Data Processing Agreement

1. Definitions
The following capitalized terms hadve the following meanings:

Agreement: means any (online) agreement and/or order form, including Appendices to
it, between Solvimon and Customer;

AP: the Dutch supervisory authority Autoriteit Persoonsgegevens;

Customer: means a party that uses Services provided by Solvimon;

DPA: this agreement (including annexes), which forms part of the Agreement;

GDPR: The General Data Protection Regulation;

Personal Data Breach: a breach of the security of Personal Data that inadvertently or
unlawfully leads to the destruction, loss, modification or unauthorized disclosure of or
unauthorized access to transmitted, stored or otherwise processed data;

Personal Data: all data that can be traced directly or indirectly to a natural person as
referred to in Article 4 GDPR as set out in Annex A that may be processed in the context
of the Agreement and this DPA and may be processed including the personal data as
referred to in Annex A, for the purposes set therein;

to Process: to process Personal Data as referred to in Article 4 GDPR;

Processing: the processing of Personal Data by the Data Processor for the Data
Controller based on the Agreement;

Services: the Services provided by Solvimon to the Customer under the Agreement.

Sub-Processor: a data processor assigned by Solvimon to perform part of the Services
offered by Solvimon to Customer where it involves the Processing of Personal Data for
Customer, in its capacity of Controller.

2. Data Controller and Data Processor of Personal Data

Solvimon shall process Personal Data on behalf of Customer in the execution of the
Agreement. The provisions of Agreement shall apply in full to the DPA.

Customer remains the responsible Controller for the Processing of Personal Data in
accordance with the instructions to Solvimon under the Agreement, this DPA and any
other (additional) instructions.

Customer has instructed Solvimon, in its capacity as Processor, and will continue to
instruct Solvimon, for the duration of the commissioned data processing, to only process
the Personal Data for the benefit of Customer and in accordance with the GDPR, the
Agreement, this DPA and the instructions of Customer.

Customer is entitled and obliged to instruct Solvimon regarding the Processing of the
Personal Data, both in general and in individual cases. Instructions may also relate to the
rectification, deletion and blocking of Personal Data. Instructions are generally provided
in writing or by email, unless the urgency or other specific circumstances require a
different (for example verbal or electronic) form. Non-written or e-mailed instructions must be confirmed by Customer in writing or by e-mail without delay. Insofar as the
execution of an instruction leads to costs for Solvimon, Solvimon will first inform the
Customer of these costs. Only after Customer has confirmed that the costs for the
execution of an instruction are for his account, will Solvimon follow and execute such

Solvimon, in its capacity of Processor, shall only process Personal Data for the activities
mentioned in this SPA deriving from the Agreement. Solvimon shall not make use of the
Personal Data in any other way unless Customer has given explicit and written
permission otherwise, or a statutory provision obliges Solvimon to do so. In that case,
Solvimon shall inform Customer, before the Processing takes place, of the statutory
provision, unless such a process is not permitted by this legislation.

3.  General duty of care Data Processor
Solvimon, in its capacity of Processor, must ensure compliance with this DPA and the
statutory rules (such as the GDPR) that apply to a Processor. If Customer so requests,
Solvimon shall inform Customer of the actions and measures taken by Solvimon within
the framework of this general duty of care. More specifically Solvimon will Process the
Personal Data exclusively in accordance with the instructions of Customer and on behalf
of Customer and/or, when and where applicable, inform Customer without undue delay
if Solvimon cannot comply with said instructions for any reason.

4. Technical and organizational measures
Solvimon shall take appropriate technical and organizational measures to secure the
Personal Data against loss or unlawful Processing. Solvimon must ensure that the
security level sufficiently addresses the risks. These measures will take into account the
current state of technology and the costs of the security measures.

Solvimon shall in any case take measures to protect the Personal Data against
destruction, against accidental and intentional loss, forgery, unauthorized distribution or
access, or against any other form of unlawful Processing.

Solvimon shall, upon request, provide a document which includes the technical and
organizational measures taken by Solvimon. This document shall in this case form part of
the current Agreement and will be included as an attachment.

5. Confidentiality
Solvimon shall have all authorized individuals who are involved in the execution of the
Agreement, and as such are authorized by Solvimon to Process the Personal Data for
Customer sign a confidentiality agreement - whether resulting from or included in the
employment contract with those individuals - which states that these individuals must
observe confidentiality with regard to the Processing of the Personal Data. Solvimon
shall take all necessary measures, such as screening of employees and security of data
carriers, to ensure that confidentiality is maintained.

6. Data processing outside the European Economic Area (EEA)
Processing of Personal Data outside the EEA shall only take place with due observance
of the applicable legal obligations and/or with the prior written consent of Customer.

7. Sub-processors
Solvimon is permitted to make use of Sub-Processers in the framework of the
Agreement, including this DPA. In such an event Solvimon shall inform Customer of this
instigation. If the Customer has reasonable grounds to object to this instigation of a Sub-
Processor, Customer must oppose in writing, within 14 days following receipt of said
notification. In such an event Solvimon will undertake reasonable efforts to propose a
suitable alternative, unless the severity of a Data Breach urges and obliges Solvimon to
relocate and transfer the Personal Data immediately and, thus within a 14-day period, to
a different Sub-Processor.

Solvimon shall obligate each Sub-Processor to fulfill the confidentiality obligations,
notification obligations and security measures in relation to the Processing of Personal
Data, which obligations and measures must at least comply with the provisions of this

8. Liability
All liability arising from or in connection with this DPA follows and is exclusively
governed by, the liability provisions set out in, or otherwise applicable to, the

9. Infringement in connection with Personal Data (Data Breach)
If Solvimon is informed of a Data Breach, Solvimon shall (i) inform the Controller without
undue delay of the existence of the Data Breach and (ii) take all reasonable measures to
limit or prevent (further) violation of the GDPR. When taking the aforementioned
measures, Solvimon shall, where possible, refrain from taking measures that are
irreversible and/or seriously impede an investigation into the causes of the Data Breach.

Solvimon shall offer cooperation and support to Customer in the performance of its legal
obligations with respect to the identified incident.

Solvimon shall offer technical support to Customer with regards to the reporting
obligation with respect to the Personal Data Breach with the AP and/or the person
concerned, as referred to in Article 33 paragraph 3 and 34 paragraph 1 GDPR. Solvimon
shall refrain from independently submitting a notification of infringement related to
Personal Data to the AP and/or the Data Subject.

10. Assistance to Data Controller
Solvimon will inform the Controller without undue delay:

of its intention to appoint and use different and/or additional Sub-Processors in the
framework of the Agreement and the DPA,

of any legally binding request for the provision of the Personal Data by a law
enforcement agency, unless this notification is otherwise prohibited, such as in case of a
criminal or tax law prohibition to preserve the confidentiality of a law enforcement

of complaints and requests received directly from the Data Subjects (such as complaints
and requests for access, rectification, removal, limitation of processing, data transferability, objection to processing of data, automated decision-making) without
going into that request, unless he otherwise authorized to do so;

Solvimon shall support Customer, as far as reasonably possible, in fulfilling its duty under
the GDPR to carry out a Data Protection Impact Assessment (articles 35 and 36 GDPR).

Solvimon shall provide the Customer with all information necessary to demonstrate that
Solvimon complies with its obligations under the GDPR. In addition, at the request of
Customer, Solvimon will make and contribute to audits, including inspections, by
Customer or a party authorized by Customer. The Customer shall inform Solvimon in
time if, and when, he will make use of this audit right. The number of audits is limited to a
maximum of one per year.

Solvimon may charge any reasonable costs for the assistance referred to in this article to

11. Termination & Miscellaneous
Regarding the termination of this DPA, the specific provisions of the Agreement apply.
Without prejudice to the specific provisions of the Agreement, Solvimon will delete or
return all Personal Data at the first request of Customer, and delete existing copies,
unless Solvimon is otherwise legally obliged to store Personal Data.

The Customer will be responsible to adequately inform Solvimon about (legal) retention
periods that apply to the Processing of the Personal Data for Processors. Solvimon will
not Process the Personal Data for longer than to the predefined retention periods.

The obligations arising from this DPA which by their nature are intended to survive
termination shall also remain in force after termination of this DPA.

This DPA is governed by the laws of the Netherlands. All disputes arising from the
performance of this DPA shall be submitted to the competent judge or arbitrator as
agreed upon in the Agreement.