DATA PROCESSING AGREEMENT for Oxygen Content Fusion
Effective Date: March 23, 2026
This Data Processing Agreement ("DPA") forms part of the Organization Agreement (the "Agreement") between:
CUSTOMER (the "Data Controller" or "Controller" or "Customer")
and
SYNCRO SOFT SRL, a company registered in Romania with registration number RO10639959 having its registered office at Remus 5A, Craiova, 20082, Romania (the "Data Processor" or "Processor" or "Syncro Soft")
(each a "Party" and together the "Parties")
WHEREAS:
- A. Customer acts as a Data Controller and has engaged Syncro Soft to provide the Oxygen Content Fusion platform services ("Platform" or "Services") pursuant to the Agreement;
- B. In the course of providing the Services, Syncro Soft will Process Personal Data on behalf of and in accordance with Customer's documented instructions;
- C. The parties wish to ensure such Processing is conducted in accordance with applicable Data Protection Laws, in particular the General Data Protection Regulation (EU) 2016/679 ("GDPR");
- D. This DPA sets forth the terms and conditions that govern such Processing and the parties' respective obligations.
NOW, THEREFORE, in consideration of the mutual covenants and agreements herein contained, the parties agree as follows:
1. DEFINITIONS AND INTERPRETATION
1.1 Definitions
Unless otherwise defined in this DPA, capitalized terms have the meanings assigned to them in the Organization Agreement. The following additional definitions apply:
- "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a party, where "control" means ownership of at least 50% of the voting rights or equity interests.
- "Authorized User" means any individual invited by Customer to access and use the Organization Workspace, including employees, contractors, consultants, and other representatives of Customer.
- "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- "Data Protection Laws" means all applicable laws and regulations relating to privacy, data protection, and data security, including but not limited to:
- Regulation (EU) 2016/679 (General Data Protection Regulation or "GDPR")
- EU GDPR as saved into UK law by virtue of section 3 of the UK's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, "UK Data Protection Law");
- Swiss Federal Data Protection Act of 25 September 2020 and its corresponding ordinances
- California Consumer Privacy Act of 2018, California Civil Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020, including any implementing regulations (“CCPA”);
- The ePrivacy Directive (2002/58/EC) as amended
- Any successor or replacement legislation
- Any other applicable national or international privacy or data protection laws
- “U.S. Privacy Laws” means the subset of Data Protection Laws applicable to residents of the United States, including without limitation the CCPA.
- “Data Privacy Frameworks” or “DPF” means (as applicable) the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and Swiss-U.S. Data Privacy Framework self-certification programs operated by the U.S. Department of Commerce and any respective successors.
- “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under s. 119A(1) of the UK Data Protection Act 2018, as it is revised under s. 18 therein, as may be amended or superseded from time to time.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed. For purposes of this DPA, Data Subjects include Authorized Users and any other individuals whose Personal Data appears in Organization Content.
- "EEA" means the European Economic Area, comprising the EU member states plus Iceland, Liechtenstein, and Norway.
- "International Transfer" means a transfer of Personal Data from the EEA to a country outside the EEA that has not received an adequacy decision from the European Commission.
- "Organization Content" means all documents, data, files, information, and other content created, uploaded, transmitted, or processed within Customer's Organization Workspace by Customer or Authorized Users, including any Personal Data contained therein.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
- “Personal Information” has the meaning assigned to it in the CCPA and applies solely where Customer qualifies as a “Business” and Syncro Soft processes such information as a “Service Provider” under the CCPA. For clarity, Personal Information may include categories of information that are not considered Personal Data under the GDPR, and obligations under this Agreement apply to each term only within the scope of its respective legislation.
- “Customer Personal Data” means all Personal Data and Personal Information processed by Syncro Soft on behalf of Customer under this Agreement.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed, as defined in Article 4(12) of the GDPR.
- "Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. For purposes of this DPA, Syncro Soft is the Processor.
- "Processing" or "Process" means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, as defined in Article 4(2) of the GDPR.
- "Security Incident" means any actual or reasonably suspected Personal Data Breach or any other actual or reasonably suspected breach of Syncro Soft's security obligations under this DPA.
- "Standard Contractual Clauses" or "SCCs" means the standard data protection clauses for the transfer of Personal Data to processors established in third countries which do not ensure an adequate level of data protection, as approved by the European Commission pursuant to Decision 2021/914 dated 4 June 2021, or any subsequent version thereof.
- "Sub-processor" means any entity engaged by Syncro Soft to process Personal Data on behalf of Customer in connection with the Services.
- "Supervisory Authority" means an independent public authority established by an EU member state pursuant to GDPR Article 51, or any equivalent authority under other applicable Data Protection Laws.
1.2 Interpretation
In this DPA, unless the context otherwise requires:
- References to "including" shall mean "including without limitation"
- References to "Section" or "Annex" are references to sections of or annexes to this DPA
- References to "writing" or "written" include email and other electronic communications
- Words in the singular shall include the plural and vice versa
- Headings are for convenience only and shall not affect the interpretation of this DPA
- The terms "herein," "hereof," and "hereunder" refer to this DPA as a whole
- All obligations in this DPA relating to the processing of Personal Data shall apply equally to Customer Personal Data, unless expressly stated otherwise.
The annexes form an integral part of this DPA.
2. ROLES AND SCOPE OF PROCESSING
2.1 Scope of Processing
This DPA applies to the processing of Personal Data by Syncro Soft on behalf of Customer in connection with the provision of the Services as described in the Agreement, specifically:
- Processing of Personal Data in Organization Content: When Customer or Authorized Users upload, create, transmit, or store Personal Data within the Organization Workspace.
- Processing of Authorized User Data: Personal Data about Authorized Users necessary to provide access to and use of the Services, including names, email addresses, account credentials, and usage information.
- Purpose Limitation: Syncro Soft will process Personal Data only for the purposes of providing the Services as set forth in the Agreement and as instructed by Customer through its use of the Services.
- sell or share Personal Information, nor retain, use, or disclose it for any purpose other than performing the Services specified in this Agreement
- use Personal Information for cross-context behavioral advertising, or for building or modifying consumer profiles for use in providing services to another business.
- combine Personal Information received from Customer with Personal Information collected from other sources, except as permitted under CCPA for business purposes defined by Customer.
- Customer as Controller: Customer is the Controller of all Personal Data processed within the Organization Workspace. Customer determines the purposes and means of processing Personal Data and is responsible for ensuring that its processing has a lawful basis under Data Protection Laws.
- Syncro Soft as Processor: Syncro Soft is the Processor of Personal Data within the Organization Workspace. Syncro Soft processes Personal Data only on behalf of and according to the documented instructions of Customer. For the avoidance of doubt, to the extent Processing of Personal Data is subject to the CCPA, the parties agree that Customer is the “Business” and Syncro Soft is the “Service Provider” (as those terms are defined by the CCPA).
- Independent Controllers: Each Party is an independent Controller with respect to Personal Data for which it determines the purposes and means of processing. For example:
- Syncro Soft is an independent Controller for Personal Data it collects directly from users for account administration, billing, and service improvement purposes (as described in Syncro Soft's Privacy Policy)
- This DPA applies only to Personal Data for which Customer is the Controller and Syncro Soft is the Processor.
2.3 Customer's Instructions
- Documented Instructions: Customer's instructions for the processing of Personal Data are documented in:
- This DPA and its Annexes
- The Agreement
- Customer's use and configuration of the Services (including inviting Authorized Users, uploading content, setting permissions, and using Platform features)
- Any other written instructions provided by Customer that Syncro Soft acknowledges in writing
- Compliance with Instructions: Syncro Soft shall process Personal Data only in accordance with Customer's documented instructions unless required to do so by applicable law, in which case Syncro Soft shall inform Customer of that legal requirement before processing (unless prohibited by law from doing so).
- Unlawful Instructions: If Syncro Soft believes that any instruction from Customer violates Data Protection Laws, Syncro Soft will promptly inform Customer and may suspend performance of the instruction until Customer confirms or modifies the instruction. Syncro Soft will not be liable for any failure to process Personal Data to the extent that such failure results from Customer's unlawful instructions.
- Additional Instructions: Customer may issue additional written instructions regarding the processing of Personal Data that are consistent with the terms of this DPA and the Agreement. Syncro Soft will evaluate such instructions and may charge reasonable fees if complying with the instructions requires work beyond the scope of the Services or this DPA. If Syncro Soft cannot reasonably comply with an instruction, the Parties will work together in good faith to find an alternative solution.
3. DETAILS OF PROCESSING
The details of the processing of Personal Data by Syncro Soft on behalf of Customer are set forth in Annex I (Details of Processing) to this DPA, including:
- Subject matter of processing
- Duration of processing
- Nature and purpose of processing
- Types of Personal Data processed
- Categories of Data Subjects
Customer acknowledges that the details in Annex I provide a general description of the processing activities and that actual processing may vary based on Customer's specific use of the Services.
4. CUSTOMER'S OBLIGATIONS
4.1 Lawfulness of Processing
Customer warrants and represents that:
- Lawful Basis: Customer has a lawful basis under Data Protection Laws for the processing of Personal Data through the Services, including any necessary consents, contractual necessity, legal obligations, legitimate interests, or other lawful basis.
- Data Subject Rights: Customer has provided Data Subjects with appropriate information about the processing of their Personal Data (including information required by Articles 13 and 14 of the GDPR) and has obtained any necessary consents or authorizations.
- Lawful Transfer: If Customer transfers Personal Data to Syncro Soft from jurisdictions outside the EEA, Customer has ensured that such transfers comply with applicable Data Protection Laws in the originating jurisdiction.
- Special Categories of Personal Data: Customer will not process Special Categories of Personal Data (as defined in Article 9 of the GDPR, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation) through the Services without first notifying Syncro Soft in writing and obtaining Syncro Soft's prior written consent. If such processing is authorized, the Parties will implement additional safeguards as required by Data Protection Laws.
- To the extent U.S. Privacy Laws apply, Customer agrees not to take any action that would (i) render the provision of Personal Information to Syncro Soft a “sale” under U.S. Privacy Laws or a “share” under the CCPA (or equivalent concepts under U.S. Privacy Laws); or (ii) render Syncro Soft not a “service provider” under the CCPA.
4.2 Accuracy and Minimization
Customer is responsible for:
- Data Accuracy: Ensuring that Personal Data processed through the Services is accurate, adequate, relevant, and limited to what is necessary for the purposes of processing.
- Data Minimization: Uploading only Personal Data that is necessary for Customer's legitimate business purposes.
- Data Quality: Maintaining the quality and integrity of Personal Data within the Organization Workspace.
4.3 Authorized User Compliance
Customer is responsible for:
- User Authorization: Ensuring that all Authorized Users are authorized to access the Organization Workspace and the Personal Data contained therein.
- User Training: Providing appropriate training to Authorized Users regarding their obligations under Data Protection Laws and this DPA.
- User Actions: The actions of Authorized Users within the Organization Workspace, including their compliance with Data Protection Laws.
- User Notification: Informing Authorized Users that their activities within the Organization Workspace may be monitored and that Syncro Soft processes their Personal Data as described in this DPA and Syncro Soft's Privacy Policy.
4.4 Instructions and Configuration
Customer acknowledges that:
- Configuration Responsibility: Customer is responsible for properly configuring the Services, including access controls, permissions, and security settings.
- Instruction Clarity: Customer's instructions must be clear and within the technical capabilities of the Services. Syncro Soft is not responsible for processing that results from Customer's misconfiguration or unclear instructions.
5. PROCESSOR'S OBLIGATIONS
- Confidentiality Obligations: Syncro Soft shall ensure that persons authorized to process Personal Data (including employees, contractors, and Sub-processors) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Access Limitation: Syncro Soft shall ensure that access to Personal Data is limited to those personnel who need access to perform their duties in connection with the Services and that such personnel are appropriately trained in data protection.
- Non-Disclosure: Syncro Soft shall not disclose Personal Data to any third party except:
- To Sub-processors as permitted under Section 6
- As required by applicable law (with notice to Customer where permitted)
- As instructed by Customer
- Technical and Organizational Measures: Syncro Soft shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
- Security Measures: Such measures shall include, as appropriate:
- Pseudonymization and encryption of Personal Data
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
- Access controls ensuring that Personal Data is accessible only to authorized personnel
- Secure authentication and authorization mechanisms
- Regular security assessments and audits
- Incident response and disaster recovery procedures
- Secure data disposal and deletion procedures
- Security Documentation: A description of Syncro Soft's current security measures is set forth in Annex II (Technical and Organizational Security Measures) to this DPA. Customer acknowledges that these measures are subject to technical progress and development, and Syncro Soft may update or modify them from time to time, provided that such updates or modifications do not result in a material degradation of the security of the Services.
- Industry Standards: Syncro Soft shall maintain certifications, attestations, or compliance with recognized industry security standards (such as ISO 27001) to the extent commercially reasonable and appropriate for the Services. Syncro Soft will make information about current certifications available to Customer upon request.
- Security Breach Notification: Syncro Soft shall assist Customer in ensuring compliance with Customer's obligations under Articles 32 to 36 of the GDPR (security of processing, notification of Personal Data Breaches, communication to Data Subjects, Data Protection Impact Assessments, and prior consultation with Supervisory Authorities), taking into account the nature of processing and the information available to Syncro Soft. See Section 8 ("Personal Data Breaches").
- Data Protection Impact Assessments (DPIAs): If Customer is required to conduct a Data Protection Impact Assessment under Article 35 of the GDPR, Syncro Soft will provide reasonable cooperation and information about the processing activities, security measures, and risks associated with the Services to assist Customer in conducting the DPIA. If such assistance requires significant custom analysis, documentation, or other work beyond providing standard information about the Services, Syncro Soft may charge reasonable fees based on time and materials. Syncro Soft will inform Customer in advance if fees will apply.
- Prior Consultation: If required under Article 36 of the GDPR, Syncro Soft will provide reasonable assistance to Customer in consulting with Supervisory Authorities.
- Information Provision: Syncro Soft will make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.
- Audits: Syncro Soft shall allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to the audit provisions in Section 9 of this DPA.
- To the extent U.S. Privacy Laws apply, Syncro Soft certifies that it understands and will comply with its obligations as a ‘Service Provider’ under the CCPA and provide Customer with all assistance required to address Customer’s obligations under the CCPA.
6. SUB-PROCESSORS
6.1 Authorized Sub-processors
Customer provides general authorization for Syncro Soft to engage Sub-processors to process Personal Data on Customer's behalf, provided that Syncro Soft complies with the requirements of this Section 6. A current list of Sub-processors is set forth in Annex III (Sub-processors) and is also available at [SUBPROCESSOR LIST URL] or upon written request to privacy@oxygenxml.com.
Syncro Soft currently uses or may use Sub-processors in the following categories:
- Cloud Infrastructure Providers: Hosting, storage, and computing resources (e.g., AWS, Google Cloud Platform, Microsoft Azure)
- Content Delivery Networks (CDNs): Distribution and caching of content for improved performance
- Security and Monitoring Services: Security scanning, threat detection, and system monitoring
- Email Delivery Services: Transactional and notification email delivery
- Customer Support Tools: Customer support ticketing and communication platforms
- Analytics and Performance Monitoring: Application performance monitoring and usage analytics (with pseudonymization or aggregation where possible)
- Payment Processors: Payment processing and billing services
- Backup and Disaster Recovery: Data backup and recovery services
- AI Service providers
- Single Sign On Providers: Google, GitHub
6.2 Sub-processor Requirements
When engaging a Sub-processor, Syncro Soft shall:
- Impose Equivalent Obligations:
- Enter into a written contract with each Sub-processor imposing data protection obligations that are substantially similar to those imposed on Syncro Soft under this DPA, and, to the extent applicable, including the restrictions required under U.S. Privacy Laws such as prohibitions on selling, sharing, or retaining, using, or disclosing Personal Information beyond what is permitted under the Agreement.
- Ensure Sub-processors are bound by confidentiality obligations
- Ensure Sub-processors implement appropriate technical and organizational security measures
- Remain Liable:
- Remain fully liable to Customer for the performance of the Sub-processor's obligations
- Be responsible for the acts and omissions of Sub-processors to the same extent as if performing the services directly
- Monitor Compliance:
- Monitor Sub-processor compliance with data protection obligations
- Take reasonable steps to ensure Sub-processors comply with Data Protection Laws
6.3 Changes to Sub-processors
Notification. Syncro Soft shall notify Customer of any intended changes concerning the addition or replacement of Sub-processors at least 30 days before authorizing any new Sub-processor to process Personal Data.
- Email to Customer's administrative contacts
- Update to the Sub-processor list at [SUBPROCESSOR LIST URL]
- Notice posted in Customer's Organization Workspace interface (for Enterprise customers)
Objection. Customer may object to Syncro Soft's appointment of a new Sub-processor or material change to an existing Sub-processor on reasonable data protection grounds by notifying Syncro Soft in writing within 30 days of receiving notice of the intended change.
Resolution. If Customer objects, the Parties shall work together in good faith to find a commercially reasonable solution to address Customer's concerns, which may include:
- Syncro Soft providing additional safeguards or commitments regarding the Sub-processor
- Syncro Soft not using the Sub-processor for Customer's Personal Data
- Syncro Soft using an alternative Sub-processor
- Customer adjusting its use of affected Services to avoid the Sub-processor (if technically feasible)
Termination Right: If the parties cannot reach a resolution within 30 days and Customer has reasonable grounds for its objection, Customer may terminate the affected Services by providing written notice to Syncro Soft, with termination effective:
- at the end of Customer's then-current billing period.
- immediately, and Customer will receive a pro-rata refund of prepaid fees for the terminated Services for the period after termination.
This termination right is Customer's sole and exclusive remedy if Customer objects to a new Sub-processor.
Deemed acceptance. Customer's failure to object within 30 days of notification shall constitute consent to the use of the new Sub-processor.
6.4 No Objection to Current Sub-processors
By entering into this DPA, Customer agrees to the engagement of the Sub-processors listed in Annex III as of the Effective Date of this DPA.
7. INTERNATIONAL TRANSFERS
7.1 Transfers Outside EEA
Customer acknowledges and agrees that Syncro Soft may transfer Personal Data to countries outside the European Economic Area ("EEA"), including to the United States and other jurisdictions where Sub-processors are located, for the purposes of providing the Services.
Syncro Soft shall ensure that any such transfer of Personal Data to a country outside the EEA is subject to an appropriate safeguard as required by Data Protection Law. Depending on the destination, Syncro Soft may rely on one or more of the following mechanisms:
- Adequacy Decisions: Where the European Commission has adopted an adequacy decision recognizing that a third country provides an adequate level of data protection, Processor may rely on such adequacy decision for transfers of Personal Data to that country.
- EU–U.S. Data Privacy Framework (DPF): For transfers to Sub-processors located in the United States that are certified under the EU–U.S. Data Privacy Framework (or any successor framework), Syncro Soft may rely on such certification as an adequacy mechanism under Article 45 GDPR.
- Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision from the European Commission, Processor will implement the Standard Contractual Clauses approved by the European Commission pursuant to Decision 2021/914 (Module Two: Controller to Processor) or any subsequent version approved by the European Commission.
7.2 Standard Contractual Clauses
The Standard Contractual Clauses are incorporated into and form part of this DPA. Where there is any conflict between the provisions of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
The parties agree to the following specific terms regarding the Standard Contractual Clauses:
- Module: The parties agree that Module Two (Controller to Processor) of the Standard Contractual Clauses applies to the processing activities under this DPA.
- Clause 7 (Docking Clause): The parties agree that the docking clause applies, allowing entities that are not party to this DPA to accede to the Standard Contractual Clauses.
- Clause 9 (Use of Sub-processors): The parties agree to Option 2 (General Written Authorization), whereby Controller provides general authorization for Processor to engage Sub-processors, subject to the notification and objection procedures set forth in Section 6 of this DPA.
- Clause 11 (Redress): The parties agree that the optional language regarding the independent dispute resolution body shall not apply.
- Clause 17 (Governing Law): The Standard Contractual Clauses shall be governed by the law of Romania.
- Clause 18 (Choice of Forum and Jurisdiction): Any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of Bucharest, Romania.
- Annexes to SCCs: The information required for Annexes I, II, and III of the Standard Contractual Clauses is set forth in the Annexes to this DPA.
To the extent the Personal Data is subject to UK Data Protection Law, Syncro Soft agrees to Process such Personal Data in compliance with the SCCs, with the following modifications: The SCCs shall be deemed amended as specified by Part 2 of the UK Addendum, Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed respectively with the information set out in Annex 1-3 of this DPA (as applicable); and Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party.”
7.3 Additional Safeguards for Transfers
In addition to implementing the Standard Contractual Clauses, Syncro Soft shall implement the following supplementary measures to ensure appropriate protection for Personal Data transferred outside the EEA:
- Technical measures such as encryption of data in transit and at rest
- Organizational measures such as access controls and confidentiality commitments
- Contractual measures requiring Sub-processors to implement equivalent safeguards
- Regular review and assessment of the effectiveness of these measures
7.4 Government Access Requests
Syncro Soft shall implement policies and procedures to handle government or law enforcement requests for access to Personal Data transferred outside the EEA:
- Assessment: Syncro Soft will assess the legality, scope, and proportionality of any such request before complying.
- Challenge: Where Syncro Soft determines that a request is unlawful, overbroad, or disproportionate, Syncro Soft will challenge the request through available legal mechanisms.
- Notification: Syncro Soft will notify Customer of any request for access to Personal Data, unless prohibited by law from doing so. Where notification is prohibited, Syncro Soft will use best efforts to obtain a waiver of the prohibition and to inform Customer to the greatest extent possible.
- Minimization: If required to disclose Personal Data in response to a government request, Syncro Soft will disclose only the minimum amount of Personal Data necessary to comply with the request.
- Documentation: Syncro Soft will document all government requests for access to Personal Data and the responses provided, and will make such documentation available to Customer upon request (to the extent permitted by law).
7.5 Suspension of Transfers
If:
- The Standard Contractual Clauses are invalidated, revoked, or declared unlawful by a competent court or regulatory authority;
- Syncro Soft is unable to implement appropriate supplementary measures to ensure adequate protection for Personal Data transferred outside the EEA;
- Syncro Soft becomes aware that local laws in the recipient country prevent it from fulfilling its obligations under this DPA or the Standard Contractual Clauses; or
- A competent supervisory authority orders suspension of transfers;
then Syncro Soft shall immediately notify Customer and shall suspend transfers of Personal Data outside the EEA until such time as an alternative legal mechanism for transfers is identified and implemented, or the issues are otherwise resolved. If transfers cannot be resumed within 60 days, either party may terminate the affected portion of the Services upon written notice.
8. PERSONAL DATA BREACHES
8.1 Notification to Customer
Syncro Soft will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and in any event within 72 hours of becoming aware of the breach, unless a longer period is permitted by applicable law.
Personal Data Breach notifications shall be sent via email to Customer's designated security contact (as specified in Customer's account settings) and to all Organization Workspace administrators. Notifications may also be sent via the Platform interface or support ticket system.
8.2 Content of Notification
To the extent the information is available to Syncro Soft at the time of notification, Syncro Soft will include in the notification:
- A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
- The name and contact details of Syncro Soft's data protection officer or other contact point from whom more information may be obtained
- A description of the likely consequences of the Personal Data Breach
- A description of the measures taken or proposed to be taken by Syncro Soft to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects
If not all information is available at the time of initial notification, Syncro Soft will provide the information in phases without undue further delay as it becomes available.
8.3 Investigation and Remediation
Upon becoming aware of a Personal Data Breach, Syncro Soft will:
- Promptly investigate the breach to determine its cause, scope, and impact
- Take reasonable steps to mitigate the effects of the Personal Data Breach
- Preserve evidence relating to the breach
- Cooperate with Customer's reasonable requests for information and assistance in relation to the breach
- Provide Customer with reasonable assistance in notifying Data Subjects or Supervisory Authorities if required under Data Protection Laws
- Implement measures to prevent similar breaches in the future
8.4 Customer's Responsibilities
Customer is responsible for:
- Determining whether notification to Data Subjects or Supervisory Authorities is required under applicable Data Protection Laws
- Complying with any notification obligations to Data Subjects or Supervisory Authorities under Data Protection Laws
- Taking any additional measures required by Data Protection Laws in response to the breach
Syncro Soft will provide reasonable cooperation and assistance to Customer in fulfilling these responsibilities.
8.5 No Acknowledgment of Fault
Syncro Soft's notification of or response to a Personal Data Breach under this Section 8 will not be construed as an acknowledgment by Syncro Soft of any fault or liability with respect to the breach. Syncro Soft's liability for Personal Data Breaches is subject to the limitations and exclusions set forth in the Agreement.
8.6 Security Incidents vs. Personal Data Breaches
For clarity, not every security incident constitutes a Personal Data Breach. Events such as unsuccessful login attempts, scanning, pings, port scans, denial of service attacks, or other events that do not result in unauthorized access to or loss of Personal Data are not Personal Data Breaches and will not trigger the notification obligations under this Section 8. However, Syncro Soft may notify Customer of such security incidents as part of its general security practices.
9. AUDIT RIGHTS
9.1 Customer's Right to Audit
Customer has the right to audit Syncro Soft's compliance with this DPA and Data Protection Law, subject to the procedures and limitations set forth in this Section 9.
Audits may be conducted for the following purposes:
- Verifying Syncro Soft's compliance with the obligations set forth in this DPA
- Assessing the adequacy of Syncro Soft's technical and organizational security measures
- Investigating suspected data breaches or security incidents
- Complying with Customer's own legal or regulatory obligations (e.g., demonstrating compliance to supervisory authorities or in response to Data Subject requests)
9.2 Audit Procedures
Audits shall be conducted in accordance with the following procedures:
- Advance Notice: Customer shall provide Syncro Soft with at least 60 days' advance written notice of any intended audit, unless the audit is required on shorter notice due to a data breach, regulatory investigation, or other urgent circumstances, in which case reasonable notice under the circumstances shall be provided.
- Scope and Objectives: The audit notice shall specify the scope of the audit, the audit objectives, the proposed timing, the identity of the auditors (including any third-party auditors), and any specific areas of concern.
- Reasonable Timing: Audits shall be scheduled at mutually convenient times during Syncro Soft's normal business hours and shall be conducted in a manner that minimizes disruption to Syncro Soft's operations.
- Qualified Auditors: Audits conducted by third parties must be performed by qualified, independent auditors who are not competitors of Syncro Soft and who have executed appropriate confidentiality agreements.
- Confidentiality: Customer and any third-party auditors shall execute Syncro Soft's standard confidentiality agreement and shall treat all information obtained during the audit as Syncro Soft's confidential information, except to the extent necessary to demonstrate compliance with Data Protection Law to supervisory authorities.
- Cooperation: Syncro Soft shall provide reasonable cooperation and assistance during the audit, including providing access to relevant documentation, personnel, and systems, subject to the security and confidentiality restrictions below.
9.3 Limitations on Audit Rights
Audit rights are subject to the following limitations:
- Frequency: Customer may conduct on-site audits no more than once per 12-month period, unless a data breach or security incident has occurred or a supervisory authority requires an audit.
- Scope Restrictions: Audits shall be limited to aspects of Syncro Soft's systems and operations that are relevant to the processing of Customer's Personal Data.
- Security Requirements: Auditors must comply with Syncro Soft's security policies and procedures while on Syncro Soft's premises or accessing Syncro Soft's systems.
- Cost: Customer is responsible for all costs associated with audits, including travel expenses for auditors, fees for third-party auditors, and reasonable costs incurred by Syncro Soft in supporting the audit (e.g., personnel time for extensive audits). Syncro Soft may charge reasonable fees for audits that require more than 16 hours of Syncro Soft personnel time.
- No Disruption: Customer and auditors shall conduct audits in a manner that does not disrupt Syncro Soft's business operations or compromise the security or confidentiality of Syncro Soft's systems or other customers' data.
9.4 Alternative Compliance Verification
In lieu of on-site audits, Customer may request that Syncro Soft provide alternative evidence of compliance, including:
- Certifications and Audit Reports: Syncro Soft's ISO 27001 certification, or other independent third-party audit reports or certifications demonstrating compliance with recognized security standards.
- Self-Assessment Questionnaires: Completed security questionnaires or Data Protection Impact Assessments (DPIAs) prepared by Syncro Soft.
- Standard Audit Reports: Syncro Soft's standard audit reports covering its data protection and security practices, which may be made available to all customers.
- Remote Assessments: Virtual audits conducted via video conference, remote access to documentation, and interviews with Syncro Soft personnel.
- Subprocessor Compliance Evidence: Documentation or audit reports demonstrating Subprocessors' compliance with data protection obligations.
Syncro Soft may require Customer to accept such alternative compliance verification methods in lieu of on-site audits, particularly where:
- On-site audits would be excessively disruptive or costly
- Syncro Soft has recently undergone independent third-party audits
- Multiple customers are requesting audits within a short time period
If Customer is not satisfied with alternative compliance verification and reasonably requires an on-site audit for legitimate compliance purposes, the parties shall work together in good faith to arrange an audit that meets Customer's needs while respecting Syncro Soft's operational constraints.
9.5 Audit Reports and Findings
Following completion of an audit:
- Draft Report: Customer or its auditors shall provide Syncro Soft with a draft audit report and an opportunity to respond to any findings or recommendations before the report is finalized.
- Response: Syncro Soft shall have 15 business days to review the draft report and provide written responses, including corrections to any factual inaccuracies, context or explanations for any findings, and remediation plans for any identified deficiencies.
- Final Report: Customer shall consider Syncro Soft's responses and shall provide a final audit report within 15 business days of receiving Syncro Soft's response.
- Remediation: If the audit identifies any material non-compliance with this DPA or Data Protection Law, Syncro Soft shall promptly develop and implement a remediation plan to address the deficiencies. Syncro Soft shall provide Customer with written updates on remediation progress at reasonable intervals.
- Confidentiality of Reports: Audit reports shall be treated as confidential information of both parties and shall not be disclosed to third parties except:
- To supervisory authorities or other regulatory bodies as required by law
- To Customer's legal counsel, auditors, or advisors subject to confidentiality obligations
- As required to establish compliance with Data Protection Law
9.6 Supervisory Authority Audits
If a supervisory authority requests or requires an audit of Syncro Soft's data processing activities in connection with Customer's Personal Data, Processor shall:
- Cooperate: Fully cooperate with the supervisory authority and provide requested information, documentation, and access to facilities and systems.
- Notify Customer: Notify Customer of the supervisory authority's audit request, except where prohibited by law or the supervisory authority.
- Share Findings: Share with Customer any findings or recommendations from the supervisory authority that relate to Customer's Personal Data, to the extent permitted by law and the supervisory authority.
- Remediation: Implement any corrective actions required by the supervisory authority in a timely manner and inform Customer of the remediation measures taken.
10. DELETION AND RETURN OF PERSONAL DATA
10.1 Return or Deletion Upon Termination
Upon termination or expiration of the Agreement, Syncro Soft shall, at Customer's choice:
- Return Personal Data: Return a complete copy of all Personal Data processed on Customer's behalf in a commonly used, machine-readable format; or
- Delete Personal Data: Securely delete or destroy all Personal Data processed on Customer's behalf, including all copies, backups, and archived data.
Prior to deletion, Syncro Soft will make Customer Personal Data available for Customer to retrieve for a period of 30 days following termination as described in the Agreement. Customer is responsible for retrieving Customer Personal Data during the Retrieval Period.
Customer shall notify Syncro Soft of its choice in writing within 30 days of termination. If Customer does not provide such instruction, Syncro Soft shall delete all Personal Data in accordance with Section 10.2 below.
10.2 Deletion Procedures and Timeline
If Customer instructs Syncro Soft to delete Personal Data, or if Customer does not provide instructions within 30 days of termination, Syncro Soft shall:
- Immediate Deletion from Active Systems: Delete Personal Data from all active production systems within 7 days of the end of the data retrieval period specified in the Agreement (typically 30 days after termination).
- Deletion from Backups: Delete Personal Data from backup systems, archives, and disaster recovery systems within 90 days of deletion from active systems. Syncro Soft acknowledges that backup systems typically operate on scheduled cycles and that complete deletion from all backups may require up to 180 days.
10.3 Exceptions to Deletion
Notwithstanding the deletion obligations in Sections 10.1 and 10.2, Syncro Soft may retain Personal Data to the extent and for the period required by:
- Legal Obligations: Applicable laws, regulations, or legal process requiring retention of specific data (e.g., tax records, accounting records, audit trails). Syncro Soft shall limit retention to the minimum required by law.
- Legitimate Business Needs: Syncro Soft's legitimate business needs, such as:
- Retaining billing and payment records for accounting and tax purposes (typically 7 years)
- Retaining records necessary to defend against legal claims or establish compliance with contractual obligations
- Retaining aggregated, anonymized data that cannot be linked back to Customer or any individual
- Archival Systems: Personal Data retained in archived logs, system snapshots, or disaster recovery systems that are not readily accessible and are subject to the same security measures as active data. Such data shall be deleted in accordance with Syncro Soft's standard data retention policies, typically within 90-180 days.
Syncro Soft shall maintain records of any Personal Data retained under these exceptions and shall make such records available to Customer upon reasonable request.
10.4 Aggregated and Anonymized Data
Syncro Soft may retain aggregated, anonymized, or de-identified data derived from Personal Data that can no longer be attributed to Customer or to any identified or identifiable individual. Such data is not considered Personal Data under Data Protection Law and is not subject to the return or deletion obligations in this Section 10.
Anonymization shall be performed using recognized techniques that ensure the data cannot reasonably be re-identified, including:
- Removal of all direct identifiers (names, email addresses, account IDs, etc.)
- Aggregation to sufficiently large groups to prevent singling out individuals
- Assessment of re-identification risks considering both the data itself and any auxiliary information
10.5 Subprocessor Deletion Obligations
Syncro Soft shall ensure that all Subprocessors are contractually obligated to return or delete Personal Data in accordance with the requirements of this Section 10. Syncro Soft shall take reasonable steps to verify Subprocessor compliance with deletion obligations, including obtaining certificates of deletion where appropriate.
11. DATA SUBJECT RIGHTS ASSISTANCE
11.1 Customer's Responsibility for Data Subject Requests
Customer is responsible for responding to requests from Data Subjects seeking to exercise their rights under Data Protection Laws ("Data Subject Requests"), including:
- Right of access (GDPR Article 15)
- Right to rectification (GDPR Article 16)
- Right to erasure / "right to be forgotten" (GDPR Article 17)
- Right to restriction of processing (GDPR Article 18)
- Right to data portability (GDPR Article 20)
- Right to object (GDPR Article 21)
- Rights related to automated decision-making (GDPR Article 22)
- Right to Know (access)
- Right to Delete
- Right to Correct
- Right to Opt-Out of Sale/Sharing
If Syncro Soft receives a Data Subject request directly from a Data Subject, Syncro Soft will promptly redirect the Data Subject to Customer and will not respond to the request directly unless required to do so by applicable law or unless Customer has authorized Syncro Soft to respond. Syncro Soft will inform Customer of any such direct requests within 5 business days.
11.2 Syncro Soft's Assistance Obligations
Taking into account the nature of the processing, Syncro Soft shall provide reasonable assistance to Customer to enable Customer to respond to Data Subject Requests, including:
- Redirecting Requests: If a Data Subject submits a request directly to Syncro Soft regarding Personal Data processed in Customer's Organization Workspace, Syncro Soft will:
- Promptly inform Customer of the request (within 5 business days)
- Not respond to the Data Subject directly (except to inform them to contact Customer), unless required by applicable law
- Forward the request to Customer for handling
- Providing Access: Upon Customer's request, Syncro Soft will provide Customer with access to relevant Personal Data to enable Customer to respond to Data Subject Requests. Customer can access most Personal Data directly through the Platform interface.
- Facilitating Rectification: Customer can rectify inaccurate Personal Data directly through the Platform interface. Syncro Soft will provide technical support if Customer encounters difficulties.
- Facilitating Erasure: Customer can delete Personal Data directly through the Platform interface. Upon Customer's request, Syncro Soft will:
- Confirm deletion of specified Personal Data from active systems
- Confirm deletion from backups in accordance with backup retention schedules (typically within 90 days)
- Provide written confirmation of deletion upon request
- Facilitating Data Portability: Syncro Soft provides data export functionality within the Platform that enables Customer to download Personal Data in commonly used, machine-readable formats (such as XML). Upon request, Syncro Soft will provide reasonable assistance if standard export functionality is insufficient.
- Facilitating Restriction: If Customer requests that Syncro Soft restrict processing of specific Personal Data pending resolution of a Data Subject Request:
- Customer shall mark or tag the relevant data within the Platform (if functionality available)
- Syncro Soft will work with Customer to implement appropriate technical restrictions
- Syncro Soft will only process the restricted data as permitted by GDPR Article 18(2)
- Providing Information: Upon Customer's request, Syncro Soft will provide information about the processing activities, Sub-processors, security measures, and other details necessary for Customer to respond to Data Subject Requests regarding the processing performed by Syncro Soft.
11.3 Limitations on Assistance
Syncro Soft's assistance obligations under this Section 11 are subject to the following limitations:
- Technical Limitations: Syncro Soft's assistance is limited by the technical capabilities of the Platform. Syncro Soft is not obligated to develop new features or functionality to facilitate Data Subject Requests.
- Reasonable Efforts: Syncro Soft will provide assistance using commercially reasonable efforts, but cannot guarantee that all Data Subject Requests can be fully satisfied, particularly for complex or unusual requests.
- Customer's Access: In most cases, Customer can respond to Data Subject Requests using self-service tools available in the Platform without requiring Syncro Soft's assistance.
- Time and Resources: For requests requiring significant manual effort or custom development beyond standard Platform functionality, Syncro Soft may charge reasonable fees for assistance provided. Syncro Soft will notify Customer of any anticipated fees before performing chargeable work.
12. LIABILITY AND INDEMNIFICATION
12.1 Syncro Soft's Liability to Customer
Syncro Soft's liability to Customer for any breach of this DPA, including but not limited to unauthorized or unlawful processing, data breaches, failure to implement appropriate security measures, or failure to comply with Customer's lawful instructions, shall be governed by the limitation of liability provisions set forth in the Organization Agreement.
Notwithstanding any limitations of liability in the Organization Agreement, Syncro Soft shall be liable for damages arising from:
- Syncro Soft's failure to comply with obligations under Data Protection Law that are specifically directed at processors (such as the security requirements under GDPR Article 32)
- Syncro Soft acting outside or contrary to Customer's lawful instructions
- Gross negligence or willful misconduct in processing Personal Data
To the extent that Data Protection Law provides for direct liability of processors to Data Subjects (such as under GDPR Article 82), nothing in this DPA or the Organization Agreement shall limit such liability.
12.2 Allocation of Liability Between Parties
Where both Customer and Syncro Soft are liable to Data Subjects for the same damage under Data Protection Law (such as under GDPR Article 82):
- Joint and Several Liability: Customer and Syncro Soft shall be jointly and severally liable to the Data Subject for the full amount of the damage.
- Internal Allocation: As between Customer and Syncro Soft, liability shall be allocated as follows:
- Customer shall be solely liable for damages arising from Customer's own breach of Data Protection Law or from Customer providing unlawful instructions to Syncro Soft
- Syncro Soft shall be solely liable for damages arising from Syncro Soft's breach of its obligations under Data Protection Law or this DPA, including processing outside or contrary to Customer's lawful instructions
- Where the damage results from the acts or omissions of both parties, liability shall be allocated in proportion to each party's degree of fault
- Right of Recovery: If either party pays more than its proportionate share of damages to a Data Subject, that party shall have a right of recovery against the other party for the excess amount paid, in accordance with the internal allocation of liability above.
12.3 Customer's Indemnification of Syncro Soft
Customer shall indemnify, defend, and hold harmless Syncro Soft and its officers, directors, employees, and agents from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or relating to:
- Unlawful Instructions: Customer's instructions to Syncro Soft that violate Data Protection Law or the rights of Data Subjects.
- Customer's Data Protection Violations: Customer's own violations of Data Protection Law, including:
- Processing Personal Data without a lawful basis
- Failure to obtain necessary consents from Data Subjects
- Failure to comply with transparency obligations toward Data Subjects
- Failure to respond appropriately to Data Subject requests
- Violation of data minimization, purpose limitation, or other data protection principles
- Third-Party Claims: Third-party claims (including claims by Data Subjects) arising from Customer's processing of Personal Data or Customer's use of the Services in violation of Data Protection Law.
- Customer Content: Claims that Customer's Personal Data infringes third-party intellectual property rights, violates third-party privacy or publicity rights, or otherwise violates third-party rights.
This indemnification obligation is subject to Customer:
- Receiving prompt written notice of the claim
- Having sole control of the defense and settlement (provided that Customer may not settle any claim in a manner that admits liability on Syncro Soft's behalf or imposes obligations on Syncro Soft without Syncro Soft's consent)
- Receiving reasonable cooperation from Syncro Soft in the defense (at Customer's expense)
12.4 Syncro Soft's Indemnification of Customer
Syncro Soft shall indemnify, defend, and hold harmless Customer and its officers, directors, employees, and agents from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or relating to:
- Syncro Soft's Data Protection Violations: Syncro Soft's breach of this DPA or Data Protection Law, including:
- Failure to implement appropriate technical and organizational security measures
- Unauthorized or unlawful processing of Personal Data
- Processing Personal Data outside or contrary to Customer's lawful instructions
- Failure to assist Customer in complying with Data Subject requests
- Unauthorized disclosure of Personal Data
- Data Breaches: Data breaches resulting from Syncro Soft's failure to implement appropriate security measures or from Syncro Soft's gross negligence or willful misconduct.
- Subprocessor Violations: Violations of Data Protection Law by Subprocessors engaged by Syncro Soft, except where caused by Customer's instructions or actions.
This indemnification obligation is subject to Syncro Soft:
- Receiving prompt written notice of the claim
- Having sole control of the defense and settlement (provided that Syncro Soft may not settle any claim in a manner that admits liability on Customer's behalf or imposes obligations on Customer without Customer's consent)
- Receiving reasonable cooperation from Customer in the defense (at Processor's expense)
- The indemnified party's own breach of Data Protection Law or this DPA
- The indemnified party's gross negligence or willful misconduct
- The indemnified party's failure to mitigate damages after receiving notice of the claim
- Modifications to the Services made by the indemnified party without the indemnifying party's consent
- Combination of the Services with third-party products or services not provided or approved by the indemnifying party, where the claim would not have arisen but for such combination
Each party shall promptly notify the other party of any regulatory investigation, enforcement action, or proceeding by a supervisory authority that relates to the processing of Personal Data under this DPA.
- Sharing relevant information and documentation (subject to legal and confidentiality restrictions)
- Coordinating responses to supervisory authority inquiries
- Jointly developing remediation plans where appropriate
Neither party shall make any admission of liability or agree to any settlement or consent order with a supervisory authority that would adversely affect the other party without that party's prior written consent (not to be unreasonably withheld).
13. TERM AND TERMINATION
13.1 Term
This DPA shall commence on the Effective Date of the Organization Agreement and shall remain in effect for as long as Syncro Soft processes Personal Data on behalf of Customer under the Organization Agreement.
13.2 Effect of Agreement Termination
Upon termination or expiration of the Organization Agreement, this DPA shall automatically terminate, except that:
Survival of Obligations: The following provisions shall survive termination:
- Section 10 (Return and Deletion of Personal Data) - for the time necessary to complete return or deletion
- Section 12 (Liability and Indemnification) - for any claims arising before or as a result of termination
- Section 7 (International Data Transfers) - for any Personal Data not yet returned or deleted
- Section 5.1 (Confidentiality) - indefinitely or until Personal Data is returned or deleted
- Section 14 (General Provisions) - to the extent necessary to give effect to surviving provisions
Final Processing Activities: Syncro Soft may continue to process Personal Data to the extent necessary to:
- Provide Customer with access to retrieve Personal Data during the retrieval period
- Complete return of Personal Data to Customer if requested
- Comply with legal obligations requiring retention of Personal Data
- Establish, exercise, or defend legal claims
13.3 Termination for Breach of DPA
Either party may terminate this DPA (and the Organization Agreement) immediately upon written notice if the other party materially breaches this DPA and:
- Fails to cure the breach within 30 days of receiving written notice specifying the breach, or
- The breach cannot be cured (such as unauthorized disclosure of Personal Data), or
- The breach exposes the non-breaching party to material risk of regulatory penalties or liability
Customer's Right to Terminate: Customer may terminate if:
- Syncro Soft breaches security obligations, resulting in a data breach or significant risk of unauthorized access
- Syncro Soft processes Personal Data outside or contrary to Customer's instructions
- Syncro Soft fails to provide assistance required under Sections 11.2
- Syncro Soft engages a Subprocessor without proper authorization or notification
Syncro Soft's Right to Terminate: Processor may terminate if:
- Customer provides instructions that violate Data Protection Law and refuses to modify such instructions after notice from Processor
- Customer materially breaches its payment obligations under the Organization Agreement
- Continuing to process Personal Data would expose Processor to material legal or regulatory risk
13.4 Effect of DPA Termination
Upon termination of this DPA:
- Immediate Cessation: Syncro Soft shall immediately cease all processing of Personal Data, except as permitted under Section 10.3.
- Return or Deletion: Syncro Soft shall return or delete Personal Data in accordance with Section 10, unless Customer has already retrieved all Personal Data during the retrieval period.
- Certification: Syncro Soft shall provide Customer with written certification of deletion as specified in Section 10.2.
- No Further Use: Syncro Soft shall not make any further use of Personal Data for any purpose.
- Subprocessor Instructions: Syncro Soft shall instruct all Subprocessors to immediately cease processing and to return or delete Personal Data.
13.5 No Prejudice to Other Rights
Termination of this DPA shall be without prejudice to any other rights or remedies either party may have under the Organization Agreement, Data Protection Law, or applicable law, including:
- The right to seek damages for breaches occurring before termination
- The right to seek injunctive relief to prevent ongoing breaches
- The obligation to pay outstanding fees or charges
- The right of Data Subjects to seek compensation for damages
14. AMENDMENTS AND UPDATES
14.1 Changes to Data Protection Law
If changes to Data Protection Law require amendments to this DPA to maintain compliance, Processor may update this DPA by:
- Providing Customer with at least 30 days' advance written notice of the proposed changes
- Making the updated DPA available at [DPA URL] and in the customer portal
- Continuing to process Personal Data under the existing DPA during the notice period
Customer may object to changes by providing written notice within 30 days. If Customer objects on reasonable data protection grounds, the parties shall work together in good faith to reach an agreeable solution. If no solution can be reached, Customer may terminate the Organization Agreement in accordance with Section 13.3.
If Customer does not object within 30 days, the updated DPA shall take effect automatically at the end of the notice period.
12.2 Changes Required by Supervisory Authorities
If a supervisory authority requires changes to this DPA as a condition of approving the processing or in response to an investigation or enforcement action, Processor shall notify Customer and implement the required changes. Such changes shall take effect immediately upon implementation, and Customer's continued use of the Services constitutes acceptance of the changes.
12.3 Updates to Subprocessor List
Updates to the list of Subprocessors shall be made in accordance with Section 6 (Subprocessors and Subcontracting), not under this Section 12.
12.4 Administrative Updates
Processor may make administrative updates to this DPA without prior notice, including:
- Corrections of typographical errors or formatting
- Updates to contact information or addresses
- Clarifications that do not materially change the parties' rights or obligations
- Updates to cross-references or defined terms
Such administrative updates shall be posted at [DPA URL] and shall take effect immediately.
15. GENERAL PROVISIONS
14.1 Relationship to Organization Agreement
This DPA is incorporated into and forms part of the Organization Agreement. In the event of any conflict between the provisions of this DPA and the Organization Agreement with respect to the processing of Personal Data, the provisions of this DPA shall control.
All provisions of the Organization Agreement that are not inconsistent with this DPA shall continue in full force and effect, including but not limited to provisions regarding:
- Payment and fees
- Intellectual property rights
- Confidentiality (except as modified by this DPA)
- Warranties and disclaimers (except as modified by this DPA)
- Limitation of liability (except as modified by this DPA)
- Termination
- Dispute resolution
14.2 Order of Precedence
In the event of any conflict or inconsistency between the documents that form the Agreement, the following order of precedence shall apply (from highest to lowest):
- Standard Contractual Clauses (if applicable)
- This Data Processing Agreement (DPA)
- Organization Agreement
- Other appendices or exhibits to the Organization Agreement
- Privacy Policy and other policies referenced in the agreements
14.3 Entire Agreement on Data Processing
This DPA, together with the Organization Agreement and the Standard Contractual Clauses (if applicable), constitutes the entire agreement between the parties regarding the processing of Personal Data and supersedes all prior agreements, understandings, negotiations, and discussions, whether oral or written, regarding this subject matter.
14.4 Severability
If any provision of this DPA is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction or supervisory authority, such provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving its intent, or if such modification is not possible, such provision shall be severed from this DPA.
The remaining provisions of this DPA shall remain in full force and effect and shall be construed as if the invalid provision had never been included, unless such severance would materially alter the balance of rights and obligations under this DPA.
14.5 No Waiver
No failure or delay by either party in exercising any right or remedy under this DPA shall constitute a waiver of that right or remedy, nor shall any single or partial exercise of any right or remedy preclude any other or further exercise of that right or remedy or the exercise of any other right or remedy.
Any waiver must be in writing and signed by an authorized representative of the party granting the waiver. A waiver of any breach of this DPA shall not constitute a waiver of any subsequent breach.
14.6 Third-Party Beneficiaries
Data Subjects as Third-Party Beneficiaries: Data Subjects are third-party beneficiaries of this DPA to the extent necessary to enforce their rights under Data Protection Law, including:
- The right to enforce certain provisions of this DPA against Syncro Soft (such as security obligations and return/deletion of data)
- The right to enforce the Standard Contractual Clauses (if applicable)
- The right to seek compensation for damages in accordance with Data Protection Law
No Other Third-Party Rights: Except as provided above for Data Subjects, this DPA does not confer any rights upon any person or entity other than the parties to this DPA and their permitted successors and assigns.
14.7 Assignment
Neither party may assign, transfer, or delegate this DPA or any rights or obligations under this DPA without the prior written consent of the other party, except that:
- Syncro Soft's Assignment Rights: Syncro Soft may assign this DPA without Customer's consent:
- To an affiliate or subsidiary of Syncro Soft
- In connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of Syncro Soft's assets, provided that the assignee agrees in writing to be bound by the terms of this DPA
- Customer's Assignment Rights: Customer may assign this DPA without Syncro Soft's consent in connection with a merger, acquisition, or corporate reorganization, provided that the assignee agrees in writing to be bound by the terms of this DPA and the Organization Agreement.
Any attempted assignment in violation of this Section shall be void and of no effect.
14.8 Notices
All notices, requests, consents, and other communications under this DPA shall be in writing and shall be deemed given when:
- Sent by confirmed email (with read receipt or reply acknowledgment)
- Sent by internationally recognized courier with tracking confirmation
- Sent by registered or certified mail, return receipt requested
- Notices to Syncro Soft:
- Syncro Soft SRL
Attention: Data Protection Officer / Legal Department
Email: privacy@oxygenxml.com
Address: Remus 5A, Craiova, 20082, Romania
- Notices to Customer:
- To the email address and physical address provided by Customer in the Organization Agreement or as subsequently updated in Customer's account settings.
- Email to Customer's administrators
- In-Platform notifications
- Posting on Syncro Soft's website or customer portal
14.9 Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of Romania, without regard to its conflict of law principles, except where the Standard Contractual Clauses (if applicable) specify a different governing law. Subject to the provisions of the Standard Contractual Clauses (if applicable), any dispute arising out of or relating to this DPA shall be subject to the exclusive jurisdiction of the courts of Bucharest, Romania.
Supervisory Authority: For the purposes of Data Protection Law, the competent supervisory authority shall be:
- For Syncro Soft: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) - the Romanian Data Protection Authority.
- For Customer: The supervisory authority in Customer's jurisdiction.
14.10 Language
This DPA is executed in English. If this DPA is translated into any other language, the English version shall prevail in the event of any conflict or ambiguity between the English version and the translated version.
14.11 Counterparts and Electronic Signatures
This DPA may be executed in any number of counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument.
This DPA may be executed by electronic signature, which shall be considered as an original signature for all purposes and shall have the same force and effect as an original signature. Electronic acceptance through the Platform interface (such as clicking "I Accept" during the organization setup process) shall constitute valid execution of this DPA.
14.12 Survival
The provisions of this DPA that by their nature should survive termination or expiration shall survive, including but not limited to:
- Section 5.1 (Confidentiality)
- Section 10 (Return and Deletion of Personal Data)
- Section 12 (Liability and Indemnification)
- Section 14 (General Provisions)
14.13 Force Majeure
Neither party shall be liable for any failure or delay in performing its obligations under this DPA (except for payment obligations) to the extent such failure or delay is caused by circumstances beyond its reasonable control, including:
- Acts of God, natural disasters, or extreme weather events
- War, terrorism, civil unrest, or acts of government
- Pandemics, epidemics, or public health emergencies
- Labor disputes or strikes (other than those involving the party's own employees)
- Failures of the internet, telecommunications infrastructure, or utility services
- Cyber attacks, malware outbreaks, or other malicious activities (provided the affected party has implemented appropriate security measures)
The party affected by a force majeure event shall:
- Notify the other party promptly of the force majeure event and its expected duration
- Use reasonable efforts to mitigate the effects of the force majeure event
- Resume performance as soon as reasonably practicable
If a force majeure event continues for more than 60 days, either party may terminate this DPA (and the Organization Agreement) upon written notice to the other party.
14.14 No Partnership or Agency
Nothing in this DPA creates any partnership, joint venture, agency, employment, or franchise relationship between the parties. Neither party has the authority to bind the other or to incur any obligation on the other's behalf without prior written consent.
14.15 Compliance with Laws
Each party shall comply with all applicable laws and regulations in performing its obligations under this DPA, including but not limited to:
- Data Protection Law
- Anti-corruption and anti-bribery laws
- Export control and sanctions laws
- Labor and employment laws
- Health and safety laws
16. CONTACT INFORMATION
For all matters relating to this DPA, including Data Subject requests, data breaches, audits, and general data protection inquiries, please contact:
- Syncro Soft SRL - Data Protection Team
- General Email (Audit Requests, DPA Questions): privacy@oxygenxml.com
- Data Breach Notifications: security@oxygenxml.com
- Phone: +1-650-352-1250 (business hours: Monday-Friday, 9:00 AM - 6:00 PM EET/EEST)
- Postal Address:
Syncro Soft SRL
Attention: Data Protection / Privacy
Remus 5A, Craiova, 200082, Romania
ANNEXES TO DPA
The following annexes form part of this Data Processing Agreement and provide the information required by the Standard Contractual Clauses:
- ANNEX I: DETAILS OF PROCESSING
- ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES
- ANNEX III: LIST OF SUBPROCESSORS
