made pursuant to the provisions of Art. 28 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (the "GDPR") and Section 34 (3) of Act No. 18/2018 Coll. on the Protection of Personal Data and on the amendment of certain laws as amended (the "Personal Data Protection Act")
(the "Agreement")
This Agreement has been made by and between ZUTOM s.r.o., a limited liability company, with its registered office at Záhradnícka 74, 821 08 Bratislava, Slovak Republic, Company ID no 35 740 019, registered in the Commercial Register of District Court Bratislava I, Section Sro, Insert No. 16672/B as a provider of cloud, hosting or managed services (the “Provider”) and a person who has ordered cloud, hosting or managed services from the Provider (the “Customer”) and with whom the Provider has entered into the Service Agreement (the "Main Agreement"), subject to fulfillment of the condition that during the provision of cloud, hosting or managed services, personal data shall be processed by the Provider on the Customer's behalf (Provider and Customer jointly as the "Parties"):
Article I
Introductory Provisions
1. The Customer is a natural or legal person who has ordered cloud, hosting or managed services from the Provider. The Customer's legal position is that of (a) a Controller under GDPR and under the Personal Data Protection Act (i.e. a person who, alone or jointly with others, defines the purpose and means of personal data processing and processes personal data in his own name) or (b) a Processor under GDPR and under the Personal Data Protection Act (i.e. a person who processes personal data on the Controller's behalf), if the cloud, hosting or managed services are provided for another natural or legal person acting in the position of the Controller under GDPR and under the Personal Data Protection Act (the "Client").
2. The Provider is a legal entity duly established and doing business under the laws of the Slovak Republic. The Provider's legal position is that of (a) a Processor under GDPR and under the Personal Data Protection Act if the Customer is a Controller, or (b) the so-called Sub-processor if the Customer acts in the position of a Processor of personal data for the Client.
3. The Provider represents and confirms that he provides sufficient warranties to take appropriate technical and organizational measures so that the personal data processing meets the GDPR's and the Personal Data Protection Act's requirements and that the Data Subject's rights are protected.
4. With reference to the facts under para 3 of this Article hereof, the Parties have agreed to conclude this Agreement in accordance with the provisions of Art. 28 of GDPR in connection with Section 34 par (3) of the Personal Data Protection Act.
5. The Customer's obligations arising herefrom shall apply accordingly to the Client, provided that the Agreement implies that such obligations shall apply to the Controller under GDPR and under the Personal Data Protection Act and the Customer by the conclusion hereof represents that the Client meets all such obligations.
6. Cloud, hosting or managed services shall mean, in particular, data storage on the Provider's data repositories, data storage management, data backup, or other services, if any, on the basis of the Main Agreement (collectively as the "Services").
Article II
Subject-Matter of this Agreement
The subject-matter hereof shall be
a. regulation of the Parties' mutual rights and obligations with respect to the processing of personal data of Data Subjects by the Provider on the Customer's behalf, and
b. the Customer's authorization of the Provider to process personal data,
following from the fact that the Provider provides the Customer with the Services on the basis of the Main Agreement.
Article III
Authorization to Process Personal Data
1. The Customer hereby authorizes the Provider to process personal data of Data Subjects on the Customer's behalf as follows:
1.1. Subject of processing: The Provider performs the processing of personal data of Data Subjects (natural persons) while providing Services through automated means of processing.
1.1.1. Personal data shall mean data relating to an identified natural person or an identifiable natural person who can be identified directly or indirectly, in particular by a generally identifiable identifier, other identifier such as name, surname, identification number, location data or online identifier, or on the basis of one or more of the characteristics or traits that form its physical, physiological, genetic, psychological, mental, economic, cultural or social identity.
1.2. Processing period: From the effective date of this Agreement for the term and duration of the Main Agreement.
1.3. Nature of processing: Personal data is obtained and processed on the basis that the Provider provides the Services to the Customer on the basis of the Main Agreement.
1.4. Purpose of processing:
1.4.1. The Provider shall process personal data that shall be stored by the Customer on the Provider's data repositories.
1.4.2. The Customer shall be responsible for defining the purpose of personal data processing, for the lawfulness of the transfer of personal data to the Provider and for the lawfulness of data processing. The Customer agrees to comply with all his obligations arising from GDPR and from the Personal Data Protection Act when processing personal data in connection with the Services. In this connection, the Customer shall primarily ensure the lawful processing of personal data, a sufficient definition of the purposes of the personal data processing and the administrative legal bases of the personal data processing and shall inform Data Subjects about the rights and obligations with respect to the personal data processing.
1.5. Categories of Data Subjects: are natural persons having a specific relationship with the Customer, e.g. his employees, customers, persons cooperating with the Customer, etc. The Customer shall keep records of the categories of Data Subjects and, if necessary, give the Provider all necessary information.
1.6. List/Scope of personal data subject to processing: all personal data stored by the Customer on the Provider's data repositories related to the defined purposes of processing according to para 1.4 of this Article hereof. The Customer declares that the subject-matter of personal data processing shall not include any special category of personal data. In case where the Customer is interested in storing on the Provider's data repositories any personal data that fall under a special category of personal data, the Customer shall be obliged to notify the Provider in writing in advance. The Provider and the Customer shall thereafter close a special agreement, the subject of which shall be the definition of a special category of personal data and the possible provision of special security terms and conditions for processing.
1.7. Customer's Rights and Obligations:
1.7.1. The Customer (i) shall define the purposes of personal data processing prior to the provision thereof to the Provider, (ii) keeps a list or scope of provided personal data and categories of Data Subjects, (iii) shall be responsible for the accuracy of personal data, (iv) shall be responsible for informing Data Subjects about the processing of personal data and the means of exercising their rights; and (v) shall be responsible for making notifications (including data breach notices) to data protection authorities, if necessary.
1.7.2. The Customer shall be entitled to request that the Provider proves his fulfillment of all obligations, including the implementation of all prescribed security measures for the protection of personal data.
1.7.3. The Customer shall be entitled to audit personal data protection at the Provider and the Provider shall be obliged to cooperate in said audit and inspection done by the Customer or with the auditor authorized by the Customer. The Customer shall make a Notice of Audit at least 5 (five) working days in advance.
1.7.4. Notice of Audit pursuant to para 1.7.3 of this Article must at least include: the audit's date, reason, focus and site/place, Customer's representatives' identification. The Customer's representatives in charge of audit at the Provider must comply with all Provider's legal and internal policies that shall be explained to them by the Provider in advance. Each party involved in the audit shall bear its own audit-related costs. If the Customer requests the audit to be carried out at a site other than at the Provider's registered office, all related Provider's costs shall be borne by the Customer.
1.8. Provider's Rights and Obligations:
1.8.1. The Provider shall be obliged to process (and especially store) personal data only for specified purposes and to maintain as separate all personal data obtained for different purposes, in the form as stored by the Customer in the data repository.
1.8.2. The Provider shall be obliged to process (and especially store) only such personal data that correspond in scope and content to the specified purpose and that are necessary to achieve such purpose, to the extent as they are stored by the Customer in the data repository.
1.8.3. The Provider shall be entitled to perform exclusively the following data processing operations:
a. collection, storage, backup under this Agreement,
b. search, browsing, restriction, rectification/modification and deletion on the basis of the Controller's special requirements.
1.8.4. The Provider shall be obliged to process only correct, complete and up-to-date personal data in relation to the purpose of their processing and to handle any incorrect and incomplete data in accordance with GDPR and the Personal Data Protection Act.
1.8.5. The Provider shall be obliged to proceed with the processing of personal data in accordance with generally binding laws.
1.8.6. The Provider shall be obliged to process personal data only on the basis of the Controller's written instructions, especially with respect to the liquidation of personal data. For the avoidance of doubt, by storing personal data in the Provider's data repository, the Client instructs that such data shall be stored and backed up on the basis of the Main Agreement.
1.8.7. Transfers of personal data to a third country or international organization are prohibited.
1.8.8. The Provider shall keep an up-to-date list of his employees and staff who are authorized to process personal data within the scope of this Agreement (the "Authorized Persons"), together with confirmation that such Authorized Persons have been informed of their obligations, including the confidentiality obligation.
1.8.9. The Provider shall be obliged to take measures according to the provisions of Art. 32 of GDPR and Section 39 of the Personal Data Protection Act, i.e. take appropriate technical and organizational measures to ensure a level of security commensurate with the risks, taking into account the latest knowledge, the costs of implementing the measures, the nature, scope, context and purpose of personal data processing and risks of varying probabilities and severity for natural persons' rights.
1.8.10. By the conclusion hereof, the Customer grants his general written consent to the Provider with the possibility to authorize another Processor to process personal data. The Provider shall be obliged to inform the Customer in advance about such authorization and the Customer shall be entitled to object to the processing of personal data by another Processor. The current list of Processors is given in such list.
1.8.11. With respect to the performance of special processing activities on the Customer's behalf, if the Provider engages another Processor pursuant to para 1.8.10, such other Processor shall be contractually or legally otherwise bound to have the same obligations regarding personal data protection as set out in this Agreement, in particular providing sufficient guarantees to accept adequate technical and organizational measures so that the processing of personal data meets the GDPR's and the Personal Data Protection Act's requirements. The Provider shall be held liable for the other Processor's failure to fulfill his obligations regarding the protection of personal data.
1.8.12. The Provider shall be obliged, after taking into account the nature of personal data processing, to provide co-operation to the Customer to the greatest extent possible by appropriate technical and organizational measures in fulfilling the Customer's obligation to take measures with respect to the Data Subject requests.
1.8.13. The Provider shall be obliged to provide co-operation to the Client in ensuring the fulfillment of obligations pursuant to the provisions of Art. 32 et seq. of GDPR and under Section 39 to 43 of the Personal Data Protection Act, taking into account the nature of personal data processing and information available to the Provider.
1.8.14. The Provider shall be obliged to delete personal data or return personal data to the Customer after the expiration/termination of the respective data processing services based on the Customer's decision and delete existing copies containing personal data, if a special regulation or international agreement by which the Slovak Republic is bound does not require retention of such personal data.
1.8.15. The Provider shall be obliged to give the Customer all information necessary to prove the fulfillment of obligations and to provide co-operation with respect to the audit of personal data protection and inspection carried out by the Customer or by the auditor appointed by the Customer.
1.8.16. The Provider shall be obliged to keep personal data obtained for different purposes separately and to secure personal data against theft, loss, damage, destruction, unauthorized access, alteration and dissemination, and for such purpose the Provider shall take appropriate technical, organizational and personnel measures corresponding to the processing of personal data.
1.8.17. The Provider shall be obliged to immediately inform the Customer if the Provider considers the Customer's instruction to be in violation of GDPR, the Personal Data Protection Act, a data protection-related special regulation or an international agreement by which the Slovak Republic is bound.
1.8.18. The Provider shall be obliged to immediately notify the Client of any breach of personal data protection as soon as the Provider has learned of it.
Article IV
Term of this Agreement
1. This Agreement is concluded for a definite period of time, for the term and duration of the Main Agreement.
2. This Agreement shall expire or terminate in the following cases:
a. a written agreement of the Parties,
b. termination of any Party without a legal successor,
c. termination of the Main Agreement.
3. Termination hereof by any means and any manner shall not affect those arrangements, which by their nature are set to survive the termination hereof, in particular claims for compensation of damages, payment of contractual penalties, the obligation to protect confidential information, and others under this Agreement.
Article V
Protection of Confidential Information
1. The Parties agree to take all measures to ensure the confidentiality of any information in connection with this Agreement, mutual correspondence and information related hereto in accordance with the provisions of Section 271 of the Commercial Code.
2. The Parties agree to maintain the confidentiality of any information that one of the Parties expressly designates as confidential and that one of the Parties has disclosed to the other Party in connection with this Agreement.
2.1. Confidential information shall be:
a. information that is not publicly available;
b. information that is not commonly available in the respective business circles;
c. information which one of the Parties expressly designates as confidential;
d. any information relating to the subject matter and content of this Agreement, including its annexes.
2.2. Confidential information shall not be:
a. information that was publicly available on the date of signing this Agreement;
b. information that was commonly available in the respective business circles on the date of signing this Agreement;
c. information the nature of which indicates that the other Party has no interest in keeping it confidential, unless the other Party has expressly designated it as confidential.
2.3. The Parties' confidentiality obligation with respect to confidential information shall not apply in the following cases:
a. if the Party has disclosed or otherwise disclosed or used Confidential Information with the prior written consent of the other Party;
b. if the Party has notified or otherwise disclosed confidential information to the court of law in connection with legal proceedings or another public authority, or the Party's professional adviser and consultant, and the Party's representatives, and is obliged to ensure their confidentiality obligation to the extent at least under this Agreement.
c. if disclosure is necessary or obligatory in accordance with generally binding laws.
3. The confidentiality obligation of all confidential information shall remain in effect for the term and duration of this Agreement and shall survive the expiration or termination hereof indefinitely.
Article VI
Final Provisions
1. This Agreement constitutes the Parties' final and entire agreement with respect to its subject-matter and shall replace all its related correspondence, memoranda, conversations and other communications or documents.
2. No amendments, supplements, deletions or replacements hereof or herefrom or no terms and conditions shall become effective unless made in writing and signed by or on behalf of each Party, except as expressly provided in this Agreement.
3. As agreed upon by the Parties, this Agreement is drawn up in the English language. If this Agreement is made in a language other than English, only the wording drawn up in English shall be used as the decisive language version and only this wording shall be legally binding for the Parties. Any wording drawn up in any other language shall not be legally binding for the Parties and shall only be considered as an informative translation of the content of this Agreement made in English.
4. Any Party's failure or delay in pursuit of any right, remedy, power or privilege under this Agreement and any course of negotiations between the Parties shall not be construed or constitute a waiver or pursuit of one right, or the partial pursuit of any right, remedy, power or privilege shall not preclude other or further pursuit of any right, remedy, power or privilege. Any waiver of breach or default hereunder shall not be construed as a waiver of any subsequent breach or default and shall in no way affect the other terms hereof.
5. The invalidity or ineffectiveness of any provisions hereof shall not result in the invalidity and ineffectiveness of the other provisions of the Agreement, except where invalid or ineffective provisions could not be separated from the other provisions of the Agreement without (i) invalidating the entire Agreement and/or (ii) causing a default/frustration of the purpose hereof, which is the definitive settlement of the Parties' mutual claims in relation to the claims that are the subject of a settlement under this Agreement. In such a case, the Parties shall take all necessary steps to replace the erroneous provision with a valid and effective provision so that its purpose and content correspond as much as possible to the original provision and purpose of this Agreement.
6. The Parties confirm that all circumstances beyond their control and reach, such as war, insurrection, fire, explosions, natural force, as well as other circumstances, shall constitute force majeure which excuses the Parties from performing their duties and obligations under this Agreement, where the performance thereof may be possible only at excessively high costs, as well as from obligations to pay compensation. Following the end of such circumstance, the excused Party shall immediately resume all its fulfillment and performance which was interrupted by such circumstance. Should this circumstance last for more than 2 (two) months, the Parties may agree to terminate this Agreement. For the purposes hereof, force majeure shall not be deemed to be any direct or indirect interference made by public authorities.
7. This Agreement shall enter into force and effect on the day of its acceptance by the Customer.
8. The Parties declare that they have read and understood the content of this Agreement and declare to have concluded the Agreement voluntarily, under no duress, and in their free will.
9. The Provider reserves the right to amend this Agreement at any time during its existence, especially to ensure compliance with GDPR and the Personal Data Protection Act, and shall be obliged to always publish and apply the current valid wording of the Agreement. The Provider is obliged to notify the Client of any amendments/change to the Agreement in advance by e-mail sent to the Customer's e-mail address specified in the purchase order, within 30 (thirty) days before the effective date of the new Agreement. The amendment shall become effective upon expiry of the period under the preceding sentence. Upon the effective date of the new Agreement, the original wording shall cease to be valid and effective.
10. Customer's disagreement with the amendment/change hereof shall cause him to notify the Provider thereof in writing no later than the effective date of the new Agreement. In case the amendment/change hereof is not accepted by the Customer, the Provider shall no longer be able to provide the Services and the Parties shall proceed in accordance with Article III, para 1.8.14 hereof. Customer's failure of delivery of his disagreement with the change/amendment hereof to the Provider within the period according to this para hereof shall be deemed as Customer's agreement with said change/amendment, and the mutual relations between the Provider and Customer shall be regulated by the changed/amended Agreement as of the effective date thereof.