DATA PROCESSING ADDENDUM

FOR USA CUSTOMERS

This Data Processing Addendum ("Addendum") is entered into as of the Effective Date by and between the parties to the Trust Codes Global Limited Standard Agreement ("Parties") and supplements the terms and conditions of the existing agreement ("Agreement") between the Parties where the Customer is based in the United States of America or operates and collects data in the United States of America.

1. Definitions

  • 1.1 Controller means the entity that determines the purposes and means of the processing of Personal Data.
  • 1.2 Processor means the entity, usually Trust Codes Global Limited, that processes Personal Data on behalf of the Controller.
  • 1.3 Personal Data means any information relating to an identified or identifiable natural person that is processed under the Agreement, excluding any data that is subject to regulatory exceptions.
  • 1.4 Processing means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
  • 1.5 Sub-processor means any third party appointed by or on behalf of the Processor to process Personal Data.

2. Scope and Processing of Personal Data

  • 2.1 The Processor shall process Personal Data only on behalf of the Controller and in accordance with the terms of the Agreement and this Addendum.
  • 2.2 The Processor shall process Personal Data only for the specific purposes outlined in the Agreement or as otherwise instructed in writing by the Controller.
  • 2.3 The Processor shall not process Personal Data for any purpose other than as required to fulfill its obligations under the Agreement.

3. Compliance with Laws

  • 3.1 Each Party shall comply with all applicable data protection laws and regulations, including but not limited to the California Consumer Privacy Act (CCPA) and other relevant federal and state privacy laws.
  • 3.2 The Processor shall promptly notify the Controller if it believes that an instruction violates any applicable law.

4. Security Measures

  • 4.1 The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
  • 4.2 The Processor shall ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.

5. Sub-processing

  • 5.1 The Processor shall not engage a Sub-processor without prior written consent of the Controller.
  • 5.2 If the Controller provides such consent, the Processor shall ensure that the Sub-processor complies with obligations equivalent to those set forth in this Addendum.

6. Data Subject Rights

  • 6.1 The Processor shall assist the Controller in responding to data subject requests, including requests for access, correction, deletion, or portability of Personal Data.
  • 6.2 The Processor shall notify the Controller promptly upon receiving a data subject request and shall not respond directly unless authorized to do so by the Controller.

7. Data Breach Notification

  • 7.1 The Processor shall notify the Controller without undue delay and, where feasible, within 48 hours after becoming aware of a data breach affecting Personal Data.
  • 7.2 Such notification shall include details of the nature of the breach, the categories and approximate number of affected individuals, and any measures taken to mitigate the impact.

8. Data Retention and Deletion

  • 8.1 The Processor shall retain Personal Data only for as long as required to fulfill its obligations under the Agreement.
  • 8.2 Upon termination or expiration of the Agreement, the Processor shall, at the Controller's discretion, either delete or return all Personal Data and certify the deletion.

9. Audits and Inspections

  • 9.1 The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.
  • 9.2 The Processor shall make available all information necessary to demonstrate compliance with its obligations under this Addendum.

10. Indemnification

  • 10.1 The Processor shall indemnify and hold harmless the Controller against any claims, damages, or fines arising from the Processor's non-compliance with this Addendum.

11. Governing Law and Jurisdiction

  • 11.1 This Addendum shall be governed by and construed in accordance with the laws of New Zealand.

12. Miscellaneous

  • 12.1 In the event of any conflict between the terms of this Addendum and the Agreement, the terms of this Addendum shall prevail with respect to data protection.
  • 12.2 This Addendum shall be effective as of the Effective Date of the Agreement between you and Trust Codes Global Limited and shall remain in force until termination or expiration of the Agreement.

GDPR DATA PROCESSING ADDENDUM

This GDPR Data Processing Addendum ("Addendum") is entered into as of the Effective Date by and between the parties to the Trust Codes Global Limited Standard Agreement ("Parties") and supplements the terms and conditions of the Trust Codes Global Limited Standard Agreement ("Agreement") between the Parties. By using any Trust Codes Global Limited Services or Products, you accept these data addendums.

1. Definitions

  • 1.1 "Controller" means the entity that determines the purposes and means of the processing of Personal Data and usually means you, the Customer.
  • 1.2 "Processor" means Trust Codes Global Limited, which processes Personal Data on behalf of the Controller.
  • 1.3 "Personal Data" means any information relating to an identified or identifiable natural person that is processed under the Agreement.
  • 1.4 "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
  • 1.5 "Sub-processor" means any third party appointed by or on behalf of the Processor to process Personal Data.
  • 1.6 "Legitimate Interest" means the lawful basis under Article 6(1)(f) of the GDPR allowing the processing of Personal Data where it is necessary for the purposes of the legitimate interests pursued by the Controller or a third party.

2. Scope and Processing of Personal Data

  • 2.1 The Processor shall process Personal Data only on behalf of the Controller and in accordance with the terms of the Agreement and this Addendum.
  • 2.2 The Processor shall process Personal Data only for the specific purposes outlined in the Agreement or as otherwise instructed in writing by the Controller.
  • 2.3 The Parties acknowledge that Personal Data may be collected and processed under the legitimate interest exception, ensuring that such processing does not override the fundamental rights and freedoms of the data subjects.
  • 2.4 The Processor shall ensure that where Personal Data is processed under the legitimate interest basis, an appropriate balancing test is conducted in relation to the Services and Products provided by the Processor.

3. Compliance with Laws

  • 3.1 Each Party shall comply with all applicable data protection laws and regulations, including but not limited to the General Data Protection Regulation (GDPR).
  • 3.2 The Processor shall promptly notify the Controller if it believes that an instruction violates any applicable law.

4. Security Measures

  • 4.1 The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
  • 4.2 The Processor shall ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.

5. Sub-processing

  • 5.1 The Processor shall not engage a Sub-processor without prior notification to the Controller.
  • 5.2 The Processor shall ensure that the Sub-processor complies with obligations equivalent to those set forth in this Addendum.

6. Data Subject Rights

  • 6.1 The Processor shall assist the Controller in responding to data subject requests, including requests for access, correction, deletion, or portability of Personal Data.
  • 6.2 The Processor shall notify the Controller promptly upon receiving a data subject request and shall not respond directly unless authorized to do so by the Controller.

7. Data Breach Notification

  • 7.1 The Processor shall notify the Controller without undue delay and, where feasible, within 48 hours after becoming aware of a data breach affecting Personal Data.
  • 7.2 Such notification shall include details of the nature of the breach, the categories and approximate number of affected individuals, and any measures taken to mitigate the impact.

8. Data Anonymization and Cross-Border Transfers

  • 8.1 The Processor shall implement data anonymization techniques to ensure that data stored outside the European Union (EU) does not constitute Personal Data under the GDPR.
  • 8.2 The Processor shall ensure that any transfers of Personal Data outside of the EU comply with GDPR requirements, including the use of Standard Contractual Clauses (SCCs) or other appropriate safeguards.

9. Data Retention and Deletion

  • 9.1 The Processor shall retain Personal Data only for as long as required to fulfill its obligations under the Agreement and for the broader legitimate purposes of data collection.
  • 9.2 Upon termination or expiration of the Agreement, the Processor shall, at the Controller's discretion, either delete or return all Personal Data and certify the deletion.

10. Audits and Inspections

  • 10.1 The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.
  • 10.2 The Processor shall make available all information available and necessary to demonstrate compliance with its obligations under this Addendum.

11. Governing Law and Jurisdiction

  • 11.1 This Addendum shall be governed by and construed in accordance with the laws of the European Union and the jurisdiction specified in the Agreement.

12. Miscellaneous

  • 12.1 In the event of any conflict between the terms of this Addendum and the Agreement, the terms of this Addendum shall prevail with respect to data protection.
  • 12.2 This Addendum shall be effective as of the Effective Date of the Agreement and shall remain in force until termination or expiration of the Agreement.