Data Processing Agreement

This Data Processing Agreement (“DPA”) is made and entered into as of this ____ day of ____, 2020 forms part  of the Master Services Agreement (the “Agreement”). You acknowledge that you, on behalf of [______]  incorporated under __________ law, with its principal offices located at ____________________  (“Organization”) (collectively, ”You”, ”Your”, “Client”, or “Data Controller”) have read and understood and  agree to comply with this DPA, and are entering into a binding legal agreement with Cyber Hunters Inc., or Cyber  Hunters Ltd. (as applicable) (“Hunters”, ”Us”, ”We”, ”Our”, “Service Provider” or “Data Processor”) to  reflect the parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below) of  GDPR-protected individuals. Both parties shall be referred to as the “Parties” and each, a “Party”.  

WHEREAS, Hunters shall provide the services set forth in the Agreement (collectively, the “Services”) for  Client, as described in the Agreement; and 

WHEREAS, In the course of providing the Services pursuant to the Agreement, we may process Personal  Data on your behalf, in the capacity of a “Data Processor”; and the Parties wish to set forth the  arrangements concerning the processing of Personal Data (defined below) within the context of  the Services and agree to comply with the following provisions with respect to any Personal  Data, each acting reasonably and in good faith. 

NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable  consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the parties, intending  to be legally bound, agree as follows: 

1. INTERPRETATION AND DEFINITIONS

1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to  limit or otherwise affect the provisions of this DPA. References to clauses or sections are  references to the clauses or sections of this DPA unless otherwise stated. Words used  in the singular include the plural and vice versa, as the context may require. Capitalized  terms not defined herein shall have the meanings assigned to such terms in the Agreement.  Definitions:  

(a) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is  under common control with the subject entity. “Control”, for purposes of this  definition, means direct or indirect ownership or control of more than 50% of the voting  interests of the subject entity. 

(b) “Authorized Affiliate” means any of Client’s Affiliate(s) which (a) is subject to the  Data Protection Laws And Regulations of the European Union, the European Economic  Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is  permitted to use the Services pursuant to the Agreement between Client and Hunters,  but has not signed its own agreement with Hunters and is not a “Client” as defined  under the Agreement. 

(c) “Controller” or “Data Controller” means the entity which determines the purposes  and means of the Processing of Personal Data. For the purposes of this DPA only, and  except where indicated otherwise, the term “Data Controller” shall include yourself,  the Organization and/or the Organization’s Authorized Affiliates.  

(d) “Data Protection Laws and Regulations” means all laws and regulations of the  European Union, the European Economic Area and their Member States, and the  United Kingdom, applicable to the Processing of Personal Data under the Agreement. 

(e) “Data Subject” means the identified or identifiable person to whom the Personal Data  relates. 

(f) “Member State” means a country that belongs to the European Union and/or the  European Economic Area. “Union” means the European Union. 

(g) “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the  Council of 27 April 2016 on the protection of natural persons with regard to the  processing of personal data and on the free movement of such data, and repealing  Directive 95/46/EC (General Data Protection Regulation).

(h) “Personal Data” means any information relating to an identified or identifiable natural  person; an identifiable natural person is one who can be identified, directly or indirectly,  in particular by reference to an identifier such as a name, an identification number,  location data, an online identifier or to one or more factors specific to the physical,  physiological, genetic, mental, economic, cultural or social identity of that natural  person. 

(i) “Process(ing)” means any operation or set of operations which is performed upon  Personal Data, whether or not by automatic means, such as collection, recording,  organization, structuring, storage, adaptation or alteration, retrieval, consultation, use,  disclosure by transmission, dissemination or otherwise making available, alignment or  combination, restriction, erasure or destruction. 

(j) “Processor” or “Data Processor” means the entity which Processes Personal Data on  behalf of the Controller. 

(k) “Security Documentation” means the Security Documentation applicable to the  specific Services purchased by Client, as updated from time to time, and as made  reasonably available by Hunters.  

(l) “Sub-processor” means any Processor engaged by Hunters and/or Hunters Affiliate. 

(m) “Supervisory Authority” means an independent public authority which is established  by an EU Member State pursuant to the GDPR. 

2. PROCESSING OF PERSONAL DATA

2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing  of Personal Data, (i) Client is the Data Controller, (ii) Hunters is the Data Processor and that  (iii) Hunters or its Affiliates may engage Sub-processors pursuant to the requirements set  forth in Section 5 “Sub-processors” below. 

2.2 Client’s Processing of Personal Data. Client shall, in its use of the Services, Process Personal  Data in accordance with the requirements of Data Protection Laws and Regulations and  comply at all times with the obligations applicable to data controllers (including, without  limitation, Article 24 of the GDPR). For the avoidance of doubt, Client’s instructions for  the Processing of Personal Data shall comply with Data Protection Laws and Regulations.  Client shall have sole responsibility for the means by which Client acquired Personal Data.  Without limitation, Client shall comply with any and all transparency-related obligations  (including, without limitation, displaying any and all relevant and required privacy notices  or policies) and shall have any and all required legal bases in order to collect, Process and  transfer to Hunters the Personal Data and to authorize the Processing by Hunters of the  Personal Data which is authorized in this DPA. Client shall defend, hold harmless and  indemnify Hunters, its Affiliates and subsidiaries (including without limitation their  directors, officers, agents, subcontractors and/or employees) from and against any liability  of any kind related to any breach, violation or infringement by Client and/or its authorized  users of any Data Protection Laws and Regulations and/or this DPA and/or this Section.  

2.3 Hunters’ Processing of Personal Data.  

2.3.1 Subject to the Agreement, Hunters and its Affiliates (as applicable) shall Process  Personal Data only in accordance with Client’s documented instructions as  necessary for the performance of the Services and for the performance of the  Agreement and this DPA, unless required to otherwise by Union or Member State  law or any other applicable law to which Hunters and its Affiliates are subject, in  which case, Hunters shall inform the Client of the legal requirement before  processing, unless that law prohibits such information on important grounds of  public interest. The duration of the Processing, the nature and purposes of the  Processing, as well as the types of Personal Data Processed and categories of Data  Subjects under this DPA are further specified in Schedule 1 (Details of the  Processing) to this DPA.  

2.3.2 To the extent that Hunters or its Affiliates cannot comply with a request (including,  without limitation, any instruction, direction, code of conduct, certification, or  change of any kind) from Client and/or its authorized users relating to Processing  of Personal Data or where Hunters considers such a request to be unlawful, Hunters (i) shall inform Client, providing relevant details of the problem, (ii) Hunters may,  without any kind of liability towards Client, temporarily cease all Processing of the  affected Personal Data (other than securely storing those data), and (iii) if the Parties  do not agree on a resolution to the issue in question and the costs thereof, each Party  may, as its sole remedy, terminate the Agreement and this DPA with respect to the  affected Processing, and Client shall pay to Hunters all the amounts owed to Hunters or due before the date of termination. Client will have no further claims against  Hunters (including, without limitation, requesting refunds for Services) due to the  termination of the Agreement and/or the DPA in the situation described in this  paragraph (excluding the obligations relating to the termination of this DPA set  forth below). 

2.3.3 Hunters will not be liable in the event of any claim brought by a third party,  including, without limitation, a Data Subject, arising from any act or omission of  Hunters, to the extent that such is a result of Client’s instructions. 

3. RIGHTS OF DATA SUBJECTS.

   If Hunters receives a request from a Data Subject to exercise its  right to be informed, right of access, right to rectification, erasure, restriction of Processing, data  portability, right to object, or its right not to be subject to a decision solely based on automated  processing, including profiling (“Data Subject Request”), Hunters shall, to the extent legally  permitted, promptly notify and forward such Data Subject Request to Client. Taking into account  the nature of the Processing, Hunters shall use commercially reasonable efforts to assist Client by  appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of  Client’s obligation to respond to a Data Subject Request under Data Protection Laws and  Regulations. To the extent legally permitted, Client shall be responsible for any costs arising from  Hunters’ provision of such assistance.  
   

4. HUNTERS PERSONNEL

4.1 Confidentiality. Hunters shall grant access to the Personal Data to persons under its authority  (including, without limitation, its personnel) only on a need to know basis and ensure that  such persons engaged in the Processing of Personal Data have committed themselves to  confidentiality. 

4.2 Hunters may disclose and Process the Personal Data (a) as permitted hereunder (b) to the  extent required by a court of competent jurisdiction or other Supervisory Authority and/or  otherwise as required by applicable laws or applicable Data Protection Laws and Regulations  (in such a case, Hunters shall inform the Client of the legal requirement before the disclosure,  unless that law prohibits such information on important grounds of public interest), or (c) on  a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data  protection advisor(s), accountant(s), investors or potential acquirers. 

5. AUTHORIZATION REGARDING SUB-PROCESSORS

5.1.1 Hunters’ current list of Sub-processors is included in https://docs.google.com/document/d/1Gx1UyYDfej41SOR6tNOpeG81j2w8zDGo (“Sub-processor List”) and is hereby approved by Data Controller. The Sub-processor  List as of the date of execution of this DPA, is hereby, authorized by Client. In any  event, the Sub-processor List shall be deemed authorized by Client unless it provides a  written reasonable objection for reasons related to the GDPR within ten (10) business  days following the publication of the Sub-processor List. Client may reasonably object  for reasons related to the GDPR to Hunters’ use of an existing Sub-processor by providing a written objection to privacy@hunters.ai. In the event Client reasonably  objects to an existing Sub-processor, as permitted in the preceding sentences, and the  parties do not find a solution in good faith to the issue in question, then Client may, as a  sole remedy, terminate the applicable Agreement and this DPA with respect only to  those Services which cannot be provided by Hunters without the use of the objected-to  Sub-processor by providing written notice to Hunters provided that all amounts due  under the Agreement before the termination date with respect to the Processing at issue  shall be duly paid to Hunters. Client will have no further claims against Hunters due to  (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the  DPA in the situation described in this paragraph. 

5.1.2 Hunters shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the Services. 

5.2 Objection Right for New Sub-processors. Client may reasonably object to Hunters’ use of a new Sub-processor for reasons related to the GDPR by notifying Hunters promptly in writing within fourteen (14) days after receipt of Hunters’ notice and such written objection  shall include the reasons related to the GDPR for objecting to Hunters’ use of such new  Sub-processor. Failure to object to such new Sub-processor in writing within three (3) business  days following Hunters’ notice shall be deemed as acceptance of the new Sub-Processor. In the event Client reasonably objects to a new Sub-processor, as permitted in the preceding sentences, Hunters will use reasonable efforts to make available to Client a change in the Services or recommend a commercially reasonable change to Client’s use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Client. If Hunters is unable to make available such change within  a reasonable period of time, which shall not exceed forty-five (45) days, Client may, as a sole  remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Hunters without the use of the objected-to new Sub processor by providing written notice to Hunters provided that all amounts due under the  Agreement before the termination date with respect to the Processing at issue shall be duly paid to  Hunters. Until a decision is made regarding the new Sub-processor, Hunters may temporarily  suspend the Processing of the affected Personal Data. Client will have no further claims against  Hunters due to the termination of the Agreement (including, without limitation, requesting refunds)  and/or the DPA in the situation described in this paragraph. 

6. SECURITY

6.1 Controls for the Protection of Personal Data. Taking into account the state of the art, Hunters shall maintain industry-standard technical and organizational measures required pursuant to  Article 32 of the GDPR for protection of the security (including protection against  unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or  alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality  and integrity of Personal Data, as set forth in the Security Documentation which are hereby  approved by Client. Upon the Client’s request, Hunters will use commercially reasonable  efforts to assist Client, at Client’s cost, in ensuring compliance with the obligations pursuant  to Articles 32 to 36 of the GDPR taking into account the nature of the processing, the state  of the art, the costs of implementation, the scope, the context, the purposes of the Processing  and the information available to Hunters. 

6.2 Third-Party Certifications and Audits. Upon Client’s written request at reasonable intervals,  and subject to the confidentiality obligations set forth in the Agreement and this DPA,  Hunters shall make available to Client that is not a competitor of Hunters (or Client’s  independent, third-party auditor that is not a competitor of Hunters) a copy or a summary of  Hunters’ then most recent third-party audits or certifications, as applicable (provided,  however, that such audits, certifications and the results therefrom, including the documents  reflecting the outcome of the audit and/or the certifications, shall only be used by Client to  assess compliance with this DPA, and shall not be used for any other purpose or disclosed  to any third party without Hunters’ prior written approval and, upon Hunters’ first request,  Client shall return all records or documentation in Client’s possession or control provided by  Hunters in the context of the audit and/or the certification). At Client’s cost and expense,  Hunters shall allow for and contribute to audits, including inspections of Hunters’, conducted  by the controller or another auditor mandated by the controller (who is not a direct or indirect  competitor of Hunters) provided that the parties shall agree on the scope, methodology,  timing and conditions of such audits and inspections. Notwithstanding anything to the  contrary, such audits and/or inspections shall not contain any information, including without  limitation, personal data that does not belong to Client. 

7. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION.

   To the extent  required under applicable Data Protection Laws and Regulations, Hunters shall notify Client  without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration,  unauthorized disclosure of, or access to Personal Data, including Personal Data, transmitted, stored  or otherwise Processed by Hunters or its Sub-processors of which Hunters becomes aware (a “Personal Data Incident”). Hunters shall make reasonable efforts to identify the cause of such  Personal Data Incident and take those steps as Hunters deems necessary, possible and reasonable in  order to remediate the cause of such a Personal Data Incident to the extent the remediation is within  Hunters’ reasonable control. The obligations herein shall not apply to incidents that are caused by  Client or Client’s users. In any event, Client will be the party responsible for notifying supervisory  authorities and/or concerned data subjects (where required by Data Protection Laws and  Regulations). 
   
   

8. RETURN AND DELETION OF PERSONAL DATA.

   Subject to the Agreement, Hunters shall,  at the choice of Client, delete or return the Personal Data to Client after the end of the provision of  the Services relating to processing, and shall delete existing copies unless applicable law requires  storage of the Personal Data. In any event, to the extent required or allowed by applicable law,  Hunters may retain one copy of the Personal Data for evidence purposes and/or for the  establishment, exercise or defence of legal claims and/or to comply with applicable laws and  regulations. If the Client requests the Personal Data to be returned, the Personal Data shall be  returned in the format generally available for Hunters’ Clients.  
   
   

9. AUTHORIZED AFFILIATES

9.1 Contractual Relationship. The Parties acknowledge and agree that, by executing the DPA,  the Client enters into the DPA on behalf of itself and, as applicable, in the name and on  behalf of its Authorized Affiliates, thereby establishing a separate DPA between Hunters.  Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access  to and use of the Services by Authorized Affiliates must comply with the terms and  conditions of the Agreement and this DPA and any violation of the terms and conditions  therein by an Authorized Affiliate shall be deemed a violation by Client. 

9.2 Communication. The Client shall remain responsible for coordinating all communication  with Hunters under the Agreement and this DPA and shall be entitled to make and receive  any communication in relation to this DPA on behalf of its Authorized Affiliates. 

10. TRANSFERS OF DATA

10.1 Transfers to countries that offer adequate level of data protection. Personal Data may be  transferred from the EU Member States, the three EEA member countries (Norway,  Liechtenstein and Iceland) and the United Kingdom (collectively, “EEA”) to countries that  offer adequate level of data protection under or pursuant to the adequacy decisions published  by the relevant data protection authorities of the EEA, the Union, the Member States or the  European Commission (“Adequacy Decisions”), without any further safeguard being  necessary. 

10.2 Transfers to other countries. If the Processing of Personal Data includes transfers from the  EEA to countries outside the EEA which do not offer adequate level of data protection or  which have not been subject to an Adequacy Decision (“Other Countries”), upon Client’s  request, the Parties shall comply with Chapter V of the GDPR, including, if necessary,  executing the standard data protection clauses adopted by the relevant data protection  authorities of the EEA, the Union, the Member States or the European Commission or  comply with any of the other mechanisms provided for in the GDPR for transferring Personal  Data to such Other Countries. 

11. TERMINATION

    This DPA shall automatically terminate upon the termination or expiration of  the Agreement under which the Services are provided. Sections 2.2, 2.3.3, 2.3.4 and 12 shall survive  the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be  terminated separately to the Agreement, except where the Processing ends before the termination  of the Agreement, in which case, this DPA shall automatically terminate.  
    
    

12. RELATIONSHIP WITH AGREEMENT.

    In the event of any conflict between the provisions of  this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the  conflicting provisions of the Agreement. Notwithstanding anything to the contrary in the  Agreement and/or in any agreement between the parties and to the maximum extent permitted by  law: (A) Hunters’ (including Hunters’ Affiliates’) entire, total and aggregate liability, related to  personal data or information, privacy, or for breach of, this DPA and/or Data Protection Laws and  Regulations, including, without limitation, if any, any indemnification obligation under the  Agreement or applicable law regarding data protection or privacy, shall be limited to the amounts  paid to Hunters under the Agreement within twelve (12) months preceding the event that gave rise to the claim. This limitation of liability is cumulative and not per incident; (B) In no event will  Hunters and/or Hunters Affiliates and/or their third-party providers, be liable under, or otherwise  in connection with this DPA for: (i) any indirect, exemplary, special, consequential, incidental or  punitive damages; (ii) any loss of profits, business, or anticipated savings; (iii) any loss of, or  damage to data, reputation, revenue or goodwill; and/or (iv) the cost of procuring any substitute  goods or services; and (C) The foregoing exclusions and limitations on liability set forth in this  Section shall apply: (i) even if Hunters, Hunters Affiliates or third-party providers, have been  advised, or should have been aware, of the possibility of losses or damages; (ii) even if any remedy  in this DPA fails of its essential purpose; and (iii) regardless of the form, theory or basis of liability  (such as, but not limited to, breach of contract or tort). 

13. AMENDMENTS

    This DPA may be amended at any time by a written instrument duly signed by  each of the Parties. 
    
    

14. LEGAL EFFECT.

    This DPA shall only become legally binding between Client and Hunters when  the formalities steps set out in the Section “INSTRUCTIONS ON HOW TO EXECUTE THIS  DPA” below have been fully completed. Hunters may assign this DPA or its rights or obligations  hereunder to any Affiliate thereof, or to a successor or any Affiliate thereof, in connection with a  merger, consolidation or acquisition of all or substantially all of its shares, assets or business relating  to this DPA or the Agreement. Any Hunters obligation hereunder may be performed (in whole or  in part), and any Hunters right (including invoice and payment rights) or remedy may be exercised  (in whole or in part), by an Affiliate of Hunters. 
    
    

15. SIGNATURE.

    The Parties represent and warrant that they each have the power to enter into,  execute, perform and be bound by this DPA. You, as the signing person on behalf of Client,  represent and warrant that you have, or you were granted, full authority to bind the Organization  and, as applicable, its Authorized Affiliates to this DPA. If you cannot, or do not have authority to,  bind the Organization and/or its Authorized Affiliates, you shall not supply or provide Personal  Data to Hunters. By signing this DPA, Client enters into this DPA on behalf of itself and, to the  extent required or permitted under applicable Data Protection Laws and Regulations, in the name  and on behalf of its Authorized Affiliates, if and to the extent that Hunters processes Personal Data  for which such Authorized Affiliates qualify as the/a “data controller”.  

This DPA has been pre-signed on behalf of Hunters.  

Instructions on how to execute this DPA. 

1. To complete this DPA, you must complete the missing information; and 
2. Send the completed and signed DPA to us by email, indicating the Client’s name, to  privacy@hunters.ai. 

List of Schedules 

• SCHEDULE 1 – DETAILS OF THE PROCESSING

The parties’ authorized signatories have duly executed this Agreement: 

CLIENT: 

Signature: 

Client Legal Name: 

Print Name: 

Title: 

Date: 

Cyber Hunters Inc. 

Signature: 

Legal Name:  

Print Name:  

Title:  

Date:

SCHEDULE 1 – DETAILS OF THE PROCESSING

Subject matter. Hunters will Process Personal Data as necessary to perform the Services pursuant to the  Agreement, as further instructed by Client in its use of the Services. 

Nature and Purpose of Processing 

1. Providing the Service(s) to Client. 
2. For Client to be able to use the Services. 
3. For Hunters to comply with documented reasonable instructions provided by Client where such  instructions are consistent with the terms of the Agreement.  
4. Performing the Agreement, this DPA and/or other contracts executed by the Parties.  5. Providing support and technical maintenance, if agreed in the Agreement. 
5. Enforcing the Agreement, this DPA and/or defending Hunters’ rights. 
6. Management of the Agreement, the DPA and/or other contracts executed by the Parties,  including fees payment, account administration, accounting, tax, management, litigation; and 
7. Complying with applicable laws and regulations, including for cooperating with local and  foreign tax authorities, preventing fraud, money laundering and terrorist financing. 
8. All tasks related with any of the above. 

1.1. Duration of Processing. 

Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing  and the consequences of the expiration or termination thereof, Hunters will Process Personal Data  for the duration of the Agreement, unless otherwise agreed upon in writing. 

1.2. Type of Personal Data. 

Client may submit Personal Data to the Services, the extent of which is determined and controlled  by Client in its sole discretion, and which may include, but is not limited to the following categories  of Personal Data:  

• Full name 
• Address 
• Phone number 
• Email address 
• Personal workstation technical information 
• Position in the organisational structure 
• Any other Personal Data or information that the Client decides to provide to the Hunters or the Services. 

The Client and the Data Subjects shall provide the Personal data to Hunters by supplying the Personal  data to Hunters’ Service.  

In some limited circumstances Personal Data may also come from others sources, for example, in the  case of anti-money laundering research, fraud detection or as required by applicable law. For clarity,  Client shall always be deemed the “Data Controller” and Hunters shall always be deemed the “Data  Processor” (as such terms are defined in the GDPR).  

1.3. Categories of Data Subjects 

As part of providing the Services and during the scanning Hunters may temporarily access compute  disks storing personal data related to Client’s customers, employees and service providers.  

Additionally, Client may submit Personal Data to the Services, the extent of which is determined and  controlled by Client in its sole discretion, and which may include, but is not limited to Personal Data  relating to the following categories of data subjects: 

• Client’s customers and/or clients
• Client’s users authorized by Client to use the Services 
• Employees, agents, advisors, freelancers of Client (who are natural persons) ● Prospects, Clients, business partners and vendors of Client (who are natural persons) 
• Employees or contact persons of Client’s prospects, Clients, business partners and vendors