# Data Processing Agreement

This Data Processing Agreement regulates data processing on behalf of the Client by **Do Lean IT OÜ, Lõõtsa tn 5, 11415 Tallinn, Estonia** as a Contractor. It is part of the Main Contract on the provision of the **eTWI System** Software (aka “Software”) to the Client named in the respective order. It is an essential part of the contract between the parties and becomes incorporated into the contract between the parties by reference.

### 1. Preamble

1. The Contractor provides a software platform for creation, management and use of digital work instructions. The parties have concluded a contract which includes the processing of personal data by the Contractor on behalf of the Client ("Main Contract").
2. This Data Processing Agreement ("DPA") specifies, as part of the Main Contract, the obligations of both parties to comply with the applicable data protection law, in particular the requirements of the EU Data Protection Regulation ("GDPR").

### 2. Scope

1. The Contractor processes personal data on behalf of the Client. The subject-matter of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects are specified in the Main Contract and in **Appendix 1**. The term of this DPA shall depend on the term of the Main Contract.

### 3. Instructions

1. The Contractor may only process personal data within the scope of the order and the documented instructions of the Client. The instructions shall initially be set out in the Main Contract and may subsequently be amended, supplemented or replaced by the Client in text form. Verbal instructions must be confirmed immediately by the Client in text form.
2. If the Contractor is obliged to process personal data in accordance with the law of the Union or the Member State to which the Contractor is subject, the Contractor shall inform the Client thereof in writing prior to such processing, unless the law prohibits such information for important reasons of public interest. In the latter case, the Contractor shall inform the Client without delay as soon as legally possible.
3. The Contractor shall inform the Client without delay if it believes that an instruction violates applicable laws. The Contractor may suspend the implementation of the instruction until it has been confirmed or amended by the Client.

### 4. Technical and Organizational Measures

1. The Contractor undertakes towards the Client to comply with the technical and organizational measures required to comply with the applicable data protection regulations. This includes in particular the requirements of Art. 32 GDPR.
2. The status of the technical and organizational measures existing at the time of conclusion of the contract is documented in **Appendix 2**. The parties agree that changes to the technical and organizational measures may be necessary to adapt to technical and legal conditions. The Contractor reserves the right to change the security measures taken, but it must be ensured that they do not fall below the contractually agreed level of protection. The Client may request an up-to-date overview of the technical and organizational measures taken by the Contractor at any time.

### 5. Data Subject Rights

1. The Contractor shall, taking into account the nature of the processing, assist the Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR (in particular access, rectification, restriction of processing, erasure and other rights under Chapter III GDPR). To the extent that the assistance of the Contractor is necessary for the protection of rights of data subjects by the Client, the Contractor shall take the necessary measures according to the instructions of the Client.
2. The Contractor may only provide information to third parties or to data subjects with the prior consent of the Client. It shall forward requests addressed directly to the Contractor to the Client without undue delay.

### 6. Other Obligations of the Contractor

1. The Contractor shall notify the Client without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Client and, where feasible, within 48 hours.
2. The Contractor shall support the Client in preparing and updating the records of processing activities regarding the data processing performed by the Contractor on behalf of the Client, and, if necessary, in carrying out a data protection impact assessment. All necessary information and documentation must be made available to the Client immediately upon request.
3. If the Client is subject to an audit by a supervisory authority or other parties or if a data subject requests to exercise their rights against the Client, the Contractor undertakes to support the Client to the necessary extent insofar as the personal data processed on behalf of the Client is affected.
4. Personnel engaged by the Contractor in the processing have committed themselves in writing to confidentiality, have been made familiar with the relevant provisions of all relevant data protection laws and are continuously appropriately instructed and monitored with regard to the fulfillment of data protection requirements.
5. The Contractor shall support the Client in complying with the obligations set out in Articles 32 to 36 GDPR, taking into account the type of processing and the information available to the Contractor.
6. The Client may contact the Contractor regarding data protection matters at <admin@etwi.io> or another privacy contact address designated by the Contractor from time to time.

### 7. Rights and Obligations of the Client

1. The Client shall be responsible for assessing the lawfulness of the data processing and for safeguarding the rights of data subjects.
2. The Client may, upon at least thirty (30) days’ prior written notice and no more than once per calendar year, unless required by law or triggered by a documented Personal Data Breach or a binding request of a supervisory authority, audit the Contractor’s compliance with this DPA through documentation review, questionnaires, certifications and, where reasonably necessary and proportionate, an on-site inspection during normal business hours. Any audit shall be conducted in a manner that does not unreasonably interfere with the Contractor’s business operations and does not compromise the confidentiality, security or rights of other customers. The audit may be performed by the Client or by an independent professional auditor bound by confidentiality obligations. The Contractor shall provide such information and access as is reasonably necessary to demonstrate compliance with this DPA. Each Party shall bear its own costs of the audit, provided that the Client shall reimburse the Contractor for reasonable costs incurred in connection with audits that are excessive in scope, repetitive, or not based on a reasonable compliance concern.

### 8. Sub-Processors

1. The Contractor may only use sub-processors with the consent of the Client. The Client consents to the usage of sub-processors in accordance with the List of Sub-Processors attached as Appendix 3. The List of Sub-Processors attached as Appendix 3 also sets out the notification and objection process for future changes of Sub-Processors, including the Client’s right to object on reasonable data protection grounds.
2. The Contractor shall carefully select the sub-processors and shall check prior to the assignment that they can comply with the agreements made between the Client and the Contractor. In particular, the Contractor shall check that all sub-processors have taken the technical and organizational measures as required under Art. 32 GDPR to protect personal data.
3. Services which the Contractor uses with third parties as a pure ancillary service in order to carry out its business activities shall not be considered sub-processing in the context of this DPA. This includes, for example, cleaning services, pure telecommunications services without concrete reference to services provided by the Contractor for the Client, postal and courier services, transport services, financial services and security services.
4. The usage of sub-processors shall not affect the Contractor's contractual and data protection obligations towards the Client. The Contractor shall be liable for any acts or omissions of its sub-processors as if they were its own acts or omissions.

### 9. Data Transfer to Third Countries

1. To the extent necessary for the performance of the Main Contract, Personal Data may be processed by the Contractor or its approved Sub-Processors in countries outside the EU/EEA. Any such transfer shall be carried out only in compliance with applicable data protection law and on the basis of a valid transfer mechanism, including an adequacy decision pursuant to Article 45 GDPR or appropriate safeguards pursuant to Article 46 GDPR, such as the Standard Contractual Clauses. Upon written request, the Contractor shall provide the Client with reasonable information on the applicable transfer mechanism, to the extent permitted by law and subject to confidentiality obligations.

### 10. Deletion and Return of Personal Data

1. Copies of the personal data processed on behalf of the Client shall not be made without the knowledge of the Client, except for backup copies that are necessary to guarantee proper data processing, as well as data which are necessary with regard to compliance with statutory retention obligations.
2. Upon termination of the Main Contract, or earlier upon the Client’s written request, the Contractor shall, at the Client’s choice, return the Personal Data to the Client in a commonly used electronic format and/or delete the Personal Data, unless Union or Member State law requires further storage. Unless otherwise agreed or technically impossible, such return or deletion shall be completed within thirty (30) days after termination of the Main Contract or receipt of the Client’s request. Personal Data contained in backup copies shall be isolated from further processing and deleted in the ordinary course of the Contractor’s documented backup retention cycle, unless retention is required by law.
3. Documentation serving as evidence of the proper processing of Personal Data under this DPA may be retained by the Contractor after termination of the Main Contract to the extent and for the period required by applicable law, after which it shall be deleted or anonymized, unless further retention is required by law.

### 11. Miscellaneous

1. If the data of the Client processed by the Contractor should be endangered by measures of third parties (e.g. by seizure or confiscation), by insolvency proceedings or by other events, the Contractor shall inform the Client immediately. The Contractor shall notify the creditors without delay of the fact that the data are processed on instruction of a third party.
2. Ancillary agreements must be made in writing. Should individual parts of this DPA be invalid, this shall not affect the validity of the remaining provisions of the DPA.

## Appendix 1: Description of the Data Processing

### 1. Subject-Matter, Nature and Purpose of the Processing

The Client uses the eTWI System Software for creation, management and use of digital work instructions. Personal data is processed for the purpose of performing the services of the Contractor agreed in the Main Contract.

### 2. Categories of Data Subjects and Types of Personal Data

The personal data processed on behalf of the Client concern users of the eTWI System Software (regularly employees of the Client who access the eTWI System Software in the course of their work).

The personal data processed on instruction of the Client relates to the following categories of data:

* Name and surname;
* Authentication credentials (stored in hashed or otherwise protected form), where applicable;
* Job title;
* Employee department;
* E-mail address;
* Phone number;
* Preferred language;
* Data on the use of the software platform (e.g. input values or time stamps);
* Other Personal Data provided by the Client through the Software or otherwise made available to the Contractor for the performance of the services under the Main Contract, to the extent determined and controlled by the Client.

The personal data processed on behalf of the Client regularly does not include special categories of personal data according to Art. 9 GDPR (e.g. health data), unless such special categories of personal data are made available to the Contractor by the Client for the purpose of performing the Contractor's services or are collected by the Contractor in the course of performing its services on the instructions and on behalf of the Client.

### 3. Duration of Processing

The duration of the processing corresponds to the duration of the Main Contract.


## Appendix 2: Technical and Organizational Measures

The following technical and organizational measures are implemented by the Contractor:

### 1. CONFIDENTIALITY

### 1.1 Physical Access Control

#### Hosting/Data Center:

The eTWI System Software is hosted in a Contabo data center in the EU (Germany). Detailed documentation of the technical and organizational data security measures taken by Contabo GmbH can be found here: <https://contabo.com/en/legal/terms-and-conditions/>

#### Registered Office and Remote Working Arrangements:

The Contractor maintains its registered office in Tallinn, Estonia. The Contractor’s personnel primarily perform their work remotely from Poland and, where applicable, from other locations authorized by the Contractor. The Contractor does not rely on a permanent operational office for the regular processing of Client Personal Data. Access to company devices, records and working environments used for the performance of the services is restricted to authorized personnel only and is protected by appropriate physical, technical and organizational safeguards.

### 1.2 System Access Control

To gain access to IT systems, users must have appropriate access authorization. For this purpose, corresponding user authorizations are assigned by administrators, but only if the authorization has been requested by the respective supervisor/manager.

The user then receives a user name and an initial password, which must be changed the first time they log on. The password specifications require a minimum password length of 8 characters, and the password must consist of upper/lower case letters, numbers and special characters.

Remote access to Contractor’s IT systems is always via encrypted connections.

An intrusion prevention system is in use on the Contractor’s servers. All server and client systems are equipped with anti-virus software that receives daily signature updates.

All servers are protected by firewalls, which are constantly maintained and supplied with updates and patches.

The access of servers and clients to the Internet and the access to these systems via the Internet is also secured by firewalls. This also ensures that only the ports required for the respective communication can be used. All other ports are blocked accordingly.

All employees are instructed to lock their IT systems when they leave them. Passwords are always stored encrypted.

### 1.3 Data Access Control

Access rights for the Contractor’s IT systems and applications are assigned exclusively by administrators. Authorizations are always assigned according to the need-to-know principle. This means that only those persons who maintain and service data, databases or applications or are active in development are granted access rights to data, databases or applications.

The prerequisite is a corresponding request for authorization for an employee by a supervisor/manager.

There is a role-based authorization concept with the possibility of differentiated assignment of access authorizations, which ensures that employees receive access rights to applications and data depending on their respective area of responsibility and, if necessary, on a project basis.

Employees are strictly prohibited from installing unauthorized software on IT systems. All server and client systems are regularly updated with security updates.

### 1.4 Separation Control

All IT systems used by Contractor for clients are multi-client capable. The separation of data from different clients is always guaranteed.

### 1.5 Encryption

Administrative access to server systems is always done via encrypted connections. In addition, data on server and client systems is stored on encrypted data carriers. Appropriate hard disk encryption systems are in use.

### 2. INTEGRITY

### 2.1 Input Control

The entry, modification and deletion of personal data processed by the Contractor on behalf of the Client are logged together with the relevant timestamp and user account information.

Employees are obliged to always work with their own accounts. User accounts may not be shared with or passed on to other persons.

### 2.2 Transfer Control

Any disclosure of personal data on behalf of the Contractor's clients may only take place to the extent agreed with the client and to the extent necessary to provide the contractual services to the client.

All employees working on a client project are instructed with regard to the permissible use of data and the modalities of data transfer.

As far as possible, data will be transmitted to recipients in encrypted form.

The Contractor’s employees are prohibited from using private data carriers in connection with client projects.

All Employees receive regular training on data protection issues. All employees are obliged to handle personal data confidentially.

### 3. AVAILABILITY AND RESILIENCE

Data on the Contractor’s server systems is backed up incrementally at least daily, with a full backup taken weekly. The backup media are encrypted.

The import of backups is tested regularly.

The IT systems have an uninterruptible power supply. A fire alarm system and a CO2 extinguishing system are located in the server room. All server systems are subject to monitoring, which immediately triggers reports to an administrator in case of malfunctions.

The Contractor has implemented and maintains a detailed emergency plan, which also includes a business continuity and restart plan.

### 4. ORDER CONTROL

When external service providers or third parties are involved, a data processing agreement is concluded in accordance with the applicable data protection laws, following a prior audit. Sub-processors are also regularly audited during the contractual relationship.

### 5. PROCEDURES FOR REGULAR REVIEW, ASSESSMENT AND EVALUATION

The Contractor has implemented a comprehensive data protection management system, including detailed policies on data protection and information security.

A Data Protection and Information Security Team has been established to plan, implement, evaluate and adjust measures in the area of data protection and information security. All implemented measures and all policies are regularly evaluated and adjusted with regard to their effectiveness.

In particular, it is ensured that data protection incidents are recognized by all employees and are reported to the Data Protection and Information Security Team without undue delay. The Data Protection and Information Security Team will immediately investigate every incident. If data processed on the instruction of clients is affected, it is ensured that the respective clients are informed without undue delay about the nature and scope of the incident.

## Appendix 3: List of Sub-Processors

The Contractor shall use the following Sub-Processors to provide the services under the Main Contract:

| **Sub-Processor** | **Services** | **Location of Processing** | **Appropriate Safeguards (Art. 46 GDPR)** |
| --- | --- | --- | --- |
| **Contabo GmbH, Germany** | Hosting of the eTWI System Software ("Contabo") | EU | n/a |
| **Cloudflare, Inc. USA** | Cloudflare, Inc. ("Cloudflare") provides content delivery, DNS, security, and abuse-prevention services in connection with web traffic transmitted to and from the Services. In providing these services, Cloudflare may process limited Personal Data, including IP addresses, website URL-related information, and certain browser- or device-related information, insofar as such data is contained in or associated with web traffic to and from the Services. Such processing is carried out solely to enable traffic management, content delivery, security, logging, and abuse prevention, in accordance with the applicable service configuration. | USA | Standard Contractual Clauses (according to Art. 46 (2) GDPR) |
| **Atlassian Pty, Ltd.** | Task management | AUS | Standard Contractual Clauses (according to Art. 46 (2) GDPR) |
| **Sugester sp. z o.o.** | Helpdesk, forwarding of support requests | EU | n/a |

The Contractor may terminate the assignment of individual Sub-Processors or engage additional Sub-Processors. When engaging additional Sub-Processors, the Contractor shall inform the Client by electronic means at least 30 days before the additional Sub-Processor is first used for its intended purpose. Excepted from this are emergency replacements as defined below. If the Client has reasonable data protection grounds to object to a new Sub-Processor, the Client shall notify the Contractor in writing, stating such grounds, within fifteen (15) days of the notification. If the Client does not object within that period, the new Sub-Processor shall be deemed approved.

Should the Client object, the Contractor can remedy the objection as follows: (1) the Contractor will not use the additional Sub-Processor to process personal data of the Client; or (2) the Contractor will take measures to eliminate the material reason for the Client's objection; or (3) the Contractor may temporarily or permanently cease to provide the aspect of the service to the Client that is affected by the use of the additional Sub-Processor and refund to the Client any remuneration already paid in advance for the provision of that aspect of the service. If none of these three options is feasible and the objection has not been remedied within 15 days after receipt of the objection, each party can terminate the contract extraordinarily with an appropriate period of notice.

Emergency replacements of a Sub-Processor may become necessary if the need for the immediate deployment of an additional Sub-Processor is beyond the control of the Contractor, for example, if a Sub-Processor unexpectedly ceases operations or breaches its material contractual obligations to the Contractor so that the Contractor is or would no longer be able to perform the service owed to the Client. In such a case, the Contractor will immediately inform the Client of the additional Sub-Processor, and the objection process, as defined above, will be initiated with the notification to the Client.
