DATA PROCESSING ADDENDUM

Effective Date: February 1, 2025
Last Updated: February 1, 2025

This Data Processing Addendum ("DPA") forms part of the agreement between the Subscriber and Metorial ("Service"), operated by Tobias Herber. This DPA governs the processing of App End-Users' personal data by Metorial on behalf of the Subscriber and supplements Metorial's Terms of Service.

1. DEFINITIONS

  1. Subscriber: The entity that has entered into an agreement with Metorial for the use of its AI-powered workflow services.
  2. App End-User: Any individual who interacts with or is affected by the Subscriber's use of Metorial's services.
  3. Applicable Data Protection Laws: All laws and regulations governing the processing, privacy, and security of personal data, including but not limited to the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
  4. Personal Data: Any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws.
  5. Processing: Any operation or set of operations performed on Personal Data, including collection, storage, modification, and deletion.
  6. Sub-Processor: Any third party engaged by Metorial to process Personal Data on behalf of the Subscriber.

2. PROCESSING OF PERSONAL DATA

2.1. Roles of the Parties

  • The Subscriber acts as the Controller of App End-Users' Personal Data.
  • Metorial acts as the Processor, processing Personal Data on behalf of the Subscriber strictly for the purposes defined in the agreement.

2.2. Purpose and Scope

  • Metorial processes Personal Data solely to provide AI-powered workflow services as requested by the Subscriber.
  • Metorial will not use Personal Data for its own purposes, except as required by law.

2.3. Subscriber Responsibilities

  • The Subscriber ensures that it has obtained all necessary consents and legal bases for processing Personal Data.
  • The Subscriber must not use Metorial's services in a manner that violates Applicable Data Protection Laws.

3. DATA SECURITY AND CONFIDENTIALITY

3.1. Security Measures

  • Metorial implements appropriate technical and organizational security measures to protect Personal Data against unauthorized access, loss, or alteration.
  • Security measures include but are not limited to encryption, access controls, and data minimization.

3.2. Confidentiality

  • Metorial ensures that employees and sub-processors authorized to process Personal Data are bound by confidentiality obligations.

4. SUB-PROCESSORS

4.1. Engagement of Sub-Processors

  • Metorial may engage third-party Sub-Processors for the provision of its services.
  • A list of current Sub-Processors is available upon request.

4.2. Obligations of Sub-Processors

  • Metorial ensures that all Sub-Processors are subject to contractual obligations that provide the same level of data protection as this DPA.

5. DATA SUBJECT RIGHTS

5.1. Assistance to the Subscriber

  • Metorial provides reasonable assistance to enable the Subscriber to fulfill its obligations related to Data Subject rights, such as access, rectification, deletion, or restriction requests.

6. DATA BREACH NOTIFICATION

6.1. Incident Response

  • Metorial will notify the Subscriber without undue delay upon becoming aware of a data breach affecting Personal Data.
  • Metorial will provide information necessary to assist the Subscriber in fulfilling regulatory reporting obligations.

7. DATA TRANSFERS

7.1. International Data Transfers

  • If Personal Data is transferred outside the European Economic Area (EEA) or other regions with data transfer restrictions, Metorial ensures compliance with standard contractual clauses or other lawful mechanisms.

8. TERM AND TERMINATION

8.1. Duration

  • This DPA remains in effect as long as Metorial processes Personal Data on behalf of the Subscriber.

8.2. Data Deletion

  • Upon termination of services, Metorial will either delete or return all Personal Data, unless retention is required by law.

9. LIMITATION OF LIABILITY

9.1. Exclusion of Liability

  • Metorial shall not be liable for indirect, consequential, or incidental damages arising out of this DPA.
  • Metorial's total liability under this DPA shall be limited to the fees paid by the Subscriber for the services in the preceding 12 months.

10. MISCELLANEOUS

10.1. Governing Law

  • This DPA shall be governed by and construed in accordance with the laws of Austria.

10.2. Conflict with Terms of Service

  • In the event of a conflict between this DPA and Metorial's Terms of Service, the provisions of this DPA shall prevail solely with respect to data processing matters.

15. Contact Us

For questions about this Data Processing Addendum or our data processing practices, contact:

Tobias Herber Kristein 3 4470 Enns Austria Email: [email protected]

16. Supervisory Authority

You have the right to lodge complaints with the Austrian Data Protection Authority:

Datenschutzbehörde Barichgasse 40-42 1030 Vienna Austria Website: https://www.dsb.gv.at

17. Disclaimer of Liability

To the maximum extent permitted by law, we disclaim all liability for unauthorized access, use, or disclosure of your information. Your use of our Services is at your own risk.

IN WITNESS WHEREOF, the parties have executed this Data Processing Addendum as of the Effective Date of the Subscriber's agreement with Metorial.