Data Processing Agreement

This Data Processing Agreement ("DPA") is concluded by and between the Customer ("Controller") and Direct Cursus Technology LLC, a limited liability company duly established and existing in accordance with the laws of the United Arab Emirates having its license number 1100423 issued from Dubai Economy and Tourism, having its address at Floor 6, Building 5, One Central, Trade Centre Second Dubai, UAE ("Processor"). Controller and Processor are hereinafter collectively referred to as the "Parties" and separately as the "Party".

The Controller and the Processor are the parties of the DoubleCloud Customer Agreement concluded either by accepting by the Controller of agreement terms available at: https://double.cloud/legal/customer_agreement/ or by signing of a written version of DoubleCloud Customer Agreement by both Parties (the "Agreement"). This DPA is part of the Agreement. Except as modified herein, the terms of the Agreement will remain as agreed in case of contradictions between the terms of this DPA with the terms of the Agreement, the terms of this DPA prevail.

1. The Parties hereby conclude the standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 and Article 29(7) of Regulation (EU) 2018/1725 (decision (EU) 2021/915 of 4 June 2021) ("SCC").

2. For the purposes of Clause 1(a) of the SCC, the Parties choose the option 1.

3. The Parties agree to include in the SCC Clause 5 (Docking Clause).

4. The Parties agree to add the following clause (f) to Clause 7.6 of the SCC: "The Processor will allow the Controller or an independent and suitably qualified auditor appointed by the Controller to conduct audits to verify the Processor's compliance with its obligations under these SCC. The Processor will reasonably contribute to such audits. The following requirements apply to any audit: (i) the Controller must give a minimum thirty (30) days' notice of intention to audit, (ii) the Controller may exercise the right to audit no more than once in any calendar year; (iii) commencement of the audit shall be subject to an agreement with the Processor of a scope of work for the audit at least ten (10) days in advance; (iv) the Processor may restrict access to certain parts of its facilities and certain records where such restriction is necessary for commercial confidentiality or other legitimate reasons; (v) the audit shall not include penetration testing, vulnerability scanning, or other security tests; (vi) the right to audit includes the right to inspect but not copy or otherwise remove any records, other than those that relate specifically and exclusively to the Controller; (vii) any independent auditor will be required to sign such non-disclosure agreement as is reasonably required by the Processor prior to the audit; and (viii) the Controller shall compensate the Processor for its reasonable costs (including for the time of its personnel, other than its relationship manager) incurred in supporting any audit."

5. For the purposes of Clause 7.7(a) of the SCC, the Parties choose the option 2 and specify that the Processor shall specifically inform in writing the Controller of any intended changes of that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the Controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The Parties also agree that the relevant agreed list of sub-processors is available at https://double.cloud/legal/sub-processors and may be amended by the Processor from time to time at its discretion subject to Clause 7.7 of the SCC.

6. The Parties agree to add the following clause (f) to Clause 7.7 of the SCC: "The Controller may object to intended changes of the relevant agreed list of sub-processors provided that such objection is based on reasonable grounds relating to data protection by terminating the Agreement immediately upon written notice received by the processor within 20 days as of the Controller is informed of the intended changes."

7. For the purposes of Clause 8(c)(4) of the SCC, the Parties choose the option 1.

8. For the purposes of Clause 9.1(b) of the SCC, the Parties choose the option 1.

9. For the purposes of Clause 9.1(c) of the SCC, the Parties choose the option 1.

10. For the purposes of Clause 9.2 of the SCC, the Parties choose the option 1.

11. Each Party's liability for any breach of this DPA (including the SCC) shall be subject to the limitations and exclusions of liability set out in the Agreement, provided that neither Party limits or excludes any liability that cannot be limited or excluded under applicable law.

12. All references in the SCC to requirements of data protection laws of the EU shall be read as references to requirements of data protection laws of the EU and relevant requirements of other applicable data protection laws.

13. The Parties agree that other clauses and additional safeguards added by this DPA to the SCC do not directly or indirectly contradict the SCC or detract from the fundamental rights or freedoms of data subjects.

14. Annexes I -- III are attached to this DPA.

ANNEX I

List of parties

Controller(s):

Name:

Customer as defined in the Agreement

Address:

As defined in the Agreement

Contact person’s name, position and contact details:

As defined in the Agreement

Signature and accession date:

As defined in the Agreement

Processor(s):

Name:

Direct Cursus Technology LLC

Address:

Floor 6, Building 5, One Central, Trade Centre Second Dubai, UAE

Contact person’s name, position and contact details:

As defined in the Agreement

Signature and accession date:

As defined in the Agreement

ANNEX II

Description of the processing

Categories of data subjects whose personal data is processed:

Controller's employees, contractors, end-users, individuals whose data processed by Controller at the Controller's discretion, and any other person who transmits data through the services provided to the Controller under the Agreement ("Services").

Categories of personal data processed:

Personal data submitted, stored, sent or received by the Controller via the Services.

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

Sensitive personal data submitted, stored, sent or received by the Controller via the Services. The same restrictions and safeguards are applied to all personal data processed with the use of the Services.

Nature of the processing

Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or otherwise making available, alignment or combination, restriction, erasure and destruction.

Purpose(s) for which the personal data is processed on behalf of the controller

The Processor will process Controller data submitted, stored, sent or received by the Controller for the purposes of providing the Services to the Controller in accordance with the Agreement.

Duration of the processing

The period of provision of the Services to the Controller plus the time for the deletion of personal data, unless retention is required under applicable laws or if otherwise agreed by the parties.

For processing by (sub-) processors, also specify subject matter, nature and duration of the processing

The (sub-) processors perform all the operations required to render the Services to the Controller under the Agreement. The (sub-) processors process the personal data until the Agreement between the Controller and the Processor is valid and until the processing is required to render the Services to the Controller.

ANNEX III

Technical and organisational measures including technical and organisational measures to ensure the security of the data

Description of the technical and organisational security measures implemented by the processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:

The Processor and its authorized partners will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of personal data processed on behalf of the Controller as part of the provided services. In particular, the Processor implements the following measures:

  1. Maintaining information security programs, including the adoption and enforcement of internal policies and procedures; Asset management, Access control, Vulnerability and Incident management, SDL, Change Management, Risk assessment and others.

  2. Sticking to the level of data protection set out in international security standards and certificates, such as ISO 27001 and SOC2. We make sure that our subprocessors share our values and adhere to the same high standards in cybersecurity and privacy.

  3. Periodic reviews of the security of the network and adequacy of information security program.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: the same.

Description of the specific technical and organisational measures to be taken by the processor to be able to provide assistance to the controller: the same.

Detailed information about technical and organizational security measures you can find at https://trust.double.cloud/.

________________________________________

Web address: https://double.cloud/legal/dpa_llc/

Date of publication: 1 January 2024

Effective date: 1 January 2024 (30 January 2024 for the DoubleCloud users who signed up before 1 January 2024)