Common use of Obligations of the Processor Clause in Contracts

Obligations of the Processor. 3.1 The Processor undertakes to carry out Data Processing exclusively on the basis of documented instructions from the Controller. If the Processor considers an instruction of the Controller to be unlawful, the Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. 3.2 The Processor shall be obliged to treat confidentially any personal data of which it becomes aware in connection with the Data Processing. The Processor shall impose a confidentiality obligation on all persons authorized by it to process the data, unless they are already subject to a statutory duty of confidentiality. The obligation of confidentiality and non-disclosure shall continue to apply after termination of this DPA. 3.3 The Processor shall take all necessary technical and organizational measures within the meaning of Art. 32 of the GDPR. These technical and organizational measures are data security measures to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. They shall take into account the state of the art, the costs of implementation and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. The technical and organizational measures taken by the Processor are available at xxxxx://xxxx.xx/en/legal in the current version. 3.4 The Processor shall, where possible, support the Controller with appropriate technical and organizational measures to enable the Controller to comply with the data subject rights under Chapter III of the GDPR within the legal time limits and shall provide the Controller with the necessary information to do so upon the Controller's request, provided that the Processor has such information. If a subject submits a request to the Processor to exercise the data subject rights, the Processor shall be obliged to forward the request to the Controller if the request relates to Data Processing by the Controller. 3.5 The Processor shall support the Controller in the performance of the obligations incumbent upon the Controller pursuant to Art. 32 to 36 of the GDPR, which shall include, but not be limited to, the implementation of security measures, the notification of data protection breaches and, where applicable, the preparation of a data protection impact assessment. 3.6 The Processor shall delete the personal data of the Data Processing after the expiry of the retention periods provided for in the Main Agreement and/or without delay at the request of the Controller. If the Controller expressly requests this, the personal data shall be returned to the Party. Statutory retention periods remain unaffected by this. 3.7 The Processor is obliged to provide the Controller with information at the latter's request in order to demonstrate compliance with the obligations pursuant to Art. 28 of the GDPR. The Processor shall support the Controller in verifying the Data Processing and shall grant the Controller access to the documents and technical systems necessary for verifying the Data Processing in accordance with Section 5 of this DPA. 3.8 To the extent permitted by law, the Processor shall inform the Controller about control actions and measures taken by the supervisory authorities insofar as they relate to the Controller's Data Processing operations.

Obligations of the Processor. 3.1 4.1.1. The Processor undertakes to carry out Data Processing exclusively on the basis of Process Personal data only in accordance with documented instructions from the ControllerController (the “Instructions” stated in Appendix 1) and Applicable Data Protection Legislation, unless otherwise provided by Applicable Data Protection Legislation. If Processing deviating from the Processor considers an instruction of the Controller to be unlawfulInstructions, the Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. 3.2 The Processor shall be obliged to treat confidentially any personal data of which it becomes aware in connection with the required under Applicable Data Processing. The Processor shall impose a confidentiality obligation on all persons authorized by it to process the data, unless they are already subject to a statutory duty of confidentiality. The obligation of confidentiality and non-disclosure shall continue to apply after termination of this DPA. 3.3 The Processor shall take all necessary technical and organizational measures within the meaning of Art. 32 of the GDPR. These technical and organizational measures are data security measures to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. They shall take into account the state of the art, the costs of implementation and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. The technical and organizational measures taken by the Processor are available at xxxxx://xxxx.xx/en/legal in the current version. 3.4 The Processor shall, where possible, support the Controller with appropriate technical and organizational measures to enable the Controller to comply with the data subject rights under Chapter III of the GDPR within the legal time limits and shall provide the Controller with the necessary information to do so upon the Controller's request, provided that the Processor has such information. If a subject submits a request to the Processor to exercise the data subject rights, the Processor shall be obliged to forward the request to the Controller if the request relates to Data Processing by the Controller. 3.5 The Processor shall support the Controller in the performance of the obligations incumbent upon the Controller pursuant to Art. 32 to 36 of the GDPR, which shall include, but not be limited to, the implementation of security measures, the notification of data protection breaches and, where applicable, the preparation of a data protection impact assessment. 3.6 The Processor shall delete the personal data of the Data Processing after the expiry of the retention periods provided for in the Main Agreement and/or without delay at the request of the Controller. If the Controller expressly requests this, the personal data shall be returned to the Party. Statutory retention periods remain unaffected by this. 3.7 The Processor is obliged to provide the Controller with information at the latter's request in order to demonstrate compliance with the obligations pursuant to Art. 28 of the GDPR. The Processor shall support the Controller in verifying the Data Processing and shall grant the Controller access to the documents and technical systems necessary for verifying the Data Processing in accordance with Section 5 of this DPA. 3.8 To the extent permitted by lawProtection Legislation, the Processor shall inform the Controller of the legal requirement before Personal Data is Processed for that purpose, unless such information is prohibited with reference to an important public interest under Applicable Data Protection Legislation. This DPA and Appendix 1 sets out the Controller’s instructions to the Processor about control actions the subject-matter and measures taken duration of the Processing, the nature and purpose of the Processing, the type of Personal data and categories of Data subjects. 4.1.2. The Controller confirms that the Processor’s obligations under this DPA, including Appendix 1, constitute the complete instructions to be followed by the supervisory authorities insofar as they relate Processor. Any changes to the Controller's ’s instructions shall be negotiated separately and shall be made in writing and signed by both Parties. 4.1.3. The Processor shall without undue delay inform the Controller if the Processor believes that the Controller’s instructions regarding the Processing of Personal data are in violation of Applicable Data Processing operationsProtection Legislation. 4.1.4. The Processor shall assist the Controller with appropriate technical and organisational measures, taking into account, as far as possible, the nature of the processing and the information available to the Processor, in order for the Controller to comply with the requirements of Article 28 of the GDPR, and for the Controller to comply its obligations regarding: security in connection with the Processing, notification of a Personal data breach to the Supervisory authority, information to the Data subject about a Personal data breach, impact assessment regarding data protection and prior consultation (Articles 32-36 of the GDPR). The Processor shall also provide assistance to the Controller through appropriate technical and organisational measures so that the Controller can fulfil its duty regarding the rights of Data subjects in accordance with Chapter 3 of the GDPR. 4.1.5. The Processor shall, at the Controllers request, correct or delete incorrect, incomplete or outdated Personal data without undue delay.

Obligations of the Processor. 3.1 (1) The Processor undertakes to carry out Data Processing exclusively on may process data of affected persons only within the basis framework of documented the order and the written instructions from of the Controller. If the The Processor considers an instruction of informs the Controller to be unlawful, the immediately if he believes that a directive violates applicable laws. The Processor shall be entitled to may suspend the implementation of the relevant instruction instructions until it is they have been confirmed or amended modified by the Controller. 3.2 (2) If the Processor receives an official order to publish data of the Controller, he shall - insofar as legally permissible - inform the Controller immediately and refer the authority to the latter. Similarly, processing the data for the processor's own purposes requires a written order. (3) The Processor shall be obliged to treat confidentially any personal will, in his area of responsibility, design the in-house organization in such a way that it meets the special requirements of data of which it becomes aware in connection with the Data Processingprotection. The Processor shall impose a confidentiality obligation on all persons authorized by it to process the data, unless they are already subject to a statutory duty of confidentiality. The obligation of confidentiality and non-disclosure shall continue to apply after termination of this DPA. 3.3 The Processor shall take all necessary technical Technical and organizational measures within shall be taken to adequately protect the meaning data of the Controller, which meet the requirements of the General Data Protection Regulation (Art. 32 of the GDPR). These The Processor shall take technical and organizational measures are data security measures to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. They shall take into account the state of the art, the costs of implementation systems and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk services related to the rights and freedoms processing on a permanent basis. (4) The Controller shall be made aware of natural persons. The these technical and organizational measures taken by in writing and shall be held responsible for ensuring that they provide an adequate level of protection for the Processor are available at xxxxx://xxxx.xx/en/legal in risks of the current versiondata to be processed. 3.4 The Processor shall, where possible, support the Controller with appropriate technical and organizational measures to enable the Controller to comply with the data subject rights under Chapter III of the GDPR within the legal time limits and shall provide the Controller with the necessary information to do so upon the Controller's request, provided that the Processor has such information. If a subject submits a request to the Processor to exercise the data subject rights, the Processor shall be obliged to forward the request to the Controller if the request relates to Data Processing by the Controller. 3.5 (5) The Processor shall support the Controller as far as possible in fulfilling the performance inquiries and claims of data subjects in accordance with Chapter III of the GDPR (right to information, information, correction and deletion, data portability, objection and automated decision - making in individual cases) as well as to the compliance with the obligations incumbent upon the Controller pursuant to Art. set out in Articles 32 to 36 of the GDPR, which shall include, but not be limited to, the implementation of GDPR (data security measures, the notification of data protection breaches andto the supervisory authority, where applicable, notification of the preparation data subject of a data breach, data protection impact assessment, prior consultation). 3.6 (6) The Processor warrants that the employees involved in the processing of the data of the Processor and other persons working for the Processor shall be prohibited from processing the data out of scope of instructions passed on to them. Furthermore, the Processor guarantees that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate legal secrecy obligation. The obligation of confidentiality / secrecy persists even after the order has been completed. (7) The Processor shall delete inform the Controller without undue delay if he becomes aware of violations of the protection of personal data of the Data Processing Controller. The Processor shall take the necessary measures to secure the data and to reduce the possible adverse consequences of the persons concerned and shall immediately discuss this with the Controller. (8) The Processor shall inform the Controller of the contact person for data protection issues arising in the context of the contract. (9) The Processor shall also ensure that obligations under Article 32 (1) (d) of the GDPR are fulfilled and that a periodic review of the effectiveness of the technical and organizational measures to ensure the safety of the processing is concluded. With regards to the processing of the data provided by the customer, the customer is granted the right to inspect and control at any time, even if third parties commissioned by him, to the data processing facilities. The Processor undertakes to provide the Controller with the information necessary to control compliance with the obligations set out in this Agreement. (10) The Processor rectifies or deletes the contractual data if the Controller so instructs and this is included in the scope of the directive. If a data protection confirming deletion or a corresponding limitation of the data processing is not possible, the processor takes over the data protection compliant destruction of data media and other materials on the basis of an individual commissioning by the Controller or returns these data carriers to the Controller, if not already agreed in the contract. (11) The processing of data in private homes is permitted only with the consent of the Controller in individual cases. As far as the data are processed in a private apartment, the access to the apartment by the Controller must be coordinated in advance with the processor. The Processor assures that the other residents of this private dwelling agree with this regulation. (12) Data, data carriers as well as all other materials shall either be issued or deleted after the expiry end of the retention periods provided for in the Main Agreement and/or without delay order at the request of the Controller. If the Controller expressly requests thisProcessor processes the data in a special technical format, the personal data shall be returned to the Party. Statutory retention periods remain unaffected by this. 3.7 The Processor it is obliged to provide the Controller with information data after termination of this agreement either in this format or at the latter's request in order to demonstrate compliance with the obligations pursuant to Art. 28 of the GDPR. The Processor shall support the Controller in verifying the Data Processing and shall grant format in which the data from the Controller access to has been received, common Format issue. If additional costs arise as a result of deviating specifications in the documents and technical systems necessary for verifying case of the Data Processing in accordance with Section 5 publication or deletion of this DPAthe data, the costs shall be covered by the Controller. 3.8 To (13) In the extent permitted case of a claim of the customer by lawan affected person with regards to any claims under Art. 82 GDPR (compensation for damages), the Processor shall inform undertakes to assist the Controller about control actions and measures taken by in defending the supervisory authorities insofar as they relate claim to the Controller's Data Processing operationsextent possible.

Obligations of the Processor. 3.1 The Processor undertakes to carry out Data Processing exclusively on the basis of documented instructions from the Controller. If the Processor considers an instruction of the Controller to be unlawful, the Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. 3.2 The Processor shall be obliged to treat confidentially any personal data of which it becomes aware in connection with the Data Processing. The Processor shall impose a confidentiality obligation on all persons authorized by it to process the data, unless they are already subject to a statutory duty of confidentiality. The obligation of confidentiality and non-disclosure shall continue to apply after termination of this DPA. 3.3 The Processor shall take all necessary technical and organizational measures within the meaning of Art. 32 of the GDPR. These technical and organizational measures are data security measures to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. They shall take into account the state of the art, the costs of implementation and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. The technical and organizational measures taken by the Processor are available at xxxxx://xxxx.xx/en/legal in the current version. 3.4 The Processor shall, where possible, support the Controller with appropriate technical and organizational measures to enable the Controller to comply with the data subject rights under Chapter III of the GDPR within the legal time limits and shall provide the Controller with the necessary information to do so upon the Controller's request, provided that the Processor has such information. If a subject submits a request to the Processor to exercise the data subject rights, the Processor shall be obliged to forward the request to the Controller if the request relates to Data Processing by the Controller. 3.5 The Processor shall support the Controller in the performance of the obligations incumbent upon the Controller pursuant to Art. 32 to 36 of the GDPR, which shall include, but not be limited to, the implementation of security measures, the notification of data protection breaches and, where applicable, the preparation of a data protection impact assessment. 3.6 The Processor shall delete the personal data of the Data Processing after the expiry of the retention periods provided for in the Main Agreement and/or without delay at the request of the Controller. If the Controller expressly requests this, the personal data shall be returned to the Party. Statutory retention periods remain unaffected by this. 3.7 The Processor is obliged to provide the Controller with information at the latter's request in order to demonstrate compliance with the obligations pursuant to Art. 28 of the GDPR. The Processor shall support the Controller in verifying the Data Processing and shall grant the Controller access to the documents and technical systems necessary for verifying the Data Processing in accordance with Section 5 4 of this DPA. 3.8 To the extent permitted by law, the Processor shall inform the Controller about control actions and measures taken by the supervisory authorities insofar as they relate to the Controller's Data Processing operations.

Obligations of the Processor. 3.1 The Processor undertakes to carry out Data Processing exclusively agrees to: 4.1 Process the personal data only on the basis of documented instructions from the Controller. If , including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor considers an instruction is subject; in such a case, the processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. 4.2 Take into account the nature of the processing, and to assist the Controller through appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to be unlawfulrespond to requests for exercising the data subject's rights laid down in Chapter III of the Regulation. In addition, the Processor shall be entitled shall: 4.2.1 Promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Legislation in respect of Controller Personal Data; and 4.2.2 Ensure that the Processor does not respond to suspend that request except on the implementation documented instructions of Controller or as required by Data Protection Legislation to which the relevant instruction until it Processor is confirmed or amended subject, in which case the Processor shall, to the extent permitted by Data Protection Legislation, inform the ControllerController of that legal requirement before the Processor responds to the request. 3.2 The Processor shall be obliged to treat confidentially any personal data of which it becomes aware in connection with the Data Processing. The Processor shall impose a confidentiality obligation on all persons authorized by it to process the data, unless they are already subject to a statutory duty of confidentiality. The obligation of confidentiality and non-disclosure shall continue to apply after termination of this DPA. 3.3 The Processor shall take all necessary technical and organizational measures within the meaning of Art. 32 of the GDPR. These technical and organizational measures are data security measures to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. They shall take 4.3 Take into account the state of the art, the costs of implementation and the nature, scope scope, context and purposes of the processing, processing as well as the risk of varying likelihood and severity of the risk to for the rights and freedoms of natural persons. The technical , and organizational measures taken by the Processor are available at xxxxx://xxxx.xx/en/legal in the current version. 3.4 The Processor shall, where possible, support the Controller with shall implement appropriate technical and organizational organisational measures to enable ensure a level of security appropriate to the risk. 4.4 Take account in assessing the appropriate level of security the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 4.5 Have in place appropriate technical and organisational security measures, reviewed and approved by the Controller, to protect the personal data provided or made available by the Controller to comply with the data subject rights under Chapter III of the GDPR within the legal time limits and shall provide the Controller with the necessary information to do so upon the Controller's request, provided that the Processor has such informationin the context of this agreement, as required under the Data Protection Legislation. If a subject submits a request to Further details, including the minimum standard of security protection, are set out in Appendix 1 of this agreement. 4.6 For the avoidance of doubt, nothing within this agreement relieves the Processor to exercise the data subject rights, the Processor shall be obliged to forward the request to the Controller if the request relates to Data Processing by the Controller. 3.5 The Processor shall support the Controller in the performance of the obligations incumbent upon the Controller pursuant to Art. 32 to 36 of its own direct responsibilities and liabilities under the GDPR, which shall include, but not be limited to, the implementation of security measures, the notification of data protection breaches and, where applicable, the preparation of a data protection impact assessment. 3.6 The Processor shall delete the personal data of the Data Processing after the expiry of the retention periods provided for in the Main Agreement and/or without delay at the request of the Controller. If the Controller expressly requests this, the personal data shall be returned to the Party. Statutory retention periods remain unaffected by this. 3.7 The Processor is obliged to provide the Controller with information at the latter's request in order to demonstrate compliance with the obligations pursuant to Art. 28 of the GDPR. The Processor shall support the Controller in verifying the Data Processing and shall grant the Controller access to the documents and technical systems necessary for verifying the Data Processing in accordance with Section 5 of this DPA. 3.8 To the extent permitted by law, the Processor shall inform the Controller about control actions and measures taken by the supervisory authorities insofar as they relate to the Controller's Data Processing operations.

Obligations of the Processor. 3.1 5.1 The Processor undertakes to carry out Data Processing shall execute the data processing in accordance with applicable data protection laws of the EU and its member states as well as exclusively on within the basis scope of written orders and documented instructions from the ControllerSupplier, unless required otherwise by applicable data protection laws of the EU or its member states. In the latter case the Processor shall inform the Supplier of that legal requirement before commencement the data processing, unless such laws prohibit such information on important grounds of public interest. If the Processor considers receives an instruction official order to hand over personal data of the Controller Supplier, it shall – if permitted by law – inform the Supplier without delay and refer the authority to be unlawful, the Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controllerlatter. 3.2 5.2 The Processor shall be obliged to treat confidentially ensure that any personal data of which it becomes aware in connection persons commissioned with the Data Processingdata processing have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. In particular, such confidentiality obligation of the persons commissioned with the data processing also remains after the termination of their activity and leaving from the Processor. 5.3 The Processor shall impose a confidentiality obligation on all persons authorized by it to process establish the data, unless they are already subject to a statutory duty of confidentiality. The obligation of confidentiality and non-disclosure shall continue to apply after termination of this DPA. 3.3 The Processor shall take all necessary technical and organizational measures within in accordance with Article 32 GDPR. Such measures are available on the meaning of Art. 32 website of the GDPRProcessor under xxxxx://xxx.xxxxxxx.xx/auftragsdatenverarbeitungsbedingungen. These technical and organizational The measures to be taken are measures of data security and measures to ensure that guarantee a protection level of protection appropriate to the risk with regard to concerning confidentiality, integrity, availability and the resilience of the systems. They shall take into account the The state of the art, the costs of implementation and costs, the nature, scope and purposes of the processing, processing as well as the varying likelihood probability of occurrence and the severity of the risk to the rights and freedoms of natural personspersons must be taken into account. The technical and organizational measures taken by are subject to technical progress and further development. In this respect, it is permissible for the Processor are available at xxxxx://xxxx.xx/en/legal in to implement alternative adequate measures. In so doing, the current versionsecurity level of the defined measures must not be reduced. Substantial changes must be documented. 3.4 5.4 The Processor shall, where possible, support shall establish the Controller with appropriate technical and organizational measures to enable the Controller Supplier to comply with fulfill at all times any obligation to respond to requests for exercising the data subject subject’s rights under laid down in Chapter III of the GDPR (rights to information, access, rectification and erasure, data portability, object and automated individual decision- making) within the legal time limits deadlines and shall provide to the Controller Supplier with the all information necessary information to do so upon the Controller's requestfor this, provided that such information is solely available from the Processor has such informationProcessor. If a subject submits a respective request is made to the Processor Processor, the latter indicates that the claimant mistakenly considers it to exercise be the Supplier of the operated data subject rightsapplication, the Processor shall be obliged to must immediately forward the request to the Controller if Supplier and notify the request relates to Data Processing by the Controllerclaimant thereof. 3.5 5.5 The Processor shall support assist the Controller Supplier in the performance of complying with the obligations incumbent upon the Controller pursuant referred to Art. in Articles 32 to 36 of the GDPRGDPR (concerning the security of personal data, which shall includereporting requirements for data breaches to the supervisory authority, but not be limited to, the implementation of security measures, the notification communications of data protection breaches andto the data subject, where applicable, the preparation of a data protection impact assessmentassessments and prior consultations). 3.6 The 5.6 Upon completion of the Service Agreement, the Processor shall delete the all personal data of the Data Processing after Supplier or on its documented instructions hand over such personal data to the expiry Supplier, unless the Processor is required to further storage of such personal data pursuant to applicable law of the retention periods provided for in EU or its member states. 5.7 With respect to the Main Agreement and/or without delay at data processing of its personal data the request Supplier shall be entitled to inspection and control of data processing equipment of the ControllerProcessor, which may also be conducted by a third auditor mandated by the Supplier. If the Controller expressly requests this, the personal data shall be returned to the Party. Statutory retention periods remain unaffected by this. 3.7 The Processor is obliged to provide to the Controller with Supplier all such information at the latter's request in order necessary to demonstrate compliance with the obligations pursuant to Art. 28 of the GDPR. The Processor shall support the Controller in verifying the this Agreement on Data Processing and shall grant the Controller access to the documents and technical systems necessary for verifying the Data Processing obligations laid down in accordance with Section 5 of this DPAapplicable data protection laws. 3.8 To the extent permitted by law, the 5.8 The Processor shall inform the Controller about control actions Supplier immediately, if it considers that an instruction violates data protection regulations of the EU or its member states. 5.9 The Processor is obliged to appoint a data protection officer, who performs its duties in compliance with Articles 38 and measures taken by the supervisory authorities insofar as they relate to the Controller's Data Processing operations.39

Obligations of the Processor. 3.1 3.1. The Processor undertakes to carry out Data Processing exclusively based on the basis of documented instructions from the Controller. If the Processor considers an instruction of the Controller to be unlawful, the Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. 3.2 3.2. The Processor shall be obliged to treat confidentially any personal data of which it becomes aware of in connection with the Data Processing. The Processor shall impose a confidentiality obligation on all persons authorized by it to process the data, unless they are already subject to a statutory duty of confidentiality. The obligation of confidentiality and non-non- disclosure shall continue to apply after termination of this DPA. 3.3 3.3. The Processor shall take all necessary technical and organizational measures within the meaning of Art. 32 of the GDPR. These technical and organizational measures are data security measures GDPR to ensure a level of protection appropriate to the risk with regard to regarding confidentiality, integrity, availability availability, and the resilience of the systems. They shall take into account These measures include ensuring the state security of the artdata processed by Supabase, the costs of implementation Vercel, and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. The technical and organizational measures taken by the Processor are available at xxxxx://xxxx.xx/en/legal in the current versionSendgrid. 3.4 3.4. The Processor shall, where possible, support the Controller with appropriate technical and organizational measures to enable the Controller to comply with the data subject rights under Chapter III of the GDPR within the legal time limits and shall provide the Controller with the necessary information to do so upon the Controller's request, provided that the Processor has such information. If a subject submits a request to the Processor to exercise the data subject rights, the Processor shall be obliged to forward the request to the Controller if the request relates to Data Processing by the Controller. 3.5 3.5. The Processor shall support the Controller in the performance of performing the obligations incumbent upon the Controller pursuant to Art. 32 to 36 of the GDPR, which shall include, but not be limited to, including the implementation of security measures, the notification of data protection breaches breaches, and, where applicable, the preparation of a data protection impact assessment. 3.6 3.6. The Processor shall delete the personal data of the Data Processing after the expiry of the retention periods provided for in the Main Agreement and/or without delay at the request of the Controller. If the Controller expressly requests this, the personal data shall be returned to the Party. Statutory retention periods remain unaffected by this. 3.7 3.7. The Processor is obliged to provide the Controller with information at the latter's request in order to demonstrate compliance with the obligations pursuant to Art. 28 of the GDPR. The Processor shall support the Controller in verifying the Data Processing and shall grant the Controller access to the documents and technical systems necessary for verifying the Data Processing in accordance with Section 5 of this DPA. 3.8 3.8. To the extent permitted by law, the Processor shall inform the Controller about control actions and measures taken by the supervisory authorities insofar as they relate to the Controller's Data Processing operations.

Obligations of the Processor. 3.1 The Processor undertakes to carry out Data Processing exclusively agrees to: 4.1 Process the personal data only on the basis of documented instructions from the Controller. If the Processor considers an instruction of the Controller to be unlawful, the Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. 3.2 The Processor shall be obliged to treat confidentially any personal data of which it becomes aware in connection with the Data Processing. The Processor shall impose a confidentiality obligation on all persons authorized by it to process the data, unless they are already subject to a statutory duty of confidentiality. The obligation of confidentiality and non-disclosure shall continue to apply after termination of this DPA. 3.3 The Processor shall take all necessary technical and organizational measures within the meaning of Art. 32 of the GDPR. These technical and organizational measures are data security measures to ensure a level of protection appropriate to the risk including with regard to confidentialitytransfers of personal data to a third country or an international organisation, integrityunless required to do so by Union or Member State law to which the Processor is subject; in such a case, availability and the resilience processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. 4.2 Take into account the nature of the systemsprocessing, and to assist the Controller through appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in the Data Protection Legislation. They shall take In addition the Processor shall: 4.2.1 Promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Legislation in respect of Controller Personal Data; and 4.2.2 Ensure that the Processor does not respond to that request except on the documented instructions of Controller or as required by Data Protection Legislation to which the Processor is subject, in which case the Processor shall, to the extent permitted by Data Protection Legislation, inform the Controller of that legal requirement before the Processor responds to the request. 4.3 Take into account the state of the art, the costs of implementation and the nature, scope scope, context and purposes of the processing, processing as well as the risk of varying likelihood and severity of the risk to for the rights and freedoms of natural persons. The technical , and organizational measures taken by the Processor are available at xxxxx://xxxx.xx/en/legal in the current version. 3.4 The Processor shall, where possible, support the Controller with shall implement appropriate technical and organizational organisational measures to enable ensure a level of security appropriate to the risk. 4.4 Take account in assessing the appropriate level of security the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 4.5 Have in place appropriate technical and organisational security measures, reviewed and approved by the Controller, to protect the personal data provided or made available by the Controller to comply with the data subject rights Processor in the context of this agreement, as required under Chapter III the Data Protection Legislation. Further details, including the minimum standard of security protection, are set out in Appendix 1 of this agreement. 4.6 For the avoidance of doubt, nothing within this agreement relieves the Processor of its own direct responsibilities and liabilities under the UK GDPR. 4.7 Within 30 days following the completion of the GDPR within the legal time limits and shall provide the Controller with the necessary information to do so upon the Controller's request, provided that the Processor has such information. If a subject submits a request to the Processor to exercise the data subject rights, service the Processor shall be obliged to forward destroy all such data unless the request to the Controller if the request relates to Data Processing by the Controller. 3.5 The Processor shall support the Controller in the performance of the obligations incumbent upon the Controller pursuant to Art. 32 to 36 of the GDPR, which shall include, but not be limited to, the implementation of security measures, the notification of data protection breaches and, where applicable, the preparation of a data protection impact assessment. 3.6 The Processor shall delete the personal data of the Data Processing after the expiry of the retention periods provided for in the Main Agreement and/or without delay at the request of the Controller. If the Controller expressly requests this, the personal data shall be returned to the Party. Statutory retention periods remain unaffected by this. 3.7 The Processor is obliged to provide the Controller with information at the latter's request in order to demonstrate compliance with the obligations pursuant to Art. 28 of the GDPR. The Processor shall support the Controller in verifying the Data Processing and shall grant the Controller access to the documents and technical systems necessary for verifying the Data Processing in accordance with Section 5 of this DPAprohibited from doing so by any applicable law. 3.8 To the extent permitted by law, the Processor shall inform the Controller about control actions and measures taken by the supervisory authorities insofar as they relate to the Controller's Data Processing operations.

Obligations of the Processor. 3.1 The Processor undertakes to carry out Data Processing exclusively agrees to: 4.1 Process the personal data only on the basis of documented instructions from the Controller. If the Processor considers an instruction of the Controller to be unlawful, the Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. 3.2 The Processor shall be obliged to treat confidentially any personal data of which it becomes aware in connection with the Data Processing. The Processor shall impose a confidentiality obligation on all persons authorized by it to process the data, unless they are already subject to a statutory duty of confidentiality. The obligation of confidentiality and non-disclosure shall continue to apply after termination of this DPA. 3.3 The Processor shall take all necessary technical and organizational measures within the meaning of Art. 32 of the GDPR. These technical and organizational measures are data security measures to ensure a level of protection appropriate to the risk including with regard to confidentialitytransfers of personal data to a third country or an international organisation, integrityunless required to do so by Union or Member State law to which the Processor is subject; in such a case, availability and the resilience processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. 4.2 Take into account the nature of the systemsprocessing, and to assist the Controller through appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in the Data Protection Legislation. They shall take In addition the Processor shall: 4.2.1 Promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Legislation in respect of Controller Personal Data; and 4.2.2 Ensure that the Processor does not respond to that request except on the documented instructions of Controller or as required by Data Protection Legislation to which the Processor is subject, in which case the Processor shall, to the extent permitted by Data Protection Legislation, inform the Controller of that legal requirement before the Processor responds to the request. 4.3 Take into account the state of the art, the costs of implementation and the nature, scope scope, context and purposes of the processing, processing as well as the risk of varying likelihood and severity of the risk to for the rights and freedoms of natural persons. The technical , and organizational measures taken by the Processor are available at xxxxx://xxxx.xx/en/legal in the current version. 3.4 The Processor shall, where possible, support the Controller with shall implement appropriate technical and organizational organisational measures to enable ensure a level of security appropriate to the risk. 4.4 Take account in assessing the appropriate level of security the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 4.5 Have in place appropriate technical and organisational security measures, reviewed and approved by the Controller, to protect the personal data provided or made available by the Controller to comply with the data subject rights under Chapter III of the GDPR within the legal time limits and shall provide the Controller with the necessary information to do so upon the Controller's request, provided that the Processor has such informationin the context of this agreement, as required under the Data Protection Legislation. If a subject submits a request to Further details, including the minimum standard of security protection, are set out in Appendix 1 of this agreement. 4.6 For the avoidance of doubt, nothing within this agreement relieves the Processor to exercise of its own direct responsibilities and liabilities under the data subject rights, the Processor shall be obliged to forward the request to the Controller if the request relates to Data Processing by the ControllerUK GDPR. 3.5 The Processor shall support the Controller in the performance of the obligations incumbent upon the Controller pursuant to Art. 32 to 36 of the GDPR, which shall include, but not be limited to, the implementation of security measures, the notification of data protection breaches and, where applicable, the preparation of a data protection impact assessment. 3.6 The Processor shall delete the personal data of the Data Processing after the expiry of the retention periods provided for in the Main Agreement and/or without delay at the request of the Controller. If the Controller expressly requests this, the personal data shall be returned to the Party. Statutory retention periods remain unaffected by this. 3.7 The Processor is obliged to provide the Controller with information at the latter's request in order to demonstrate compliance with the obligations pursuant to Art. 28 of the GDPR. The Processor shall support the Controller in verifying the Data Processing and shall grant the Controller access to the documents and technical systems necessary for verifying the Data Processing in accordance with Section 5 of this DPA. 3.8 To the extent permitted by law, the Processor shall inform the Controller about control actions and measures taken by the supervisory authorities insofar as they relate to the Controller's Data Processing operations.

Obligations of the Processor. 3.1 1. The Processor undertakes hereby declares that it has the infrastructure, resources, experience, knowledge and qualified personnel, to carry out Data Processing exclusively the extent enabling the proper execution of the Agreement, in accordance with applicable laws. In particular, the Processor declares that it is familiar with the principles of processing and securing personal data resulting from: 1) GDPR; 2) the applicable national regulations. 2. The Processor is obliged to: 1) process entrusted personal data only on the basis of the Agreement and process the personal data only on the documented instructions from of the Controller. If , unless this is required by law to which the Processor considers an instruction of is subject . In a situation where the Controller Processor's obligation to be unlawfulprocess personal data arises from legal provisions, the Processor shall inform the Controller by electronic means of this legal requirement, unless that law prohibits such information due to important public interest considerations; 2) process entrusted personal data in accordance with the Regulation, regulations adopted to enable the Regulation to be entitled applied, other applicable legal provisions, the Agreement and the Controller’s instructions; 3) grant access to suspend the implementation entrusted personal data only to persons who, due to the scope of their tasks, have been authorized by the Processor to process them, and have undertaken to maintain the confidentiality of the relevant instruction until it is confirmed or amended by the Controller.processed data; 3.2 The Processor shall be obliged to treat confidentially any personal data of which it becomes aware in connection with the Data Processing. The Processor shall impose a confidentiality obligation on all persons authorized by it to process the data, unless they are already subject to a statutory duty of confidentiality. The obligation of confidentiality and non-disclosure shall continue to apply after termination of this DPA. 3.3 The Processor shall take all necessary 4) implement appropriate technical and organizational measures within the meaning of Art. 32 of the GDPR. These technical and organizational measures are data security measures to ensure a level of protection security appropriate to the risk with regard to confidentiality, integrity, availability and of violating the resilience rights or freedoms of individuals whose personal data will be processed under the Agreement (Article 32 of the systems. They shall take into account GDPR) and to ensure the state implementation of principles of data protection by design and data protection by default (specified in Article 25 of the artGDPR); 5) maintain documentation describing the processing of data by the Processor, including, in particular, the costs record of implementation and the nature, scope and purposes processing activities (Article 30 of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. The technical and organizational measures taken by the Processor are available at xxxxx://xxxx.xx/en/legal in the current version.GDPR); 3.4 The Processor shall, where possible, support 6) immediately notify the Controller with appropriate technical and organizational measures to enable the Controller to comply with the of any violation of personal data subject rights under Chapter III of the GDPR within the legal time limits and shall provide the Controller with the necessary information to do so upon the Controller's request, provided that the Processor has such information. If a subject submits a request to the Processor to exercise the data subject rights, the Processor shall be obliged to forward the request to the Controller if the request relates to Data Processing by the Controller.protection; 3.5 The Processor shall 7) support the Controller in the performance of the obligations incumbent upon duties specified in art. 32-36 GDPR taking into account the nature of processing and the information available to the Processor; 8) taking into account the nature of the processing support the Controller pursuant to Art. 32 to 36 (through the application of appropriate technical and organizational measures) in the fulfilment of the GDPR, which shall include, but not be limited to, the implementation of security measures, the notification obligation to respond to requests of data protection breaches and, where applicable, subjects in the preparation exercise of a data protection impact assessment. 3.6 The Processor shall delete the personal data their rights set out in Chapter III of the Data Processing after the expiry of the retention periods provided for in the Main Agreement and/or without delay at the request of the Controller. If Regulation; 9) make available to the Controller expressly requests thisupon request, the personal data shall be returned to the Party. Statutory retention periods remain unaffected by this. 3.7 The Processor is obliged to provide the Controller with no later than within 30 working days, all information at the latter's request in order necessary to demonstrate the Processor’s compliance with the obligations pursuant set forth in the applicable law, in particular the Regulation, including information on the safeguards used, identified risks and incidents in the area of personal data protection; 10) immediately notify the Controller if, in its opinion, the instruction violates this Regulation or other Union or Member State data protection provisions; 11) without undue delay inform (if it does not lead to Art. 28 violation of the GDPR. The Processor shall support applicable law) the Controller of any proceedings, in verifying particular administrative or judicial ones, concerning the Data Processing processing of personal data by the Processor, any administrative decision or rulings concerning the processing of personal data entrusted to 12) inform Controller of any controls and shall grant inspections regarding the Controller access processing of personal data entrusted to the documents Processor, in particular those carried out by the supervisory authority, as well as any complaints from data subjects related to the processing of their personal data; 13) store personal data only for as long as designated by the Controller, and technical systems necessary for verifying the Data Processing without undue delay update, correct, modify, anonymize, limit processing or delete personal data in accordance with Section 5 the Controller’s instructions (if such action would result in the inability to continue implementation of this DPA. 3.8 To the extent permitted by lawprocessing activities, the Processor shall will inform the Controller about control actions prior to taking such action, and measures taken then follow the Controller’s instructions); 14) return or delete in a permanent manner, upon the termination, expiration or termination of this Agreement, all personal data provided by the supervisory authorities insofar as they relate Controller and delete existing copies, unless Union, Member State law or state law to which the Controller's Data Processing operationsProcessor is subject in the United States of America, requires storage of the personal data.