Telephony Voice AI Agent

Last updated: December 17, 2025

Data Processing Addendum

THIS DATA PROCESSING ADDENDUM (“DPA”) is entered into as of the effective date of the Agreement by and between: (1) Leliuga, MB (“Leliuga”); and (2) the other person who is a counterparty to the Agreement (as defined below) into which this DPA is incorporated and forms a part (“Customer”), together the “Parties” and each a “Party”. Unless otherwise defined in this DPA, all capitalized terms in this DPA shall have the meaning given to them in the Agreement.

1. INTERPRETATION

  • In this DPA the following terms shall have the meanings set out in this Section 1, unless expressly stated otherwise:

  • “Addendum Effective Date” means the effective date of the Agreement.

  • “Agreement” means Leliuga's Services Agreement under which Leliuga has agreed to provide services to Customer entered into by and between the Parties.

  • “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CPRA”), and any binding regulations promulgated thereunder.

  • “Controller” means the entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, including, as applicable, any “business” as that term is defined by the CCPA.

  • “Data Subject Request” means the exercise by a Data Subject of its rights in accordance with Data Protection Laws in respect of Customer Personal Data and the Processing thereof.

  • “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.

  • “EEA” means the European Economic Area.

  • “FADP” means the Swiss Federal Act on Data Protection of 25 September 2020, including its implementing ordinances.

  • “Personal Data Breach” means an actual breach of Leliuga's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Leliuga's possession, custody or control. For clarity, Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).

  • “Personnel” means a person's employees, agents, consultants or contractors.

  • “Processor” means the entity that Processes Personal Data on behalf of the Controller, including, as applicable, any “service provider” as that term is defined by the CCPA.

  • “Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission (an “EU Restricted Transfer”); and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), which would be prohibited without a legal basis under Chapter V of the GDPR.

  • “SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.

  • “Service Data” means any data relating to the use, support and/or operation of the Services, which (i) is collected directly by Leliuga from and/or about users of the Services and/or Customer's use of the Service for use for its own purposes (certain of which may constitute Personal Data and/or Customer Personal Data), and (ii) has its processing purpose and means determined by Leliuga; for the avoidance of doubt, Service Data may include and/or have overlap with Customer Personal Data (where applicable).

  • “Services” means those services and activities carried out by Leliuga for Customer pursuant to the Agreement.

  • “Sensitive Data” includes without limitation: (I) Social Security numbers or other government-issued identification numbers; (II) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (III) health insurance information; (IV) genetic, biometric, neural or biological information; (V) passwords to any online accounts and account login information; (VI) credentials to any financial accounts; (VII) tax return data; (VIII) any payment card information subject to the Payment Card Industry Data Security Standard; (IX) Personal Data of children or teens; (X) any other information that falls within any special categories of personal data (as defined in GDPR) and/or data relating to criminal convictions and offenses or related security measures; (XI) any bulk U.S. sensitive personal data or U.S. government-related data, in each case as defined in the U.S. Department of Justice's Final Rule on Prohibition on Bulk Data Transfers to Foreign Adversaries (28 C.F.R. Part 202), as amended, or any successor or similar rule, law, or regulation; (XII) racial, ethnic or national origin; religious or philosophical beliefs; mental or physical health condition, diagnosis, history, treatment or other health data; (XIII) mental or physical health condition, diagnosis, history, treatment or other health data; pregnancy; sex life, sexuality or sexual orientation; status as transgender or non-binary; citizenship; citizenship or immigration status; union membership; status as a victim of crime; (XIV) financial information or account number; (XV) contents of a communication to which you were not a party; (XVI) precise location information.

  • “Supervisory Authority” means any entity with the authority to enforce Data Protection Laws, including, (i) in the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner's Office.

  • “UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof.

  • Unless otherwise defined in this DPA, all capitalized terms in this DPA shall have the meaning given to them in the Agreement.

2. SCOPE OF THIS DATA PROCESSING ADDENDUM

The DPA applies generally to Leliuga's Processing of Customer Personal Data under the Agreement. Annex 2 (European Annex) to this DPA applies only if and to the extent Leliuga's Processing of Customer Personal Data under the Agreement is subject to the GDPR. Annex 3 (California Annex) to this DPA applies only if and to the extent Leliuga's Processing of Customer Personal Data on behalf of Customer under the Agreement is subject to the CCPA with respect to which Customer is a “business” (as defined in the CCPA). To the extent that the jurisdiction of the Customer is not located in the EEA, UK or Switzerland, the SCCs as populated in Annex 2 shall be deemed to be amended to remove references to the European Union and its laws and replace such references to the jurisdiction of the Customer and that jurisdiction's applicable Data Protection Laws.

3. PROCESSING OF CUSTOMER PERSONAL DATA

Leliuga shall not Process Customer Personal Data other than on Customer's instructions, to provide the Services, or as required by applicable laws. Customer instructs Leliuga to Process Customer Personal Data as necessary to provide the Services to Customer under and in accordance with the Agreement.

The Parties acknowledge and agree that the details of Leliuga's Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.

For the avoidance of doubt, Leliuga is entitled to process the Service Data as a Data Controller. Some details of such processing under such capacity are set forth under Section 13 (Service Data).

4. LELIUGA PERSONNEL

Leliuga shall take commercially reasonable steps designed to ascertain the reliability of any Leliuga Personnel who Process Customer Personal Data, and shall enter into written confidentiality agreements with all Leliuga Personnel who Process Customer Personal Data that are not subject to professional or statutory obligations of confidentiality.

5. SECURITY

Leliuga shall implement and maintain technical and organizational measures in relation to Customer Personal Data described in Annex 4 (Data Security Measures) (the “Security Measures”), which are designed to protect Customer Personal Data against a Personal Data Breach.

Leliuga may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.

6. SUB-PROCESSING

Customer generally authorizes Leliuga to appoint Sub-Processors in accordance with this Section 6.

Leliuga may continue to use those Sub-Processors already engaged by Leliuga as at the date of this DPA (as those Sub-Processors are shown, together with their respective functions and locations, in the Sub-Processor list shown in Annex 3 (the “Sub-Processor List”)).

Leliuga shall give Customer prior notice of the appointment of any proposed Sub-Processor, including reasonable details of the Processing to be undertaken by the Sub-Processor, by updating the effective date of the Sub-Processor List. If, within ten (10) days of the date of update, Customer notifies Leliuga in writing of any objections (on reasonable grounds) to the proposed appointment:

Leliuga shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services, which avoids the use of that proposed Sub-Processor; and

  • where: (i) such a change cannot be made within thirty (30) days from Leliuga's receipt of Customer's notice; (ii) no commercially reasonable change is available; and/or (iii) Customer declines to bear the cost of the proposed change, then either Party may by written notice to the other Party with immediate effect terminate the Agreement, either in whole or to the extent that it relates to the Services which require the use of the proposed Sub-Processor, as its sole and exclusive remedy.

  • If Customer does not object to Leliuga's appointment of a Sub-Processor during the objection period referred to in Section 3, Customer shall be deemed to have approved the engagement and ongoing use of that Sub-Processor.

  • With respect to each Sub-Processor, Leliuga shall maintain a written contract between Leliuga and the Sub-Processor that includes terms which offer at least a level of protection for Customer Personal Data substantially similar to those set out in this DPA (including the Security Measures). Leliuga shall remain liable for any breach of this DPA caused by a Sub-Processor to the same extent as Leliuga would have been had it performed the Processing itself.

7. DATA SUBJECT RIGHTS

Leliuga, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance as may be reasonably necessary and technically feasible to assist Customer in fulfilling its obligations to respond to Data Subject Requests, to the extent required by Data Protection Laws. If Leliuga receives a Data Subject Request, Customer will be responsible for responding to any such request.

If required by Data Protection Laws, Leliuga shall:

  • promptly notify Customer if it receives a Data Subject Request; and

  • not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except on the written instructions of Customer or as required by Data Protection Laws.

Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Leliuga (at Leliuga's then-current professional services rates) for Leliuga's cooperation and assistance provided to Customer under this Section 7, and shall on demand reimburse Leliuga any such costs incurred.

8. PERSONAL DATA BREACH

Leliuga shall notify Customer without undue delay upon Leliuga's determination that a Personal Data Breach has occurred affecting Customer Personal Data. Leliuga shall provide Customer with information (insofar as such information is within Leliuga's possession and knowledge and does not otherwise compromise the security of any Personal Data Processed by Leliuga) to provide reasonable assistance to Customer in meeting its obligations under the Data Protection Laws to report the Personal Data Breach. Leliuga's notification of or response to a Personal Data Breach shall not be construed as Leliuga's acknowledgement of any fault or liability with respect to the Personal Data Breach.

Leliuga shall reasonably co-operate with Customer and take such commercially reasonable steps to assist in the investigation of any such Personal Data Breach.

Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breaches.

If Customer determines that a Personal Data Breach must be notified to any Supervisory Authority, any Data Subject(s), the public or others under Data Protection Laws, to the extent such notice directly or indirectly refers to or identifies Leliuga, where permitted by applicable laws, Customer agrees to:

  • notify Leliuga in advance; and

  • in good faith, consult with Leliuga and consider any clarifications or corrections Leliuga may reasonably recommend or request to any such notification, which: (i) relate to Leliuga's involvement in or relevance to such Personal Data Breach; and (ii) are consistent with applicable laws.

9. RETURN AND DELETION

Subject to Sections 2 and 9.3, upon the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), Leliuga shall promptly cease all Processing of Customer Personal Data for any purpose other than for storage or as otherwise permitted or required under this DPA.

Subject to Section 4, to the extent technically possible in the circumstances (as determined in Leliuga's sole discretion), on written request to Leliuga (to be made no later than ten (10) days after the Cessation Date (“Post-cessation Storage Period”)), Leliuga shall within thirty (30) days of such request:

  • return a complete copy of all Customer Personal Data within Leliuga's possession to Customer by secure file transfer, promptly following which Leliuga shall delete or anonymize all other copies of such Customer Personal Data; or

  • either (at its option) delete or anonymize all Customer Personal Data within Leliuga's possession.

  • In the event that during the Post-cessation Storage Period, Customer does not instruct Leliuga in writing to either delete or return Customer Personal Data pursuant to Section 2, Leliuga shall promptly after the expiry of the Post-cessation Storage Period either (at its option) delete, or render anonymous, all Customer Personal Data then within Leliuga's possession to the fullest extent technically possible in the circumstances.

  • Leliuga may retain Customer Personal Data where permitted or required by applicable law, for such period as may be required by such applicable law, provided that Leliuga shall:

  • maintain the confidentiality of all such Customer Personal Data; and

  • Process the Customer Personal Data only as necessary for the purpose(s) specified in the applicable law permitting or requiring such retention.

For the avoidance of doubt, Leliuga may continue to process information derived from Customer Personal Data that has been anonymized and/or aggregated such that the processed data is no longer considered Personal Data, for the purpose of improving Leliuga's systems and services.

10. AUDIT RIGHTS

Upon Customer's request, Leliuga shall make available to Customer, or a third-party auditor instructed by Customer, once a year, information regarding Leliuga's compliance with this DPA and Data Protection Laws.

In the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Leliuga is not sufficient in the circumstances to demonstrate Leliuga's compliance with this DPA, Leliuga shall allow for and contribute to audits, including on-premise inspections, by Customer or an auditor mandated by Customer in relation to the Processing of Customer Personal Data by Leliuga.

Prior to conducting any audit, Customer must submit a detailed proposed audit plan providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Leliuga will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Leliuga's security, privacy, employment or other relevant policies). Leliuga will work cooperatively with Customer to agree on a final audit plan. Before any information or audit is provided, the Parties shall mutually agree on the scope, timing, and duration of such audit. The Customer shall ensure that each of its mandated auditors uses its best efforts to avoid causing any disruption to Leliuga's equipment, personnel, data, and business (including any interference with the confidentiality or security of the data of Leliuga's other Customers or the availability of Leliuga's Service to such other Customers). Customer shall bear all the costs associated with the audit.

If the controls or measures to be assessed in the requested audit are assessed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer's audit request (“Audit Report”) and Leliuga has confirmed in writing that there have been no known material changes in the controls audited and covered by such Audit Report(s), Customer agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures. Leliuga shall provide copies of any such Audit Reports to Customer upon request; provided that they shall constitute the confidential information of Leliuga, which Customer shall use only for the purposes of confirming compliance with the requirements of this DPA or meeting Customer's obligations under Data Protection Laws.

Leliuga may deny the exercise of audit rights: (i) if Customer has not given Leliuga thirty (30) days prior written notice of the intention to carry out any audit; (ii) to any auditor that Leliuga has not approved; (iii) to any individual unless he or she presents reasonable evidence of identity and authority to Leliuga; (iv) if the auditor does not enter into a non-disclosure agreement with Leliuga; (v) where, and to the extent that Leliuga considers the audit performance is capable of constituting a material interference with confidentiality, data security and business hours at the premises in question; (vi) on more than 1 occasion in each period of 12 months, unless in case of an audit performed as a consequence of a Personal Data Breach or that is conducted by a Supervisory Authority; or (vii) where an Audit Report is accepted in lieu of such controls or measures in accordance with Section 10.4.

Nothing in this DPA shall require Leliuga to furnish more information about its Sub-Processors in connection with such audits than such Sub-Processors make generally available to their Customers. Nothing in this Section 10 shall be construed to obligate Leliuga to breach any duty of confidentiality.

11. CUSTOMER'S RESPONSIBILITIES

Customer agrees that, without limiting Leliuga's obligations under Section 5 (Security), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer's systems and devices that Leliuga uses to provide the Services; and (d) backing up Customer Personal Data.

Customer shall ensure:

  • that there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Leliuga of Customer Personal Data in accordance with this DPA and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing) for the purposes of all Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR (where applicable)); and

  • that all Data Subjects have (i) been presented with all required notices and statements (including as required by Article 12-14 of the GDPR (where applicable)); and (ii) provided all required consents, in each case (i) and (ii) relating to the Processing by Leliuga of Customer Personal Data.

  • Customer agrees that the Service, the Security Measures, and Leliuga's commitments under this DPA are adequate to meet Customer's needs, including with respect to any security obligations of Customer under Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.

  • Customer shall not provide or otherwise make available to Leliuga any Sensitive Data.

Except to the extent prohibited by Data Protection Laws, Customer shall compensate Leliuga at Leliuga's then-current professional services rates for, and reimburse any costs reasonably incurred by Leliuga in the course of providing, cooperation, information, or assistance requested by Customer in respect of this DPA (including pursuant to Sections 7, 8, and 10 of this DPA (provided that Leliuga shall bear its own costs in the event that any audit or inspection conducted in accordance with that Section 10 reveals any material non-compliance by Leliuga with this DPA and/or Data Protection Laws), and Paragraph 1 of Annex 2 (European Annex)), in each case, beyond providing self-service features included as a part of the Services.

12. LIABILITY

THE TOTAL AGGREGATE LIABILITY OF EITHER PARTY TOWARDS THE OTHER PARTY, HOWSOEVER ARISING, UNDER OR IN CONNECTION WITH THE AGREEMENT, THIS DPA AND THE SCCS (IF AND AS THEY APPLY) WILL UNDER NO CIRCUMSTANCES EXCEED ANY LIMITATIONS OR CAPS ON, AND SHALL BE SUBJECT TO ANY EXCLUSIONS OF, LIABILITY AND LOSS AGREED BY THE PARTIES IN THE AGREEMENT; PROVIDED THAT, NOTHING IN THIS SECTION 12 WILL AFFECT ANY PERSON'S LIABILITY TO DATA SUBJECTS UNDER THE THIRD-PARTY BENEFICIARY PROVISIONS OF THE SCCS (IF AND AS THEY APPLY).

13. SERVICE DATA

Customer acknowledges that Leliuga may, as a Data Controller, collect, use and disclose Service Data, including Customer Personal Data (where applicable), for its own business purposes, such as:

  • for accounting, tax, billing, audit, and compliance purposes;

  • to test, operate, provide, improve, develop, optimize and maintain the Services. Customer acknowledges that if Customer provides Feedback, e.g.: by using the “star rating”, Leliuga will use such Feedback as well as the associated Input, Content and Output, as Controller, to conduct research or improve the Services;

  • to investigate fraud, spam, wrongful or unlawful use of the Services; and/or

  • as otherwise permitted or required by applicable law.

In respect of any such Processing described in the foregoing paragraphs, Leliuga:

  • independently determines the purposes and means of such Processing;

  • shall comply with Data Protection Laws (if and as applicable in the context);

  • shall Process such Service Data as described in Leliuga's relevant privacy notices/policies, as updated from time to time; and

  • where possible, shall apply technical and organizational safeguards to any relevant Personal Data that are no less protective than the Security Measures.

Customer acknowledges and agrees that the Processing of Service Data, including Customer Personal Data (where applicable), for the purposes set out in Section 13 of this DPA is compatible with the Processing to provide the Services.

14. CHANGE IN LAWS

Leliuga may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Data Protection Laws from time to time, including by varying or replacing the SCCs in the manner described in Paragraph 3.4 of Annex 2 (European Annex).

15. INCORPORATION AND PRECEDENCE

This DPA shall be incorporated into and form part of the Agreement with effect from the Addendum Effective Date.

In the event of any conflict or inconsistency between:

  • this DPA and the Agreement, this DPA shall prevail; or

  • any SCCs entered into pursuant to Paragraph 2 of Annex 2 (European Annex) and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.

Annex 1

Data Processing Details

LELIUGA / 'DATA IMPORTER' DETAILS

Name:

Leliuga, MB

Address:

Taikos pr. 24 - 230, Klaipeda, Lithuania, LT-91222

Leliuga Activities:

Provision of the Services by Leliuga under the Agreement.

Role:

Processor

CUSTOMER / 'DATA EXPORTER' DETAILS

Customer Activities:

Customer's activities relevant to this DPA are the use and receipt of the Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations.

Role:

Controller – in respect of any Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and

Processor – in respect of any Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person (including its affiliates if and where applicable).

Categories of Data Subjects:

Relevant Data Subjects include:

Customer's Staff (as defined below).

Any other natural person whose Personal Data is processed by Customer when using Leliuga's Services.

Where any of the above is a business or organization, it includes their staff, namely, employees and non-employee workers; students, interns, apprentices and volunteers; directors and officers; advisers, consultants, independent contractors, agents and autonomous, temporary or casual workers, together with applicants and candidates for any one or more of the foregoing roles or positions, and other persons that work or provide service for the Customer (including the persons joining in a Team set up or administered by persons designated by the Customer) (collectively, “Staff”).

Each category includes current, past and prospective Data Subjects.

Categories of Personal Data:

Relevant Personal Data includes:

  • Personal details – for example any information that identifies the Data Subject and their personal characteristics, name, age, date of birth, sex, and physical description.

  • Contact details – for example home and/or business address, email address, telephone details and other contact information such as social media identifiers/handles.

  • Authentication details – for example username, password or PIN code, security questions and other access protocols.

  • Communications data, based on Leliuga's exchanges with users, including when users contact Leliuga through the Service, social media, or otherwise.

  • Transactional data – for example information relating to or needed to complete subscriptions on or through the Service, including subscription type and transaction history.

  • Inputs, prompts and user-generated content – for example messages, photos, images, audio or voice clips, music, videos, comments, questions, files, works of authorship, third party account credentials and other content or information that users upload/use as an input or prompt to, generate, transmit, or otherwise make available on the Service, as well as associated metadata. Metadata includes information on how, when, where and by whom a piece of content was collected and how that content has been formatted or edited. Metadata also includes information that users can add or can have added to their content, such as keywords, geographical or location information, and other similar data.

  • Technological details – for example internet protocol (IP) addresses, unique identifiers and numbers (including unique identifier in tracking cookies or similar technology), pseudonymous identifiers, precise and imprecise location data, internet / application / program activity data, and device IDs and addresses.

  • Sensitive Categories of Data, and associated additional restrictions/safeguards:

  • Categories of Sensitive Data:

  • None – Customer agrees that Sensitive Data, which includes 'sensitive data' (as defined in Clause 8.7 of the SCCs), must not be submitted to the Services and Customer shall be liable for any Sensitive Data that it does submit.

Frequency of transfer:

Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services.

Nature of the Processing:

Processing operations required in order to provide the Services in accordance with the Agreement.

Purpose of the Processing:

Customer Personal Data will be processed:

  • as necessary to provide the Services as initiated by Customer in its use thereof,

  • to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA, and

  • to test, improve, develop, optimize and maintain the Services.

Duration of Processing / Retention Period:

  • For the period determined in accordance with the Agreement and DPA, including Section 9 of the DPA.

  • Transfers to (sub)processors:

  • Transfers to Sub-Processors are as, and for the purposes, described from time to time in the Sub-Processor List.

Annex 2

European Annex

1. PROCESSING OF CUSTOMER PERSONAL DATA

Where Leliuga receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, Leliuga shall inform Customer.

Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing of Customer Personal Data by or on behalf of Leliuga pursuant to or in connection with the Agreement shall be in strict compliance with the GDPR and all other applicable laws.

2. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

Leliuga, taking into account the nature of the Processing and the information available to Leliuga, shall provide reasonable assistance to Customer, at Customer's cost, with any data protection impact assessments and prior consultations with Supervisory Authorities which Customer reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by Leliuga.

Except to the extent prohibited by applicable law, Customer shall be fully responsible for all time spent by Leliuga (at Leliuga's then-current professional services rates) in Leliuga's provision of any cooperation and assistance provided to Customer under Paragraph 1, and shall on demand reimburse Leliuga any such costs incurred by Leliuga.

3. RESTRICTED TRANSFERS

EU Restricted Transfers

To the extent that any Processing of Customer Personal Data under this DPA involves an EU Restricted Transfer from Customer to Leliuga, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:

  • populated in accordance with Part 1 of Attachment 1 to Annex 2 (European Annex); and

  • entered into by the Parties and incorporated by reference into this DPA.

UK Restricted Transfers

To the extent that any Processing of Customer Personal Data under this DPA involves a UK Restricted Transfer from Customer to Leliuga, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:

  • varied to address the requirements of the UK GDPR in accordance with UK Transfer Addendum and populated in accordance with Part 2 of Attachment 1 to Annex 2 (European Annex); and

  • entered into by the Parties and incorporated by reference into this DPA.

Swiss Restricted Transfers

To the extent that any Processing of Customer Personal Data under this DPA involves a Swiss Restricted Transfer from Customer to Leliuga, the Parties shall comply with their respective obligations under the Swiss transfer mechanism, which is hereby deemed to be entered into by the Parties and incorporated by reference into this DPA.

Adoption of new transfer mechanism

Leliuga may on notice vary this DPA and replace the relevant SCCs with:

  • any new form of the relevant SCCs or any replacement therefor prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR); or

  • another transfer mechanism, other than the SCCs, that enables the lawful transfer of Customer Personal Data to Leliuga under this DPA in compliance with Chapter V of the GDPR.

Provision of full-form SCCs

In respect of any given Restricted Transfer, if requested of Customer by a Supervisory Authority, Data Subject or further Controller (where applicable) – on specific written request (made to the contact details set out in Annex 1 (Data Processing Details); accompanied by suitable supporting evidence of the relevant request), Leliuga shall provide Customer with an executed version of the relevant set(s) of SCCs responsive to the request made of Customer (amended and populated in accordance with Attachment 1 to Annex 2 (European Annex) in respect of the relevant Restricted Transfer) for countersignature by Customer, onward provision to the relevant requestor and/or storage to evidence Customer's compliance with Data Protection Laws.

Operational clarifications

When complying with its transparency obligations under Clause 8.3 of the SCCs, Customer agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect, Leliuga's and its licensors' trade secrets, business secrets, confidential information and/or other commercially sensitive information.

Where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Customer acknowledges and agrees that there are no circumstances in which it would be appropriate for Leliuga to notify any third-party controller of any Data Subject Request and that any such notification shall be the sole responsibility of Customer.

For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Customer agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.

The terms and conditions of Section 6 of the DPA apply in relation to Leliuga's appointment and use of Sub-Processors under the SCCs. Any approval by Customer of Leliuga's appointment of a Sub-Processor that is given expressly or deemed given pursuant to that Section 6 constitutes Customer's documented instructions to effect disclosures and onward transfers to any relevant Sub-Processors if and as required under Clause 8.8 of the SCCs.

The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in Section 10 of the DPA.

Certification of deletion of Personal Data as described in Clauses 8.5 and 16(d) of the SCCs shall be provided only upon Customer's written request.

Attachment 1

To Annex 2 (European Annex)

POPULATION OF SCCs

Note

  • In the context of any EU Restricted Transfer, the SCCs populated in accordance with Part 1 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 1 of Annex 2 (European Annex) to the DPA).

  • In the context of any UK Restricted Transfer, the SCCs as varied by the UK Transfer Addendum and populated in accordance with Part 2 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 2 of Annex 2 (European Annex) to the DPA).

  • In the context of any Swiss Restricted Transfer, the SCCs as varied by the Swiss transfer mechanism and populated in accordance with Part 2 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraph 2 of Annex 2 (European Annex) to the DPA).

Part 1: POPULATION OF THE SCCs

1. SIGNATURE OF THE SCCs:

Where the SCCs apply in accordance with Paragraph 3.1 of Annex 2 (European Annex) to the DPA, each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.

2. MODULES

The following modules of the SCCs apply in the manner set out below (having regard to the role(s) of Customer set out in Attachment 1 to Annex 2 (European Annex) to the DPA):

  • Module Two of the SCCs applies to any EU Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is a Controller in its own right; and/or

  • Module Three of the SCCs applies to any EU Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person.

3. POPULATION OF THE BODY OF THE SCCs

For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:

  • The optional 'Docking Clause' in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.

  • In Clause 9:

    • OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Sub-Processors shall be the advance notice period set out in Section 3 of the DPA; and

    • OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the SCCs.

  • In Clause 11, the optional language is not used and is deleted.

  • In Clause 13, all square brackets are removed and all text therein is retained.

  • In Clause 17:

    • OPTION 1 applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any EU Restricted Transfer; and

    • OPTION 2 is not used and that optional language is deleted.

  • For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.

In this Paragraph 3, references to “Clauses” are references to the Clauses of the SCCs.

4. POPULATION OF ANNEXES TO THE APPENDIX TO THE SCCs

Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with:

  • Customer being 'data exporter'; and

  • Leliuga being 'data importer'.

Part C of Annex I to the Appendix to the SCCs is populated as below:

The competent supervisory authority shall be determined as follows:

  • Where Customer is established in an EU Member State: the competent supervisory authority shall be the supervisory authority of that EU Member State in which Customer is established.

  • Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies and Customer has appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which Customer's EU representative relevant to the processing hereunder is based (from time-to-time).

  • Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies, but Customer has not appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State notified in writing to Leliuga's contact point for data protection identified in Attachment 1 to Annex 2 (European Annex) to the DPA, which must be an EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located.

Annex II to the Appendix to the SCCs is populated as below:

General:

  • Please refer to Section 5 of the DPA and Annex 4 (Security Measures) to the Agreement.

  • In the event that Customer receives a Data Subject Request under the EU GDPR and requires assistance from Leliuga, Customer should email Leliuga's contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA.

Sub-Processors: When Leliuga engages a Sub-Processor under these Clauses, Leliuga shall enter into a binding contractual arrangement with such Sub-Processor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of:

  • applicable information security measures;

  • notification of Personal Data Breaches to Leliuga;

  • return or deletion of Customer Personal Data as and where required; and

  • engagement of further Sub-Processors.

Supplementary Measures:

  1. To the extent permitted by applicable laws, each Party shall notify the other Party promptly in writing of any subpoena or other judicial or administrative order by a public authority or proceeding seeking access to or disclosure of Personal Data. Such notification shall, to the extent permitted by applicable laws, include details regarding the Data Subject concerned, Personal Data requested, the requesting authority, the legal basis for the request, and any responses provided.

  2. Where Leliuga receives such request, Customer shall have the right to defend such legal challenge in lieu of and/or on behalf of Leliuga to the extent permitted by applicable laws. Customer may, if it so chooses, seek a protective order. Leliuga shall reasonably cooperate with Customer in such defense.

  3. To the extent permitted by applicable laws, each Party shall not disclose the Personal Data requested until all reasonable challenges to the request have been exhausted and shall provide the minimum of information permissible when responding to an order to disclose the Personal Data.

  4. Where the notifying Party is prohibited from satisfying Section 1 of the Supplementary Measures under applicable laws, the notifying Party shall use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. Leliuga agrees to document its best efforts in order to be able to demonstrate them on request of Customer.

  5. Where a Party becomes aware of any direct access by public authorities to Personal Data (including the reasonable suspicion thereof), this Party shall promptly notify the other Party with all information available, unless otherwise prohibited by applicable laws.

  6. Leliuga represents and warrants that (i) Leliuga has not purposefully created backdoors or similar programming that could be used to access its systems or Personal Data, (ii) Leliuga has not purposefully created or changed its business processes in a manner that facilitates access to its systems or to Personal Data by public authorities and shall not voluntarily cooperate with public authorities in relation to the same, and (iii) no applicable law or government policy to which Leliuga is subject requires Leliuga to create or maintain backdoors or to facilitate access to Personal Data or systems or for Leliuga to be in possession of any corresponding encryption keys.

Part 2: UK RESTRICTED TRANSFERS

1. UK TRANSFER ADDENDUM

Where relevant in accordance with Paragraph 2 of Annex 2 (European Annex) to the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below –

  • Part 1 to the UK Transfer Addendum. As permitted by Section 17 of the UK Transfer Addendum, the Parties agree:

    • Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) and the foregoing provisions of this Attachment 1 (subject to the variations effected by the Mandatory Clauses described in (b) below); and

    • Table 4 to the UK Transfer Addendum is completed by the box labelled 'Data Importer' being deemed to have been ticked.

  • Part 2 to the UK Transfer Addendum. The Parties agreed to be bound by the Mandatory Clauses of the UK Transfer Addendum.

In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 1.1 of this Part 2.

PART 3: POPULATION OF SWISS TRANSFER MECHANISM

  1. Where relevant in accordance with Paragraph 3.3 of Annex 2 (European Annex) to the DPA, the SCCs also apply as set forth in Part 1 and shall be adjusted as set out below where the FADP applies to Swiss Restricted Transfers:

  • References to the SCCs mean the SCCs as amended by Part 1 of this Attachment;

  • The Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for Swiss Restricted Transfers exclusively subject to the FADP;

  • The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the SCCs shall be interpreted to include the FADP with respect to Swiss Restricted Transfers;

  • References to Regulation (EU) 2018/1725 are removed;

  • References to the “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the SCCs;

  • Where Swiss Restricted Transfers are exclusively subject to the FADP, all references to the GDPR in the SCCs are to be understood to be references to the FADP;

  • Where Swiss Restricted Transfers are subject to both the FADP and the GDPR, all references to the GDPR in the SCCs are to be understood to be references to the FADP insofar as the Swiss Restricted Transfers are subject to the FADP.

Annex 3

Sub-Processors

The following is a list of subprocessors used:

| Subprocessor | Function | Location |
| --- | --- | --- |
| Google Cloud Platform | Cloud infrastructure and foundational models | United States |
| Microsoft Azure AI Foundry | Cloud infrastructure and foundational models | United States |
| Amazon Web Services | Cloud infrastructure and foundational models | United States |
| Cloudflare | Network infrastructure | United States |
| HubSpot | User support | United States |
| Anthropic | Foundational models | United States |
| OpenAI | Foundational models | United States |
| Twilio | Communication services | United States |
| Stripe | Payment processing | United States |

Annex 4

Security Measures

As from the Addendum Effective Date, Leliuga will implement and maintain the Security Measures as set out in this Annex 4.

  1. Data security controls which may include segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available encryption for Customer Personal Data.

  2. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.

  3. Password controls.

  4. System audit or event logging.

  5. Physical and environmental security of data centres, server room facilities, and other areas containing Customer Personal Data designed to protect information assets from unauthorized physical access or damage.

  6. Operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems, including secure disposal of systems and media designed to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Leliuga's possession.

  7. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to Leliuga's technology and information assets.

  8. Incident management procedures designed to allow Leliuga to investigate, respond to, mitigate, and notify of events related to Leliuga's technology and information assets.

  9. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters.

Leliuga may update or modify these Security Measures from time to time provided that such updates and modifications do not decrease the overall security of Customer Personal Data.

Annex 5

California Annex

  1. Definitions. In this Annex, the terms “business purpose”, “commercial purpose”, “personal information”, “sell”, “service provider” and “share” shall have the respective meanings given in the CCPA. CCPA and other capitalized terms not defined in this Annex are defined in the DPA.

  2. Leliuga's Obligations.

  • The business purposes and services for which Leliuga is Processing personal information are for Leliuga to provide the services to and on behalf of Customer as set forth in the Agreement.

  • It is the Parties' intent that with respect to any personal information, Leliuga is a service provider. Leliuga (a) acknowledges that personal information is disclosed by Customer only for the limited and specific purposes described in the Agreement; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to personal information as is required by the CCPA; (c) agrees that Customer has the right to take reasonable and appropriate steps under Section 10 (Audit Rights) of this DPA to help ensure that Leliuga's use of personal information is consistent with Customer's obligations under the CCPA; (d) shall notify Customer in writing of any determination made by Leliuga that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

  • Leliuga shall not (a) sell or share any personal information; (b) retain, use or disclose any personal information for any purpose other than for the business purposes specified in the Agreement, including retaining, using or disclosing the personal information for a commercial purpose other than the business purpose specified in the Agreement, or as otherwise permitted by CCPA; (c) retain, use or disclose the personal information outside of the direct business relationship between Leliuga and Customer; or (d) except as otherwise permitted by the CCPA, combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) collected from Leliuga's own interaction with any consumer to whom such personal information pertains.