APPENDIX I - DATA PROTECTION AGREEMENT (DPA) 

This Data Processing Addendum (“DPA”) forms part of and is subject to the Master Services Agreement or other  written agreement (the “Agreement”) entered into between Customer and Deltia (collectively referred to in this DPA  as the “Parties” and each a “Party”). Capitalized terms not otherwise defined in this DPA have the meaning given to  them in the Agreement.  

1. Definitions 

1.1. “Affiliates” has the same meaning set forth in the Agreement. 

1.2. “CCPA” means the California Consumer Privacy Act of 2018, as may be amended, supplemented or  replaced from time to time, including the California Privacy Rights Act of 2020. 

1.3. “Customer Data” has the same meaning set forth in the Agreement. 

1.4. “Customer Personal Data” means the Personal Data contained within Customer Data. 1.5. “Data Breach” means a breach of a Party’s security leading to the accidental or unlawful destruction,  loss, alteration, unauthorized disclosure of or access to Personal Data. 

1.6. “Data Protection Laws” means all data protection and privacy laws applicable to the respective Party in  its role in the Processing of Personal Data under the Agreement, including without limitation, European  Data Protection Laws and US Data Protection Laws. 

1.7. “Data Subject” means the identified or identifiable natural person to whom Personal Data relates. 1.8. “European Data Protection Laws” means, to the extent applicable to the respective Party in its role in  the Processing of Personal Data under the Agreement, (i) Regulation 2016/679 of the European  Parliament and of the Council on the protection of natural persons with regard to the Processing of  Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”);  (ii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union  (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018; (iii) the Swiss Federal Act on Data  Protection of 25 September 2020 and the Swiss Ordinance of 31 August 2022 on Data Protection and;  (iv) any implementing, supplementing, or successor legislation to those laws and regulations identified in  subsections (i)-(iii) of this paragraph. 

1.9. “Personal Data” means any information relating to an identified or identifiable natural person and  includes similarly defined terms in Data Protection Laws, including “Personal Data” under GDPR and  “personal information” under the CCPA. 

1.10. “Standard Contractual Clauses” or “SCCs” means the standard data protection clauses adopted by the  European Commission (or, where applicable, by the UK Government or Swiss Government) under Article  46(2)(c) or (d) GDPR (or equivalent UK GDPR or Swiss Data Protection Laws), for the transfer of Personal  Data to third countries that do not ensure an adequate level of protection, as amended, updated, or  replaced from time to time. 

1.11. “Sub-processor” means any Processors engaged by a Party hereunder to Process Personal Data. 1.12. “Supervisory Authority” means an independent public authority established under Article 51 GDPR. 1.13. “Technical and Organizational Measures (TOMs)” means the security measures required under Article 32  GDPR to ensure an appropriate level of protection of Personal Data.  

1.14. “US Data Protection Laws” means, to the extent applicable to the respective Party in its role in the  Processing of Personal Data under the Agreement, federal and state laws relating to data protection,  privacy and/or the Processing of Personal Data in force from time to time in the United States. 

1.15. The terms “Controller”, “Processor”, and “Processing” (including Process, Processed, and Processes)  shall have the respective meanings ascribed to them in Data Protection Laws. If and to the extent that  Data Protection Laws do not define such terms, then the definitions given in European Data Protection  Laws will apply. 

2. Scope of Application 

2.1. Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. This DPA  shall replace and supersede any existing data processing addendum, attachment, exhibit or standard  contractual clauses that Deltia and Customer may have previously entered into in connection with the  Services.

2.2. This DPA becomes effective from the Effective Date of the Agreement and remains in effect for as long  as either Party Processes Personal Data pursuant to the Agreement. 

2.3. This DPA shall govern the rights and responsibilities of the Parties during (i) the Training Phase, where  the Parties shall act as joint controllers with respect to the Processing of Personal Data, and (ii) the  Production Phase, where Deltia shall act as a Processor of Personal Data on behalf of Customer, as  Controller of Personal Data, in each case as further set forth herein. 

2.4. During the Training Phase, Personal Data in the form of real-time video of Customer’s employees from  bird’s-eye and station-mounted cameras in Customer’s production facilities and workstations is initially  collected via optical sensors and transmitted to Deltia's systems to train the ML. If the ML needs to be  retrained, e.g., due to changes in the workflow, the Processing of Personal Data switches back to the  Training Phase. During the Training Phase, the Parties acknowledge that they are joint controllers within  the meaning of Article 26 GDPR for the Processing of Personal Data in connection with the collection and  transmission of Personal Data. Section 4 of this DPA sets forth the rights and obligations of the Parties  during the Training Phase in connection with the collection and processing of Personal Data as joint  controllers. 

2.5. During the Production Phase, (i) Personal Data in the form of real-time video of Customer’s employees  from bird’s-eye and station-mounted cameras in Customer’s production facilities and workstations is  collected via optical sensors and transmitted to and analyzed by the Deltia Platform and Customer is  provided with individual evaluation of the applicable production processes and workstations and (ii)  Customer can access and view Service Output via the Deltia Platform. During the Production Phase, the  Parties acknowledge that Deltia acts as a Processor on behalf of Customer who acts as a Controller.  Section 5 of this DPA sets forth the rights and obligations of the Parties during the Production Phase in  connection with the collection and processing of Personal Data by Deltia as a Processor on behalf of the  Customer as a Controller. 

2.6. Annexes 1 to 4 are incorporated into and form part of this DPA. 

3. General obligations of the Parties

(applicable to both the Training Phase and the Production Phase)

3.1. DPO. To the extent required under Article 37 of the GDPR, the Parties shall appoint a competent and  reliable data protection officer in accordance with Art. 37 GDPR. 

3.2. Confidentiality Obligations. Each Party shall ensure that any person under their control who is  authorized by such Party to Process Personal Data shall be under an appropriate obligation of  confidentiality (whether a contractual or statutory duty). Each Party’s personnel will not access Personal  Data Processed under this DPA except as reasonably necessary to provide the Services pursuant to the  Agreement or to comply with Data Protection Laws. 

3.3. Point of Contact. The Parties shall each appoint one person as a contact person (“DP Privacy Contact”)  with respect to their obligations under this DPA. The DP Privacy Contact for Customer shall be the email  address set forth in the Service Order. The DP Privacy Contact for Deltia is set forth in Annex 3 hereto.  The Parties shall promptly inform the other Party in writing (which may be by email to the DP Privacy  Contact forth in this Section) in the event that such Party’s DP Privacy Contact details change. 

3.4. Supervisory Authority. If a Supervisory Authority contacts one of the Parties in connection with this  DPA, the Party so contacted shall inform the other Party of this fact without delay. The Parties agree that  they will generally comply with the requests of competent Supervisory Authorities, in particular with  regard to inquiries and the provision of information. Before such a request is complied with, the Parties  shall consult and cooperate with each other on how to proceed.  

3.5. Cooperation Obligations. If either Party is required to provide information to a Supervisory Authority or  to otherwise cooperate with a public authority relating to Processing of Personal Data in such Party’s  control, such Party will inform the other Party of such obligation without delay. The Parties agree that  the will each support the other Party with such requests by providing such information reasonably  available to it or otherwise reasonably cooperating with the other Party, including providing information  that relates to TOMs taken in line with Article 32 GDPR. Before complying with request of competent  Supervisory Authorities, the Parties shall consult and cooperate with each other on how to proceed. 

3.6. Transfer of Personal Data. In principle, all Processing shall take place within the European Economic  Area (EEA), or, where applicable, the United Kingdom (UK) or Switzerland. The Parties shall not transfer Personal Data to a country outside the European Economic Area (“EEA”) or, where applicable, the United  Kingdom, or Switzerland unless such transfer complies with Chapter V of the GDPR (Articles 44–50). 

3.7. Governing Law. This DPA is subject to the governing law and jurisdiction provisions in the Agreement  unless and to the extent required otherwise by applicable Data Protection Laws. 

3.8. Compliance. Each Party will comply with its respective obligations under Data Protection Laws. 3.9. Liability. Each Party and each of its Affiliates’ liability, taken in the aggregate, arising out of or related to  this DPA (including the SCCs where applicable), whether in contract, tort or under any other theory of  liability, are subject to the limitations and exclusions of liability set out in the Agreement. 

3.10. Return and Deletion of Customer Personal Data. Upon termination of the Agreement, Processor shall  either delete (such that it cannot be recovered or reconstructed) all Customer Personal Data, unless  there is an obligation to retain such Customer Personal Data under applicable Data Protection Law. The  Parties shall continue to ensure compliance with this DPA until such Customer Personal Data is deleted  or returned. 

4. Processing of Personal Data during the Training Phase 

4.1. Scope. This Section 4 sets forth the rights and obligations of the Parties during the Training Phase in  connection with the collection and Processing of Personal Data as joint controllers. 

4.2. Parties and Purpose. The Parties acknowledge that they are joint controllers within the meaning of  Article 26 GDPR during any Training Phase for the Processing of Personal Data in connection with  training of the Deltia ML as more particularly described in Annex 1. 

4.3. Allocation of Responsibilities. The Parties agree to allocate responsibilities as set forth in this Section 4. 4.4. Transparency. The Parties agree that Customer shall make the essence of this arrangement, the  information required under Articles 13 and 14 GDPR and the information regarding access for Data  Subjects required under Articles 15 available to Data Subjects through its privacy notices. Deltia shall  provide the Customer with the information reasonably necessary to fulfill this obligation. The Parties  will reasonably cooperate with and provide feedback to the other Party with regard to the content and  wording of any such information.  

4.5. Data Subject Requests. The Parties designate the Customer DP Privacy Contact as the primary contact  point for Data Subjects. If a Data Subject contacts Customer to exercise their Data Subject rights, in  particular for information or correction and deletion of their Personal Data, the Customer shall forward  this request to Deltia at the Deltia DP Privacy Contact. Deltia shall promptly provide Customer with  information and copies of Personal Data necessary to respond to a Data Subject request within the  statutory timeframes Notwithstanding the above, the Parties agree that Data Subjects may contact  either Party to exercise their Data Subject rights and the Parties shall cooperate to ensure that responses  are complete, consistent, and provided within the statutory timeframes. 

4.6. Sub-processors. Deltia may commission Sub-processors with regard to the processing activities carried  out under joint responsibility in compliance with the requirements of Art. 28 GDPR and in accordance  with Section 5.6 (Use of Sub-processors) of this DPA. Customer shall not commission Sub-processors. 

4.7. Safety of Processing. Each Party shall take appropriate TOMs to ensure an adequate level of protection  for Personal Data corresponding to the risk of the respective Processing. Such measures are in  consideration of the state of the art, implementation costs and the type, scope, circumstances, and aims  of the Processing as well as the varying likelihood and severity of risk to the rights and freedoms of Data  Subjects. Deltia will implement the TOMs specified in Annex 3 to this DPA and/or in the Agreement and  Deltia will maintain those (or effectively similar) measures during the term of the Agreement. Upon  request, Customer shall provide Deltia with an overview of the TOMs implemented by Customer. 4.8. Data Breaches 

4.8.1. Primary Responsibility. The Parties agree that Deltia shall have primary responsibility for  detecting, investigating, containing, and mitigating Personal Data Breaches affecting the  

jointly Processed Personal Data, to the extent caused by Deltia. Notwithstanding the  

foregoing allocation, if either Party becomes aware of a Data Breach it shall implement  

appropriate technical and organizational measures to contain, mitigate, and remediate  

the Personal Data Breach, including steps to prevent a recurrence.

4.8.2. Notification Responsibilities. Deltia shall be responsible for assessing whether a Personal  Data Breach is notifiable under Articles 33 and 34 GDPR and, where required, for making  

notifications to the competent Supervisory Authority and/or affected Data Subjects.  

Customer shall provide reasonable assistance and timely cooperation to Deltia to enable  

compliance with these obligations. 

4.8.3. Cooperation and Information Sharing. Each Party shall notify the other without undue  delay upon becoming aware of a suspected or actual Personal Data Breach. Deltia shall  

keep Customer informed of the status of the investigation, likely consequences, and 

remedial measures taken. 

4.8.4. Documentation. Deltia shall maintain the breach record required under Article 33(5)  GDPR. Customer shall provide information reasonably necessary for Deltia to meet this  

obligation. 

4.8.5. Regulatory Cooperation. Deltia shall act as the lead contact point for Supervisory  

Authorities in connection with any Personal Data Breach, with Customer providing  

cooperation and assistance as reasonably requested. 

4.9. Liability. The Parties acknowledge that they may be held jointly and severally liable under the GDPR for  damages as joint controllers. As between the Parties, liability shall be allocated in proportion to each  Party’s responsibility for the breach giving rise to the damages. 

5. Processing of Personal Data during the Production Phase 

5.1. Scope. This Section 5 sets forth the rights and obligations of the Parties during the Production Phase in  connection with the collection and Processing of Customer Personal Data by Deltia as a Processor on  behalf of the Customer as a Controller. 

5.2. Parties and Purposes.  

5.2.1. For the purposes of GDPR, Deltia acts as a Processor on behalf of Customer who acts as a  Controller. 

5.2.2. For the purposes of US Data Protection Laws, Deltia will act as a “service provider” or  “processor” (as defined under US Data Protection Laws), as applicable, in its performance  

of its obligations pursuant to the Agreement and this DPA. 

5.2.3. As between the Parties, Customer is and remains the owner of Customer Personal Data  and the holder of all rights relating to Customer Personal Data. 

5.3. Processing of Customer Personal Data Pursuant to Customer’s Instructions  

5.3.1. Each Party will comply with its respective obligations under Data Protection Laws. Deltia  shall Process Customer Personal Data solely on behalf of Customer and on Customer’s  

written instructions which are set forth in the Agreement and this DPA. Any additional  

requested instructions require the prior written agreement of the Parties. Deltia shall  

promptly notify Customer if Deltia determines that such instructions conflict with  

European Data Protection Laws.  

5.3.2. Without limiting the foregoing, Deltia is prohibited from: (i) selling Customer Personal  Data or otherwise making Customer Personal Data available to any third party for  

monetary or other valuable consideration; (ii) sharing Customer Personal Data with any 

third party for cross-context behavioral advertising; (iii) retaining, using, or disclosing  

Customer Personal Data for any purpose other than for the business purposes specified in  

the Agreement or as otherwise permitted by Data Protection Laws; and (iv) combining  

Customer Personal Data with other Personal Data that Deltia receives from or on behalf  

of another person or persons, or collects from its own interaction with the Data Subject. 

5.3.3. Deltia will notify Customer without delay if Deltia determines that it can no longer meet  its obligations under US Data Protection Laws. Upon such notice, Customer may direct  

Deltia to take reasonable and appropriate steps to stop and remediate unauthorized use  

of Customer Personal Data by suspending the relevant Processing operations and/or  

deleting all or the relevant portion of Customer Personal Data; or by such other means as  

agreed to by the Parties.

5.4. Details of Processing. The details of the Processing of Customer Personal Data under the Agreement  and this DPA (e.g., subject matter, nature, duration and purpose of the Processing, categories of  Personal Data and Data Subjects) are set forth in the Agreement and/or Annex 2 to this DPA. 

5.5. Data Subject Requests 

5.5.1. If a Data Subject contacts Deltia to exercise the Data Subject’s rights regarding Customer  Personal Data as permitted under Data Protection Laws, Deltia will not respond to such  

request but will instead forward such request to Customer without undue delay. Taking  

into account the nature of the Processing, Deltia shall provide reasonable assistance upon  

Customer’s written request to assist the Customer in fulfilling its obligation to respond to  

Data Subject requests under Data Protection Laws. 

5.5.2. If a Data Subject has a right to data portability with respect to Customer Personal Data,  Deltia will ensure that Customer can obtain such data in a structured, common and  

machine-readable format. 

5.6. Use of Sub-processors 

5.6.1. Customer hereby authorizes Deltia to appoint Sub-processors in accordance with this  section. 

5.6.2. Deltia can continue using those Sub-processors already engaged by Deltia as of the  Effective Date and that are listed on Annex 4 (“Sub-processor List”), subject to Deltia  

meeting the obligations set out in this section. 

5.6.3. Deltia shall inform the Customer in writing (which may be by email) at least 21 days’ in  advance of any intended changes to the Sub-processor List, thereby giving the Customer  

sufficient time to object to these changes before the relevant Sub-processor(s) is/are  

commissioned. Customer is entitled to object to any change notified by Deltia within 21  

days and for reasonable reasons relating to the new Sub-processor’s proposed Processing  

of Customer Personal Data. If Customer fails to object to such change within this time,  

Customer is deemed to have consented to such change. Where a reasonable basis for  

such objection exists and an amicable resolution fails, Customer, as its sole remedy, may  

provide written notice to Deltia terminating the Service Order with respect to those  

aspects of the Services which cannot be provided by Deltia without the use of the new  

Sub-processor and Deltia will refund Customer any prepaid unused fees of such Service  

Order pro-rata as of the effective date of termination. 

5.6.4. Deltia (i) remains liable under this DPA for the acts and omissions of Sub-processors and  (ii) will enter into written agreements with such Sub-processors containing data  

protection obligations not less protective than those in this DPA, and including SCCs, to  

the extent applicable to the nature of the services provided by such Sub-processors. 

5.6.5. The Customer agrees that in cases where Deltia uses a Sub-processor to carry out  Processing activities (on behalf of the Customer) and these Processing activities involve a  

transfer of Personal Data within the meaning of Chapter V of the GDPR, Deltia and the  

Sub-processor may ensure compliance with Chapter V of the GDPR by using SCCs,  

provided that the conditions for the application of the SCCs are met. 

5.7. Safety of Processing. Deltia shall take appropriate TOMs to ensure an adequate level of protection for  Personal Data corresponding to the risk of the respective Processing. Such measures are in consideration  of the state of the art, implementation costs and the type, scope, circumstances, and aims of the  Processing as well as the varying likelihood and severity of risk to the rights and freedoms of Data  Subjects. Deltia will implement the TOMs specified in Annex 3 to this DPA and/or in the Agreement and  Deltia will maintain those (or effectively similar) measures during the term of the Agreement. 5.8. Data Breach. 

5.8.1. In the event of a Personal Data Breach concerning Customer Personal Data Processed by  Deltia as Processor, Deltia shall notify Customer at the Customer DS Privacy Contact  

without undue delay after Deltia becomes aware of the breach. Such notification shall,  

where possible, be made within 48 hours of confirmation of the breach. Such notification  

shall contain, at least: (i) a description of the nature of the breach (including, where 

possible, the categories and approximate number of Data Subjects and data records  

concerned); and (ii) its likely consequences and the measures taken or proposed to be  

taken to address the breach, including mitigating its possible adverse effects. 

5.8.2. Where it is not possible to provide all this information at the same time, the initial  notification shall contain the information then available and further information shall, as  

it becomes available, subsequently be provided without undue delay. 

5.8.3. Deltia will, without undue delay, take all necessary and reasonable measures to mitigate  or contain the Personal Data Breach. Deltia will inform Customer as soon as reasonably  

possible about such measures and keep Customer informed as reasonably practicable. 

5.8.4. Deltia shall cooperate with and assist the Customer to enable it to comply with Articles 33  and 34 GDPR. 

5.8.5. The Processor shall document all Personal Data Breaches and make such records available  to the Controller upon request. 

5.8.6. Deltia shall not notify Supervisory Authorities or Data Subjects of any Personal Data  Breach without the Controller’s prior written instructions, unless required by Data  

Protection Laws. 

5.9. Cooperation Obligations 

5.9.1. If Customer is required to provide information to a Supervisory Authority or to otherwise  cooperate with a public authority relating to Processing of Customer Personal Data, Deltia  

will support Customer by providing such information reasonably available to it or  

otherwise reasonably cooperating with Customer, including as such information relates to  

TOMs taken in line with Article 32 GDPR. 

5.9.2. Deltia will support Customer by providing reasonably requested information regarding  the Services to enable Customer to carry out data protection impact assessments, taking  

into account the nature of Processing and information available to the Processor.  

5.10. Documentation and Compliance 

5.10.1. To the extent that the Agreement does not otherwise give the information and audit  rights pertaining to the Processing of Customer Personal Data and meeting the relevant  

requirements of Data Protection Laws (including, where applicable, GDPR Article  

28(3)(h)), Deltia will upon reasonable request make available to Customer all information  

reasonably necessary to demonstrate compliance with this DPA, and will allow for and  

contribute to audits, including inspections, by Customer or an auditor designated by  

Customer and agreed to by Deltia, which consent will not be unreasonably withheld. The  

audit and any information arising therefrom shall be considered Deltia’s Confidential  

Information and may only be shared with a third-party with Deltia’s prior written  

agreement. Customer will not carry out more than one audit per year of the Agreement  

term unless: (i) Customer reasonably considers it necessary because of good faith  

concerns as to Deltia’s compliance with this DPA or Data Protection Laws; or (ii) Customer  

is required to carry out an audit by Data Protection Laws, a Supervisory Authority or any  

similar regulatory authority responsible for enforcement of such laws; or (iii) if an earlier  

audit has identified non-conformity with this DPA or Data Protection Laws. 

5.10.2. Nothing herein limits any rights mandated by law, such as supervisory authority and Data  Subject rights, including in accordance with any SCCs. 

5.11. Customer Obligations 

5.11.1. Customer is responsible for obtaining all necessary consents, permissions and rights, and  for providing appropriate notices, regarding the collection and Processing of Customer  

Personal Data required under Data Protection Laws for Deltia to lawfully Process  

Customer Personal Data to provide the Services. 

5.11.2. Customer shall not instruct Deltia to Process Customer Personal Data in violation of Data  Protection Laws. 

5.11.3. Deltia shall have no obligation to assess the contents or accuracy of Customer Personal  Data.

Annex 1: Description of the Processing (Training Phase)  

General Description of the Processing. The technical infrastructure for collecting the video recordings and  transmitting them to Deltia's Platform is provided to the Customer by Deltia and integrated into the Customer's  production line. Cameras integrated into the production line record the manual production processes as optical  sensors. The cameras are connected to a PC with a network cable (Ethernet) via a "switch". The PC is installed on site  at the production line ("line PC"). The video recordings are read out by the line PC and data is sent to a Data Center  to train the Deltia ML and Platform.

Annex 2 - Description of Processing (Production Phase) 

For purposes of the SCCs, if applicable this Annex 2 serves as Annex I, Part B. 

General description of the Processing 

The Deltia Platform uses computer vision to digitize manufacturing processes including manual and/or automated  processes. Shop-floor processes in production (e.g., assembly, packaging, set-up) are recorded using optical sensors  and automatically analyzed using Deltia’s trained ML and Platform in order to identify cycles, work steps and routes.  Evaluations of the production processes are made available to the Customer through Service Output from the Deltia  Platform. The Customer can access and view these evaluations via a web application (the Deltia Dashboard).  Individual edited video recordings in which the person depicted has been made unrecognizable are also displayed to  the Customer via the Deltia Dashboard.

Annex 3 - Technical and organizational measures 

DPO of Deltia GmbH: Herting Oberbeck Datenschutz GmbH, Mr. Sebastian Herting, Hallerstr. 76, 20146 Hamburg,  phone 040-228691140, datenschutzbeauftragter@deltia.ai. 

I. Overview of the technical components 

The Deltia Platform uses computer vision to digitize manufacturing processes including manual and/or automated  processes. Manual processes in production (e.g., assembly, packaging, set-up) are captured with cameras and  automatically analyzed with artificial intelligence to identify cycles, work steps and routes. 

The technical architecture of the Deltia platform is a mixture of on-premise and cloud components, as follows: 

On-premise: cameras record the shop-floor production processes as optical sensors. The cameras are connected to  a PC with a network cable (Ethernet) via a "switch". The PC is installed on site at the production line ("line PC"). The  Deltia ML is installed on the PC and Processed exclusively on the PC. The line PC is also connected to the "switch".  The switch is connected to a router that enables a connection to the Internet via a satellite solution. 

Cloud: further Processing of the Customer data takes place at cloud level. The data generated by the Deltia ML is  sent to a data center currently operated by the Sub-processor identified on the Sub-processor List as the Cloud  Service Provider. The backend and frontend services of the Deltia Platform are executed via the Cloud Service  Provider and other Cloud Service Provider services are used for data storage and the management and monitoring of  data Processing. 

The Customer can access the content and data displayed in the front end via a web application (the Deltia  Dashboard). Deltia has developer access for the line PC and the cloud level. 

Data Processing at the cloud level takes place on systems operated by the GDPR compliant Cloud Service Provider. II Technical and organizational measures 

1. Confidentiality (Art. 32(1)(b) GDPR) and encryption (Art. 32(1)(a) GDPR) 

Access control 

Measures to prevent unauthorized persons from gaining access to the data Processing systems: 

Access control/encryption

Measures to prevent unauthorized persons from using the data Processing systems and procedures: 

Access control 

Measures that ensure that the persons authorized to use the data Processing procedures can only access the  Personal Data subject to their access authorization.

2. Integrity (Art. 32 para. 1 letter b GDPR) 

Transfer control 

Measures to ensure that Personal Data cannot be read, copied, altered or removed by unauthorized persons during  electronic transmission or during their transport or storage on data carriers and that it is possible to verify and  establish to which bodies Personal Data are intended to be transmitted by data transmission equipment: 

Input control 

Measures that ensure that it is possible to subsequently check whether and by whom Personal Data can be entered,  changed, or removed in data Processing systems.

3. Availability and resilience (Article 32(1)(b) GDPR), recoverability (Article 32(1)(c) GDPR) 

Availability control 

Measures to ensure that Personal Data is protected against accidental destruction or loss: 

4. Procedures for regular review, assessment, and evaluation (Art. 32(1)(d) GDPR, Art. 25(1) GDPR) 

5. Pseudonymization (Art. 32 para. 1 letter a GDPR)

Measures to ensure that Customer Personal Data is Processed in such a way that the data can no longer be  attributed to a specific Data Subject without the use of additional information:

Annex 4 - Sub-processor List