Data Processing Addendum
Last Updated: September 26, 2025
This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between TraceFlows ("Processor") and the Customer ("Controller") and applies to the processing of Personal Data by Processor on behalf of the Controller in the course of providing the Service.
1. Definitions
In this DPA, the following terms shall have the meanings set out below and other capitalized terms shall have the meaning given to them in the Agreement:
- "Data Protection Laws" means all applicable laws relating to data protection and privacy including, without limitation, the GDPR and any implementing or successor legislation.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- The terms "Personal Data," "Data Subject," "Processing," "Controller," and "Processor" shall have the meanings ascribed to them in the GDPR.
2. Roles and Responsibilities
The parties acknowledge and agree that for the purposes of the Processing of Personal Data, the Customer is the Controller and TraceFlows is the Processor. The Controller is responsible for the lawfulness of the Processing of Personal Data. The Processor will process Personal Data in accordance with the Controller's instructions as set out in this DPA and the Agreement.
3. Details of Processing
- Subject Matter: The subject matter of the Processing is the provision of the Service by the Processor to the Controller.
- Duration: The Processing will continue for the term of the Agreement and until the deletion of all Customer Data as described in this DPA.
- Nature and Purpose: The purpose of the Processing is to enable the Controller to analyze user behavior on their websites, debug issues, and improve user experience through session recording and analytics.
- Categories of Data Subjects: The Personal Data processed will concern End Users of the Controller's websites and applications.
- Types of Personal Data: The types of Personal Data processed include session replay data (such as mouse movements, clicks, scrolls), technical information (such as IP address, browser, OS, device type), and other data as determined and configured by the Controller. The Controller explicitly agrees not to collect or process any Special Categories of Personal Data (as defined in GDPR Article 9) using the Service.
4. Processor's Obligations
TraceFlows, as the Processor, agrees to:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject.
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain the appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in the Processor's security documentation.
- Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR.
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
5. Sub-processing
The Controller provides a general written authorization for the Processor to engage sub-processors to support the provision of the Service. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other sub-processors, thereby giving the Controller the opportunity to object to such changes. A list of current sub-processors is available to the Controller upon request. Where the Processor engages a sub-processor, it will do so by way of a written contract which imposes on the sub-processor the same data protection obligations as are imposed on the Processor in this DPA.
6. International Transfers
The Processor shall not transfer Personal Data to a third country or international organization outside the European Economic Area (EEA) without ensuring appropriate safeguards are in place, such as the Standard Contractual Clauses (SCCs) as approved by the European Commission. The Controller acknowledges that the Processor's primary data centers are located in the United States.
7. Data Security and Breach Notification
The Processor has implemented and will maintain appropriate technical and organizational security measures to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. In the event of a Personal Data Breach affecting the Controller's data, the Processor shall notify the Controller without undue delay after becoming aware of the breach.