Processing Agreement

Parties:

1. the private limited liability company AppyBee LTD (hereinafter: “the Processor”),
2. the natural person/legal person with whom the processor has entered into a license agreement for the benefit of the AppyBee, (hereinafter: “the Controller'').

take into account that:

1. In the context of the implementation of the license agreement applicable between the parties with regard to the AppyBee, the Processor will process personal data on behalf of the Controller;
2. The parties wish to record the agreements on the processing of personal data by the Processor in this processing agreement;
   

1. Definitions
   

   1. GDPR: the General Data Protection Regulation (regulation (EU) 2016/679) including the implementing law of this regulation
   2. Data Subject: the person to whom the Personal Data relates, as referred to in Article 4(1) GDPR.
   3. Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed as referred to in Article 4 paragraph 12 GDPR.
   4. Main Agreement: the main agreement(s) concluded between the Controller and the Processor, including appendices, to which this Processor Agreement relates.
   5. Employees: Persons who work at the Controller or at the Processor, either in employment or temporarily hired.
   6. Recipient: a natural or legal person, a government agency, a service or another body, whether or not a third party, to whom/to whom the Personal Data is disclosed.
   7. Parties: Controller and Processor.
   8. Personal Data: all information about an identified or identifiable natural person (the Data Subject) that is processed in the context of the Main Agreement as referred to in Article 4 paragraph 1 GDPR; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
   9. Sub-processor: another processor engaged by the Processor to Process Personal Data on behalf of a Controller.
   10. Processor: the natural or legal person, a government organization, a service or another body that processes Personal Data on behalf of the Controller as referred to in Article 4 paragraph 8 GDPR.
   11. Processing/Processing: an operation or a set of operations relating to Personal Data or a set of Personal Data, whether or not carried out by automated processes, such as collecting, recording, organizing, structuring, storing, updating or changing, retrieving, consulting, using , providing by means of forwarding, distributing or otherwise making available, aligning or combining, blocking, deleting or destroying data as referred to in Article 4 paragraph 2 GDPR.
   12. Controller: the natural or legal person, a government organization, a service or another body that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data as referred to in Article 4 paragraph 7 GDPR.
   13. Processor Agreement: this Processor Agreement for recording the agreements as referred to in Article 28 paragraph 3 GDPR.

2. Applicability
   

   1. This Processor Agreement relates to the Processing of Personal Data by the Processor on behalf of the Controller in the context of the implementation of the Main Agreement.
   2. The nature and purpose of the Processing, the type of Personal Data, the categories of Personal Data, the Data Subjects and Recipients are described in Appendix 1.
   3. Processor guarantees to comply with the requirements of the applicable laws and regulations regarding the Processing of Personal Data.

3. Duration and Termination
   

   1. This Data Processing Agreement will enter into force at the time the Main Agreement commences, or at a time to be determined by the parties.
   2. The Processor Agreement ends when the Main Agreement ends.
   3. Neither Party can prematurely terminate this Processing Agreement separately from the Main Agreement.
   4. Obligations which, by their nature, are intended to continue after termination of this Processing Agreement, will continue to apply after termination of this Processing Agreement. These provisions include, for example, those resulting from the provisions on confidentiality, liability, dispute resolution and applicable law.

4. Processing
   

   1. Processor Processes the Personal Data exclusively on behalf of and on the basis of written instructions from the Controller, subject to deviating statutory regulations that apply to the Processor. Processor Processes the Personal Data no longer or more extensively than necessary for the implementation of the Main Agreement.
   2. If, in the opinion of the Processor, an instruction as referred to in the first paragraph of this article is in conflict with a legal regulation regarding data protection, it will inform the Processing Manager of this prior to the Processing, unless a legal regulation prohibits this notification.
   3. If the Processor is required to provide Personal Data on the basis of a statutory regulation, it will inform the Controller immediately, and if possible prior to the provision.
   4. The Processor ensures that only its Employees have access to the Personal Data. The exception to this is the engagement of Subprocessors in accordance with the provisions of Article 11 of this Processor Agreement. Processor limits access to Employees for whom access is necessary for their work, whereby access is limited to Personal Data that these Employees need for their work. The Processor also ensures that the Employees who have access to the Personal Data have received correct and complete instructions on how to handle Personal Data and that they are familiar with the responsibilities and legal obligations.
   5. The controller is legally obliged to comply with current laws and regulations in the field of privacy. In particular, the Controller must determine whether there is a lawful basis for Processing the Personal Data. The Processor ensures that it complies with the regulations applicable to it as a Processor in the field of the Processing of Personal Data and the agreements made in this Processor Agreement.
   6. The Processing takes place under the responsibility of the Controller. The Processor has no control over the purpose and means of the Processing and does not make decisions about matters such as the use of Personal Data, the retention period of the Personal Data processed for the Controller and the provision of Personal Data to third parties. The Controller must ensure that it has clearly established the purpose and means of the Processing of the Personal Data.

5. Security
   

   1. The Processor has taken the security measures referred to in Appendix 2 to this Processor Agreement. When taking the security measures, account has been taken of the risks to be mitigated, the state of the art and the costs of the security measures. These security measures include in any case:
      1. the ability to ensure on an ongoing basis the confidentiality, integrity, availability and resilience of the processing systems and services;
      ‍
      1. the ability to restore the availability of and access to the Personal Data in a timely manner in the event of a physical or technical incident;
      2. a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for the security of Processing.
   2. The Controller has informed itself well about the security measures taken by the Processor and is of the opinion that these measures have a security level that is appropriate to the nature of the Personal Data and the scope, context, purposes and risks of the Processing.
   3. The parties recognize that guaranteeing an appropriate level of security may constantly force additional security measures to be taken. Processor guarantees a security level tailored to the current risk. The Processor will inform the Controller if any of the security measures change substantially.
   4. The Processor offers appropriate guarantees for the application of the technical and organizational security measures with regard to the Processing to be performed. If the Controller wishes to have the manner in which the Processor complies with the security measures inspected, the Controller can submit a request to the Processor to this end. Processor and Controller will jointly make agreements about this. The costs of an inspection are borne by the Controller. The Controller will provide the Processor with a copy of the inspection report.
   5. The Processor will, unless it has obtained explicit prior written permission from the Controller, not Process any Personal Data or have it Processed by itself or by third parties in countries outside the European Union (“EU”).