PERSONAL DATA PROCESSING AGREEMENT

1. PARTIES AND THEIR STATUS
   1. The Parties are JABLOTRON CLOUD Services s.r.o., ., reg. No.: 047 86 645, with its registered office at U Přehrady 3204/61, Mšeno nad Nisou, 466 02 Jablonec nad Nisou, Czech Republic, registered in the Commercial Register administered by the Regional Court in Ústí nad Labem, section C, file No. 36983, as the data processor (“Processor”), and a User under the General Terms and Conditions for the Use of Cloud JABLOTRON (“TCU”) in the position of Personal Data controller “Controller”).
2. PURPOSE AND SUBJECT-MATTER OF THE AGREEMENT
   1. The purpose of this Agreement is to ensure proper and lawful processing of Personal Data by the Processor for the Controller and especially to ensure processing in principle on the basis of documented instructions of the Controller.
   2. The Controller collects or otherwise processes Personal Data when using its Account or using the Services or in connection with these activities. The subject-matter of this Agreement is the obligation of the Processor to carry out, under the conditions and according to the instructions of the Controller, processing of the Personal Data specified for the Controller, and the corresponding obligation of the Controller to provide the Processor with all necessary instructions in a proper and timely manner. This Agreement is concluded as free of charge.
   3. The Personal Data in question are captured by Software, Modules and Applications used by the Controller in Cloud JABLOTRON when using specific Services and when using the Devices associated with the Services.
   4. The scope and type of Personal Data subject to processing as well as the categories of Data Subjects whose personal data are processed, and the purpose of processing are specified below in this Agreement.
   5. Purpose of processing. The Processor processes the disclosed Personal Data only for the purpose of providing the Services used by the Controller on the basis of a special contractual arrangement between the Parties, the content of which is set out in the General Terms and Conditions for the Use of Cloud JABLOTRON, to which the Controller has consented together with the conclusion of this Agreement, as well as in the relevant terms and conditions of provision of each Service. The purpose of the processing is thus determined by the Controller’s decision on the use of each Service. Where capitalized terms in this Agreement are not defined in the Agreement, they have the meaning specified in the TCU or in the relevant terms and conditions for the provision of each Service.
   6. Scope of processing. The scope of processing is determined by the technical capabilities of Cloud JABLOTRON, the functionalities and settings of the relevant Service used by the Controller. Cloud JABLOTRON includes a database for the collection and processing of Personal Data necessary for the provision of individual Services by the Processor to the Controller in accordance with the TCU.
   7. Nature of processing. Processing consists in automatically storing data containing Personal Data in Cloud JABLOTRON, backing them up, restoring them and ensuring access to such data by authorised persons in accordance with the TCU and the technical set-up of Cloud JABLOTRON.
3. PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE MYJABLOTRON SERVICE
   1. The purpose of Personal Data Processing for the Controller in the MyJABLOTRON Service is:
      1. technical support of the Controller’s ability to grant access to its Devices to other Users;
      2. processing of photographic records taken by the Controller’s Devices according to the set-up of each Device; and
      3. processing of events received to Cloud JABLOTRON from individual Devices.
   2. Furthermore, in the use of the MyCOMPANY Module, the Purpose of Personal Data Processing is:
      1. management of End Users’ Devices;
      2. management of customer portfolio;
      3. communication or conduct of the Controller towards the Processor or Related Parties;
      4. access to technical support resources of the Provider and Related parties, including technical materials and software tools for setting up and servicing Devices;
      5. management of offers for Device installation;
      6. use of bonus offers, ordering Devices and services from the Controller or Related Parties.
   3. Furthermore, in the use of the JA PARTNER Module, the Purpose of Personal Data Processing is:
      1. setting up, activation, configuration and, where applicable, deactivation and cancellation of Accounts of Installation Partners, Installers and, in some cases, End Users;
      2. registration of Devices to Cloud JABLOTRON and their decommissioning;
      3. setting up or terminating communication of registered Devices to Cloud JABLOTRON;
      4. remote configuration of Devices;
      5. remote execution of tasks for Installation Partners and their cooperating Installers and End Users;
      6. granting other Users the authority to set up Account of End Users and other persons and where the Processor has agreed with the Controller:
      7. operation of the Alarm Receiving Center (ARC);
      8. enabling access to technical support resources of the Provider and Related parties;
      9. provision of information about the availability of individual Cloud JABLOTRON services.
   4. In providing the MyJABLOTRON Service to the Controller, the Processor processes, depending on the settings of the Controller’s Account and the manner and extent of the Controller’s use of the Service:
      1. the following types of Personal Data:
         1. ID of another User to whom the Controller has granted permission to access the Device;
         2. email address of another User to whom the Controller has granted permission to access the Device; and
         3. photographic records from the Device (the appearance of a natural person);
         4. records of events detected by the Device,
      2. the following Data Subjects:
         1. another User to whom the Controller has granted permission to access the Device;
         2. a natural person recorded by the Device;
         3. a natural person handling the Device.
   5. In the event that the Controller also uses the MyCOMPANY Module as part of the MyJABLOTRON Service, the Processor also processes, in providing the MyJABLOTRON Service based on the setup of the Controller’s Account and on the way the Controller uses the Service:
      1. the following types of Personal Data:
         1. name and surname;
         2. date of birth;
         3. phone number;
         4. address;
         5. email address;
         6. Reg. No.;
         7. VAT reg. No.;
         8. phone number of the Device;
         9. registration code of the Device;
         10. IP address;
         11. User ID;
         12. photos of the premises, including the physical appearance of persons depicted in them;
         13. GPS of the guarded premises;
         14. address of the guarded premises;
         15. description of the guarded premises:
         16. vehicle registration number,
      2. the following Data Subjects:
         1. natural person – a potential customer of the Controller;
         2. natural person – a customer of the Controller;
         3. natural person – an employee of the Controller;
   6. In the event that the Controller also uses the JA PARTNER Module as part of the MyJABLOTRON Service, the Processor also processes, in providing the MyJABLOTRON Service based on the setup of the Controller’s Account and on the way the Controller uses the Service:
      1. the following types of Personal Data:
         1. name and surname;
         2. date of birth;
         3. phone number;
         4. address;
         5. email address;
         6. Reg. No.;
         7. VAT reg. No.;
         8. phone number of the Device;
         9. registration code of the Device;
         10. IP address;
         11. User ID;
         12. GPS of the guarded premises;
         13. address of the guarded premises;
         14. description of the guarded premises:
         15. vehicle registration number,
         16. physical appearance of persons;
         17. video recordings made by the Device;
         18. physical appearance of persons depicted in them; and
         19. if the ARC Service is also used, photos of the premises, including the physical appearance of the people depicted in them,
      2. the following Data Subjects:
         1. natural person – a potential customer of the Controller;
         2. natural person – a customer of the Controller;
         3. natural person – an employee of the Controller;
4. PROCESSING OF PERSONAL DATA IN CONNECTION WITH VIDEO SERVICES
   1. The purpose of the processing of Personal Data in the context of the acquisition of Video Sequences and other recordings in the context of the Video Services (currently LIVE, LIVE+, RECORD3 and RECORD7) is to use the information and recordings to identify individuals in connection with certain actions captured by the Camera based on the activation of the recording system according to the Controller’s settings.
   2. In providing the Video Services, the Processor processes, depending on the settings of the Controller’s Account and the manner of the Controller’s use of the Service:
      1. the following types of Personal Data:
         1. video recordings showing the physical appearance of persons in the monitored areas;
         2. information on the movement and location of persons;
         3. vehicle registration numbers;
         4. User ID;
         5. Device location;
         6. MAC address of the Device;
         7. Device name,
      2. the following Data Subjects:
         1. a natural person whose physical appearance is captured by the Controller’s Device.
5. PERSONAL DATA PROCESSING IN CONNECTION WITH THE DRIVER’S LOG SERVICE
   1. The purpose of Personal Data processing in the context of the Driver’s Log Service is in particular the protection and management of property and the keeping of records of journeys in accordance with tax regulations, occupational health regulations or other generally binding legal regulations.
   2. In providing the Driver’s Log Service, the Processor processes, depending on the settings of the Controller’s Account and the manner of the Controller’s use of the Service:
      1. the following types of Personal Data
         1. driver’s log data and their history;
         2. vehicle traffic data, including location data;
         3. name and surname of the person to whom the vehicle has been entrusted,
      2. the following Data Subjects:
         1. natural person who uses the vehicle for which the Controller uses the Driver’s Log Service.
6. OBLIGATIONS OF THE CONTROLLER
   1. The Controller undertakes to:
      1. process only Personal Data for the processing of which the Controller has a legal basis under the Applicable Regulations;
      2. collect and process only Personal Data that are accurate and fit for purpose and the scope is necessary to fulfil the stated purpose;
      3. fulfil its obligation to inform all Data Subjects whose Personal Data are processed and to provide the Data Subjects with all information in a concise, transparent, easy to understand and easily accessible manner using clear and plain language, and to make all communications required by the GDPR and other Applicable Regulations;
      4. act as a point of contact for Data Subjects;
      5. bear liability for the conduct of persons to whom the Controller provided permission to the Controller’s Account and Applications, in particular, for the fact they will act in accordance with Applicable Regulations, this Agreement and the TCU.
7. OBLIGATIONS OF THE PROCESSOR
   1. The Processor undertakes to:
      1. process Personal Data only on the basis of documented instructions from the Controller in the form of its settings in the Account, within the technical capabilities of Cloud JABLOTRON;
      2. maintain confidentiality about the Personal Data processed, in particular not to publish, disseminate or disclose Personal Data to other persons except persons employed by the Processor or other authorised persons entrusted with the processing of Personal Data in accordance with this Agreement;
      3. ensure that all persons involved in the processing are bound by confidentiality obligations, including Processor’s employees and other processors;
      4. adopt technical and organisational measures taking into account the nature of the processing in order to enable the Controller to respect the rights of the Data Subjects and to achieve security for the Personal Data processed, in particular to prevent unauthorised or random access to, alteration, destruction or loss of Personal Data, unauthorised transfers, other unauthorised processing of the data as well as other misuse, and to ensure, in terms of staff and organisational measures, that all obligations of the Data Processor arising from the Applicable Data Protection Regulations;
      5. keep records of the processing;
      6. dispose of the results of the processing and all media containing Personal Data and delete existing copies no later than one month after the termination of this Agreement, with the exception of Personal Data contained in backups not searchable without the data being recovered and with their own erasure period set, and Personal Data the Processor is authorised to process by law;
      7. notify the Controller without undue delay if the Processor finds that the Controller is in breach of the Controller’s obligations as stipulated by the Applicable Data Protection Regulations;
      8. at the request of the Controller, at any time allow an audit or inspection regarding the processing of Personal Data, whereby this step will be charged at an hourly rate according to the Processor’s current price list;
      9. assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR (especially the security of processing, reporting of data breaches, Personal Data impact assessment, and previous consultation);
      10. provide the Controller with all the information needed to show that the obligations set out in Article 28 of the GDPR have been met, and allow audits, including inspections, performed by the Controller or by another auditor commissioned by the Controller, and contribute to such audits.
   2. The Processor will ensure at least the following technical and organisational measures:
      1. protection of access rights to personal data in the Cloud JABLOTRON so that unauthorised persons do not gain access to it and cannot use it;
      2. regular backup of data related to personal data in Cloud JABLOTRON;
      3. adequate measures against data loss, data unavailability or malware infection;
      4. encryption of data containing Personal Data and, if encryption is not possible for some data, setting a policy for access and other rights;
      5. adoption and continuous verification (audit) of measures to ensure confidentiality, integrity, availability and resilience of Cloud JABLOTRON and the Services provided;
      6. adoption and continuous verification (audit) of measures to ensure timely availability and access to Personal Data in the event of a physical or technical incident;
      7. creation and verification (audit) of processes for regular testing, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of processing of Cloud JABLOTRON and the Services provided;
      8. location of all Personal Data media in a locked environment sufficiently protected against physical access by unauthorised persons, including premises where the servers on which the data containing Personal Data are stored are located;
      9. ensuring access to Personal Data stored on electronic media exclusively to authorised persons and exclusively through individual login credentials demonstrably issued to authorised persons, and with division of user roles according to the rights of persons accessing the Personal Data;
      10. allowing remote access to Personal Data only from secure end devices via encrypted communication.
8. OTHER PROVISIONS ON THE PROCESSING OF PERSONAL DATA
   1. The Parties undertake to notify each other without delay of any facts known to them which could adversely affect the proper and timely performance of the obligations arising from this Agreement.
   2. In the event of a security breach of the data processed, unauthorised or random access to Personal Data, destruction or loss, unauthorised transmission or other unauthorised processing or misuse, the Processor is obliged to inform the Controller without delay and is obliged to take urgent measures to remedy the defective condition. The Processor is obliged to inform the Controller immediately in writing, by email or by text message about the measures taken.
   3. The Processor declares that the protection of personal data is subject to the Processor’s internal security regulations within its information security management system, which is substantially based on the security requirements of ISO 27001.
   4. Processing of Personal Data by the Processor takes place exclusively in the territory of the European Union or the European Economic Area.
   5. The Controller authorises the Processor to engage other processors in processing; their selection is the responsibility of the Processor and is not dependent on an additional specific approval by the Controller. The Processor must ensure that the same obligations the Processor has under this Agreement also apply to the other processor.
      1. At present, the Processor uses the following other processors:
         1. providers of development and servicing services relating to Cloud JABLOTRON;
         2. operators of data centers used by the Processor;
         3. providers of data and internet connectivity of the Processor.
   6. The Parties agree that the Processor’s liability for damage caused in or in connection with the performance of this Agreement is limited to an amount corresponding to the sum of payments made by the Processor to the Controller for the provision of the Services in accordance with the TCU in the six months from the occurrence of such damage
9. FINAL PROVISIONS
   1. This Agreement comes into force and effect on the date of the Controller’s provision of consent to its electronic version.
   2. This Agreement is concluded for the duration of the contractual relationship between the Parties established by the acceptance of the TCU by the Controller. Termination of the contractual relationship between the Parties established by the Controller’s acceptance of the TCU will also automatically result in the termination of the contractual relationship between the Controller and the Processor under this Agreement. In the event of termination of the contractual relationship, the Processor’s obligation to process Personal Data for the Controller on the basis of this Agreement will cease at the time of disposal of the processed Personal Data in accordance with this Agreement.
   3. In the event of any discrepancies between the TCU and this Agreement, this Agreement will prevail.
   4. This Agreement constitutes a complete agreement between the Parties in relation to the subjectmatter of this Agreement and supersedes any prior arrangements regarding the subject- matter of this Agreement.
   5. The legal relations established by this Agreement are governed by the legal order governing the TCU.
   6. The Parties expressly declare that they have been well acquainted with the contents of the Agreement in its entirety, the Agreement reflects the Parties' true and free will. In witness of their agreement, the Parties replace their signatures with electronic means.

* * *

PERSONAL DATA PROCESSING AGREEMENT

1. PARTIES AND THEIR STATUS
   1. The Parties are JABLOTRON CLOUD Services s.r.o., ., reg. No.: 047 86 645, with its registered office at U Přehrady 3204/61, Mšeno nad Nisou, 466 02 Jablonec nad Nisou, Czech Republic, registered in the Commercial Register administered by the Regional Court in Ústí nad Labem, section C, file No. 36983, as the data processor (“Processor”), and a User under the General Terms and Conditions for the Use of Cloud JABLOTRON (“TCU”) in the position of Personal Data controller “Controller”).
2. PURPOSE AND SUBJECT-MATTER OF THE AGREEMENT
   1. The purpose of this Agreement is to ensure proper and lawful processing of Personal Data by the Processor for the Controller and especially to ensure processing in principle on the basis of documented instructions of the Controller.
   2. The Controller collects or otherwise processes Personal Data when using its Account or using the Services or in connection with these activities. The subject-matter of this Agreement is the obligation of the Processor to carry out, under the conditions and according to the instructions of the Controller, processing of the Personal Data specified for the Controller, and the corresponding obligation of the Controller to provide the Processor with all necessary instructions in a proper and timely manner. This Agreement is concluded as free of charge.
   3. The Personal Data in question are captured by Software, Modules and Applications used by the Controller in Cloud JABLOTRON when using specific Services and when using the Devices associated with the Services.
   4. The scope and type of Personal Data subject to processing as well as the categories of Data Subjects whose personal data are processed, and the purpose of processing are specified below in this Agreement.
   5. Purpose of processing. The Processor processes the disclosed Personal Data only for the purpose of providing the Services used by the Controller on the basis of a special contractual arrangement between the Parties, the content of which is set out in the General Terms and Conditions for the Use of Cloud JABLOTRON, to which the Controller has consented together with the conclusion of this Agreement, as well as in the relevant terms and conditions of provision of each Service. The purpose of the processing is thus determined by the Controller’s decision on the use of each Service. Where capitalized terms in this Agreement are not defined in the Agreement, they have the meaning specified in the TCU or in the relevant terms and conditions for the provision of each Service.
   6. Scope of processing. The scope of processing is determined by the technical capabilities of Cloud JABLOTRON, the functionalities and settings of the relevant Service used by the Controller. Cloud JABLOTRON includes a database for the collection and processing of Personal Data necessary for the provision of individual Services by the Processor to the Controller in accordance with the TCU.
   7. Nature of processing. Processing consists in automatically storing data containing Personal Data in Cloud JABLOTRON, backing them up, restoring them and ensuring access to such data by authorised persons in accordance with the TCU and the technical set-up of Cloud JABLOTRON.
3. PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE MYJABLOTRON SERVICE
   1. The purpose of Personal Data Processing for the Controller in the MyJABLOTRON Service is:
      1. technical support of the Controller’s ability to grant access to its Devices to other Users;
      2. processing of photographic records taken by the Controller’s Devices according to the set-up of each Device; and
      3. processing of events received to Cloud JABLOTRON from individual Devices.
   2. Furthermore, in the use of the MyCOMPANY Module, the Purpose of Personal Data Processing is:
      1. management of End Users’ Devices;
      2. management of customer portfolio;
      3. communication or conduct of the Controller towards the Processor or Related Parties;
      4. access to technical support resources of the Provider and Related parties, including technical materials and software tools for setting up and servicing Devices;
      5. management of offers for Device installation;
      6. use of bonus offers, ordering Devices and services from the Controller or Related Parties.
   3. Furthermore, in the use of the JA PARTNER Module, the Purpose of Personal Data Processing is:
      1. setting up, activation, configuration and, where applicable, deactivation and cancellation of Accounts of Installation Partners, Installers and, in some cases, End Users;
      2. registration of Devices to Cloud JABLOTRON and their decommissioning;
      3. setting up or terminating communication of registered Devices to Cloud JABLOTRON;
      4. remote configuration of Devices;
      5. remote execution of tasks for Installation Partners and their cooperating Installers and End Users;
      6. granting other Users the authority to set up Account of End Users and other persons and where the Processor has agreed with the Controller:
      7. operation of the Alarm Receiving Center (ARC);
      8. enabling access to technical support resources of the Provider and Related parties;
      9. provision of information about the availability of individual Cloud JABLOTRON services.
   4. In providing the MyJABLOTRON Service to the Controller, the Processor processes, depending on the settings of the Controller’s Account and the manner and extent of the Controller’s use of the Service:
      1. the following types of Personal Data:
         1. ID of another User to whom the Controller has granted permission to access the Device;
         2. email address of another User to whom the Controller has granted permission to access the Device; and
         3. photographic records from the Device (the appearance of a natural person);
         4. records of events detected by the Device,
      2. the following Data Subjects:
         1. another User to whom the Controller has granted permission to access the Device;
         2. a natural person recorded by the Device;
         3. a natural person handling the Device.
   5. In the event that the Controller also uses the MyCOMPANY Module as part of the MyJABLOTRON Service, the Processor also processes, in providing the MyJABLOTRON Service based on the setup of the Controller’s Account and on the way the Controller uses the Service:
      1. the following types of Personal Data:
         1. name and surname;
         2. date of birth;
         3. phone number;
         4. address;
         5. email address;
         6. Reg. No.;
         7. VAT reg. No.;
         8. phone number of the Device;
         9. registration code of the Device;
         10. IP address;
         11. User ID;
         12. photos of the premises, including the physical appearance of persons depicted in them;
         13. GPS of the guarded premises;
         14. address of the guarded premises;
         15. description of the guarded premises:
         16. vehicle registration number,
      2. the following Data Subjects:
         1. natural person – a potential customer of the Controller;
         2. natural person – a customer of the Controller;
         3. natural person – an employee of the Controller;
   6. In the event that the Controller also uses the JA PARTNER Module as part of the MyJABLOTRON Service, the Processor also processes, in providing the MyJABLOTRON Service based on the setup of the Controller’s Account and on the way the Controller uses the Service:
      1. the following types of Personal Data:
         1. name and surname;
         2. date of birth;
         3. phone number;
         4. address;
         5. email address;
         6. Reg. No.;
         7. VAT reg. No.;
         8. phone number of the Device;
         9. registration code of the Device;
         10. IP address;
         11. User ID;
         12. GPS of the guarded premises;
         13. address of the guarded premises;
         14. description of the guarded premises:
         15. vehicle registration number,
         16. physical appearance of persons;
         17. video recordings made by the Device;
         18. physical appearance of persons depicted in them; and
         19. if the ARC Service is also used, photos of the premises, including the physical appearance of the people depicted in them,
      2. the following Data Subjects:
         1. natural person – a potential customer of the Controller;
         2. natural person – a customer of the Controller;
         3. natural person – an employee of the Controller;
4. PROCESSING OF PERSONAL DATA IN CONNECTION WITH VIDEO SERVICES
   1. The purpose of the processing of Personal Data in the context of the acquisition of Video Sequences and other recordings in the context of the Video Services (currently LIVE, LIVE+, RECORD3 and RECORD7) is to use the information and recordings to identify individuals in connection with certain actions captured by the Camera based on the activation of the recording system according to the Controller’s settings.
   2. In providing the Video Services, the Processor processes, depending on the settings of the Controller’s Account and the manner of the Controller’s use of the Service:
      1. the following types of Personal Data:
         1. video recordings showing the physical appearance of persons in the monitored areas;
         2. information on the movement and location of persons;
         3. vehicle registration numbers;
         4. User ID;
         5. Device location;
         6. MAC address of the Device;
         7. Device name,
      2. the following Data Subjects:
         1. a natural person whose physical appearance is captured by the Controller’s Device.
5. PERSONAL DATA PROCESSING IN CONNECTION WITH THE DRIVER’S LOG SERVICE
   1. The purpose of Personal Data processing in the context of the Driver’s Log Service is in particular the protection and management of property and the keeping of records of journeys in accordance with tax regulations, occupational health regulations or other generally binding legal regulations.
   2. In providing the Driver’s Log Service, the Processor processes, depending on the settings of the Controller’s Account and the manner of the Controller’s use of the Service:
      1. the following types of Personal Data
         1. driver’s log data and their history;
         2. vehicle traffic data, including location data;
         3. name and surname of the person to whom the vehicle has been entrusted,
      2. the following Data Subjects:
         1. natural person who uses the vehicle for which the Controller uses the Driver’s Log Service.
6. PERSONAL DATA PROCESSING IN THE NOTIFICATION SERVICE
   1. The purpose of Personal Data processing in the Notification Service is to inform the User and other natural persons selected by the User of events registered by the Device using a Notification in the form of an SMS, voice notification, push notification or Email.
   2. In providing the Notification Service, the Processor processes, based on the settings of the Controller’s Account and on the manner of use of the Service by the Controller:
      1. the following types of Personal Data:
         1. phone number;
         2. email;
      2. of the following Data Subjects:
         1. a natural person whose contact information was provided by the Controller for the sending of the Notification.
7. OBLIGATIONS OF THE CONTROLLER
   1. The Controller undertakes to:
      1. process only Personal Data for the processing of which the Controller has a legal basis under the Applicable Regulations;
      2. collect and process only Personal Data that are accurate and fit for purpose and the scope is necessary to fulfil the stated purpose;
      3. fulfil its obligation to inform all Data Subjects whose Personal Data are processed and to provide the Data Subjects with all information in a concise, transparent, easy to understand and easily accessible manner using clear and plain language, and to make all communications required by the GDPR and other Applicable Regulations;
      4. act as a point of contact for Data Subjects;
      5. bear liability for the conduct of persons to whom the Controller provided permission to the Controller’s Account and Applications, in particular, for the fact they will act in accordance with Applicable Regulations, this Agreement and the TCU.
8. OBLIGATIONS OF THE PROCESSOR
   1. The Processor undertakes to:
      1. process Personal Data only on the basis of documented instructions from the Controller in the form of its settings in the Account, within the technical capabilities of Cloud JABLOTRON;
      2. maintain confidentiality about the Personal Data processed, in particular not to publish, disseminate or disclose Personal Data to other persons except persons employed by the Processor or other authorised persons entrusted with the processing of Personal Data in accordance with this Agreement;
      3. ensure that all persons involved in the processing are bound by confidentiality obligations, including Processor’s employees and other processors;
      4. adopt technical and organisational measures taking into account the nature of the processing in order to enable the Controller to respect the rights of the Data Subjects and to achieve security for the Personal Data processed, in particular to prevent unauthorised or random access to, alteration, destruction or loss of Personal Data, unauthorised transfers, other unauthorised processing of the data as well as other misuse, and to ensure, in terms of staff and organisational measures, that all obligations of the Data Processor arising from the Applicable Data Protection Regulations;
      5. keep records of the processing;
      6. dispose of the results of the processing and all media containing Personal Data and delete existing copies no later than one month after the termination of this Agreement, with the exception of Personal Data contained in backups not searchable without the data being recovered and with their own erasure period set, and Personal Data the Processor is authorised to process by law;
      7. notify the Controller without undue delay if the Processor finds that the Controller is in breach of the Controller’s obligations as stipulated by the Applicable Data Protection Regulations;
      8. at the request of the Controller, at any time allow an audit or inspection regarding the processing of Personal Data, whereby this step will be charged at an hourly rate according to the Processor’s current price list;
      9. assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR (especially the security of processing, reporting of data breaches, Personal Data impact assessment, and previous consultation);
      10. provide the Controller with all the information needed to show that the obligations set out in Article 28 of the GDPR have been met, and allow audits, including inspections, performed by the Controller or by another auditor commissioned by the Controller, and contribute to such audits.
   2. The Processor will ensure at least the following technical and organisational measures:
      1. protection of access rights to personal data in the Cloud JABLOTRON so that unauthorised persons do not gain access to it and cannot use it;
      2. regular backup of data related to personal data in Cloud JABLOTRON;
      3. adequate measures against data loss, data unavailability or malware infection;
      4. encryption of data containing Personal Data and, if encryption is not possible for some data, setting a policy for access and other rights;
      5. adoption and continuous verification (audit) of measures to ensure confidentiality, integrity, availability and resilience of Cloud JABLOTRON and the Services provided;
      6. adoption and continuous verification (audit) of measures to ensure timely availability and access to Personal Data in the event of a physical or technical incident;
      7. creation and verification (audit) of processes for regular testing, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of processing of Cloud JABLOTRON and the Services provided;
      8. location of all Personal Data media in a locked environment sufficiently protected against physical access by unauthorised persons, including premises where the servers on which the data containing Personal Data are stored are located;
      9. ensuring access to Personal Data stored on electronic media exclusively to authorised persons and exclusively through individual login credentials demonstrably issued to authorised persons, and with division of user roles according to the rights of persons accessing the Personal Data;
      10. allowing remote access to Personal Data only from secure end devices via encrypted communication.
9. OTHER PROVISIONS ON THE PROCESSING OF PERSONAL DATA
   1. The Parties undertake to notify each other without delay of any facts known to them which could adversely affect the proper and timely performance of the obligations arising from this Agreement.
   2. In the event of a security breach of the data processed, unauthorised or random access to Personal Data, destruction or loss, unauthorised transmission or other unauthorised processing or misuse, the Processor is obliged to inform the Controller without delay and is obliged to take urgent measures to remedy the defective condition. The Processor is obliged to inform the Controller immediately in writing, by email or by text message about the measures taken.
   3. The Processor declares that the protection of personal data is subject to the Processor’s internal security regulations within its information security management system, which is substantially based on the security requirements of ISO 27001.
   4. Processing of Personal Data by the Processor takes place exclusively in the territory of the European Union or the European Economic Area.
   5. The Controller authorises the Processor to engage other processors in processing; their selection is the responsibility of the Processor and is not dependent on an additional specific approval by the Controller. The Processor must ensure that the same obligations the Processor has under this Agreement also apply to the other processor.
      1. At present, the Processor uses the following other processors:
         1. providers of development and servicing services relating to Cloud JABLOTRON;
         2. operators of data centers used by the Processor;
         3. providers of data and internet connectivity of the Processor.
   6. The Parties agree that the Processor’s liability for damage caused in or in connection with the performance of this Agreement is limited to an amount corresponding to the sum of payments made by the Processor to the Controller for the provision of the Services in accordance with the TCU in the six months from the occurrence of such damage
10. FINAL PROVISIONS
    1. This Agreement comes into force and effect on the date of the Controller’s provision of consent to its electronic version.
    2. This Agreement is concluded for the duration of the contractual relationship between the Parties established by the acceptance of the TCU by the Controller. Termination of the contractual relationship between the Parties established by the Controller’s acceptance of the TCU will also automatically result in the termination of the contractual relationship between the Controller and the Processor under this Agreement. In the event of termination of the contractual relationship, the Processor’s obligation to process Personal Data for the Controller on the basis of this Agreement will cease at the time of disposal of the processed Personal Data in accordance with this Agreement.
    3. In the event of any discrepancies between the TCU and this Agreement, this Agreement will prevail.
    4. This Agreement constitutes a complete agreement between the Parties in relation to the subjectmatter of this Agreement and supersedes any prior arrangements regarding the subject- matter of this Agreement.
    5. The legal relations established by this Agreement are governed by the legal order governing the TCU.
    6. The Parties expressly declare that they have been well acquainted with the contents of the Agreement in its entirety, the Agreement reflects the Parties' true and free will. In witness of their agreement, the Parties replace their signatures with electronic means.

* * *