Data Processing Agreement

Last updated: March 28, 2025

This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement") between

The legal entity or individual agreeing to the Principal Agreement (e.g., the EasyFindAi Terms of Service) which incorporates this DPA by reference
(the "Company" or "Data Controller")

and

DocumentFlow Ab

Örnvägen 22

AX-22150 Jomala, Åland Islands

(the "Data Processor" or "Processor")

(together as the "Parties")

WHEREAS

  • The Company acts as a Data Controller with respect to certain Personal Data.
  • The Company wishes to subcontract certain Services (as defined below), which imply the processing of Personal Data, to the Data Processor.
  • The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or "GDPR").
  • The Parties wish to lay down their rights and obligations concerning the processing of Personal Data under the Principal Agreement.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

  • "Agreement" means this Data Processing Agreement and all Appendices attached hereto;
  • "Company Personal Data" means the Lead Data (as defined below) Processed by the Data Processor on behalf of the Company pursuant to or in connection with the Principal Agreement;
  • "Contracted Processor" means a Sub-processor;
  • "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
  • "EEA" means the European Economic Area;
  • "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
  • "GDPR" means Regulation (EU) 2016/679 (the EU General Data Protection Regulation);
  • "Data Transfer" means:
    • a transfer of Company Personal Data from the Company to a Contracted Processor; or
    • an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor,

    in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of appropriate safeguards;

  • "Lead Data" means the Personal Data collected through the chatbot provided via the Services on behalf of the Company, typically including Full Name and Email Address of the Company's website visitors (Data Subjects);
  • "Services" means the provision of the EasyFindAi software-as-a-service platform, including hosting, maintenance, and support, which enables the Company (Customer) to deploy an AI-powered chatbot on its website(s) for the purpose of interacting with end-users and collecting Lead Data based on the Company's configuration and instructions, accessible via the website https://www.easyfindai.com/ or associated applications;
  • "Sub-processor" means any third party appointed by or on behalf of the Data Processor to process Company Personal Data in connection with this Agreement and the Principal Agreement.

1.2 The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Company Personal Data

2.1 Processor shall:

  • comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
  • not Process Company Personal Data other than on the Company's documented instructions, unless required to do so by Union or Member State law to which the Processor is subject.

2.2 The Company instructs Processor to Process Company Personal Data only for the provision of the Services, as further detailed in Appendix 1 (Details of Processing) to this Agreement. Processor shall Process Company Personal Data only on documented instructions from the Company, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Company of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Principal Agreement and this Agreement constitute the Company's initial documented instructions regarding the Processing of Company Personal Data.

3. Processor Personnel

Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. Such measures shall include, without limitation, those measures specified in Appendix 2 (Security Measures) to this Agreement.

4.2 In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Company Personal Data transmitted, stored or otherwise Processed (a "Personal Data Breach").

5. Sub-processing

5.1 The Company grants the Processor general written authorisation pursuant to Article 28(2) of the GDPR to engage Sub-processors to process Company Personal Data for the provision of the Services. The Processor shall maintain an up-to-date list of its Sub-processors, which is provided in Appendix 3 (Sub-processors) to this Agreement.

5.2 The Processor shall inform the Company of any intended changes concerning the addition or replacement of other Sub-processors at least 14 days prior to the engagement of the Sub-processor, thereby giving the Company the opportunity to object to such changes in writing within 7 days after being informed. Objections must be reasonable and based on documented data protection concerns. If the Company objects, the Parties shall negotiate in good faith to find a resolution. If no resolution is found within a reasonable timeframe, the Company may terminate the Principal Agreement upon written notice to the Processor. If the Company does not object within the specified timeframe, the change shall be deemed accepted.

5.3 Where the Processor engages a Sub-processor for carrying out specific Processing activities on behalf of the Company, the Processor shall impose data protection obligations upon that Sub-processor, by way of a contract, that are equivalent to those set out in this Agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR (pursuant to Article 28(4) GDPR).

5.4 The Processor shall remain fully liable to the Company for the performance of that Sub-processor's data protection obligations.

6. Data Subject Rights

6.1 Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company's obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws (as set out in Chapter III of the GDPR).

6.2 Processor shall:

  • promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
  • ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request. The Company shall be responsible for responding to all such Data Subject requests directed to the Company.

7. Personal Data Breach

7.1 Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information (as it becomes available) to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. Such notification shall at least:

  • describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned;
  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • describe the likely consequences of the Personal Data Breach;
  • describe the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

7.2 Processor shall co-operate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

Processor shall provide reasonable assistance to the Company, at the Company's cost, with any data protection impact assessments (pursuant to Article 35 GDPR), and prior consultations with Supervisory Authorities or other competent data privacy authorities (pursuant to Article 36 GDPR), which Company reasonably considers to be required by Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

9. Deletion or Return of Company Personal Data

9.1 Upon termination of the Principal Agreement, or earlier upon written request from the Company, the Processor shall, at the choice of the Company, securely delete or return all Company Personal Data to the Company, and delete existing copies unless Union or Member State law requires storage of the Personal Data.

9.2 Notwithstanding section 9.1, the Processor provides the Company with controls within the Service dashboard to delete specific Company Personal Data (Lead Data). Deletion via these controls is immediate or near-immediate. Upon termination of the Principal Agreement, all associated Company Personal Data will be deleted by the Processor in accordance with its standard data deletion timelines within 30 days, unless otherwise required by law. The Processor shall provide certification of deletion upon the Company's request.

10. Audit Rights

10.1 Subject to this section 10, Processor shall make available to the Company on request all information reasonably necessary to demonstrate compliance with its obligations under this Agreement and Article 28 of the GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Company or another auditor mandated by the Company (provided such auditor is bound by appropriate confidentiality obligations), provided that such audits are:

  • conducted with reasonable prior written notice (at least 30 days, unless a shorter period is required due to a Personal Data Breach);
  • conducted during the Processor's regular business hours;
  • limited in scope to matters covered by this Agreement relevant to the Processing of Company Personal Data;
  • conducted in a manner that minimizes disruption to the Processor's business operations; and
  • limited to once per calendar year, unless a documented Personal Data Breach or instruction from a competent Supervisory Authority necessitates further inspection.

10.2 Information and audit rights of the Company only arise under section 10.1 to the extent that the Agreement does not otherwise give the Company information and audit rights meeting the relevant requirements of Data Protection Law.

10.3 The Processor may satisfy its audit obligations under this section by providing an up-to-date third-party audit report (e.g., SOC 2, ISO 27001) where available and relevant to the Services, subject to appropriate confidentiality obligations. The Company shall bear its own costs related to any audit or inspection.

11. Data Transfer

11.1 The Company acknowledges and agrees that, in the provision of the Services, the Processor may engage Sub-processors (as listed in Appendix 3) located outside the European Economic Area (EEA).

11.2 The Processor shall ensure that any transfer of Company Personal Data to a country outside the EEA by the Processor or its Sub-processors is subject to appropriate safeguards as required by Data Protection Laws. These safeguards may include:

  • Transferring data to a country deemed to provide an adequate level of protection by the European Commission; or
  • Implementing Standard Contractual Clauses (SCCs) adopted or approved by the European Commission between the exporter and the importer of the data; or
  • Relying on Binding Corporate Rules (BCRs) approved by competent supervisory authorities.

11.3 Where transfers rely on SCCs, the Processor shall ensure such SCCs are in place with the relevant Sub-processors and shall provide copies to the Company upon reasonable request.

12. General Terms

12.1 Confidentiality

Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement ("Confidential Information") confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

  • disclosure is required by law;
  • the relevant information is already in the public domain other than through a breach of this Agreement;
  • disclosure is reasonably required by the Party's professional advisors or insurers provided they are bound by confidentiality obligations.

12.2 Notices

All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties changing address. Notices sent by email are deemed received on the day of transmission if sent during normal business hours, otherwise on the next business day.

13. Governing Law and Jurisdiction

13.1 This Agreement is governed by the laws of Finland.

13.2 Any dispute arising in connection with this Agreement which the Parties are unable to resolve amicably will be submitted to the exclusive jurisdiction of the courts of the Åland Islands.

14. Agreement and Acceptance

14.1 This Data Processing Agreement forms an integral part of, and is incorporated by reference into, the Principal Agreement (e.g., the EasyFindAi Terms of Service) entered into between the Company and the Data Processor.

14.2 By accepting or agreeing to the Principal Agreement (for example, by clicking an acceptance button such as "I Agree" or checking a box during the Service registration, purchase, or login process), the Company confirms its agreement to be legally bound by the terms of this DPA.

14.3 This DPA is effective from the date the Company accepts the Principal Agreement incorporating this DPA.

14.4 The current version of this DPA is available for review at: https://www.easyfindai.com/dpa. The Data Processor reserves the right to update this DPA as required, subject to the notification provisions in the Principal Agreement.

Appendix 1: Details of Processing

(a) Subject-matter of Processing:

The provision of the EasyFindAi chatbot service as defined in the Principal Agreement and this DPA, enabling the Company to collect Lead Data from Data Subjects interacting with the chatbot on the Company's website(s).

(b) Duration of Processing:

For the term of the Principal Agreement between the Company and the Data Processor, plus any period required for the deletion of Company Personal Data as specified in Section 9 of this DPA.

(c) Nature and Purpose of Processing:

Collection, storage, retrieval, and management of Lead Data submitted by Data Subjects via the chatbot interface. Processing is performed solely to enable the Company to access and manage leads generated through the Service (e.g., for follow-up, demo scheduling, inquiry responses, as determined by the Company). Processing includes secure storage within the Service platform, providing access to the Company via a secure dashboard, and secure deletion upon instruction or termination.

(d) Type of Personal Data:

Lead Data, consisting of:

  • Full Name
  • Email Address

(e) Categories of Data Subjects:

Visitors and end-users of the Company's website(s) who interact with the EasyFindAi chatbot and voluntarily submit their Personal Data (Lead Data).

Appendix 2: Security Measures

The Data Processor implements and maintains the following technical and organizational security measures to protect Company Personal Data:

  1. Encryption:
    • Encryption of Company Personal Data in transit using industry-standard protocols (e.g., TLS 1.2 or higher).
    • Encryption of Company Personal Data at rest within the database (PlanetScale).
  2. Access Control:
    • Use of a secure authentication service (Clerk) to manage access to the Service dashboard for authorized Company personnel.
    • Role-based access controls to limit access to Company Personal Data within the Data Processor's systems to personnel with a legitimate need-to-know.
    • Regular review of access privileges.
  3. Infrastructure Security:
    • Use of reputable cloud infrastructure providers (AWS, Vercel, PlanetScale) with robust physical and network security measures.
    • Implementation of firewalls, intrusion detection/prevention systems where appropriate.
    • Regular patching and vulnerability management for systems involved in processing Company Personal Data.
  4. Data Minimization:
    • Processing only the Company Personal Data necessary for the provision of the Services (Full Name, Email Address).
  5. Personnel Security:
    • Confidentiality agreements with personnel who have access to Company Personal Data.
    • Training for relevant personnel on data protection and security obligations.
  6. Breach Detection and Response:
    • Monitoring systems for potential security incidents.
    • Established incident response plan to address Personal Data Breaches in accordance with Section 7 of this DPA.
  7. Secure Development:
    • Incorporating security considerations into the software development lifecycle.
  8. Deletion:
    • Secure deletion processes for Company Personal Data upon instruction or termination as outlined in Section 9 of this DPA.

(Note: This list should accurately reflect your measures. Add or remove items as necessary after review with your technical team and legal counsel).

Appendix 3: Sub-processors

The Company provides general written authorisation for the Data Processor to engage the following Sub-processors for the provision of the Services:

Sub-processor Name        | Service Provided                                                  | Primary Processing Location(s)
Amazon Web Services (AWS) | Cloud Infrastructure Services                                     | EU (e.g., Frankfurt), Global
Vercel, Inc.              | Application Hosting & CDN                                         | Sweden
PlanetScale, Inc.         | Database Hosting (including encrypted Lead Data)                  | Storage: EU (Frankfurt); Provider Entity: US
Google                    | LLM API Processing (User Prompts for AI Response Generation)      | Global (Check Google's specific API terms)
Clerk                     | Customer Account Authentication & Management (Does NOT process Lead Data) | US
Neo4j                     | Graph Database (Not used for Lead Data)                           | Belgium

(Note: Ensure this list is accurate and kept up-to-date. Specify the Email Provider. Confirm locations with providers if possible. You might link to this list on your website instead of embedding it directly, as allowed in Section 5.1).