Data Processing Agreement
1. Introduction
This Data Processing Agreement (the "DPA") is an annex to the service agreement entered into between SYNAPSALE, S.L. and the Client governing the contracting and use of the Platform. Execution of the service agreement implies acceptance of this DPA, which shall apply from the start of the contractual relationship and shall form an integral part of the General Terms and Conditions for Contracting and Use published at www.synapsale.com and www.synapsale.es. This Agreement shall also be binding when demonstrations or free trials are conducted.
SYNAPSALE, S.L. (hereinafter, SYNAPSALE) is a Spanish company with registered office at Calle Fuente San Isidro, 5-12 - 46184 - San Antonio de Benageber (Valencia), Spain, and owner of the Platform, acting as data processor. The Client is the entity that contracts the Platform and whose data are included in the service agreement, acting as data controller.
The Platform refers to the software developed by SYNAPSALE for the automated search of profiles based on predefined criteria, contact data enrichment, automated or semi-automated sending of connection requests, preconfigured initial messaging through different channels, and activity tracking reports, among other functionalities. Sub-processors are those data processors that SYNAPSALE may engage in accordance with Article 28(4) of the GDPR.
2. Capacity of Representation
The persons executing the service agreement declare, under their responsibility, that they have the necessary authority to enter into agreements on behalf of SYNAPSALE, as service provider and data processor, and on behalf of the Client, as recipient and user of the services.
3. Term of the Agreement
This DPA shall remain in force for the same duration as the service agreement and shall be automatically renewed annually unless the contractual relationship is terminated, including early termination. Upon termination of the agreement, SYNAPSALE shall delete or return to the Client, or to another processor designated by the Client, the personal data processed, and shall delete any copies thereof, unless Union or Member State law requires storage of the personal data in accordance with Article 28(g) of the GDPR.
4. Purpose of the Agreement
The purpose of this DPA is to authorize SYNAPSALE, as data processor, to process on behalf of the Client the personal data necessary for the provision of the contracted services, in particular those related to access to and use of the Platform, and always in accordance with the instructions set out in the service agreement and in this DPA.
Personal data processing may include the collection, structuring, storage, consultation, deletion and disclosure of the Client's personal data, solely in accordance with the documented instructions of the data controller.
5. Categories of Data Processed
For the performance of the services under this DPA, the Client makes available to SYNAPSALE the following information:
- Professional identification data (name, email address, telephone number, job title).
- Professional data relating to the Client's employees and staff.
- Data relating to transactions of goods and services.
- Economic and financial data related to payment for the services.
- Any additional data strictly necessary for the provision of the contracted services.
No sensitive personal data or special categories of data within the meaning of the GDPR shall be collected, stored or processed.
6. Obligations of SYNAPSALE
As data processor, SYNAPSALE undertakes to comply with the obligations established in Regulation (EU) 2016/679 and Organic Law 3/2018, and in particular to:
- 6.1. Process the Client's personal data only for the purposes of the agreement and in accordance with the Client's instructions.
- 6.2. Ensure that persons authorized to process personal data commit themselves in writing to confidentiality and are aware of applicable security measures.
- 6.3. Implement the security measures provided for in Article 32 of the GDPR to ensure the confidentiality, integrity, availability and resilience of processing systems.
- 6.4. Assist the Client in responding to requests for the exercise of data subject rights (access, rectification, erasure, objection, restriction, portability and opposition to automated decisions).
- 6.5. Assist the Client in complying with Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to SYNAPSALE.
- 6.6. Process data in accordance with the Client's instructions and inform the Client if any instruction infringes the GDPR or other applicable law.
- 6.7. Maintain a written record of processing activities carried out on behalf of the Client in accordance with Article 30(2) of the GDPR.
- 6.8. Make available to the Client all information necessary to demonstrate compliance with Article 28 of the GDPR and allow for reasonable audits or inspections, limited to once per year unless a personal data breach has occurred within the previous twelve months.
- 6.9. Not disclose personal data to third parties without the Client's express authorization, except in legally permissible cases, informing the Client in advance when there is a legal obligation to transfer data to third countries or international organizations.
- 6.10. Maintain confidentiality obligations with respect to personal data even after termination of the agreement and ensure appropriate training of authorized personnel.
- 6.11. Notify the Client without undue delay, and in any event within a maximum of forty-eight (48) hours, of any personal data breach, providing the information necessary for documentation and notification to the supervisory authority and data subjects.
- 6.12. Obtain the Client's authorization to engage sub-processors necessary for Platform operations, informing the Client in advance of any changes and ensuring that such sub-processors assume equivalent obligations.
- 6.13. Return personal data to the Client and, where applicable, the related media upon termination of the services, deleting copies unless there is a legal obligation to retain them or pending liabilities.
- 6.14. Ensure that international data transfers comply with Chapter V of the GDPR and remedy, within a reasonable period, any regulatory change that invalidates the transfer mechanism used.
7. Obligations of the Client
The Client shall provide SYNAPSALE with the necessary data, ensure that its use of the Platform complies with the GDPR, carry out any required data protection impact assessments and prior consultations, monitor SYNAPSALE's compliance with the GDPR, and supervise the processing carried out, including appropriate audits and inspections.
8. Liability of the Parties
The parties shall be liable for damages caused by negligent or willful conduct in the performance of their legal and contractual obligations. They shall not be liable for breaches caused by force majeure or fortuitous events recognized by applicable case law.
9. Data Protection
Personal data associated with the execution of this DPA shall be incorporated into the parties' files in order to manage the established relationship and to provide information about the services and contractual obligations. The parties may exercise the rights recognized by applicable law and undertake to facilitate such exercise and to provide any additional information required regarding their data protection policies.
10. Final Provision
The Client acknowledges SYNAPSALE's right to use information related to the operation, use and technical support of the Platform for legitimate internal purposes related to product improvement and development, regulatory compliance, Platform security and fraud prevention. This DPA shall be governed by applicable law and subject to the jurisdiction of the competent courts and tribunals.