A data processing agreement as intended in EU 2016/679, Art 28
Data protection appendix for contract structure between Customer / Data Controller and Apix Messaging Oy / Data Processor
1 The general rights and obligations of the Parties
The Customer shall act as a data controller in accordance with the applicable data protection legislation (“Data Controller” or “Customer”) with regard to the Customer’s customers’ or employees’ or other persons’ personal data processed by Apix Messaging Oy as service provider of Apix Messaging Service (“Customer’s Personal Data”). The Data Controller shall be responsible for the Customer’s Personal Data and for ensuring that they are legally processed pursuant to the applicable data protection legislation. The Data Controller shall be responsible for all required measures and acquire, secure and maintain all rights, agreements and authorizations that the Data Processor (“Processor” or “Supplier”) requires in order to implement the Apix Messaging Service (“Service”) without breaching any laws or third-party rights.
2 Data Controller’s instructions
The Data Processor shall ensure that it will process the Customer’s Personal Data on behalf of the Data Controller pursuant to the applicable data protection legislation and as required in order to provide the Service. The Customer’s Personal Data shall be processed according to the Data Controller’s instructions. The Data Controller shall ensure that the instructions are described in detail at the time that this Data Protection Appendix enters into force. If the Data Controller later provides the Data Processor with additional instructions on the processing of the Customer’s Personal Data, the Processor shall have the right to charge for the resulting additional costs and work that are required in order to comply with the instructions provided. If the Data Processor shall not be able to comply with the instructions provided, the Data Processor shall immediately notify the Data Controller of this and the parties together shall attempt to solve the issue in an appropriate manner. If the issue cannot be solved within one (1) month, each party shall have the right to cancel the agreement with a notice period of two (2) months.
3 Development of the Service
Irrespective of the above, the Supplier shall have the right to use data created in connection with the Service provided and the processing of the Customer’s Personal Data for the development, analysis and assessment of the Supplier’s operations as well as statistical purposes. For these purposes, the Customer’s Personal Data are anonymized to the degree necessary for meeting the Supplier’s confidentiality obligation. The Customer may also grant the Supplier in writing a more extensive right to process the Customer’s Personal Data. The parties are aware that the processing referred to herein may result in obligations both for the Customer and the Supplier, such as the obligation to notify the persons to whom the Customer’s Personal Data refer of the processing.
4 Confidentiality of data processing
The Data Processor shall keep the Customer’s Personal Data confidential and ensure that the persons authorized to process the Customer’s Personal Data are committed to confidentiality or subject to an applicable statutory confidentiality obligation.
5 Data protection
Proper technological and organizational measures have been employed in order to ensure that the Customer’s Personal Data remain confidential, intact and accessible. Unrestricted by the above, the Processor may change its own data security procedures as long as the changes are not detrimental to general data security.
6 Notification of a personal data breach
The Processor shall inform the Data Controller of any data protection breaches of the Customer’s Personal Data without delay and in any case no later than 48 hours from the time the breach was detected, if possible. The Data Processor shall provide the Data Controller with the available data that are required to meet the Data Controller’s duty to notify. The Data Processor shall remedy and limit the effects of the breach to the best of their ability.
7 The rights of the data subject
Upon request and subject to commercially acceptable terms and conditions, the Data Processor shall help the Data Controller to implement the rights of a data subject and to meet the obligations pursuant to the data protection legislation. The rights of a data subject have been implemented in accordance with the Data Processing Policy Appendix.
8 The compliance with the applicable data protection legislation
Upon request, the Data Processor shall provide a required report on compliance with the applicable data protection legislation.
9 Retention of personal data
Once it is no longer necessary to process the Customer’s personal data in accordance with this agreement, the Supplier shall provide the Customer with a technological option to copy the Customer’s personal data stored in the service. Upon the Customer’s request, the Supplier shall destroy the Customer’s Personal Data and notify the Customer of the destruction of the data unless the personal data need to be stored due to legislation.
The Data Processor may use subcontractors (“Subcontractor” or “Sub-processor”) to process the Customer’s Personal Data in accordance with this Appendix. The Data Processor shall notify the Data Controller before the Subcontractor begins the processing. Subcontractors are listed in a separate Subcontractor Appendix, www.apix.fi/gdpr/en/subcontractors, which shall be updated by the Data Processor if needed. The Data Controller shall have the right to object to the planned change in writing on justified grounds pertaining to data protection within two (2) weeks of receiving the notification. In this case, the Data Processor shall continue the processing subject to the agreed terms and conditions until (i) both parties have agreed to end the processing and to return the Customer’s Personal Data to the Data Controller, or (ii) both parties have agreed on a way to continue the processing and on the related costs.
11 Transfer of personal data
The Data Controller shall agree that the Processor may, in order to implement the terms and conditions of this Appendix and to provide the Service, hand over the processing of and make available the Customer’s Personal Data to Subcontractors that are located outside of the Data Controller’s country of origin. If the Customer’s Personal Data are transferred outside of the EU or the EEA, the Data Processor shall, on behalf of the Data Controller, carry out the proper protective measures to guarantee and secure the data subjects’ rights and privileges in accordance with the requirements of the applicable data protection legislation. For instance, the Data Processor may, on behalf of the Data Controller, make an agreement in accordance with the standard data protection clauses approved by the European Commission on the processing of personal data with a Subcontractor located outside of the EU or the EEA in order to meet the requirements of the applicable data protection legislation.
12 Inspection right of the data subject
Pursuant to the data protection legislation, a data subject shall have the right to access the data (inspection rights), to request the correction or removal of data or to limit the processing of the data. The Supplier shall not directly respond to queries or requests by data subjects included in the Customer’s personal file. The Supplier shall provide the Customer with a service that makes it possible to implement the inspection right. The service may be subject to a service charge.
13 Audit right of the Customer
The Customer has the right to audit the Personal Data Processes of the Data Processor as described in this Appendix. The Customer shall only use external auditors who are not competitors of the Data Processor. The Parties shall agree well in advance on the timing and other details relating to the audit. The audit shall be performed in a manner that does not harm obligations between the Data Processor and a third party. All representatives of the Customer and all external auditors shall sign a conventional non-disclosure agreement for the benefit of the Data Processor. The Customer shall cover all costs arising from the audit. The Data Processor shall have the right to charge for supporting the audit and for other additional work resulting from the audit.