means the Effective Date of the Athinia Order Form.
“EEA” means the European Economic Area.
“European Data Protection Law” means, as applicable, the GDPR and/or the FDP.
“GDPR” means, as applicable, the EU GDPR and/or the UK GDPR.
“International Transfer Solution” means appropriate safeguards established by Athinia in relation to the transfer of Personal Data from the EEA or the UK to a country or territory outside of the EEA or the UK (respectively) that is not an Adequate Country (a “Third Country”) in accordance with Article 46 of the GDPR.
“Security Documentation” means the Documentation describing the security standards that apply to the Service as provided by or on behalf of Athinia from time to time.
“Sell” has the meaning set forth in the CCPA, Cal. Civ. Code § 1798.100 et seq.
“Service” means Palantir’s proprietary software-as-a-service offering(s) as set forth in the Agreement.
“Standard Contractual Clauses” means the standard data protection clauses for the transfer of Personal Data from Controllers (or Processors, as applicable) established inside the EEA or the UK to Processors established in Third Countries, as adopted by the European Commission from time to time (in the case of transfers from the EEA), as adopted by the Swiss Federal Data Protection and Information Commissioner from time to time (in the case of transfers from Switzerland) or approved by the Information Commissioner’s Office from time to time (in the case of transfers from the UK).
“Subprocessor” means a third-party, Third Party Service, or Athinia's Affiliate engaged by or on behalf of Athinia to Process Customer Personal Data in connection with the Agreement.
“Supervisory Authority” means, as applicable: (a) a “supervisory authority” as defined in the EU GDPR; and/or (b) the “Commissioner” as defined in the UK GDPR.
“UK” means the United Kingdom.

1.2 The terms “Personal Data”, “Process” (and its derivatives being construed accordingly), “Controller”, “Processor”, “Representative”, “Data Protection Officer”, “Data Subject” and “Consent” shall each have the meanings as set out in the GDPR.

2. TERM

2.1 This DPA will take effect from the DPA Effective Date and remain in effect until the destruction or return of all Customer Personal Data by Athinia in accordance with the Agreement, at which point it will automatically terminate.

3. APPLICATION OF DATA PROTECTION LAWS

3.1 Except to the extent this DPA specifies otherwise, the terms of this DPA shall apply to the Processing of Customer Personal Data whether or not European Data Protection Law applies.

3.2 The Parties agree that European Data Protection Law will apply to the Processing of Customer Personal Data including to the extent that:

(a) the Processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA and/or the UK; and/or

(b) the Customer Personal Data relates to Data Subjects who are in the EEA and/or the UK and the Processing relates to the offering to them of goods or services in the EEA and/or the UK, or the monitoring of their behavior in the EEA and/or the UK.

3.3 Subject to Section 4.5, if Data Protection Laws other than European Data Protection Laws apply to the Processing of Customer Personal Data hereunder, Customer shall ensure that Customer Instructions identify, and are in accordance with, and the Parties will comply with, the requirements applicable under such Data Protection Laws.

4. CONTROLLER AND PROCESSOR OBLIGATIONS

4.1 As between the Parties, Customer shall be liable and responsible as the Controller (or Processor, if Customer is Processing third party Personal Data with the Service) and Athinia shall be liable and responsible as the Processor (or Subprocessor), in respect of Customer Personal Data. The subject matter and details of Processing are as described in the Agreement and this DPA, including Exhibit B (Subject Matter and Details of Customer Personal Data Processing). In the event that Customer acts as a Processor (or Subprocessor) in respect of Customer Personal Data, Customer represents and warrants to Athinia that it is validly authorized by the relevant Controller to enter into the Agreement and this DPA and to provide Customer Instructions (as defined below) on behalf of the Controller in relation to Customer Personal Data. The Service provides Customer with a number of controls, including security features and functionalities, that Customer may use to retrieve, correct, delete or restrict Customer Data (including Customer Personal Data) as described in the Documentation. Customer may use these controls as technical and organisational measures to assist it in connection with its obligations under Data Protection Laws, including its obligations relating to responding to requests from Data Subjects.

4.2 Customer instructs Athinia to Process Customer Personal Data: (a) to provide the Service specified in the Agreement and Documentation or otherwise perform its obligations thereunder; (b) as further initiated by Customer via Customer’s or Users use of the Service in accordance with the Agreement and Documentation; and/or (c) for any additional instruction outside the scope of the Agreement or this DPA, as further documented in any other written instructions given by Customer and acknowledged by Athinia as constituting instructions for purposes of this DPA (collectively, “Customer Instructions”). Customer Instructions which have a material impact on the cost and/or structure of the provision of the Service and/or Professional Services shall be set out in the Agreement. Customer may elect to implement certain technical and organisational measures in relation to Customer Data (including Customer Personal Data) Processed via the Services as described in the Documentation.

4.3 Athinia shall:

(a) designate and maintain a Data Protection Officer and a data protection team that meets the requirements of the GDPR as it pertains to Processors, which can be contacted at privacy@athinia.com;

(b) not Sell Customer Personal Data or otherwise Process Customer Personal Data for any purpose other than for the fulfillment of Customer Instructions, unless obligated to do otherwise by applicable law or regulation or requests or orders of judicial, governmental or regulatory entities (including without limitation subpoenas), in which case Athinia will inform Customer of that legal requirement before the Processing occurs unless legally prohibited from doing so;

(c) implement appropriate technical and organisational measures as described in the Security Documentation to ensure a level of security appropriate to the risk against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons; and

(d) ensure that all persons authorized by Athinia to Process Customer Personal Data, including any Subprocessors (as defined above and further listed below), are bound by confidentiality obligations consistent with those set out in this DPA, the Agreement or otherwise sufficient to meet the requirements of Data Protection Laws.

4.4 Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data, the means by which it acquires and uses Customer Personal Data, and for Customer Instructions regarding the Processing of Customer Personal Data. Customer represents and warrants that it has provided (or procured the provision of) all notifications and obtained (or procured the provision of) all consents (including Consents), authorisations, approvals, and/or agreements (including, where Customer is a Processor or Subprocessor, with and from the applicable Controller(s)) required under applicable laws or policies in order to enable Athinia to receive and Process Customer Personal Data in accordance with this DPA, the Agreement and Customer Instructions.

4.5 Customer shall instruct Athinia as to the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects taking into account the specific tasks and responsibilities of the Processor in the context of the Processing to be carried out and the risk to the rights and freedoms of the Data Subject as part of Customer Instructions. Notwithstanding anything to the contrary herein, Customer shall ensure that its acts or omissions, including in relation to any Customer Instructions to Athinia, do not put Athinia in breach of the Data Protection Laws.

5. SUBPROCESSORS

5.1 Customer specifically authorizes the engagement as Subprocessors of (a) the entities listed in Exhibit A hereto; and (b) all Athinia Affiliates from time to time, provided that, prior to permitting such Subprocessors to Process any Customer Personal Data, Athinia shall enter into a written agreement with the Subprocessor imposing terms that are consistent with those set out in this DPA or otherwise sufficient to meet the requirements of Data Protection Laws.

5.2 Subject to Section 5.3, Customer generally authorizes Athinia to engage additional Subprocessors (“Additional Subprocessors”), provided that, prior to permitting such Additional Subprocessor to Process any Customer Personal Data, Athinia shall enter into a written agreement with the Additional Subprocessor imposing terms that are consistent with those set out in this DPA or otherwise sufficient to meet the requirements of Data Protection Laws.

5.3 Should Athinia engage an Additional Subprocessor, it shall provide Customer with no less than 30 days’ notice, including the identity, location, and nature of Processing proposed to be undertaken by such Additional Subprocessor. Customer may, within 60 days of such notification, object to Processing of Customer Personal Data by such Additional Subprocessor by providing written notice to Athinia.

5.4 To the extent required by Data Protection Law, Athinia shall remain liable to Customer for the performance of the Subprocessor’s obligations in relation to this Section 5 (“Subprocessor Data Protection Liability”), and shall be permitted to re-perform or to procure the re-performance of any such obligations and Customer acknowledges that such re-performance shall diminish any claim that Customer has against Athinia in respect of any Subprocessor Data Protection Liability.

6. AUDIT

6.1 Athinia relies on its main Affiliate, Palantir Technologies Inc. (“Palantir”), for the provision of certain of the Services. Palantir uses third party auditors to verify the adequacy of its security measures. This audit is performed at least annually, by independent and reputable third-party auditors at Athinia’s selection and expense, and according to Service Organization Controls 2 (SOC2) or substantially equivalent industry standards, and results in the generation of an audit report (“Report”) which will be the Confidential Information of Athinia and Palantir.

6.2 At Customer’s written request, Athinia will provide Customer with a confidential summary of the above Report, documentation evidencing compliance with the Accreditations, and the Accountability Information outlined in Section 7 of this DPA so that Customer can reasonably verify Palantir’s compliance with the data security and data protection obligations under this DPA. Subject to Section 6.3, if Data Protection Laws, Standard Contractual Clauses, or the Agreement require Athinia to provide Customer with access to Palantir’s facilities or information in addition to the Report and the Accountability Information, then Athinia shall permit Customer to audit Palantir’s compliance with the terms and conditions of this DPA as it applies to Customer Personal Data to the extent expressly required by the Agreement, the Standard Contractual Clauses, or Data Protection Laws.

6.3 In order to request an audit of Palantir’s facilities under this Section 6 (and where such an audit is authorized), Customer shall notify Athinia and the Parties shall agree, as soon as reasonably possible but always in advance, the reasonable dates, duration and scope of the audit, the identity and qualifications of the auditor, the costs, and any security and confidentiality controls required for access to the information or Processes in scope of such audit. Athinia may object to any external auditor if, in Athinia’s reasonable opinion, the auditor is not qualified, does not have appropriate security controls to ensure Athinia’s and Palantir’s Confidential Information is suitably protected, is a competitor to Athinia or Palantir or its suppliers, or is not independent. If Athinia objects to the identity or qualifications of any proposed auditor, Athinia shall provide reasons for such objection and Customer will be required to propose an alternate auditor. The scope of any audit under this Section 6 shall be limited to Palantir systems and facilities used to Process Customer Personal Data and Documentation directly related to such Processing.

6.4 All information provided or made available to Customer pursuant to this Section 6 shall be Confidential Information of Athinia and Palantir.

7. DEALINGS WITH SUPERVISORY AUTHORITIES AND DATA PROTECTION IMPACT ASSESSMENTS

7.1 Athinia shall reasonably cooperate, on reasonable request and at Customer’s cost, with any Supervisory Authority in the performance of its tasks, taking into account the nature of the Processing by, and information available to, Athinia.

7.2 Taking into account the nature of the Service and the information available to Athinia, Athinia will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR, by providing the Report, Accountability Information and Documentation.

8. ACCOUNTABILITY

8.1 To the extent required by Data Protection Laws, Athinia shall maintain electronic records of all categories of Processing activities carried out on behalf of Customer, containing:

(a) the name and contact details of the Processors and Subprocessors;

(b) details of the types of Processing being carried out;

(c) details of any transfers of Customer Personal Data to a territory or international organisation outside of the EEA or UK, and documentation of suitable safeguards (if applicable); and

(d) a general description of the technical and organisational security measures used in relation to the Processing, together, the “Accountability Information”.

8.2 On reasonable written request from Customer, Athinia shall provide the Accountability Information to Customer. Such records shall be Confidential Information of Athinia.

9. DATA SUBJECT RIGHTS

9.1 Where Athinia directly receives requests from any Data Subjects, or anyone acting on their behalf, to exercise their rights under Data Protection Laws, including to withdraw any Consent (“Data Subject Request”), or to make any claim or complaint in relation to their rights under the Data Protection Laws, and provided Athinia can reasonably identify from the information provided that the request, claim or complaint relates to Customer and Customer Personal Data, then unless prohibited by applicable law, Athinia shall forward the request, claim or complaint to Customer.

9.2 On reasonable written request from Customer, and taking into account the nature of the Processing, Athinia shall use commercially reasonable efforts to offers Customer certain controls as described in Sections 4.1, 4.2, and the Documentation that Customer may elect to use to comply with its obligations towards Data Subjects.

10. DATA INCIDENT

10.1 Athinia shall notify Customer without undue delay after becoming aware of a Data Incident. For avoidance of doubt, a Data Incident shall not include acts or omissions which do not breach Athinia’s security or the security of any Subprocessor; port scans, authorized penetration tests, and denial of service attacks; or any access to or Processing of Customer Personal Data that is consistent with Customer Instructions.

10.2 Athinia shall provide Customer with reasonable cooperation and assistance in dealing with a Data Incident, in particular in relation to (a) taking commercially reasonable steps to resolve any data privacy or security issues involving any Customer Personal Data; and (b) making any appropriate notifications to individuals affected by the Data Incident or to a Supervisory Authority to the extent reasonably possible; provided that, Customer shall maintain and follow an effective cyber incident response policy, which shall include the use of legal professional, litigation, or client attorney privilege, work in good faith with Athinia in relation to the Data Incident, and agree with Athinia the form and method of any public announcement in relation to the Data Incident.

10.3 Any information provided by Athinia pursuant to this Section 10 shall be the Confidential Information of Athinia and Athinia’s notification of or response to a Data Incident under this Section 10 will not be construed as an acknowledgement by Athinia or, if relevant, its Subprocessors of any fault or liability with respect to the performance of any Service or Professional Services (as applicable).

11. DATA TRANSFERS

11.1 Athinia may Process Customer Personal Data in countries outside of the EEA in which Athinia or its Subprocessors maintains facilities or infrastructure.

11.2 Unless clause 11.3 applies, if the Processing of Customer Personal Data involves transfers of Customer Personal Data by or on behalf of Customer from the EEA, Switzerland or the UK to Athinia (or any other Athinia entity) in any Third Country, and European Data Protection Law applies to such transfers, then the transfers will be subject to the Standard Contractual Clauses between Customer and Athinia which,

(a) in the case of transfers from the EEA, are hereby incorporated into this DPA as attached in Annexes 1 and 2 to Exhibit C, as applicable, and with the inclusions specified in Exhibit C,

(b) in the case of transfers from Switzerland, are hereby incorporated into this DPA by reference with the inclusions as specified in Exhibit C (including Annex 1 and 2 to Exhibit C) in the locations that are most closely equivalent to those in Exhibit C (including Annex 1 and 2 to Exhibit C) and such other inclusions as are necessary to give effect to the Standard Contractual Clauses in such manner as is most closely equivalent to the Standard Contractual Clauses in Annexes 1 and 2 to Exhibit C,

(c) in the case of transfers from the UK, are hereby incorporated into this DPA by reference with the inclusions as specified in Exhibit C (including Annex 1 and 2 to Exhibit C) in the locations that are most closely equivalent to those in Exhibit C (including Annex 1 and 2 to Exhibit C) and such other inclusions as are necessary to give effect to the Standard Contractual Clauses in such manner as is most closely equivalent to the Standard Contractual Clauses in Annexes 1 and 2 to Exhibit C,

and Athinia will comply with its obligations as an importer under those clauses in respect of those transfers, provided that when Athinia does have an International Transfer Solution in place, such Standard Contractual Clauses shall automatically terminate. In the event of a conflict between the Agreement, this DPA, and the Standard Contractual Clauses, the latter in each case shall prevail.

11.3 If the Processing of Customer Personal Data involves transfers of Customer Personal Data by or on behalf of Athinia from the EEA, Switzerland or the UK to any Third Country, and European Data Protection Law applies to such transfers, then Athinia shall ensure an International Transfer Solution is put in place in respect of such transfer.

11.4 Nothing in this DPA or the Agreement modifies any rights or obligations of Athinia or Customer under the Standard Contractual Clauses.

12. LIABILITY

12.1 Subject to 12.2, the total combined liability of either Party and its Affiliates towards the other Party and its Affiliates under or in connection with the Agreement and the Standard Contractual Clauses combined will be the liability cap, and subject to the liability limitations, set forth in the Agreement for the relevant Party.

12.2 Nothing in this DPA serves to modify, disapply or amend the terms of the Agreement relating to liability, including but not limited to any exclusions and/or limitations of liability.

13. GOVERNING LAW AND JURISDICTION

13.1 The Parties shall modify the terms of this DPA as soon as possible if such modification is required for the parties to comply with any Data Protection Laws, or in order to implement or adhere to the Standard Contractual Clauses or such other permitted compliance mechanism under Data Protection Laws.

13.2 This DPA, and any dispute or claim (including any non-contractual disputes or claims) arising out of or in connection with it, or its subject matter or formation, shall be governed by and construed in accordance with the laws that govern the Agreement. If it is or becomes a requirement that, under the Data Protection Laws or other applicable laws, this DPA must be governed by (a) the laws of a member state of the European Union (and it is not already so governed), this DPA shall be governed by and construed in accordance with the laws of Ireland; and/or (b) the laws of the United Kingdom, this DPA shall be governed by and construed in accordance with the laws of England and Wales, to the extent required to satisfy such laws.

EXHIBIT A

LIST OF APPROVED SUBPROCESSORS

Part I - Subprocessors

The following third parties are hereby specifically authorized by Customer to carry out work as Third-Party Subprocessors for purposes of the Agreement.

Authorized Third-Party Subprocessors
Subprocessor	Purpose	Registered Address	Location	Transfer Mechanism
Amazon Web Services, Inc.	Cloud hosting and infrastructure, alerting and encrypted notification services and AI services	410 Terry Avenue North, Seattle, WA 98109, USA	As selected by Customer in the Order Form or, as applicable, other parts of the Agreement	Standard Contractual Clauses
Microsoft Corporation	Cloud hosting and infrastructure and AI services (Microsoft Azure)	One Microsoft Way Redmond, WA 98052, USA	The location for the purpose of providing the cloud hosting service is as selected by Customer in the Order Form or, as applicable, other parts of the Agreement. The location for the purpose of providing the AI service is East US, South Central US, West Europe and other Azure regions as they become available.	Standard Contractual Clauses
Google LLC	Cloud hosting and infrastructure (Google Cloud Platform) and AI services	1600 Amphitheatre Parkway Mountain View, CA 94043, USA	As selected by Customer in the Order Form or, as applicable, other parts of the Agreement	Standard Contractual Clauses
Proofpoint, Inc.	Alerting and encrypted notification service	892 Ross Drive, Sunnyvale, CA 94089, USA	As selected by Customer in the Order Form or, as applicable, other parts of the Agreement	Standard Contractual Clauses
Microsoft Corporation	User authentication as an identity provider (where selected as chosen identity provider by Customer).	One Microsoft Way Redmond, WA 98052, USA	United States	Standard Contractual Clauses

PART II – Athinia Affiliates

Athinia Affiliates
Subprocessor	Purpose	Registered Address	Location	Transfer Mechanism
Palantir Technologies Inc.	Providing the Service and Professional Services to Customer	1200 17th Street, Floor 15, Denver, CO 80202, USA	United States	Standard Contractual Clauses
EMD Digital Technologies Inc.	Providing the Service and Professional Services to Customer	400 Summit Dr. Burlington, 01803, MA USA	United States	Standard Contractual Clauses

EXHIBIT B

Subject Matter and Details of Customer Personal Data Processing

Categories of Data Subject Whose Personal Data May be Subject to Processing

Data Subjects include the individuals about whom Personal Data is provided to Athinia via the Service (as applicable) or otherwise by (or at the direction of) Customer or Customer’s Users.

Categories of Customer Personal Data

Customer Personal Data provided to Athinia for Processing (including via the Service) by or at the direction of Customer or Customer’s Users.

Subject Matter of Processing

Athinia’s provision of the Service and Professional Services and performance of its obligations under the Agreement.

Nature and Purpose of Processing

Duration of Processing

Subject matter, nature and duration of processing by sub-processors

As set out in Exhibit A. The duration of sub-processing is as set out immediately above.

EXHIBIT C

Additions to the Standard Contractual Clauses

(a) The applicable wording for Clause 13(a) of the Standard Contractual Clauses (as determined by the instructions in square brackets in the Standard Contractual Clauses) is retained and the two remaining alternatives are deleted;

(b) details of Subprocessors the data importer intends to engage as set out in Exhibit A to this Agreement are the “agreed list” of Subprocessors referred to in Clause 9(a) of the Standard Contractual Clauses.

ANNEX 1 TO EXHIBIT C

STANDARD CONTRACTUAL CLAUSES

Module 2: Controller to Processor

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (^[1]) for the transfer of data to a third country.

(b) The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);

(iii) Clause 9(a), (c), (d) and (e);

(iv) Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18(a) and (b).

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

[intentionally left blank]

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

8.1 Instructions

(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency

8.4 Accuracy

8.5 Duration of processing and erasure or return of data

8.6 Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (^[²^]) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a) OPTION 2 GENERAL WRITTEN AUTHORISATION: The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 14 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. (^[3]) The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

(a) [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards (^[⁴^]);

(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

Clause 18

Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of Ireland.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name: Name of Customer as stated in the Agreement.

Address: Address of Customer as stated in the Agreement.

Contact person’s name, position and contact details: Point of contact for Customer as stated in the Agreement.

Activities relevant to the data transferred under these Clauses: Customer under the Agreement

Role (controller/processor): Controller

Data importer(s):

Name: Name of Athinia as stated in the Agreement.

Address: Address of Athinia as stated in the Agreement.

Contact person’s name, position and contact details: Data Protection Officer, dpo@athinia.com

Activities relevant to the data transferred under these Clauses: Supplier under the Agreement

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

As described under "Categories of Data Subject Whose Personal Data May be Subject to Processing" in Exhibit B.

Categories of personal data transferred

As described under "Categories of Customer Personal Data" in Exhibit B.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

On a continuous basis.

Nature of the processing

As described under "Nature and Purpose of Processing" in Exhibit B.

Purpose(s) of the data transfer and further processing

As described under "Nature and Purpose of Processing" in Exhibit B.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

As described under "Duration of Processing" in Exhibit B.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As described under "Subject matter, nature and duration of processing by sub-processors" in Exhibit B.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The supervisory authority as determined in accordance with Clause 13 and as further specified at https://edpb.europa.eu/about-edpb/about-edpb/members_en (as updated from time to time).

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

The controls available to Customer described in clause 4.1 of the DPA, as further documented in the Security Documentation.

ANNEX 2 TO EXHIBIT C

STANDARD CONTRACTUAL CLAUSES

Module 3: Processor to Processor

SECTION I

Clause 1

Purpose and scope

(b) The Parties:

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g);

(iii) Clause 9(a), (c), (d) and (e);

(iv) Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18(a) and (b).

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

[Intentionally left blank]

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

8.1 Instructions

(a) The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.

(b) The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.

(c) The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.

(d) The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter [1].

8.2 Purpose limitation

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.

8.4 Accuracy

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

8.8 Onward transfers

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.

(c)The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.

(d) The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.

(e) Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.

(f) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(g) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a) OPTION 2 GENERAL WRITTEN AUTHORISATION: The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 14 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. (^[7]) The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

Clause 10

Data subject rights

(a) The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.

(b) The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.

Clause 11

Redress

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation, if appropriate in consultation with the controller. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the controller or the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

The data exporter shall forward the notification to the controller.

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

15.2 Review of legality and data minimization

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

Clause 17

Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

Clause 18

Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of Ireland.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name: Name of Customer as stated in the Agreement.

Address: Address of Customer as stated in the Agreement.

Contact person’s name, position and contact details: Point of contact for Customer as stated in the Agreement.

Activities relevant to the data transferred under these Clauses: Customer under the Agreement

Role (controller/processor): Processor

Data importer(s):

Name: Name of Athinia as stated in the Agreement.

Address: Address of Athinia as stated in the Agreement.

Contact person’s name, position and contact details: Data Protection Officer, dpo@athinia.com

Activities relevant to the data transferred under these Clauses: Supplier under the Agreement

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

As described under "Categories of Data Subject Whose Personal Data May be Subject to Processing" in Exhibit B.

Categories of personal data transferred

As described under "Categories of Customer Personal Data" in Exhibit B.

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health data, data concerning a natural person's sex life or sexual orientation to the extent that Customer Personal Data includes such sensitive data and is provided to Athinia for Processing (including via the Service) by or at the direction of Customer or Customer’s Users. In that case, Customer shall clearly identify such sensitive data to Athinia in writing before providing such sensitive data. The applied safeguards and restrictions are described in Annex II.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

On a continuous basis.

Nature of the processing

As described under "Nature and Purpose of Processing" in Exhibit B.

Purpose(s) of the data transfer and further processing

As described under "Nature and Purpose of Processing" in Exhibit B.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

As described under "Duration of Processing" in Exhibit B.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As described under "Subject matter, nature and duration of processing by sub-processors" in Exhibit B.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The supervisory authority as determined in accordance with Clause 13 and as further specified at https://edpb.europa.eu/about-edpb/about-edpb/members_en (as updated from time to time).

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The controls available to Customer described in clause 4.1 of the DPA, as further documented in the Security Documentation.

FOOTNOTES

Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915. ↑
The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses. ↑
This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7. ↑
As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies. ↑
Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915. ↑
The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses. ↑
This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7. ↑
As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies. ↑

ATHINIA DATA PROTECTION ADDENDUM (“DPA”)

1. DEFINITIONS

1.1 The following capitalized terms will have the meanings indicated below:

“Adequate Country” means a country or territory outside of the EEA that the European Commission has deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance with Article 45(1) of the EU GDPR, or country or territory having equivalent status under the UK GDPR (as applicable);
“Affiliate” means an entity that, directly or indirectly, owns or controls or is owned or controlled by, or is under common ownership or control with, a Party. As used herein, “control” means the power to direct, directly or indirectly, the management or affairs of an entity and “ownership” means the beneficial ownership of at least fifty percent of the voting equity securities or other equivalent voting interests of an entity. Affiliate shall include, without being limited to, all entities listed in Exhibit A, Part II, of the present DPA.
“Customer Personal Data” means any Personal Data contained within Customer Data subject to Data Protection Laws that Customer, including Users, provides or makes available to Athinia in connection with the Agreement;
“Data Incident” means any breach of Athinia’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed or otherwise controlled by Athinia.
“Data Protection Laws” means all laws and regulations regarding data protection and privacy to the extent applicable to the Processing of Customer Personal Data by Athinia under the Agreement, such as:
- California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”);
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“EU GDPR”);
- The EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 (“UK GDPR”); and
- The Switzerland Federal Data Protection act of 19 June 1992 as replaced and/or updated from time to time (“FDP”).
“DPA Effective Date” means the Effective Date of the Athinia Order Form.
“EEA” means the European Economic Area.
“European Data Protection Law” means, as applicable, the GDPR and/or the FDP.
“GDPR” means, as applicable, the EU GDPR and/or the UK GDPR.
“International Transfer Solution” means appropriate safeguards established by Athinia in relation to the transfer of Personal Data from the EEA or the UK to a country or territory outside of the EEA or the UK (respectively) that is not an Adequate Country (a “Third Country”) in accordance with Article 46 of the GDPR.
“Security Documentation” means the Documentation describing the security standards that apply to the Service as provided by or on behalf of Athinia from time to time.
“Sell” has the meaning set forth in the CCPA, Cal. Civ. Code § 1798.100 et seq.
“Service” means Palantir’s proprietary software-as-a-service offering(s) as set forth in the Agreement.
“Standard Contractual Clauses” means the standard data protection clauses for the transfer of Personal Data from Controllers (or Processors, as applicable) established inside the EEA or the UK to Processors established in Third Countries, as adopted by the European Commission from time to time (in the case of transfers from the EEA), as adopted by the Swiss Federal Data Protection and Information Commissioner from time to time (in the case of transfers from Switzerland) or approved by the Information Commissioner’s Office from time to time (in the case of transfers from the UK).
“Subprocessor” means a third-party, Third Party Service, or Athinia's Affiliate engaged by or on behalf of Athinia to Process Customer Personal Data in connection with the Agreement.
“Supervisory Authority” means, as applicable: (a) a “supervisory authority” as defined in the EU GDPR; and/or (b) the “Commissioner” as defined in the UK GDPR.
“UK” means the United Kingdom.

2. TERM

3. APPLICATION OF DATA PROTECTION LAWS

3.1 Except to the extent this DPA specifies otherwise, the terms of this DPA shall apply to the Processing of Customer Personal Data whether or not European Data Protection Law applies.

3.2 The Parties agree that European Data Protection Law will apply to the Processing of Customer Personal Data including to the extent that:

(a) the Processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA and/or the UK; and/or

4. CONTROLLER AND PROCESSOR OBLIGATIONS

4.3 Athinia shall:

(a) designate and maintain a Data Protection Officer and a data protection team that meets the requirements of the GDPR as it pertains to Processors, which can be contacted at privacy@athinia.com;

5. SUBPROCESSORS

6. AUDIT

6.4 All information provided or made available to Customer pursuant to this Section 6 shall be Confidential Information of Athinia and Palantir.

7. DEALINGS WITH SUPERVISORY AUTHORITIES AND DATA PROTECTION IMPACT ASSESSMENTS

8. ACCOUNTABILITY

8.1 To the extent required by Data Protection Laws, Athinia shall maintain electronic records of all categories of Processing activities carried out on behalf of Customer, containing:

(a) the name and contact details of the Processors and Subprocessors;

(b) details of the types of Processing being carried out;

(c) details of any transfers of Customer Personal Data to a territory or international organisation outside of the EEA or UK, and documentation of suitable safeguards (if applicable); and

(d) a general description of the technical and organisational security measures used in relation to the Processing, together, the “Accountability Information”.

8.2 On reasonable written request from Customer, Athinia shall provide the Accountability Information to Customer. Such records shall be Confidential Information of Athinia.

9. DATA SUBJECT RIGHTS

10. DATA INCIDENT

11. DATA TRANSFERS

11.1 Athinia may Process Customer Personal Data in countries outside of the EEA in which Athinia or its Subprocessors maintains facilities or infrastructure.

(a) in the case of transfers from the EEA, are hereby incorporated into this DPA as attached in Annexes 1 and 2 to Exhibit C, as applicable, and with the inclusions specified in Exhibit C,

11.4 Nothing in this DPA or the Agreement modifies any rights or obligations of Athinia or Customer under the Standard Contractual Clauses.

12. LIABILITY

12.2 Nothing in this DPA serves to modify, disapply or amend the terms of the Agreement relating to liability, including but not limited to any exclusions and/or limitations of liability.

13. GOVERNING LAW AND JURISDICTION

EXHIBIT A

LIST OF APPROVED SUBPROCESSORS

Part I - Subprocessors

The following third parties are hereby specifically authorized by Customer to carry out work as Third-Party Subprocessors for purposes of the Agreement.

Authorized Third-Party Subprocessors
Subprocessor	Purpose	Registered Address	Location	Transfer Mechanism
Amazon Web Services, Inc.	Cloud hosting and infrastructure	410 Terry Avenue North, Seattle, WA 98109, USA	As selected by Customer in the Order Form or, as applicable, other parts of the Agreement	Standard Contractual Clauses
Microsoft Corporation	Cloud hosting and infrastructure (Microsoft Azure) and	One Microsoft Way Redmond, WA 98052, USA	As selected by Customer in the Order Form or, as applicable, other parts of the Agreement	Standard Contractual Clauses
Google LLC	Cloud hosting and infrastructure (Google Cloud Platform)	1600 Amphitheatre Parkway Mountain View, CA 94043, USA	As selected by Customer in the Order Form or, as applicable, other parts of the Agreement	Standard Contractual Clauses
Proofpoint, Inc.	Alerting and encrypted notification service	892 Ross Drive, Sunnyvale, CA 94089, USA	As selected by Customer in the Order Form or, as applicable, other parts of the Agreement	Standard Contractual Clauses
Microsoft Corporation	User authentication as an identity provider (where selected as chosen identity provider by Customer).	One Microsoft Way Redmond, WA 98052, USA	United States	Standard Contractual Clauses

PART II – Athinia Affiliates

Athinia Affiliates
Subprocessor	Purpose	Registered Address	Location	Transfer Mechanism
Palantir Technologies Inc.	Providing the Service and Professional Services to Customer	1555 Blake Street Suite 250 Denver, CO 80202, USA	United States	Standard Contractual Clauses
EMD Digital Technologies Inc.	Providing the Service and Professional Services to Customer	400 Summit Dr. Burlington, 01803, MA USA	United States	Standard Contractual Clauses

EXHIBIT B

Subject Matter and Details of Customer Personal Data Processing

Categories of Data Subject Whose Personal Data May be Subject to Processing

Data Subjects include the individuals about whom Personal Data is provided to Athinia via the Service (as applicable) or otherwise by (or at the direction of) Customer or Customer’s Users.

Categories of Customer Personal Data

Customer Personal Data provided to Athinia for Processing (including via the Service) by or at the direction of Customer or Customer’s Users.

Subject Matter of Processing

Athinia’s provision of the Service and Professional Services and performance of its obligations under the Agreement.

Nature and Purpose of Processing

Duration of Processing

Subject matter, nature and duration of processing by sub-processors

As set out in Exhibit A. The duration of sub-processing is as set out immediately above.

EXHIBIT C

Additions to the Standard Contractual Clauses

ANNEX 1 TO EXHIBIT C

STANDARD CONTRACTUAL CLAUSES

Module 2: Controller to Processor

SECTION I

Clause 1

Purpose and scope

(b) The Parties:

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);

(iii) Clause 9(a), (c), (d) and (e);

(iv) Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18(a) and (b).

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

[intentionally left blank]

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

8.1 Instructions

(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency

8.4 Accuracy

8.5 Duration of processing and erasure or return of data

8.6 Security of processing

8.7 Sensitive data

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (^[²^]) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

Clause 10

Data subject rights

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

15.2 Review of legality and data minimisation

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

Clause 17

Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

Clause 18

Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of Ireland.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name: Name of Customer as stated in the Agreement.

Address: Address of Customer as stated in the Agreement.

Contact person’s name, position and contact details: Point of contact for Customer as stated in the Agreement.

Activities relevant to the data transferred under these Clauses: Customer under the Agreement

Role (controller/processor): Controller

Data importer(s):

Name: Name of Athinia as stated in the Agreement.

Address: Address of Athinia as stated in the Agreement.

Contact person’s name, position and contact details: Data Protection Officer, dpo@athinia.com

Activities relevant to the data transferred under these Clauses: Supplier under the Agreement

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

As described under "Categories of Data Subject Whose Personal Data May be Subject to Processing" in Exhibit B.

Categories of personal data transferred

As described under "Categories of Customer Personal Data" in Exhibit B.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

On a continuous basis.

Nature of the processing

As described under "Nature and Purpose of Processing" in Exhibit B.

Purpose(s) of the data transfer and further processing

As described under "Nature and Purpose of Processing" in Exhibit B.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

As described under "Duration of Processing" in Exhibit B.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As described under "Subject matter, nature and duration of processing by sub-processors" in Exhibit B.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The supervisory authority as determined in accordance with Clause 13 and as further specified at https://edpb.europa.eu/about-edpb/about-edpb/members_en (as updated from time to time).

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The controls available to Customer described in clause 4.1 of the DPA, as further documented in the Security Documentation.

ANNEX 2 TO EXHIBIT C

STANDARD CONTRACTUAL CLAUSES

Module 3: Processor to Processor

SECTION I

Clause 1

Purpose and scope

(b) The Parties:

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g);

(iii) Clause 9(a), (c), (d) and (e);

(iv) Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18(a) and (b).

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

[Intentionally left blank]

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

8.1 Instructions

8.2 Purpose limitation

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.

8.4 Accuracy

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

8.8 Onward transfers

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.

(e) Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.

(g) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

Clause 10

Data subject rights

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.

Clause 11

Redress

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation, if appropriate in consultation with the controller. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the controller or the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

The data exporter shall forward the notification to the controller.

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

15.2 Review of legality and data minimization

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

Clause 17

Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

Clause 18

Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of Ireland.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

Name: Name of Customer as stated in the Agreement.

Address: Address of Customer as stated in the Agreement.

Contact person’s name, position and contact details: Point of contact for Customer as stated in the Agreement.

Activities relevant to the data transferred under these Clauses: Customer under the Agreement

Role (controller/processor): Processor

Data importer(s):

Name: Name of Athinia as stated in the Agreement.

Address: Address of Athinia as stated in the Agreement.

Contact person’s name, position and contact details: Data Protection Officer, dpo@athinia.com

Activities relevant to the data transferred under these Clauses: Supplier under the Agreement

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

As described under "Categories of Data Subject Whose Personal Data May be Subject to Processing" in Exhibit B.

Categories of personal data transferred

As described under "Categories of Customer Personal Data" in Exhibit B.

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health data, data concerning a natural person's sex life or sexual orientation to the extent that Customer Personal Data includes such sensitive data and is provided to Athinia for Processing (including via the Service) by or at the direction of Customer or Customer’s Users. In that case, Customer shall clearly identify such sensitive data to Athinia in writing before providing such sensitive data. The applied safeguards and restrictions are described in Annex II.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

On a continuous basis.

Nature of the processing

As described under "Nature and Purpose of Processing" in Exhibit B.

Purpose(s) of the data transfer and further processing

As described under "Nature and Purpose of Processing" in Exhibit B.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

As described under "Duration of Processing" in Exhibit B.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As described under "Subject matter, nature and duration of processing by sub-processors" in Exhibit B.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The supervisory authority as determined in accordance with Clause 13 and as further specified at https://edpb.europa.eu/about-edpb/about-edpb/members_en (as updated from time to time).

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The controls available to Customer described in clause 4.1 of the DPA, as further documented in the Security Documentation.

FOOTNOTES

Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915. ↑
The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses. ↑
This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7. ↑
As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies. ↑
Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915. ↑
The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses. ↑
This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7. ↑
As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies. ↑