1 The scope of the agreement

1.1 In this Schedule, Brainalyzed Finance GmbH will be referred to as the “Data Processor” and You will be referred to as the “Data Controller”.

1.2 The Data Processor will during the term of this Agreement be processing personal data on behalf of the Data Controller for the purpose of providing the Platform (the “Purpose”).

1.3 The Data Processor will be processing the types of personal data as provided to the Data Processor via the Platform by the Data Controller.

1.4 The categories of data subjects include the individuals about whom personal data is provided to the Data Processor via the Platform by the Data Controller.

2 Instructions and security

2.1 The Data Processor shall only process personal data on behalf of the Data Controller and only on instruction from the Data Controller.

2.2 The Data Processor shall implement appropriate technical and organizational security measures to protect data against accidental or unlawful destruction, loss or alteration and against unauthorized disclosure, abuse or other processing in violation of the provisions laid down in the Directive 95/46 EC of the European Parliament and the Council and any applicable laws implementing it and/or any later amendments hereof, including the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing the EU Directive (hereinafter referred to as the “Data Protection Legislation”).

2.3 Upon the Data Controller’s written request, the Data Processor shall permit the Data Controller or any third party appointed by the Data Controller (subject to reasonable and appropriate confidentiality undertakings), to audit the Data Processor’s data processing activities and comply with all reasonable and commercially viable requests or directions by the Data Controller to enable the Data Controller to verify and/or procure that the Data Processor and/or sub-processors are in compliance with their obligations under this Agreement and the Data Protection Legislation. The Data Processor shall be entitled to charge the Data Controller a reasonable fee for its assistance in relation to the conduct of any audits.

2.4 The Data Processor must, upon the request of any public authority, grant the authority access to perform an audit or other investigation of the processing of Personal Data conducted by the Data Processor. The Data Processor shall accommodate any request made by the public authority for copies of the auditing reports performed in accordance with Clause 3. The Data Processor shall without undue delay inform the Data Controller in writing upon receiving such request unless expressly prohibited by the public authority.

2.5 The Data Processor will ensure that the employees processing personal data on its behalf have committed themselves to the obligation of confidentiality regarding any personal data processed under this Agreement. The obligation of confidentiality will continue after the termination of the Agreement.

3 Sub-processing

3.1 The Data Processor may only sub-contract its processing operations performed on behalf of the Data Controller to another data processor upon written approval by the Data Controller. At the time of entering into this Agreement, the Cloud Providers shall be deemed to have been approved in writing.

3.2 Where the Data Processor sub-contracts its obligations, as described in Clause 1 above, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the Data Processor under this Agreement.

3.3 The Data Processor or any of its sub-processors may transfer personal data processed on behalf of the Data Controller out of the EU/EEA.

3.4 The Data Processor will comply with the applicable law and any requirements established by any data protection authority or other government authorities necessary for the granting of approval by such authorities for the transfer of personal data outside of the EU/EEA.

4 Data breach notification

4.1 The Data Processor shall without undue delay notify the Data Controller in case of breach of personal data processed under the Agreement.

5 Termination

5.1 This Agreement shall be in force as long as the Data Processor provides services in accordance with the Purpose to the Data Controller.

5.2 Upon termination of the Agreement, the Data Processor must return all material containing personal data, or upon request from the Data Controller delete the personal data and delete existing copies unless otherwise required by applicable law.