Data Processing Agreement
Concluded between:
Harmony Inc. with its registered office in the United States, Delaware, 8 The Green, Ste. R., in the City of Dover, County of Kent, zip code 19901, represented by Grzegorz Kazulak
hereinafter referred to as the "Processor"
and
Company, any customer of Harmony Inc.
hereinafter referred to as the "Controller"
also referred to collectively as the "Parties".
Introduction
This document defines the data processing relationship between Harmony Inc. (as the Processor) and your organization (as the Controller), specifying how personal data will be handled in compliance with GDPR requirements.
§1. Definitions
The terms used in this Agreement have the following meanings:
1. Harmony – a platform that allows you to transcribe conversations (from audio and video formats) and unify and analyze conversations across different communication platforms, available at: Harmony
2. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU.L No. 119, p. 1);
3. Agreement – the present data processing agreement;
4. Master Agreement – an agreement between the Controller, who is a user of Harmony, and the Processor;
5. Sensitive Personal Data – shall have the meaning assigned to the terms "sensitive data", "sensitive information", "special categories of personal data", or similar terms under applicable data protection law(s) and shall include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Definitions
This section defines the key terms used throughout the Data Processing Agreement to ensure clarity and common understanding between the parties.
§2. Subject matter of the Agreement
Pursuant to the Agreement, the Controller entrusts the Processor, pursuant to Article 28(3) of the GDPR, with the processing of personal data to the extent specified in §3.
Subject Matter
This section outlines the core purpose of the agreement, which is the Controller's authorization for the Processor to process personal data in compliance with GDPR Article 28(3).
§3. Scope of entrustment
1. The subject matter of entrustment under the Agreement is any personal data that the Processor will process on behalf of the Controller in connection with the performance of the Master Agreement, the Administrator being the controller or the processor thereof within the meaning of the GDPR.
2. The data referred to in paragraph 1 include, in particular, data that are ordinary data – i.e., personal data of employees and associates of the Controller, persons authorized by the Controller to use Harmony, and end customers – any individuals who contact or are contacted by the Controller using the services, or whose personal data is otherwise processed by the Controller through the services, under the Master Agreement, such as:
a) Identity Data: includes name, surname, middle name or patronymic, salutation;
b) Contact Data: includes email address, phone number;
c) Financial Data: includes information about financial transactions, such as bank account details, credit card information, and payment history;
d) Biometric Data: includes voice recordings;
e) Technical Data: includes information collected through automated means, such as IP addresses, device information, browsing history, and cookies;
f) Employment Data: includes job title and employer information;
g) Health Data: includes personal data about an individual's physical or mental health – including the use of healthcare services – revealing information about their health;
h) Personal Preferences: includes personal preferences, interests, and characteristics, such as language preferences and marketing preferences;
i) and other data resulting from the specifics of the services provided by the Processor, which the Controller uses under the Master Agreement.
3. Processor will process all categories of personal data that the Controller provides to Harmony. Since the accumulation of personal data on our servers occurs automatically during your use of the service, Processor does not have real-time control over how the Controller categorizes such personal information.
4. The Controller shall not submit Sensitive Personal Data to the Processor without prior written consent from Processor or on the basis of the Master Agreement.
Scope of Entrustment
This section details the specific types of personal data that may be processed under this agreement, including identity data, contact information, financial details, and various other categories of personal information provided by the Controller.
§4. Determination of the purpose, nature and duration of the entrustment of data processing
1. The processing of personal data under the Agreement is entrusted with the consent and documented instructions of the Controller (as referred to in Article 28(3)(a) of the GDPR and Article 29 of the GDPR), for the purpose of the Controller using the services of the Processor under the Master Agreement, in particular: using Harmony, handling requests and complaints related to the use of Harmony.
2. The conclusion of the Master Agreement and the Agreement, as well as the Controller's selection of the Processor's services under the Master Agreement, shall be considered by the Parties as the documented order referred to in paragraph 1.
3. The Data entrusted by the Controller will be processed by the Processor during the term of the Master Agreement on a permanent or occasional basis, depending on the nature of the particular activity or service performed under the Master Agreement.
4. Within three months from the date of termination of the Agreement or receipt of a documented request for deletion of personal data from the Controller, the Processor shall:
a) delete the data entrusted to it, from all storage media, programs, and applications, including any copies thereof, or
b) irreversibly anonymize the data covered by the deletion request,
unless the obligation to further process them arises from the law.
Purpose and Duration
This section clarifies why and how long personal data will be processed, emphasizing that processing is based on the Controller's consent and documented instructions, and data will be deleted or anonymized within 3 months of agreement termination.
§5. Rights and obligations of the Parties
1. The Controller undertakes that any personal data entrusted to the Processor under the Agreement shall be processed by the Controller:
a) on one of the relevant legal grounds set forth in Article 6(1) of the GDPR, or
b) on behalf of another controller, and the Controller then assures the Processor that:
1) the data will be processed by their controller on one of the relevant legal bases specified in Article 6(1) of the GDPR;
2) it is authorized to sub-contract (further entrust) the processing of such personal data.
2. The Processor undertakes:
a) pursuant to Article 28(3)(e) of the GDPR, to cooperate with the Controller, to the extent possible, through appropriate technical and organizational measures, in responding to the requests of the personal data subject in exercising his or her rights set forth in Chapter III of the GDPR, in particular regarding information and transparent communication, access to data, information obligation, the right to rectification, erasure, restriction of processing, data portability, and the right to object; the Processor shall be entitled to additional compensation in the event of such cooperation with the Controller;
b) in accordance with Article 28(3)(f) of the GDPR, assist the Controller in complying with the obligations set forth in Articles 32-36 of the GDPR, in particular the obligation to ensure the security of processing, to report a personal data breach to the supervisory authority, to notify the data subject of a personal data breach, to conduct a personal data protection impact assessment;
c) pursuant to Article 28(3)(g) of the GDPR, upon termination of the processing services depending on the Controller's decision, to delete or return to the Controller all personal data and delete all existing copies thereof, unless mandatory provisions of law require the storage of personal data, in which case §4(4) of the Agreement shall apply;
d) in accordance with Article 28(3)(h) of the GDPR, to make available to the Controller all information necessary to demonstrate compliance with the obligations set forth in Article 28 of the GDPR and to enable the Controller or an auditor authorized by the Controller to conduct and contribute to audits, including inspections;
e) to immediately inform the Controller if, in the opinion of the Processor, the order issued to them constitutes a violation of the GDPR or other national or EU regulations;
f) to ensure that all processors to be used by the Processor are required to comply with the same data protection obligations as the Processor under the Agreement.
3. The right to audits referred to in paragraph 2.4 may be exercised during the Processor's business hours, i.e., Monday through Friday, from 9 a.m. to 5 p.m., excluding public holidays, and with a minimum of two weeks' notice and must not interfere with the Processor's work. During the audit, the Processor shall provide the Controller with the information necessary to demonstrate compliance with the obligations set forth in Article 28 of the GDPR. Audits shall not be conducted more often than once per calendar year and shall not take more than 3 business days. All costs associated with conducting these audits will be borne by the Controller.
4. If deficiencies are found during audits, the Processor agrees to correct them within the timeframe agreed upon by the Parties.
5. The Processor is authorized to process and entrust the processing of personal data covered by the Agreement for sub-processing to external entities, outside the European Economic Area (EEA):
a) the Controller will give consent via e-mail for entrusting data to other entities for processing outside the EEA;
b) in the event that the Processor is obliged to transfer personal data under generally applicable laws, the Processor shall inform the Controller of such obligation prior to the transfer, unless the law expressly prohibits the Processor from doing so due to an important public interest.
6. As the Processor transfers personal data outside the EEA, the Processor shall comply with the specific requirements set forth in Chapter V of the Regulation "Transfers of Personal Data to Third Countries or International Organizations", and, in particular, shall ensure that the transfer of personal data takes place on the basis of appropriate legal mechanisms, in particular, Commission Implementing Decisions, standard contractual clauses or other similar legal instruments provided for in the GDPR. The list of standard clauses used is attached as Appendix 1 to the Agreement.
7. The Controller undertakes, pursuant to Article 13(1)(f) of the GDPR or Article 14(1)(f) of the GDPR, to inform persons whose data it will entrust to the Processor of its intention to transfer their personal data outside the EEA.
8. In accordance with Article 27(1) of the GDPR, the Controller has appointed a representative in the EEA: Agnieszka Pilarska ([email protected], Reja 12/26, 31-216, Cracow). The Representative is authorized by the Processor to be contacted – in addition to or instead of the Processor – in particular by supervisory authorities and data subjects, in particular, regarding all matters related to processing, for the purpose of ensuring compliance with the GDPR.
Rights and Obligations
This section outlines the responsibilities of both parties under the agreement, including the Processor's obligations to assist with data subject requests, ensure security measures, and facilitate audits, as well as requirements for data transfers outside the EEA.
§6. Reporting incidents
1. The Processor undertakes, upon discovery of a personal data protection breach, to report it to the Controller without undue delay.
2. The information provided to the Controller shall include at least:
a) a description of the nature of the breach and, if possible, an indication of the category and approximate number of persons whose data were breached as well as the amount/type of data affected;
b) a description of the possible consequences of the breach;
c) a description of the measures applied or proposed to be applied by the Processor to remedy the breach, including minimizing its negative effects.
Reporting Incidents
This section outlines the Processor's obligations to promptly report any personal data breaches to the Controller, including providing details about the nature, consequences, and remedial measures for such incidents.
§7. Use of sub-processors
1. The Controller consents, i.e. gives its general consent referred to in Article 28(2) of the GDPR, to the Processor's use of other processors (i.e. sub-processors).
2. The Processor undertakes to inform the Controller of any intended changes regarding the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes. The Processor shall provide information about the change by means of a message sent to the Administrator using electronic mail (e-mail).
3. The Controller undertakes to express the objections referred to in paragraph 2, under pain of invalidity, in writing or in documentary form within 7 days from the date of receipt of information about the aforementioned changes and providing reasons for them. The parties agree that the lack of objection within this period will be considered as the Controller's consent to the change of the sub-processor. The Controller undertakes not to object to the above changes without valid reasons.
4. If the Controller objects to a change involving the addition or substitution of sub-processors in accordance with paragraphs 2 and 3 above, it may not be possible to process the data for the purposes for which the data were entrusted to the Processor. In such a situation, the Processor shall be entitled to terminate the Agreement without notice, and any liability of the Processor for non-performance or improper performance of the Agreement or the Master Agreement caused by the inability to process the data for the purposes for which the data were entrusted to the Processor is excluded by the Parties.
Sub-processors
This section addresses the Processor's ability to use additional data processors, requiring the Processor to notify the Controller of any changes to sub-processors and giving the Controller the right to object within a specified timeframe.
§8. Declared technical and organizational measures
1. Pursuant to Article 28(3)(b) of the GDPR, the Processor undertakes that any person executing the Agreement on its behalf will be required to ensure the confidentiality of the processed personal data to which it will have access, and in particular that it will not transfer, disclose or share such data with unauthorized persons.
2. Pursuant to Article 28(3)(c) of the GDPR, the Processor undertakes to apply the technical and organizational measures required under Article 32 of the GDPR, i.e., in particular, adequate to the identified risk of violation of the rights or freedoms of the entrusted personal data.
Technical Measures
This section outlines the security and confidentiality measures that the Processor will implement to protect the personal data being processed, ensuring compliance with GDPR's technical safeguards requirements.
§9. Data breach procedure. Mutual exchange of information
1. The Parties agree to immediately notify each other of potential data protection breaches. In the situation of a suspected data breach, the Parties agree to cooperate, in accordance with the provisions of the GDPR.
2. The Parties agree that they will consult on the necessity and content of data breach notifications to the supervisory authority.
3. Whenever the Parties provide each other with information and statements regarding the data processed under the Agreement, such information and statements shall be provided to the e-mail addresses indicated below:
a) for the Controller: [e-mail address, phone number];
b) for the Processor: [email protected].
Data Breach Procedure
This section establishes the communication protocol between the Parties in case of data breaches, ensuring prompt notification and collaborative response to potential data protection incidents.
§10. Liability
The Processor's total liability for non-performance or improper performance of the Agreement in any case is limited to half of the sum of the net fees paid by the Controller based on the Master Agreement within the last 12 months, preceding the event giving rise to the claim in question and only to the value of the actual damage, i.e. excluding lost profits (lucrum cessans). The limits of the Processor's liability indicated in the Agreement and the Master Agreement do not add up. In the event that the Processor is required to incur liability under the Agreement, the claim in question shall reduce the limit of liability indicated in the Master Agreement.
Liability
This section defines the financial liability limits of the Processor in case of non-performance or improper performance of the agreement, capping it at half of the fees paid in the previous 12 months.
§11. Final provisions. Termination of the Agreement
1. The Agreement is concluded for the duration of the Master Agreement, i.e., the Agreement is terminated without the need for additional statements, as a result of the termination or expiration of the Master Agreement.
2. The Agreement enters into force upon the execution of the Master Agreement.
3. Amendment to, supplement or termination of the Agreement under the pain of nullity shall be in writing / document form.
4. In a situation where:
a) The Processor, despite being required to remedy the deficiencies identified during the audit, fails to remedy them within the timeframe agreed upon by the Parties, or processes personal data in a manner inconsistent with the Master Agreement, or
b) The Processor processes the entrusted personal data in violation of the Agreement or applicable laws (including the GDPR),
The Controller may terminate the Agreement with immediate effect without notice upon the ineffective expiration of an additional period of time for cessation of violations, set by the Controller, and not less than fourteen days from the date of receipt of the notice.
5. The Processor may terminate the Agreement with immediate effect, without notice, if it is determined that the Controller processes the data entrusted to the Processor in a manner that violates §5(1) of the Agreement, in particular, by processing the data entrusted to the Processor without the legal basis specified in Article 6(1) of the GDPR.
6. Appendix 1 to the Agreement – standard contractual clauses, is an integral part of the Agreement.
7. The Agreement was saved on an electronic medium stored on the Processor's servers and sent to the e-mail address provided by the Controller in PDF form / The Agreement was signed in two counterparts – one for each Party.
The Processor
The Controller
Final Provisions
This section covers the agreement's duration, termination conditions, amendment procedures, and other final legal provisions necessary to establish the contractual relationship between the Processor and Controller.