Data Processing Agreement

This Data Processing Agreement ("DPA") is incorporated by reference in your Tinkit Partner Agreement: Terms of Service (the "Agreement"). Capitalized terms used in this DPA shall have the meaning given in the Agreement. Direct all inquiries concerning this DPA to

1. Definitions

2. Processing of Personal Data

2.1 Scope of Processing. Customer use Services to transmit, store or process data which may include Personal Data. Tinkit will not review, share, distribute nor reference any such Customer Data except as required by law or as provided in the Agreement and/or Addendum in place with Partner. Customer is responsible for maintaining the security and confidentiality regarding accounts and access to Services as well as encrypting Personal Data that may be stored on or transmitted to/from the Services.

2.2 Roles of the Parties. Roles of the Parties. The parties acknowledge and agree that regarding the Processing of Personal Data, Customer is the Data Controller and/or Data Processor when referring primarily to Customer Data within the Services. Customer is Data Controller or Data Processor and Tinkit is Data Processor or Sub-Processor when referring to Personal Data used as meta data to setup, maintain and deliver Services. Details and references per Service are to be found in Privacy Policy.

2.3 Customers Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions to Tinkit for the Processing of Personal Data shall comply with Data Protection Laws and Regulations at all times. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. If Tinkit becomes aware of any non-compliance with Data Protection Laws and Regulations, Tinkit shall immediately inform the Partner.

2.4 Tinkits Processing of Personal Data. Tinkit shall only Process Personal Data on behalf of and in accordance with Customers instructions and shall treat Personal Data as Confidential Information. Customer guarantees that all instructions to Tinkit is in accordance with Data Protection Laws and Regulations.

2.5 Details of the Processing. In the Customer Agreement, if required by law, details of the Processing will be specified, e.g. the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects.

3. Rights of Data Subjects

3.1 Correction, Blocking and Deletion. To the extent Customer, in its use of the Services, does not have the ability to correct, amend, block or delete Personal Data, as required by Data Protection Laws and Regulations, Partner shall comply with any commercially reasonable request by Customer to facilitate such actions. Should Partner not have the ability to perform any of above mentioned actions, Tinkit shall comply with any commercially reasonable request by Partner to facilitate such actions to the extent Tinkit is legally permitted to do so. If legally permitted, Partner shall be responsible for any costs arising from Tinkit’s provision of such assistance.

3.2 Data Subject Requests. Tinkit shall, to the extent legally permitted, promptly notify Partner if it receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. Tinkit shall not respond to any such Data Subject request without Partner’s prior written consent except to confirm that the request relates to Partner to which Partner hereby agrees. Tinkit shall provide Partner with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent Partner does not have access to such Personal Data through its use of the Services. If legally permitted, Partner shall be responsible for any costs arising from Tinkit’s provision of such assistance.

4. Tinkit Personnel and Visitors

4.1 Confidentiality. Tinkit shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Tinkit shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

4.2 Reliability. Tinkit shall take commercially reasonable steps to ensure the reliability of any Tinkit personnel engaged in the Processing of Personal Data.

4.3 Limitation of Access. Tinkit shall ensure that Tinkits access to Personal Data is limited to those personnel performing services in accordance with an agreement with the Customer.

4.4 Visitors. The Customers personnel visiting the Tinkit premises shall always be escorted by Tinkit personnel or shall wear identity cards with photo to ensure visual identification. Customer shall ensure that such visiting personnel are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Customer shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

5. Sub-processors

5.1 Appointment of Sub-processors. Customer acknowledges and agrees that (a) Tinkits Affiliates may be retained as Sub-processors; and (b) Tinkit and Tinkits Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.

5.2 Objection Right for New Sub-processors. In order to exercise its right to object to Tinkits use of a new Sub-processor, Customer shall notify Tinkit promptly in writing within ten (10) business days after receipt of Tinkits notice in accordance with the mechanism set out in Section 5.2. In the event Customer objects to a new Sub-processor, and that objection is not unreasonable, Tinkit will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customers configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Tinkit is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Services with respect only to those Services which cannot be provided by Tinkit without the use of the objected-to new Sub-processor by providing written notice to Tinkit. Tinkit will refund Customer any prepaid fees covering the remainder of the term of such Services following the effective date of termination with respect to such terminated Services.

5.3 Liability. Tinkit shall be liable for the acts and omissions of its Sub-processors to the same extent Tinkit would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.

6. Security

6.1 Controls for the Protection of Personal Data. Tinkit shall maintain administrative, physical and technical safeguards for protection of the security (including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage), confidentiality and integrity of Customer Data, including Personal Data.

6.2 Audits. Upon Customers request, and subject to confidentiality obligations set forth in the agreement between the parties, Tinkit shall make available to Customer that is not a competitor of Tinkit (or Customers independent, third-party auditor that is not a competitor of Tinkit) information regarding the Tinkits compliance with the obligations set forth in this Agreement. Customer may request an on-site audit of the architecture, systems and procedures relevant to the protection of Personal Data at locations where Personal Data is stored. Customer shall reimburse Tinkit for any time expended by Tinkit or its third-party Sub-processors for any such onsite audit at the Tinkits then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Tinkit shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the sources expended by Tinkit, or its third-party Sub-processors. Customer shall promptly notify Tinkit with information regarding any non-compliance discovered during the course of an audit.

7. Security Breach Management and Notification

Tinkit maintains security incident management policies and procedures and shall, to the extent permitted by law, promptly notify Customer of any actual or reasonably suspected unauthorized disclosure of Customer Data, including Personal Data, by Tinkit or its Sub-processors of which Tinkit becomes aware (a Security Breach). To the extent such Security Breach is caused by a violation of the requirements of this Agreement by Tinkit, Tinkit shall make reasonable efforts to identify and remediate the cause of such Security Breach.

8. Deletion of Customer Data

8.1 Customer Data in Services. Customer may at it’s sole discretion delete Services via the Control Panel. After such deletion Tinkit may retain Customer Data in limbo for a period of time, which shall not exceed thirty (30) days before permanently deleting the Customer Data. To the extend Customer is not able to delete certain Services via the Control Panel, Tinkit shall, after request and within reasonable time, assist Customer to delete the Services and the Customer Data.

8.2 Customer Data in Backups. Backup data are only kept for a limited and specified time, which may vary from for different Services, and if the Customer Data is part of such backup Tinkit is allowed to wait with deletion up to the standard deletion of such backup. This deletion cycle may never exceed ninety (90) days unless specifically agreed upon in writing between the parties.

9. Additional Terms

9.1 Change in Data Protection Laws and Regulations. The Parties agree that any changes in the Data Protection Laws and Regulations that have an effect on the services under this Agreement shall immediately after coming into force be implemented into and part of this Agreement and Tinkit is responsible for informing the Customer about such changes and distribute the amended wording of this Agreement.

9.2 General co-operation. The parties shall assist each other in ensuring compliance with the obligations in the Data Protection Laws and Regulations of the respective parties.

9.3 Terms of Service. The Tinkit Terms of Service will apply for all other aspects of the relation between Tinkit and Customer, than the specific regulation of Data processing in this Agreement.

10. Indemnity and Limitation of Liability

10.1 Indemnity. The Customer and Tinkit, shall indemnify each other for any third party claim caused by the other partys breach of this Agreement.

10.2 Limitation of liability. Neither party shall in any event be liable to the other party under this Agreement for loss of production, loss of use, loss of business, loss of data or revenue or for any special, indirect, incidental or consequential damages, whether or not the possibility of such damages could have been reasonably foreseen.

Revision 04/10/2018