Data Processing Addendum

This Pollination Data Processing Addendum forms part of and is subject to the provisions of, the Pollination Terms of Service.

1. Definitions

The following definitions apply solely to this Data Processing Addendum:

(a) "Data Protection Legislation" means European Directives 95/46/EC and 2002/58/EC, and any legislation and/or regulation implementing or made pursuant to them, or which amends or replaces any of them (including the General Data Protection Regulation, Regulation (EU) 2016/679).

(b) "Data Processor", "Data Subject", "Processor", "Processing", "Sub-Processor" and "Supervisory Authority" be interpreted in accordance with applicable Data Protection Legislation.

(c) "Your Controlled Data" as used in this Addendum means information relating to an identifiable or identified Data Subject, which Pollination Processes as a Data Processor in the course of providing you with the Services.

(d). "Breach" means a breach of the security measures resulting in access to Pollination's equipment or facilities storing Your Controlled Data and the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Your Controlled Data transmitted, stored, or processed by Pollination on your behalf and instructions through the Services.

2. Applicability

This Data Processing Addendum only applies to you if you or your customers are data subjects located within the EU and only applies in respect of Your Controlled Data. You agree that Pollination is not responsible for personal data that you have elected to process through Third Party Services or outside of the Services, including the systems of any other third-party cloud services, offline or on-premises storage.

3. Data Protection

When Pollination Processes Personal Data in the course of providing the Services, Pollination will:

• 3.1. implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected;

• 3.2. notify you promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Data Subject or Supervisory Authority relating to Pollination's Processing of the Personal Data;

• 3.3. notify you promptly upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data;

• 3.4. ensure that its personnel who access the Personal Data are subject to confidentiality obligations that restrict their ability to disclose the Customer Personal Data; and

• 3.5. upon the termination of the Agreement, Pollination will promptly initiate its purge process to delete or anonymize the Personal Data.

4.Processing Roles and Activities

4.1 Pollination as Processor and You as Controller

You are the controller and Pollination is the processor of Your Controlled Data.

4.2 Pollination as Controller

Pollination may also be an independent controller for some personal data relating to you. Please see our Privacy Policy and Terms of Service for details about this personal data which we control.

4.3 Description of Processing Activities

We will process Your Controlled Data for the purpose of providing you with the Services, as may be used, configured, or modified from within your Account (the “Purpose”).

4.4 Compliance with Laws

You will ensure that your instructions comply with all laws, regulations, and rules applicable in relation to Your Controlled Data and that Your Controlled Data is collected lawfully by you or on your behalf and provided to us by you in accordance with such laws, rules, and regulations. You will also ensure that the processing of Your Controlled Data in accordance with your instructions will not cause or result in us or you breaching any laws, rules, or regulations. You are responsible for reviewing the information available from us relating to data security pursuant to the Agreement and making an independent determination as to whether the Services meet your requirements and legal obligations as well as your obligations under this Data Processing Addendum. Pollination will not access or use Your Controlled Data except as provided in the Agreement, as necessary to maintain or provide the Services or as necessary to comply with the law or binding order of a governmental, law enforcement, or regulatory body.

5. Our Processing Responsibilities

5.1 How We Process

We warrant that we will process Your Controlled Data for the Purpose, only, and in accordance with requirements of the GDPR including without limitations its Article 28 and Article 32, respectively, the the Agreement or instructions you give us through your Account. Additional instructions outside the scope of this Data Processing Addendum require a prior written agreement between you and us, including the agreement on any additional fees payable by you to us for carrying out such instructions.

5.2 Data Transfer

If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the parties shall ensure that the personal data are adequately protected. To achieve this, the parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.

5.3 Notification of Breach

We will provide you notice without undue delay after becoming aware of and confirming the occurrence of a Breach for which notification to you is required under applicable Data Protection Legislation. We will, to assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, provide you with such information about the Breach as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information such as for confidentiality. Our obligation to report or respond to a Breach under this Section is not and will not be construed as an acknowledgment by Pollination of any fault or liability of Pollination with respect to the Breach. Despite the foregoing, Pollination's obligations under this Section do not apply to incidents that are caused by you, any activity on your Account, and/or Third-Party Services.

5.4 Sub-Processors

1. We warrant that we will meet the requirements specified in Article 28(2) and (4) GDPR in order to engage another processor (a sub-processor).

2. We will therefore not engage another processor (sub-processor) for the fulfillment of the DPA without the prior general written authorization of the data controller.

3. You give us the general authorization for the engagement of sub-processors. We shall inform you in writing of any intended changes concerning the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving you the opportunity to object to such changes prior to the engagement of the concerned sub-processor(s). The list of sub-processors already authorized by the data controller can be found in the Subprocessors document.

4. Where we engage a sub-processor for carrying out specific processing activities on behalf of you, the same data protection obligations as set out in the DPA shall be imposed on that sub-processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the DPA and the GDPR.

5. A copy of such a sub-processor agreement and subsequent amendments shall – at your request – be submitted to you, thereby giving the data controller the opportunity to ensure that the same data protection obligations as set out in the DPA are imposed on the sub-processor. DPA on business related content that do not affect the legal data protection content of the sub-processor agreement, shall not require submission to the data controller.

6. If the sub-processor does not fulfil his data protection obligations, we remain fully liable to you for the fulfillment of the obligations of the sub-processor. This does not affect the rights of the data subjects under the GDPR – in particular those foreseen in Articles 79 and 82 GDPR – against neither you nor us, including the sub-processor.

6. Liability

The liability of each party under this Data Processing Addendum is subject to the exclusions and limitations of liability set out in the Agreement. You agree that any regulatory penalties or claims by data subjects or others incurred by Pollination in relation to Your Controlled Data that arise as a result of, or in connection with, your failure to comply with your obligations under this Data Processing Addendum or Data Protection Legislation shall reduce Pollination's maximum aggregate liability to you under the Agreement in the same amount as the fine and/or liability incurred by us as a result.

7. Conflict

In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail. For the avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Agreement. You acknowledge and agree that Pollination may amend this Addendum from time to time by posting the relevant amended and restated Addendum and such amendments to the Addendum are effective as of the date of posting. Your continued use of the Services after the amended Addendum is posted to Pollination's website constitutes your agreement to, and acceptance of, the amended Addendum. If you do not agree to any changes to the Addendum, do not continue to use the Service.

8. Miscellaneous

You are responsible for any costs and expenses arising from Pollination's compliance with your instructions or requests pursuant to the Agreement (including this Data Processing Addendum) which fall outside the standard functionality made available by Pollination generally through the Services.