This Data Processing Agreement (including any terms set forth in a schedule, appendix or addendum hereto, “DPA”), dated as of the effective date of the Service Agreement (“Effective Date”), is by and between the customer identified in the Service Agreement (“Customer”), and atlasGO SA, a Belgian Société Anonyme (“Vendor”).  Customer and Vendor may be referred to herein together as the “Parties”, and each may be referred to herein as a “Party”. To the extent that the Parties have entered into a prior agreement governing the processing of personal data (the “Prior Agreement”), the Parties understand and agree that this DPA shall supersede and replace such Prior Agreement. For good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, Customer and Vendor hereby agree as follows:

1. Definitions.  

• “Applicable Laws” means, collectively, all now existing or hereinafter enacted or amended laws, rules, regulations (including, without limitation, self-regulatory obligations), and/or sanctions programs applicable to a Party’s performance hereunder and/or obligations with respect to data protection. 
• “Customer Data” means all information, data, content and other materials, in any form or medium, that is submitted, posted, collected, transmitted or otherwise provided by or on behalf of Customer through the Services. 
• “Customer Personal Data” means Customer Data that is Personal Data processed by Vendor on behalf of Customer in the provision of the Services under the Service Agreement(s).
• “Controller” means (i) under and in the context of European Data Protection Law, the data “controller” (as defined by GDPR), and (ii) under and in the context of any other privacy or data protection law, rule, or regulation applicable to a Party’s performance hereunder, a “controller”, “business”, or corresponding term denoting a substantially similar definition, role, and obligations under such law, rule or regulation.
• “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (and each successor regulation, directive or other text of the foregoing, in each case as amended from time to time).
• “European Data Protection Law” means each of EU GDPR, UK GDPR, and the Federal Data Protection Act of 19 June 1992 (Switzerland) (as the same may be superseded by the Swiss Data Protection Act 2020 and as amended from time to time).
• “DSGVO” means, as applicable, (i) the EU GDPR and/or (ii) the UK GDPR.
• “Personal Data” means any information that constitutes (a) “personal data” (as defined by, and in the context of, European Data Protection Law), and/or (b) “personal data,” “personal information,” or other term denoting a substantially similar definition and obligations under, and in the context of, any other Applicable Laws, in each case that is (i) made available or otherwise provided by Customer to Vendor in connection with the Services and/or (ii) collected or accessed by Vendor under a Service Agreement(s) via a pixel, cookie, tag, or similar technology on any of Customer’s digital properties.
• “Process” means any operation or set of computer operations performed on Personal Data, including, but not limited to, collection, recording, organization, structuring, storage, access, adaptation, alteration, retrieval, consultation, use, transfer, transmit, sale, rental, disclosure, dissemination, making available, alignment, combination, deletion, erasure, or destruction.
• “Processor” means (i) under and in the context of European Data Protection Law, the data “processor” (as defined by GDPR), and (ii) under and in the context of any other privacy or data protection law, rule, or regulation applicable to a Party’s performance hereunder, a “processor”, “service provider”, or corresponding term denoting a substantially similar definition, role, and obligations under such law, rule or regulation.
• “Security Incident” means (i) any accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Personal Data or (ii) any other event that constitutes a “security breach”, “personal data breach”, or substantially similar term with respect to Personal Data under an Applicable Law(s).
• “Service Agreements” means, collectively, the agreements and/or terms of service (including, as applicable, each of the Statements of Work/SOWs/Orders/Order Forms and exhibits thereunder) between Customer and Vendor.
• “Services” means, collectively, the products and/or services provided by Vendor to Customer under the Service Agreements.
• “Sub-Processor” means a contractor, subcontractor, consultant, third-party service provider, or agent engaged by Vendor for further Processing of Personal Data.
• “UK GDPR” has the meaning ascribed thereto in section 3(10) (as supplemented by section 205(4)) of the UK Data Protection Act 2018 (as amended from time to time).

2. Data Processing Obligations.  

2.1. General.  

• Each Party shall comply with its obligations relating to Personal Data under this DPA and under Applicable Laws at its own cost. With respect to Personal Data, (i) Customer is a Controller and (ii) Vendor is a Processor that acts upon the instructions of Customer, including, without limitation, in accordance with the applicable Service Agreement, this DPA, and any other documented instructions provided by Customer.
• With regard to Vendor employees engaged in Processing Personal Data, Vendor shall ensure that such employees are informed of the confidential nature of the Personal Data and are subject to appropriate confidentiality obligations sufficient to comply with the terms of the applicable Service Agreement(s) and this DPA, which confidentiality obligations shall survive following termination of this DPA for at least as long as the period(s) required by the applicable Service Agreement(s) and this DPA.
• Customer will have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer obtained the Customer Personal Data, including, without limitation, obtaining appropriate consent to collect the Customer Personal Data and share such data with Vendor in accordance with Applicable Laws.

2.2. Standard Contractual Clauses. 

If Vendor Processes Personal Data relating to an EEA, United Kingdom, or Switzerland data subject (including, without limitation, the transfer of such Personal Data from the EEA, United Kingdom, or Switzerland to a third country not providing an adequate level of protection) outside of the EEA, United Kingdom, and Switzerland, the Processing will be further governed by Schedule I to this DPA, with Customer as data exporter and Vendor as data importer (together with all Appendixes and Annexes thereto, and as the same may be amended, supplemented, or otherwise modified from time to time, “Personal Data SCCs”), which is incorporated by reference into this DPA solely with respect to Personal Data relating to EEA, United Kingdom and/or Switzerland data subjects.  If there is any conflict between (x) the terms and conditions of either this DPA or the applicable Service Agreement(s), on the one hand, and (y) the terms and conditions of the Personal Data SCCs, on the other hand, then, with respect to Personal Data relating to an EEA, United Kingdom and/or Switzerland data subject(s), the terms and conditions of the Personal Data SCCs will prevail and control.  Vendor may only transfer Personal Data relating to an EEA, United Kingdom, or Switzerland data subject outside the EEA, United Kingdom, and Switzerland in compliance with Applicable Laws and the Personal Data SCCs.

2.3. Changes in Applicable Laws. 

If, due to any change in Applicable Laws, a Party reasonably believes that (a) Vendor ceases to be able to provide a Service(s) in whole or in part (e.g., with respect to a particular jurisdiction) and/or Customer ceases to be able to use a Service(s) in whole or in part under the then-current terms and conditions of the applicable Service Agreement(s) and this DPA, each Party may terminate the applicable Service Agreement(s) (in whole or, if reasonably practicable, in part).

3. Security.  

3.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risks. Such measures will include reasonable administrative, physical, and technical security controls (including those required by Applicable Laws) that prevent the collection, use, disclosure, or access to Personal Data and Customer confidential information that the Service Agreements do not expressly authorize, including maintaining a comprehensive information security program that safeguards Personal Data and Customer confidential information. These security measures include, but are not limited to: (i) the pseudonymization and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; and (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. 

3.2. When assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

4. Supplementary Measures and Safeguards.

4.1. Assistance; Risk Assessment.  

• Vendor shall assist Customer to ensure compliance with Applicable Laws in connection with the Processing of Personal Data.  

4.2. Orders.

Vendor shall notify Customer in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data. Customer shall have the right to defend such action in lieu of and/or on behalf of Vendor. Customer may, if it so chooses, seek a protective order. Vendor shall reasonably cooperate with Customer in such defense.

5. Notifications. 

5.1. Security Incidents. 

Vendor has and will maintain a security incident response plan that includes procedures to be followed in the event of a Security Incident. Vendor will provide Customer with written notice promptly after discovering a Security Incident (including those affecting Vendor or its Sub-Processors), including any information that Customer is required by law to provide to an applicable regulatory agency or to the individuals whose personal data was involved in the Security Incident. 

5.2. Data Subject Requests. 

Vendor shall (i) promptly notify Customer about any request under Applicable Law(s) with respect to Personal Data received from or on behalf of the applicable data subject and (ii) reasonably cooperate with Customer’s reasonable requests in connection with data subject requests with respect to Personal Data.  Vendor shall assist Customer, through appropriate technical and organizational measures, to fulfill its obligations with respect to requests of data subjects seeking to exercise rights under Applicable Law with respect to Personal Data.

6. Sub-Processors.

6.1. Vendor shall not have Personal Data Processed by a Sub-Processor unless such Sub-Processor is bound by a written agreement with Vendor that includes data protection obligations at least as protective as those contained in this DPA and the applicable Service Agreement(s) and that meet the requirements of Applicable Laws. Vendor is and shall remain fully liable to Customer for any failure by any Sub-Processor to fulfill Vendor’s data protection obligations under Applicable Laws.

6.2. Vendor’s list of all Sub-Processors who access Personal Data is available at Annex III of Exhibit A (the “Sub-Processor List”). Customer specifically authorizes and instructs Vendor to engage the Sub-Processors listed in the Sub-Processor List. Vendor will notify Customer of any changes to the Sub-Processors listed on the Sub-Processor List and grant Customer the opportunity to object to such change. Upon Customer’s request, Vendor will provide all information necessary to demonstrate that the Sub-Processors will meet all requirements pursuant to Section 6.1. If Customer objects to any Sub-Processor, Vendor can choose to either not engage the Sub-Processor or to terminate this DPA with thirty (30) days’ prior written notice.

6.3. Third-party providers that maintain IT systems whereby access to Personal Data is not needed but can technically also not be excluded do not qualify as Sub-Processors within the meaning of this Section 6. They can be engaged based on regular confidentiality undertakings and subject to Vendor’s reasonable monitoring.

7. Deletion.

Vendor shall, at the choice of Customer: (i) delete or return all Customer Data to Customer after such Customer Data is no longer necessary for the provision of the Services, and (ii) delete existing copies of such Customer Data. 

8. Documentation.  

• Vendor shall, upon Customer’s request, provide Customer (a) comprehensive documentation of Vendor’s technical and organizational security measures, (b) any and all third-party audits and certifications available with respect to such security measures, and (c) and all other information reasonably necessary to demonstrate compliance with the Vendor’s obligations under this DPA and/or under Applicable Laws.

9. Term; Termination. 

This DPA shall remain in effect until (a) all Service Agreements have terminated and (b) all obligations that Vendor has under the Service Agreements and under Applicable Laws with respect to Personal Data, and all rights that Customer has under the Service Agreements and under Applicable Laws with respect to Personal Data, have terminated.  Notwithstanding termination of this DPA, any provisions hereof that by their nature are intended to survive, shall survive termination.

10. Miscellaneous.

10.1. Any notice made pursuant to this DPA will be in writing and will be deemed delivered on (a) the date of delivery if delivered personally, (b) five (5) calendar days (or upon written confirmed receipt) after mailing if duly deposited in registered or certified mail or express commercial carrier, or (c) one (1) calendar day (or upon written confirmed receipt) after being sent by email, addressed to Customer at the address or email address on record with Vendor, or addressed to Vendor at the address or email address designated below, or to such other address or email address as may be hereafter designated by either Party: 

Olivier Kaeser, CEO

olivier@atlasgo.org

Avenue Arnaud Fraiteur 15/23, 1050 Ixelles, Belgium

10.2. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the applicable Service Agreements, unless required otherwise by Applicable Laws.

10.3. Neither Party may assign or transfer any part of this DPA without the written consent of the other Party; provided, however, that this DPA, collectively with all Service Agreements, may be assigned without the other Party’s written consent by either Party to a person or entity who acquires, by sale, merger or otherwise, all or substantially all of such assigning Party’s assets, stock or business.  Subject to the foregoing, this DPA shall bind and inure to the benefit of the Parties, their respective successors and permitted assigns.  Any attempted assignment in violation of this Section 10.3 shall be void and of no effect.

10.4. This DPA is the Parties’ entire agreement relating to its subject and supersedes any prior or contemporaneous agreements on that subject; provided, however, that, notwithstanding the foregoing but subject to the last sentence of this Section 10.4, nothing in this DPA shall be deemed to supersede any of the Service Agreements. Vendor may modify the terms of this DPA if, as reasonably determined by Vendor, such modification is (i) reasonably necessary to comply with Applicable Laws or any other law, regulation, court order or guidance issued by a governmental regulator or agency; and (ii) does not: (a) result in a degradation of the overall security of the Services, (b) expand the scope of, or remove any restrictions on, Vendor’s processing of Personal Data, and (c) otherwise have a material adverse impact on Customer’s rights under this DPA. Any other amendments must be executed by both of the Parties and expressly state that they are amending this DPA.  Failure to enforce any provision of this DPA shall not constitute a waiver.  If any provision of this DPA is found unenforceable, it and any related provisions shall be interpreted to best accomplish the unenforceable provision’s essential purpose.  The headings contained in this DPA are for reference purposes only and shall not affect in any way the meaning or interpretation of this DPA.  In the event of a conflict between the terms and conditions of this DPA and the terms and conditions of any Service Agreement, the terms and conditions of this DPA shall govern.

SCHEDULE I

EU SCCs

1. Definitions

• “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in this Schedule I.
• “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, available as of the DPA Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ and completed as described in this Schedule I.

2. With respect to Personal Data transferred from the European Economic Area, the EU SCCs will apply and form part of this Schedule I, unless the European Commission issues updates to the EU SCCs, in which case the updated EU SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the EU SCCs. For purposes of the EU SCCs, they will be deemed completed as follows:

• Because Customer is a Controller and Vendor is a Processor of the Personal Data, Module 2 applies.
• Clause 7 (the optional docking clause) is not included.
• Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body is inapplicable. 
• Under Clause 17 (Governing law), the Parties select Option 1 (the law of an EU Member State that allows for third-party beneficiary rights).  The Parties select the law of Belgium.
• Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Belgium.
• Annexes I, II and III of the EU SCCs are set forth in Exhibit A to this Schedule I.
• By entering into this DPA, the Parties are deemed to be signing the EU SCCs.

3. With respect to Personal Data transferred from the United Kingdom for which the law of the United Kingdom (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this Schedule I and take precedence over the rest of this Schedule I as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs, in which case the updated UK SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the UK SCCs. For purposes of the UK SCCs, they will be deemed completed as follows: 

• Table 1 of the UK SCCs:
  • The Parties’ details are the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Exhibit A.  
  • The Key Contacts are the contacts set forth in Exhibit A.
• Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 are the EU SCCs as executed by the Parties pursuant to this Schedule I. 
• Table 3 of the UK SCCs: Annex 1A, 1B, II and III are set forth in Exhibit A.
• Table 4 of the UK SCCs: Either party may terminate the Service Agreements as set forth in Section 19 of the UK SCCs.
• By entering into the DPA, the Parties are deemed to be signing the UK SCCs and their applicable Tables and Appendix Information.

4. With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the EU SCCs will apply and will be deemed to have the following differences to the extent required by the Swiss Federal Act on Data Protection (“FADP”):

• References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.
• The term “member state” in the EU SCCs will not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.
• References to Personal Data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
• Under Annex I(C) of the EU SCCs (Competent supervisory authority): where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the EU SCCs insofar as the transfer is governed by the GDPR.

EXHIBIT A

ANNEX I

A. LIST OF PARTIES

Data exporter(s): 

Name: Entity identified as “Customer” in the DPA.

Address: See the Service Agreement(s).

Contact person’s name, position and contact details: See the Service Agreement(s).

Activities relevant to the data transferred under these Clauses: To receive the Services (as defined in the DPA).

Role (controller/processor): Controller.

Data importer(s): 

Name: atlasGO SA (“Vendor”)

Address: Avenue Arnaud Fraiteur 15/23, 1050 Ixelles, Belgium

Contact person’s name, position and contact details:

Name: Olivier Kaeser (olivier@atlasgo.org)

Role: CEO

Address: Avenue Arnaud Fraiteur 15/23, 1050 Ixelles, Belgium

Activities relevant to the data transferred under these Clauses: To provide Customer with the Services (as defined in the DPA).

Role (controller/processor): Processor.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Individuals affiliated with Customer that register to use Vendor’s online platform (collectively, “Users”).

Categories of personal data transferred

• User name
• User email address
• User affiliation to aGO customer
• images that may depict User or other individuals
• details of activities that User participates in such as nature of activity, dates the activity was undertaken and distance completed during the activity 
• personal data that may be included in the text that the User adds to the User’s profile, within the chat feature, or otherwise posts to AU’s platform 
• IP address (location can technically be determined via IP address)
• User activity with respect to the posts of other users (e.g., likes)

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

For the duration of the Services pursuant to the Service Agreement(s).

Nature of the processing

To provide the Services pursuant to the Service Agreement(s).

Purpose(s) of the data transfer and further processing

To provide the Services pursuant to the Service Agreement(s).

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

As long as necessary to provide the Services pursuant to the Service Agreement(s).

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

To provide the Services pursuant to the Service Agreement(s).

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The Supervisory Authority where the Data Exporter is located.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

1. Access Control

• Access rights are only given to teroGO employees who need that access to fulfill their tasks. In compliance with our Data Classification and Security Policy, we use a subprocessor to manage access rights to systems and data.
• Segregation of duties between individuals responsible for approving, granting and reviewing access logs is ensured. COO / Data Protection Officer in coordination with CTO are responsible to manage access rights..
• All IT infrastructure is secured with MFA and/or digital certificates where applicable.

2. Asset Management

• A documented, approved and communicated policy to classify data and/or objects containing data that includes data definitions, access restrictions and controls specific to our service is in place. Classification is part of the data classification and security policy and is shared with all new teroGO employees and current teroGO employees.
• We have documented, approved and communicated procedures governing the usage, storage or transmission of information and assets used to access information reflected in our application management and security and data classification and security policies.

3. Business Continuity Management

• We have a documented, approved and communicated Business Continuity Plan (BCP) in place.
• We have an incident and crisis management plan in place.
• We have a documented, approved and communicated Disaster Recovery Plan (DRP) that prioritizes the recovery of critical systems and infrastructure in place.

4. Operations Security

• Operational Security with regards to the development and maintenance of our solution is covered in our Application Management and Security Policy.
• We have a clear segregation of duties between those responsible for requesting, approving, implementing and reviewing production changes. 
• All security patches are applied by both automated system checks and semi-automatic checks that inform developers daily.
• We use an ACL to limit access to resources on a per-user basis with fine grained access controls.
• We have a documented, approved and communicated data backup and restoration processes outlined in our Disaster Recovery Policy.
• All of the third-party providers we pick are holding themselves to the highest industry security standards and data protection agreements are signed with our sub-service vendors.
• Our Information Security Policies and Standards include a section on Cloud Computing.

• Privacy and related processes and policies are a responsibility of our management (COO/CTO).
• A documented, approved and communicated privacy policy is accessible under atlasgo.org/privacy
• Dedicated person(s) responsible for privacy compliance are appointed (COO/CTO)
• All teroGO employees and contractors sign a Confidentiality Agreement before joining teroGO and before access is given to any data.
• Initial training of employees and on the job training for employees is ensured. For sub-vendors, we review and sign Data Protection Agreements.
• Enforcement policy or procedure for those who violate privacy confidentiality and privacy requirements is in place.
• Documented, approved and communicated process for reporting and responding to privacy complaints, privacy incidents, unauthorized disclosure, unauthorized access or data breaches is in place
• Documented, approved and communicated process for responding to individual requests regarding personal data, such as amending, erasing or limiting access.
• We only collect the minimum amount of data necessary to provide our service in a meaningful way.

5. Information Security Incident Management

• Documented, approved and communicated information security incident management program is in place
• Documented, approved and communicated escalation process for notifying a client when an incident may impact the security of their data or systems is in place.

6. System Acquisition, Development, and Maintenance

• Our development/QA process addresses common application vulnerabilities as defined by OWASP.
• Sensitive Data Exposure – All endpoints return the least amount of user data necessary for providing the endpoint’s service. Endpoints that give up sensitive data like the user’s email require the user’s own session key to retrieve.
• All changes go through a rigorous testing process by multiple parties. All possible affected stakeholders are also notified before deployment. Code changes are reviewed or scanned to identify potential vulnerabilities prior to deployment.
• Development, testing and production environments are segregated. We have a development environment that doubles as testing. The production environment is isolated from both development and testing. Production data is not allowed to be used in testing and development environments.
• We restrict access to source code libraries, version control tools and testing environments to appropriately authorized IT personnel.

ANNEX III

LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors:

• Atlas Unlimited Inc.