This Data Processing Agreement ("DPA") forms an integral part of, and is subject to the Terms of Service referencing this DPA ("Terms") that has been entered into by and between the Customer (as defined in the Terms) ("Customer") and ViTAs Labs Ltd. ("ViTAs").

Whereas, in connection with its provision of ViTAs's solution (as defined in the Terms); and 

Whereas, the parties wish to set forth the mutual obligations with respect to the Processing of Customer Personal Data by ViTAs; 

Now therefore, intending to be legally bound, the parties hereby agree as follows:

In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth below:

1. "Applicable Law" means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR"), laws implementing or supplementing the GDPR.

2. "Customer Personal Data" means any Personal Data Processed by ViTAs on behalf of Customer pursuant to or in connection with the Terms.

3. "Data Protection Laws" means Applicable Law and, to the extent applicable, the data protection or privacy laws of any other applicable country where the Services are delivered or as agreed in writing between the parties.

4. "Standard Contractual Clauses" means the standard contractual clauses for the transfer of Personal Data to data importers established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as set out in Commission Implementing Decision (EU) 2021/914 and available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&qid=1640528660139&from=EN;

5. "Sub-processor" means any person (excluding an employee of ViTAs) appointed by or on behalf of ViTAs to Process Customer Personal Data on behalf of the Customer in connection with the Terms.

6. The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processor", "Processing" and "Supervisory Authority" shall have the meanings ascribed to them in the GDPR.

1. ViTAs shall Process Customer Personal Data on Customer's behalf and at Customer's instructions as specified in the Terms and in this DPA, including without limitation with regard to transfers of Customer Personal Data to a third country or international organization. Any other Processing shall be permitted only in the event that such Processing is required by any Data Protection Laws to which ViTAs is subject. In such event, ViTAs shall, unless prohibited by such Data Protection Laws on important grounds of public interest, inform Customer of that requirement before engaging in such Processing.

2. Customer instructs ViTAs (and authorizes ViTAs to instruct each Sub-processor) (i) to Process Customer Personal Data for the provision of the services through the solution, as detailed in the Terms ("Services") and as otherwise set forth in the Terms and in this DPA, and/or as otherwise directed by Customer; and (ii) to transfer Customer Personal Data to any country or territory as reasonably necessary for the provision of the Services and in accordance with Applicable Law. ViTAs may also use aggregate and anonymized data derived from Customer Personal Data (but which does not constitute Personal Data) in order to improve its own Services.

3. Customer sets forth the details of the Processing of Customer Personal Data, as required by Article 28(3) of the GDPR in Schedule 1 (Details of Processing of Customer Personal Data), attached hereto.

4. To the extent that ViTAs Processes Personal Data in countries outside of the European Economic Area that do not provide an adequate level of data protection, as determined by the European Commission or other adequate authority as determined by the EU, the Standard Contractual Clauses shall apply and shall be incorporated herein upon execution of this DPA by the parties. Annexes 1 and 2, attached hereto, shall apply as Annexes 1 and 2 of the Standard Contractual Clauses. The Standard Contractual Clauses are modular, containing numerous sections that each pertain to a specific type of entity or transfer. For the purposes of this DPA and any transfers of data to third countries pursuant hereto, only the modular sections pertaining to module two (Customer to ViTAs) of the Standard Contractual Clauses shall apply, in addition to all general sections therein.

Customer represents and warrants that it has and shall maintain throughout the term of the Terms and this DPA, all necessary rights to provide the Customer Personal Data to ViTAs for the Processing to be performed in relation to the Services and in accordance with the Terms and this DPA. To the extent required by Data Protection Laws, Customer is responsible for obtaining any necessary Data Subject consents to the Processing, and for ensuring that a record of such consents is maintained throughout the term of the Terms and this DPA and/or as otherwise required under Data Protection Laws.

ViTAs shall take reasonable steps to ensure that access to the Customer Personal Data is limited on a need to know and/or access basis and that all ViTAs employees receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access to and use of Customer Personal Data.

ViTAs shall implement appropriate technical and organizational measures to ensure an appropriate level of security of the Customer Personal Data as set forth in the Binding Security Document attached hereto as Schedule 2. In assessing the appropriate level of security, ViTAs shall take into account the risks that are presented by the nature of the Processing and the information available to ViTAs.

1. ViTAs shall notify Customer without undue delay and, where feasible, not later than within 48 (forty eight) hours upon ViTAs becoming aware of a Personal Data Breach affecting Customer Personal Data. In such event, ViTAs shall provide Customer with reasonable and available information to assist Customer in meeting any obligations to inform Data Subjects or Supervisory Authorities of the Personal Data Breach as required under Applicable Law.

2. At the written request of the Customer, ViTAs shall reasonably cooperate with Customer and take such commercially reasonable steps as are agreed by the parties or required under Applicable Law to assist in the investigation, mitigation and remediation of any Personal Data Breach.

1. Customer authorizes ViTAs to appoint (and permits each Sub-processor appointed in accordance with this Section 7 to appoint) Sub-processors in accordance with this Section 7.

2. ViTAs may continue to use those Sub-processors already engaged by ViTAs as identified to Customer as of the date of this DPA.

3. ViTAs may appoint new Sub-processors and shall give notice of any such appointment to Customer. If, within seven (7) days of such notice, Customer notifies ViTAs in writing of any reasonable objections to the proposed appointment, ViTAs shall not appoint the proposed Sub-processor for the Processing of Customer Personal Data until reasonable steps have been taken to address the objections raised by Customer and Customer has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Customer's reasonable objections, the Terms may be terminated to the extent that they relate to the Services requiring the use of the proposed Sub-processor. In such event, no liability shall be borne for such termination.

4. With respect to each new Sub-processor, ViTAs shall

   1. ​Prior to the Processing of Customer Personal Data by Sub-processor, take reasonable steps (for instance by way of reviewing privacy policies as appropriate) to ensure that Sub-processor is committed and able to provide the level of protection for Customer Personal Data required by this DPA; and

   2. ensure that the arrangement between ViTAs and the Sub-processor is governed by a written contract, including terms that offer a materially similar level of protection for Customer Personal Data as those set out in this DPA and meet the requirements of Applicable Law.

5. ViTAs shall remain fully liable to the Customer for the performance of any Sub-processor's obligations.

    

    

1. Customer shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Customer Personal Data, etc.). ViTAs shall, at Customer's sole expense, use commercially reasonable efforts to assist Customer in fulfilling Customer's obligations with respect to such Data Subject requests, as required under Data Protection Laws.

2. Upon receipt of a request from a Data Subject under any Data Protection Laws in respect to Customer Personal Data, ViTAs shall promptly notify Customer of such request and shall not respond to such request except on the documented instructions of Customer or as required by Data Protection Laws to which ViTAs is subject, in which case ViTAs shall, to the extent permitted by Data Protection Laws, inform Customer of such legal requirement prior to responding to the request.

At Customer's written request and expense, ViTAs and each Sub-processor shall provide reasonable assistance to Customer with respect to any Customer Personal Data Processed by ViTAs and/or a Sub-processor, with any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, as required under any Data Protection Laws.

ViTAs shall promptly and in any event within 60 (sixty) days of the date of cessation of provision of the Services to Customer involving the Processing of Customer Personal Data, delete, return, or anonymize all copies of such Customer Personal Data, provided however that ViTAs may retain Customer Personal Data, as permitted by applicable law.

1. Subject to Sections 11.2 and ‎11.3, ViTAs shall make available to an auditor mandated by Customer in coordination with ViTAs, upon prior written request, such information reasonably necessary to demonstrate compliance with this DPA and shall allow for audits, including inspections, by such reputable auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by ViTAs, provided that such third-party auditor shall be subject to confidentiality obligations.

2. Any audit or inspection shall be at Customer's sole expense and shall be subject to the terms of the Terms, and subject to ViTAs's reasonable security policies and obligations to third parties, including with respect to confidentiality. The results of any audit or inspection shall be considered the confidential information of ViTAs and subject to the confidentiality provisions under the Terms.

3. ​Customer and any auditor on its behalf shall use best efforts to minimize or avoid causing any damage, injury or disruption to ViTAs' premises, equipment, employees and business and shall not interfere with ViTAs's day-to-day business. Customer and ViTAs shall mutually agree upon the scope, timing and duration of the audit or inspection and the reimbursement rate, for which Customer shall be responsible. ViTAs need not give access to its premises for the purposes of such an audit or inspection:

   1. ​to any individual, unless he or she produces reasonable evidence of identity and authority;

   2. if ViTAs was not given a prior written notice of such audit or inspection;

   3. outside of normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis; or

   4. for the purposes of more than one (1) audit or inspection in any calendar year, except for any additional audits or inspections which:

      1. ​Customer reasonably considers necessary because of genuine concern as to ViTAs's compliance with this DPA; or

      2. Customer is required to carry out by Applicable Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Applicable Law in any country or territory where Customer has identified its concerns or the relevant requirement or request in its prior written notice to ViTAs of the audit or inspection.

   5. ​ViTAs shall immediately inform Customer if, in its opinion, an instruction received under this DPA infringes the GDPR or other applicable Data Protection Laws.

​Customer shall indemnify and hold ViTAs harmless against all claims, actions, third party claims, losses, damages and expenses incurred by ViTAs and arising directly or indirectly out of or in connection with a breach of this DPA and/or the Data Protection Laws by Customer. Each party's liability toward the other party shall be subject to the limitations on liability under the Terms.

1. Governing Law and Jurisdiction. The parties to this DPA hereby agree that the competent courts in Ireland shall have exclusive jurisdiction regarding all disputes hereunder, and the parties expressly consent to such jurisdiction. This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of Ireland. To the extent that the Standard Contractual Clauses apply, the abovementioned jurisdiction shall be deemed the jurisdiction specified in Clause 17 of the Standard Contractual Clauses, provided that such law allows for third-party beneficiary rights.

2. Order of Precedence

   1. ​Nothing in this DPA reduces ViTAs's obligations under the Terms in relation to the protection of Customer Personal Data or permits ViTAs to Process (or permit the Processing of) Customer Personal Data in a manner that is prohibited by the Terms. 

   2. This DPA is not intended to, and does not in any way limit or derogate from Customer's obligations and liabilities towards ViTAs under the Terms and/or pursuant to Data Protection Laws or any law applicable to Customer in connection with the collection, handling and use of Customer Personal Data by Customer or other ViTAss or their Sub-processors, including with respect to the transfer or provision of Customer Personal Data to ViTAs and/or providing ViTAs with access thereto.

   3. Subject to this Section 13.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Terms and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail. In the event of inconsistencies between the provisions of this DPA and the Standard Contractual Clauses (to the extent they apply), the Standard Contractual Clauses shall prevail.

3. ​Changes in Data Protection Laws

   1. ​Customer may, by at least 45 (forty five) calendar days' prior written notice to ViTAs, request in writing any variations to this DPA if they are required as a result of any change in or decision of a competent authority under any Data Protection Laws in order to allow Customer Personal Data to be Processed (or continue to be Processed) without breach of that Data Protection Laws.

   2. If Customer gives notice with respect to its request to modify this DPA under Section ‎13.3.1, (i) ViTAs shall make commercially reasonable efforts to accommodate such modification request and (ii) Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by ViTAs to protect ViTAs against additional risks, or to indemnify and compensate ViTAs for any further steps and costs associated with the variations made herein.

   3. Severance. Should any provision of this DPA be held invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.