Data Processing Agreement

1. Data Processing Addendum

ULTEH is committed to ensuring the privacy, security, and compliance of customer data. This Data Processing Addendum (DPA) outlines the terms governing how we process, store, and protect personal data in accordance with applicable data protection laws and regulations. This DPA is an extension of our main agreement with Customers and applies when ULTEH processes personal data on behalf of the Customer as a data processor. It establishes clear responsibilities for both parties regarding data handling, ensuring compliance with relevant privacy laws. By using ULTEH, Customers acknowledge and agree to the terms set forth in this DPA. If you require a signed copy of this agreement for compliance purposes, please contact us.

2. Definitions

Affiliate refers to any entity that directly or indirectly controls, is controlled by, or is under common control with a party. "Control" means the direct or indirect ownership of at least 50% of the voting shares, equity interests, or similar rights in the entity, giving the ability to influence its management and policies. Affiliates are considered bound by the obligations and responsibilities outlined in this DPA to the extent they engage with the processing of Personal Data.

Authorized Sub-Processor means any third-party vendor, service provider, or contractor engaged by the Service Provider to process the Customer's Personal Data strictly on behalf of and under the instructions of the Service Provider. Authorized Sub-Processors assist in fulfilling obligations under this DPA and the main Agreement. All Sub-Processors must comply with the same data protection obligations, maintaining security, confidentiality, and regulatory compliance.

Account Data refers to all business-related information collected, stored, and processed by the Service Provider in relation to its contractual relationship with the Customer. This includes, but is not limited to, the names, email addresses, phone numbers, payment details, and access credentials of individuals authorized by the Customer to manage and operate their account on the Service Provider's platform. Account Data is used strictly for administrative, billing, and support purposes.

Data Protection Laws encompass all applicable laws, regulations, and frameworks governing the collection, processing, storage, transfer, and protection of Personal Data. This includes, but is not limited to, the General Data Protection Regulation (GDPR) of the European Union, the UK GDPR applicable to the United Kingdom, the California Consumer Privacy Act (CCPA), and any other national or international privacy laws relevant to data processing activities under this Agreement. Compliance with these laws ensures that Personal Data is handled lawfully, transparently, and securely.

Personal Data refers to any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable person is one who can be directly or indirectly identified, particularly by reference to identifiers such as a name, email address, phone number, location data, an online identifier (such as IP address or cookies), or other unique factors that define their identity. Personal Data excludes anonymized or aggregated data that cannot be used to identify an individual.

Processing means any operation or set of operations performed on Personal Data, whether by automated means or manually. This includes, but is not limited to, collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, restricting, erasing, or destroying Personal Data. Processing is conducted in accordance with the Customer's instructions and applicable Data Protection Laws.

Security Measures refer to the technical and organizational safeguards implemented to ensure the confidentiality, integrity, and availability of Personal Data. These measures include encryption, access controls, firewalls, data masking, pseudonymization, regular security audits, and breach notification mechanisms. Security Measures are designed to prevent unauthorized access, accidental loss, or unlawful processing of Personal Data.

Supervisory Authority refers to an independent public authority responsible for monitoring and enforcing compliance with Data Protection Laws. Examples include the European Data Protection Board (EDPB) for GDPR-related matters, the UK Information Commissioner's Office (ICO) for UK GDPR, and the California Privacy Protection Agency (CPPA) for CCPA enforcement. The Supervisory Authority has the legal power to investigate complaints, issue guidance, and impose penalties for non-compliance.

Data Subject Rights refer to the rights granted to individuals under applicable Data Protection Laws. These rights may include the right to access, rectify, delete, restrict, or transfer their Personal Data, as well as the right to object to processing and lodge complaints with a Supervisory Authority. The Service Provider assists Customers in facilitating the exercise of these rights when applicable.

3. Processing of Data

The Customer may act as either a Data Controller or a Data Processor, depending on its relationship with the Data Subject and the purposes for which Personal Data is processed. In all cases, ULTEH acts as a Data Processor, processing Personal Data on behalf of and under the instructions of the Customer.

The Customer is responsible for ensuring that all data processing activities conducted using our Services comply with Applicable Data Protection Laws, including but not limited to the General Data Protection Regulation (GDPR), UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable privacy regulations. The Customer acknowledges that it has the legal basis to process Personal Data and indemnifies us against any claims, liabilities, or damages resulting from non-compliance with these legal requirements.

We shall process Personal Data only in accordance with the Customer's written instructions and solely as required to provide the Services, unless otherwise mandated by law. We will not use, disclose, or share Personal Data for any purpose other than those authorized by the Customer or explicitly outlined in this Agreement.

Upon termination of the Agreement or the Customer's request, we shall, at the Customer's discretion, either: (a) Securely delete all Personal Data processed under this Agreement, ensuring that no copies remain unless required by law, or (b) Return the Personal Data to the Customer in a structured, commonly used, and machine-readable format before deletion. The Customer must provide such requests within a reasonable timeframe before termination.

If we are legally required to retain Personal Data beyond termination, we will notify the Customer (unless legally prohibited from doing so) and ensure that such data remains protected in compliance with Data Protection Laws.

4. Security and Confidentiality

ULTEH is committed to protecting the security and confidentiality of Personal Data processed on behalf of the Customer. To ensure data integrity and security, we implement and maintain industry-leading security measures designed to prevent unauthorized access, disclosure, alteration, or destruction of Personal Data.

These security measures include, but are not limited to:

• Data Encryption: Personal Data is encrypted both in transit and at rest using industry-standard encryption protocols to protect against unauthorized access.
• Access Controls: Strict access management policies ensure that only authorized personnel have access to Personal Data based on the principle of least privilege.
• Network and System Security: Firewalls, intrusion detection systems, and continuous monitoring help prevent unauthorized access and cyber threats.
• Data Anonymization and Pseudonymization: Where applicable, Personal Data may be anonymized or pseudonymized to reduce risks associated with data exposure.
• Regular Security Audits: We conduct periodic security assessments, vulnerability testing, and compliance checks to identify and mitigate risks.
• Incident Response Plan: A structured incident response protocol ensures that any security breach is promptly identified, mitigated, and reported in compliance with applicable Data Protection Laws.

Any individual, including employees, contractors, and authorized service providers, who processes Personal Data on our behalf is bound by strict confidentiality obligations. This includes signing legally enforceable non-disclosure agreements (NDAs) and adhering to internal data handling policies to ensure compliance with data privacy and security standards.

We will promptly notify the Customer of any confirmed security breach that may result in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data. Such notifications will include details of the incident, potential impact, and remediation efforts taken to mitigate risks.

We continuously review and update our security measures in accordance with evolving industry standards and regulatory requirements to ensure the ongoing protection of Customer data.

5. Sub-Processors

ULTEH may engage third-party Sub-Processors to assist in providing and maintaining the Services. These Sub-Processors perform specific functions such as data storage, infrastructure hosting, analytics, or customer support. We ensure that all engaged Sub-Processors adhere to strict data protection obligations equivalent to those outlined in this DPA.

We maintain an up-to-date list of Sub-Processors, including their roles and processing locations. Customers may request information about the current Sub-Processors at any time by contacting us.

Customer Rights & Objections:

• We will notify Customers of any new Sub-Processor engagements at least 10 days in advance.
• Customers may submit a written objection to the use of a new Sub-Processor within this 10-day period if they have legitimate data protection concerns.
• Upon receiving an objection, we will engage in good-faith discussions to address concerns, which may include finding alternative solutions.
• If a mutually acceptable resolution is not reached, the Customer may have the right to terminate the affected Services in accordance with the Agreement.

We remain fully responsible and liable for the actions of our Sub-Processors and ensure that they comply with:

• Data Protection Laws, including GDPR, CCPA, and other applicable regulations.
• Confidentiality agreements to protect Personal Data.
• Industry-standard security measures to prevent unauthorized access or misuse of data.

We reserve the right to update or replace our Sub-Processors as needed, with due consideration for Customer concerns and ongoing compliance obligations.

6. Transfers of Personal Data

ULTEH may transfer Personal Data outside the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to facilitate the provision of Services. When such transfers occur, we ensure that appropriate legal safeguards are in place to protect the transferred data in compliance with applicable Data Protection Laws.

We rely on recognized data transfer mechanisms, including but not limited to:

• Standard Contractual Clauses (SCCs): We incorporate SCCs approved by the European Commission or other competent authorities to ensure lawful data transfers.
• Supplementary Measures: Where necessary, we apply additional technical, organizational, and contractual safeguards to enhance data protection.
• Binding Corporate Rules (BCRs): When applicable, our affiliated entities adhere to BCRs ensuring a high level of data protection across international operations.
• Other Approved Transfer Mechanisms: We comply with any additional frameworks, certifications, or legal instruments recognized for lawful cross-border data transfers.

Customer Rights & Assistance: We are committed to assisting the Customer in ensuring compliance with the rights of Data Subjects under applicable Data Protection Laws. This includes, but is not limited to:

• Access Requests: Enabling Data Subjects to access their Personal Data.
• Rectification Requests: Allowing for corrections to inaccurate or incomplete data.
• Erasure Requests ("Right to be Forgotten"): Assisting with the deletion of Personal Data upon request, where legally permissible.
• Objection & Restriction of Processing: Supporting Data Subjects in exercising their rights to object to or restrict data processing activities.
• Data Portability: Facilitating the transfer of Personal Data to another data controller, where applicable.

We continuously monitor global privacy regulations to ensure compliance with cross-border data transfer requirements and will notify the Customer if changes in the legal framework impact our data processing obligations.

7. Data Subject Rights

ULTEH recognizes and respects the rights of Data Subjects under applicable Data Protection Laws. We will assist the Customer, as the Data Controller, in responding to requests from individuals regarding their Personal Data.

Data Subjects may exercise the following rights:

• Right of Access: The ability to request and obtain confirmation of whether their data is being processed, along with access to the data.
• Right to Rectification: The right to correct or update inaccurate or incomplete Personal Data.
• Right to Erasure ("Right to be Forgotten"): The right to request deletion of Personal Data, subject to legal and contractual obligations.
• Right to Restrict Processing: The ability to limit the processing of Personal Data under certain conditions.
• Right to Data Portability: The ability to obtain and transfer Personal Data to another service provider where technically feasible.
• Right to Object: The right to object to processing based on legitimate interests, direct marketing, or automated decision-making.
• Right to Withdraw Consent: If processing is based on consent, the Data Subject may withdraw consent at any time.

Customer Responsibilities: The Customer, acting as the Data Controller, is responsible for handling Data Subject requests. We will provide reasonable assistance upon request, ensuring that responses are handled promptly and in compliance with applicable laws.

We shall not respond directly to a Data Subject request unless legally required to do so or explicitly authorized by the Customer.

8. Data Breach Notification

ULTEH takes security seriously and implements preventative measures to safeguard Personal Data. However, in the event of a Personal Data Breach, we shall act swiftly and transparently.

Data Breach Response Plan: If we become aware of a confirmed Personal Data Breach that may result in the unauthorized access, loss, alteration, or disclosure of Personal Data, we will:

• Assess the impact of the breach and take immediate steps to mitigate risks.
• Notify the Customer without undue delay (typically within 48 hours of confirmation).
• Provide details including:
  • The nature and scope of the breach.
  • The type of data affected.
  • The potential consequences.
  • Measures taken or proposed to address the breach.
• Assist the Customer in fulfilling any regulatory obligations, including notifications to authorities and affected Data Subjects, where required.
• Implement corrective actions to prevent future breaches.

Customer Responsibilities: The Customer is responsible for determining whether to notify regulatory authorities and Data Subjects in compliance with applicable Data Protection Laws.

We shall document all breaches and maintain records of our investigation, mitigation efforts, and remediation actions.

9. Data Retention and Deletion

ULTEH retains Personal Data only for as long as necessary to fulfill its obligations under this Agreement or as required by applicable laws.

Data Retention Policy:

• We follow data minimization principles, ensuring that data is retained only for legitimate business and compliance needs.
• Data will be deleted or anonymized once it is no longer necessary for processing purposes.
• Retention periods may vary depending on legal, contractual, or regulatory requirements.

Customer-Controlled Data Deletion:

• Customers may request deletion of Personal Data at any time.
• Upon termination of services, we shall delete or return Personal Data in accordance with the Customer's instructions.
• If no deletion request is made, we will automatically delete Personal Data within a reasonable timeframe, unless legally required to retain it.

Exceptions to Data Deletion: In certain cases, we may retain Personal Data beyond the agreed retention period, including:

• To comply with legal obligations (e.g., tax, auditing, or regulatory requirements).
• For legitimate interests, such as fraud prevention or security investigations.
• When required by a binding legal request (e.g., court order).

We ensure that secure deletion procedures are followed, preventing any unauthorized recovery or misuse of Personal Data.

10. Governing Law and Dispute Resolution

This Data Processing Addendum (DPA) shall be governed by and interpreted in accordance with the same laws and jurisdiction as defined in the main agreement between ULTEH and the Customer.

Dispute Resolution Process: If any dispute arises regarding this DPA, both parties agree to follow a structured resolution process, including:

• Good-Faith Negotiation: The parties will first attempt to resolve disputes through direct discussions and negotiations.
• Mediation or Arbitration: If negotiation fails, the dispute may be referred to mediation or arbitration, as outlined in the main agreement.
• Legal Proceedings: If no resolution is reached, disputes may be settled through formal legal proceedings in the applicable jurisdiction.

In the event of any conflict between this DPA and the main agreement, the terms of this DPA shall take precedence solely concerning data protection matters, ensuring compliance with applicable Data Protection Laws.

11. Final Provisions

This Data Processing Addendum forms an integral part of the overall agreement between ULTEH and the Customer. By continuing to use the Services, the Customer acknowledges and accepts the terms of this DPA.

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The parties agree to replace any unenforceable provision with one that reflects the original intent as closely as possible while remaining compliant with applicable laws.

Amendments & Updates: We reserve the right to modify or update this DPA to reflect changes in applicable Data Protection Laws, industry practices, or operational needs. Customers will be notified of any material changes, and continued use of the Services constitutes acceptance of the updated terms.

Contact Information: For any questions, concerns, or to request a signed copy of this DPA, Customers may contact us at: [email protected].