DATA PROCESSING AGREEMENT

1. BACKGROUND

1.1 The Parties have entered into an agreement regarding Processor’s provision of services (the "Main Agreement"). The services rendered under the Main Agreement will include processing of personal data by Processor on behalf of Controller.

1.2 This Data Processing Agreement (“DPA”) governs the Customer’s (“Controller”) rights and obligations as a data controller and Welloop’s (“Processor”) rights and obligations as a data processor when Processor processes personal data on behalf of Controller.

1.3 This DPA forms an integral part of the Main Agreement. In the event of inconsistencies between the provisions of the Main Agreement and this DPA, this DPA shall prevail and take precedence.

2. DEFINITIONS

2.2 Unless otherwise stated, terms and expressions in this DPA shall be interpreted in accordance with applicable data protection legislation.

2.3 Terms and expressions used in this DPA, but not defined herein, shall be defined in accordance with the Main Agreement.

3. SCHEDULES

Schedule 1: Specification of the processing of personal data

Schedule 2: List of pre-approved sub-processors

4. PROCESSING OF PERSONAL DATA

4.1 Processor undertakes to process personal data only in accordance with documented instructions from Controller, unless otherwise provided by applicable data protection legislation. Controller’s instructions to Processor regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, are exhaustively set out in this DPA and Schedule 1.

4.2 Controller confirms that Processor's obligations set out in this DPA, including Schedule 1, constitute the complete instructions to Processor.

4.3 Any amendments to Controller's instructions shall be documented in writing and signed by both Parties in order to be valid. Any such amendments shall also include provisions in respect of changes (if any) of Processor’s remuneration. Controller may not, without such written agreement, instruct Processor to process personal data regarding other categories of personal data or regarding other categories of data subjects than those specified in Schedule 1.

4.4 Processor shall without undue delay inform Controller if, in its opinion, an instruction from Controller regarding the processing of personal data infringes data protection legislation.

4.5 Processor shall, to the extent required by applicable data protection legislation and in accordance with Controller's written instructions, where applicable, assist Controller in fulfilling its obligations under applicable data protection legislation.

5. SUB-PROCESSORS AND TRANSFERS TO THIRD COUNTRIES

5.1 Controller authorises Processor to engage sub-processors within and outside the EU / EEA. Processor shall ensure that sub-processors are bound by written agreements which impose on them the same data protection obligations as set out in this DPA. Schedule 2 contains a list of sub-processors that from the execution date of this DPA have been pre-approved.

5.2 If Processor intends to engage a new sub-processor or replace an existing sub-processor to process personal data covered by this DPA, Processor shall inform Controller of any intended changes concerning the addition or replacement of sub-processors and give Controller the opportunity to object to such changes. Any objections by Controller shall be made in writing within 30 days from receipt of the information from Processor. Processor shall provide Controller with the information that Controller may reasonably request to assess whether compliance with the obligations under this DPA and applicable data protection legislation is possible if the proposed sub-processor is engaged. If, in Controller’s justifiable opinion, such compliance is not possible if the proposed sub-processor is engaged, and Processor despite Controller’s justified objection engages the proposed sub-processor, Controller is entitled to terminate this DPA at no extra cost. If Controller’s objection is not justified, Controller is not entitled to terminate this DPA.

5.3 Processor may transfer personal data outside the EU / EEA. If personal data is transferred to or made available outside the EU / EEA, Processor shall ensure that there is a legal basis for the transfer and that the transfer is subject to an appropriate safeguard under applicable data protection legislation, such as standard data protection clauses adopted by the Commission. Controller authorises Processor to enter into such standard data protection clauses with sub-processors on behalf of Controller.

6. DATA SECURITY AND CONFIDENTIALITY

6.1 Processor is obliged to fulfill its legal obligations regarding data protection under applicable data protection legislation and shall in all cases take appropriate technical and organisational measures to protect the personal data being processed.

6.2 Processor shall ensure that only such persons who need access to personal data in order to fulfill Processor's obligations under the Main Agreement and this DPA have access to such data. Processor shall ensure that such persons are subject to appropriate means of confidentiality.

7. DISCLOSURE OF PERSONAL DATA AND CONTACTS WITH COMPETENT AUTHORITIES

7.1 Processor may not, without the prior written consent of Controller, disclose or otherwise make available personal data processed under this DPA to third parties, unless otherwise provided by Swedish or European law or pursuant to a decision by a competent court or authority.

7.2 If a data subject requests information from Processor regarding the processing of personal data covered by this DPA, Processor shall without undue delay refer such request to Controller.

7.3 If a competent authority requests information from Processor regarding the processing of personal data covered by this DPA, Processor shall without undue delay notify Controller thereof, unless otherwise provided by applicable law or pursuant to a decision by a competent court or authority. Processor may not act on behalf of Controller or as its agent and may not, without the prior consent of Controller, transfer or otherwise make available personal data governed by this DPA or other information relating to the processing of such personal data to any third party, unless otherwise required by Swedish or European law or pursuant to a non-appealable decision by a competent court or authority. Processor may however provide confirmation that a request has been received by Processor and forwarded to Controller.

7.4 If Processor, in accordance with applicable Swedish or European law, is requested to disclose personal data covered by this DPA, Processor shall without undue delay notify Controller thereof, unless otherwise provided by applicable law or pursuant to a decision by a competent court or authority.

8. PERSONAL DATA BREACH

8.1 Processor shall notify Controller without undue delay after having become aware of a personal data breach.

8.2 Processor shall assist Controller with the information reasonably required to fulfill Controller’s obligation to report personal data breaches.

9. AUDIT RIGHTS

9.1 In its capacity as controller, Controller shall be entitled to take the necessary measures to verify that Processor is able to comply with its obligations under this DPA and that Processor has in fact taken the necessary measures to ensure such compliance.

9.2 Processor undertakes to provide Controller with all information necessary to demonstrate compliance with its obligations under this DPA, and to enable and participate in audits, including on-site inspections, carried out by Controller or other auditor appointed by Controller, provided that the person(s) performing the audit have entered into customary confidentiality agreements.

10. REMUNERATION

Processor shall be entitled to reasonable remuneration on a time and material basis for work performed or assistance provided pursuant to its obligations in sections 4.4, 7, 8.2, 9 and 13 of this DPA.

11. ADMINISTRATIVE FINES AND LIABILITY

11.1 Processor’s liability under this DPA shall in no event exceed the lower of (i) SEK 100,000 and (ii) the limitations of liability set out in the Main Agreement.

11.2 For the avoidance of doubt, the limitations of liability set out in the Main Agreement shall apply to the Processor’s liability under this DPA as if set out herein and any reference in the Main Agreement to the aggregate liability of a Party means the aggregate liability of that Party under the Main Agreement and DPA together.

11.3 The Parties agree that any administrative fines imposed under applicable data protection legislation shall be paid by the Party that the administrative fine was imposed upon, as decided by the relevant supervisory authority or competent court authorized to impose such fines, and in no event shall a Party be liable for the other Party’s administrative fines, including under any indemnification obligations.

11.4 Since Processor shall only process personal data in accordance with Controller’s instructions, Processor is not liable where Processor has acted in accordance with Controller’s instructions.

12. TERM OF AGREEMENT

The provisions of this DPA shall apply as long as Processor processes personal data for which Controller is the controller.

13. MEASURES UPON TERMINATION OF THIS DPA

13.1 Upon termination of this DPA, Processor shall either delete, anonymize or return all personal data processed under this DPA without undue delay, and at the latest within thirty (30) days of receiving such notice from Controller, unless Swedish or European Union law requires storage of the personal data.

13.2 Notwithstanding Section 13.1, Processor shall be permitted to retain anonymized personal data, unless (i) otherwise set out in the Main Agreement, or (ii) prohibited under applicable law.

13.3 At the request of Controller, Processor shall without undue delay provide Controller a written notice of the measures taken regarding the personal data, even if the Main Agreement or this DPA have been terminated.

14. AMENDMENTS TO THIS DPA

Any changes or additions to this DPA shall be made in writing and signed by both Parties in order to be valid.

15. APPLICABLE LAW AND DISPUTES

15.1 This DPA shall be governed by Swedish law.

15.2 Any dispute arising out of or in connection with this DPA shall be finally settled in accordance with the provisions regarding dispute resolution in the Main Agreement. If the Main Agreement does not contain provisions regarding dispute resolution, any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall instead be finally settled by arbitration in accordance with the Arbitration Rules of the SCC Arbitration Institute. The arbitral tribunal shall be composed of one arbitrator, appointed by the Institute. The arbitration proceedings shall be held in Uppsala, Sweden and conducted in English unless the Parties agree otherwise.

SCHEDULE 1

SPECIFICATION OF THE PROCESSING OF PERSONAL DATA

| Field | Description |
| --- | --- |
| Purposes | To deliver services in accordance with the terms of the Main Agreement. |
| Categories of personal data | User information, including: Name, Address, Date of birth, Gender, Profile picture, Email address, Telephone number, Social security number, Training attendance, wellbeing data (e.g., answers to pre- and post-event questions regarding physical and mental readiness, general wellbeing, etc.), Usage data, Other information input by User (e.g. voluntary free-text answers to questions). |
| Special categories | Wellbeing data may include personal data constituting “data concerning health” (Art. 4.15 GDPR). |
| Categories of data subjects | Users who are players in the teams managed by Controller; Parents or guardians of players; Administrators assigned by Controller (e.g. coaches). |
| Processing activities | The processing involves, as appropriate and relevant to the services under the Main Agreement, all activities covered under the definition of the term 'processing' under applicable data protection legislation. |

SCHEDULE 2

PRE-APPROVED SUB-PROCESSORS

| Company name | Location | Description of the processing |
| --- | --- | --- |
| Supabase, Inc. | Frankfurt, Germany (EU) | Cloud database and backend infrastructure provider used for secure storage, processing, and management of application data. |
| Resend, Inc. | United States | Email delivery service used to send transactional emails, notifications, and system communications to users. |
| Anthropic, PBC | United States | AI service provider used to generate insights, summaries, and recommendations based on user-provided data within the platform. |
| PostHog, Inc. | Frankfurt, Germany (EU) | Product analytics and event tracking platform used to collect and analyze user interactions within the application to improve functionality, performance, and user experience. |