Data Processing Addendum

1. Introduction

ULTEH is committed to ensuring the privacy, security, and compliance of customer data. This Data Processing Addendum (DPA) outlines the terms governing how we process, store, and protect personal data in accordance with applicable data protection laws and regulations. This DPA is an extension of our main agreement with Customers and applies when ULTEH processes personal data on behalf of the Customer as a data processor. It establishes clear responsibilities for both parties regarding data handling, ensuring compliance with relevant privacy laws. By using ULTEH, Customers acknowledge and agree to the terms set forth in this DPA. If you require a signed copy of this agreement for compliance purposes, please contact us.

2. Definitions

Affiliate refers to any entity that directly or indirectly controls, is controlled by, or is under common control with a party. "Control" means the direct or indirect ownership of at least 50% of the voting shares, equity interests, or similar rights in the entity, giving the ability to influence its management and policies. Affiliates are considered bound by the obligations and responsibilities outlined in this DPA to the extent they engage with the processing of Personal Data.

Authorized Sub-Processor means any third-party vendor, service provider, or contractor engaged by the Company to process the Customer’s Personal Data strictly on behalf of and under the instructions of the Company. Authorized Sub-Processors assist in fulfilling the Company’s obligations under this DPA and the main Agreement. The Company ensures that all Sub-Processors comply with the same data protection obligations imposed under this DPA, maintaining security, confidentiality, and regulatory compliance.

Company Account Data refers to all business-related information collected, stored, and processed by the Company in relation to its contractual relationship with the Customer. This includes, but is not limited to, the names, email addresses, phone numbers, payment details, and access credentials of individuals authorized by the Customer to manage and operate the Customer’s account on the Company’s platform. Company Account Data is used strictly for administrative, billing, and support purposes.

Data Protection Laws encompass all applicable laws, regulations, and frameworks governing the collection, processing, storage, transfer, and protection of Personal Data. This includes, but is not limited to, the General Data Protection Regulation (GDPR) of the European Union, the UK GDPR applicable to the United Kingdom, the California Consumer Privacy Act (CCPA), and any other national or international privacy laws relevant to data processing activities under this Agreement. Compliance with these laws ensures that Personal Data is handled lawfully, transparently, and securely.

Personal Data refers to any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable person is one who can be directly or indirectly identified, particularly by reference to identifiers such as a name, email address, phone number, location data, an online identifier (such as IP address or cookies), or other unique factors that define their identity. Personal Data excludes anonymized or aggregated data that cannot be used to identify an individual.

Processing means any operation or set of operations performed on Personal Data, whether by automated means or manually. This includes, but is not limited to, collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, restricting, erasing, or destroying Personal Data. Processing is conducted in accordance with the Customer’s instructions and applicable Data Protection Laws.

Security Measures refer to the technical and organizational safeguards implemented to ensure the confidentiality, integrity, and availability of Personal Data. These measures include encryption, access controls, firewalls, data masking, pseudonymization, regular security audits, and breach notification mechanisms. Security Measures are designed to prevent unauthorized access, accidental loss, or unlawful processing of Personal Data.

Supervisory Authority refers to an independent public authority responsible for monitoring and enforcing compliance with Data Protection Laws. Examples include the **European Data Protection Board (EDPB)** for GDPR-related matters, the **UK Information Commissioner’s Office (ICO)** for UK GDPR, and the **California Privacy Protection Agency (CPPA)** for CCPA enforcement. The Supervisory Authority has the legal power to investigate complaints, issue guidance, and impose penalties for non-compliance.

Data Subject Rights refer to the rights granted to individuals under applicable Data Protection Laws. These rights may include the right to access, rectify, delete, restrict, or transfer their Personal Data, as well as the right to object to processing and lodge complaints with a Supervisory Authority. The Company assists Customers in facilitating the exercise of these rights when applicable.

3. Processing of Data

The Customer may act as either a Data Controller or a Data Processor, depending on its relationship with the Data Subject and the purposes for which Personal Data is processed. In all cases, the Company (ULTEH) acts as a Data Processor, processing Personal Data on behalf of and under the instructions of the Customer.

The Customer is responsible for ensuring that all data processing activities conducted using the Company's Services comply with Applicable Data Protection Laws, including but not limited to the General Data Protection Regulation (GDPR), UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable privacy regulations. The Customer acknowledges that it has the legal basis to process Personal Data and indemnifies the Company against any claims, liabilities, or damages resulting from non-compliance with these legal requirements.

The Company shall process Personal Data only in accordance with the Customer’s written instructions and solely as required to provide the Services, unless otherwise mandated by law. The Company will not use, disclose, or share Personal Data for any purpose other than those authorized by the Customer or explicitly outlined in this Agreement.

Upon termination of the Agreement or the Customer’s request, the Company shall, at the Customer’s discretion, either: (a) Securely delete all Personal Data processed under this Agreement, ensuring that no copies remain unless required by law, or (b) Return the Personal Data to the Customer in a structured, commonly used, and machine-readable format before deletion. The Customer must provide such requests within a reasonable timeframe before termination.

If the Company is legally required to retain Personal Data beyond termination, it will notify the Customer (unless legally prohibited from doing so) and ensure that such data remains protected in compliance with Data Protection Laws.

4. Security and Confidentiality

The Company (ULTEH) is committed to protecting the security and confidentiality of Personal Data processed on behalf of the Customer. To ensure data integrity and security, the Company implements and maintains industry-leading security measures designed to prevent unauthorized access, disclosure, alteration, or destruction of Personal Data.

These security measures include, but are not limited to:

• Data Encryption: Personal Data is encrypted both in transit and at rest using industry-standard encryption protocols to protect against unauthorized access.
• Access Controls: Strict access management policies ensure that only authorized personnel have access to Personal Data based on the principle of least privilege.
• Network and System Security: Firewalls, intrusion detection systems, and continuous monitoring help prevent unauthorized access and cyber threats.
• Data Anonymization and Pseudonymization: Where applicable, Personal Data may be anonymized or pseudonymized to reduce risks associated with data exposure.
• Regular Security Audits: The Company conducts periodic security assessments, vulnerability testing, and compliance checks to identify and mitigate risks.
• Incident Response Plan: A structured incident response protocol ensures that any security breach is promptly identified, mitigated, and reported in compliance with applicable Data Protection Laws.

Any individual, including employees, contractors, and authorized service providers, who processes Personal Data on behalf of the Company is bound by strict confidentiality obligations. This includes signing legally enforceable non-disclosure agreements (NDAs) and adhering to internal data handling policies to ensure compliance with data privacy and security standards.

The Company will promptly notify the Customer of any **confirmed security breach** that may result in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data. Such notifications will include details of the incident, potential impact, and remediation efforts taken to mitigate risks.

The Company continuously reviews and updates its security measures in accordance with evolving industry standards and regulatory requirements to ensure the ongoing protection of Customer data.

5. Sub-Processors

The Company (ULTEH) may engage third-party Sub-Processors to assist in providing and maintaining the Services. These Sub-Processors perform specific functions such as data storage, infrastructure hosting, analytics, or customer support. The Company ensures that all engaged Sub-Processors adhere to strict data protection obligations equivalent to those outlined in this DPA.

The Company maintains an up-to-date list of Sub-Processors, including their roles and processing locations. Customers may request information about the current Sub-Processors at any time by contacting the Company.

Customer Rights & Objections:

• The Company will notify Customers of any **new Sub-Processor engagements** at least 10 days in advance.
• Customers may submit a written **objection** to the use of a new Sub-Processor within this 10-day period if they have legitimate **data protection concerns**.
• Upon receiving an objection, the Company will engage in **good-faith discussions** to address concerns, which may include finding alternative solutions.
• If a mutually acceptable resolution is not reached, the Customer may have the right to **terminate the affected Services** in accordance with the Agreement.

The Company remains fully responsible and liable for the actions of its Sub-Processors and ensures that they comply with:

• Data Protection Laws, including GDPR, CCPA, and other applicable regulations.
• Confidentiality agreements to protect Personal Data.
• Industry-standard security measures to prevent unauthorized access or misuse of data.

The Company reserves the right to **update or replace** its Sub-Processors as needed, with due consideration for Customer concerns and ongoing compliance obligations.

6. Transfers of Personal Data

The Company (ULTEH) may transfer Personal Data outside the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to facilitate the provision of Services. When such transfers occur, the Company ensures that appropriate legal safeguards are in place to protect the transferred data in compliance with applicable Data Protection Laws.

The Company relies on recognized data transfer mechanisms, including but not limited to:

• Standard Contractual Clauses (SCCs): The Company incorporates SCCs approved by the European Commission or other competent authorities to ensure lawful data transfers.
• Supplementary Measures: Where necessary, the Company applies additional technical, organizational, and contractual safeguards to enhance data protection.
• Binding Corporate Rules (BCRs): When applicable, Company-affiliated entities adhere to BCRs ensuring a high level of data protection across international operations.
• Other Approved Transfer Mechanisms: The Company complies with any additional frameworks, certifications, or legal instruments recognized for lawful cross-border data transfers.

Customer Rights & Assistance: The Company is committed to assisting the Customer in ensuring compliance with th rights of Data Subjects under applicable Data Protection Laws. This includes, but is not limited to:

• Access Requests: Enabling Data Subjects to access their Personal Data.
• Rectification Requests: Allowing for corrections to inaccurate or incomplete data.
• Erasure Requests ("Right to be Forgotten"): Assisting with the deletion of Personal Data upon request, where legally permissible.
• Objection & Restriction of Processing: Supporting Data Subjects in exercising their rights to object to or restrict data processing activities.
• Data Portability: Facilitating the transfer of Personal Data to another data controller, where applicable.

The Company continuously monitors global privacy regulations to ensure compliance with **cross-border data transfer requirements** and will notify the Customer if changes in the legal framework impact its data processing obligations.

7. Data Subject Rights

The Company (ULTEH) recognizes and respects the rights of **Data Subjects** under applicable **Data Protection Laws**. The Company will assist the **Customer**, as the Data Controller, in responding to requests from individuals regarding their **Personal Data**.

Data Subjects may exercise the following rights:

• Right of Access: The ability to request and obtain confirmation of whether their data is being processed, along with access to the data.
• Right to Rectification: The right to correct or update inaccurate or incomplete Personal Data.
• Right to Erasure ("Right to be Forgotten"): The right to request deletion of Personal Data, subject to legal and contractual obligations.
• Right to Restrict Processing: The ability to limit the processing of Personal Data under certain conditions.
• Right to Data Portability: The ability to obtain and transfer Personal Data to another service provider where technically feasible.
• Right to Object: The right to object to processing based on legitimate interests, direct marketing, or automated decision-making.
• Right to Withdraw Consent: If processing is based on consent, the Data Subject may withdraw consent at any time.

Customer Responsibilities: The Customer, acting as the Data Controller, is responsible for handling Data Subject requests. The Company will provide **reasonable assistance** upon request, ensuring that responses are handled **promptly and in compliance** with applicable laws.

The Company shall not respond directly to a Data Subject request unless legally required to do so or explicitly authorized by the Customer.

8. Data Breach Notification

The Company (ULTEH) takes security seriously and implements **preventative measures** to safeguard Personal Data. However, in the event of a **Personal Data Breach**, the Company shall act **swiftly and transparently**.

Data Breach Response Plan: If the Company becomes aware of a **confirmed Personal Data Breach** that may result in the **unauthorized access, loss, alteration, or disclosure** of Personal Data, it will:

• **Assess the impact** of the breach and take immediate steps to mitigate risks.
• **Notify the Customer without undue delay** (typically within 48 hours of confirmation).
• Provide details including:
  • The nature and scope of the breach.
  • The type of data affected.
  • The potential consequences.
  • Measures taken or proposed to address the breach.
• **Assist the Customer** in fulfilling any regulatory obligations, including notifications to authorities and affected Data Subjects, where required.
• **Implement corrective actions** to prevent future breaches.

Customer Responsibilities: The Customer is responsible for determining whether to notify regulatory authorities and Data Subjects in compliance with applicable Data Protection Laws.

The Company shall document all breaches and maintain records of its **investigation, mitigation efforts, and remediation actions**.

9. Data Retention and Deletion

The Company (ULTEH) retains **Personal Data only for as long as necessary** to fulfill its obligations under this Agreement or as required by applicable laws.

Data Retention Policy:

• The Company follows **data minimization principles**, ensuring that data is retained only for **legitimate business and compliance needs**.
• Data will be deleted or anonymized once it is **no longer necessary** for processing purposes.
• Retention periods may vary depending on **legal, contractual, or regulatory requirements**.

Customer-Controlled Data Deletion:

• Customers may request **deletion of Personal Data** at any time.
• Upon termination of services, the Company shall **delete or return Personal Data** in accordance with the Customer's instructions.
• If no deletion request is made, the Company will **automatically delete** Personal Data within a reasonable timeframe, unless legally required to retain it.

Exceptions to Data Deletion: In certain cases, the Company may **retain Personal Data** beyond the agreed retention period, including:

• To comply with **legal obligations** (e.g., tax, auditing, or regulatory requirements).
• For **legitimate interests**, such as fraud prevention or security investigations.
• When required by a **binding legal request** (e.g., court order).

The Company ensures that **secure deletion procedures** are followed, preventing any unauthorized recovery or misuse of Personal Data.

10. Governing Law and Dispute Resolution

This Data Processing Addendum (DPA) shall be governed by and interpreted in accordance with the **same laws and jurisdiction** as defined in the main agreement between the Company (ULTEH) and the Customer.

Dispute Resolution Process: If any dispute arises regarding this DPA, both parties agree to follow a structured resolution process, including:

• Good-Faith Negotiation: The parties will first attempt to resolve disputes through direct discussions and negotiations.
• Mediation or Arbitration: If negotiation fails, the dispute may be referred to mediation or arbitration, as outlined in the main agreement.
• Legal Proceedings: If no resolution is reached, disputes may be settled through formal legal proceedings in the applicable jurisdiction.

In the event of any conflict between this DPA and the main agreement, **the terms of this DPA shall take precedence** solely concerning data protection matters, ensuring compliance with applicable Data Protection Laws.

11. Final Provisions

This Data Processing Addendum forms an integral part of the overall agreement between the Company (ULTEH) and the Customer. By continuing to use the Services, the Customer acknowledges and **accepts the terms of this DPA**.

If any provision of this DPA is found to be **invalid or unenforceable**, the remaining provisions shall continue in full force and effect. The parties agree to replace any unenforceable provision with one that reflects the original intent as closely as possible while remaining compliant with applicable laws.

Amendments & Updates: The Company reserves the right to **modify or update this DPA** to reflect changes in applicable **Data Protection Laws, industry practices, or operational needs**. Customers will be notified of any material changes, and continued use of the Services constitutes acceptance of the updated terms.

Contact Information: For any questions, concerns, or to request a signed copy of this DPA, Customers may contact the Company at: dpa@ulteh.com.