Data Processing Agreement

Effective date: December 22, 2024

Introduction

This Data Processing Addendum (the "Addendum") is an integral part of the VELZI.AI Terms of Use (and any related or supplementary documentation), as updated or amended from time to time (the "Agreement"), between you, the Customer (as defined below), and VELZI.AI Limited ("VELZI.AI"). Any capitalised terms not defined in this Addendum shall have the meanings set out in the Agreement.

This Addendum applies solely to the extent that VELZI.AI processes personal data on behalf of a Customer that qualifies as a data controller with respect to such personal data under Applicable Data Protection Law, including the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (DPA 2018), as amended from time to time (together, the "Data Protection Laws"). If the Customer had entered into earlier data processing terms with VELZI.AI, those terms are hereby superseded and replaced by this Addendum.

This Addendum aims to ensure compliance with the obligations of the data controller and data processor under the Data Protection Laws, including the lawful processing, handling, and transfer of personal data. The purpose of processing shall include, but is not limited to, the provision of services as described in the Agreement, fulfilling contractual obligations, and ensuring adherence to UK data protection and GDPR requirements.

1. Data Protection

1.1 Definitions

In this Addendum, the following terms shall have the meanings set out below:

a) "Controller," "Processor," "Data Subject," "Personal Data," "Processing" (and "Process"), and "Special Categories of Personal Data" shall have the meanings assigned to them under the Applicable Data Protection Law.

b) "Applicable Data Protection Law" refers to the EU General Data Protection Regulation (Regulation 2016/679) (the GDPR) and/or the UK General Data Protection Regulation (the UK GDPR), as well as any applicable laws of the EU Member States and/or the UK that are made under or in accordance with the GDPR and/or the UK GDPR, in each case as may be amended or replaced from time to time.

c) "Customer" refers to "you" as defined in the VELZI.AI Terms of Use.

d) "Adequate Country" means a country or territory that is recognized under Applicable Data Protection Law as providing adequate protection for Personal Data, which, as of the Effective Date, includes: (i) for data transfers from the United Kingdom, member states of the European Economic Area (EEA), Switzerland, and any other country or territory deemed adequate by the United Kingdom in regulations made under section 17A of the Data Protection Act 2018; (ii) for data transfers from the EEA, any country or territory deemed adequate by the European Commission under the EU GDPR.

1.2 Relationship of the Parties

The Customer, acting as the data controller, appoints VELZI.AI as the data processor to process the personal data outlined in Annex B (the "Data") solely in accordance with the documented instructions of the controller (and as specified in the terms of this Addendum). This processing shall be for the purposes set out in the Agreement or as otherwise mutually agreed in writing by both parties (the "Permitted Purpose"). Each party agrees to comply with the obligations applicable to it under the Applicable Data Protection Law.

1.3 Prohibited Data

The Customer shall not disclose, nor permit any data subject to disclose, any special categories of personal data to VELZI.AI for processing, unless explicitly requested by VELZI.AI to do so.

1.4 International Transfers

VELZI.AI will not transfer the Data outside the European Economic Area (EEA) or the United Kingdom (UK) unless it has implemented necessary measures to ensure compliance with Applicable Data Protection Law. These measures may include, but are not limited to, transferring the Data to a recipient in a country deemed by the European Commission and/or the UK Secretary of State (as applicable) to provide adequate protection for personal data or to a recipient who has entered into standard contractual clauses approved by the European Commission, UK Secretary of State, or UK Information Commissioner (as applicable). In this regard, you authorise VELZI.AI to enter into standard contractual clauses on your behalf and as your agent with any recipient of Data located outside an Adequate Country, where necessary for compliance with Applicable Data Protection Law.

1.5 Confidentiality of Processing

VELZI.AI will ensure that any individual it authorises to process the Data (an "Authorised Person") safeguards the Data in line with VELZI.AI's confidentiality obligations under the Agreement.

1.6 Security

VELZI.AI will implement technical and organisational measures, as detailed in Annex A, which may be updated periodically, to protect the Data from (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure, or access (collectively referred to as a "Security Incident").

1.7 Sub-processing

The Customer agrees to VELZI.AI engaging third-party sub-processors to process the Data for the Permitted Purpose, subject to the following conditions:

(i) VELZI.AI will maintain an up-to-date list of its sub-processors, which will be accessible on its website at the [VELZI.AI Sub-processors Page - You will need to create this page on your website]. VELZI.AI will update this list with details of any changes to its sub-processors at least 30 days prior to the change. (ii) VELZI.AI will impose data protection terms on any sub-processor it engages, ensuring they are required to protect the Data in accordance with the standards set out in Applicable Data Protection Law, including but not limited to the UK GDPR and the EU GDPR. (iii) VELZI.AI will remain liable for any breach of this Addendum caused by any act, error, or omission of its sub-processor.

The Customer may object to VELZI.AI’s appointment or replacement of a sub-processor, provided such objection is based on reasonable grounds related to data protection. If such an objection is raised, VELZI.AI will either refrain from appointing or replacing the sub-processor, or, if it determines at its sole discretion that this is not reasonably feasible, the Customer may suspend or terminate the Agreement without penalty (without prejudice to any fees incurred by the Customer up to and including the date of suspension or termination).

1.8 Cooperation and Data Subjects’ Rights

VELZI.AI will provide reasonable and timely assistance to the Customer (at the Customer’s expense) to enable the Customer to respond to:

(i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. If any such request, correspondence, enquiry or complaint is made directly to VELZI.AI, VELZI.AI will promptly inform the Customer, providing full details.

1.9 Data Protection Impact Assessment

If VELZI.AI determines or becomes aware that its processing of the Data could result in a high risk to the data protection rights and freedoms of data subjects, it will promptly notify the Customer and offer reasonable assistance in relation to any data protection impact assessment that may be required under Applicable Data Protection Law.

1.10 Security Incidents

If VELZI.AI becomes aware of a confirmed Security Incident, it will notify the Customer without undue delay and, where feasible, provide all necessary information and assistance to enable the Customer to comply with its data breach reporting obligations under Applicable Data Protection Law, including the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. This notification will be made within the timelines required by the applicable law. VELZI.AI will also take all reasonable measures to address or mitigate the effects of the Security Incident and will keep the Customer updated on any significant developments relating to the incident.

1.11 Deletion or Return of Data

VELZI.AI will retain the Data for a period of 7 years following the termination of the subscription, in case the Customer requires access to it. Upon the expiration of this period or at the Customer’s earlier request, VELZI.AI will either delete or return the Data in a manner and format determined by VELZI.AI, acting reasonably. This obligation will not apply where VELZI.AI is required by applicable law to retain some or all of the Data, nor to Data that has been archived on back-up systems. In such cases, VELZI.AI will securely isolate and protect the Data from any further processing in accordance with Applicable Data Protection Law.

1.12 Audit

The Customer acknowledges that VELZI.AI undergoes regular audits against SOC 2 standards by an independent third-party auditor. Upon the Customer’s request, and subject to the confidentiality obligations outlined in the Agreement, VELZI.AI will provide the Customer (or their independent third-party auditor, provided they are not a competitor of VELZI.AI) with a copy of VELZI.AI’s SOC 2 report, in the same manner and format that VELZI.AI generally makes it available to its customers.

2. Changes to this Addendum

VELZI.AI may change this Addendum from time to time by posting an updated version on its website, which will become effective on the date of posting. VELZI.AI will provide the Customer with at least thirty (30) days' prior written notice of any material changes to this Addendum. If the Customer does not agree to any change to this Addendum, then the Customer may terminate the Agreement in accordance with the relevant provisions therein.

3. Governing Law and Jurisdiction

This Addendum and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or1 claims) shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction2 to settle any dispute or claim3 arising out of or in connection with this Addendum or its subject matter or formation (including non-contractual disputes or claims).

Annex A - Security Measures

Information regarding the technical and organisational measures VELZI.AI has in place to protect Data in accordance with clause 1.6 of this Addendum is available in VELZI.AI’s SOC 2 report, which can be requested through contacting dev@velzi.ai, and on VELZI.AI’s security pages and Secure Data Protection.

In addition, VELZI.AI is certified as compliant with ISO/IEC 27001:2013 which is globally recognised as the premier standard for information security management system (ISMS).

Annex B - Data Processing Schedule

1. Subject Matter and Duration of Processing of Personal Data

The subject matter of personal data to be processed is that of the contacts of the Customer entered by or at the election of the Customer into the VELZI.AI platform.

The duration of processing personal data shall be for as long as we have a business relationship with the Customer, and at the end of that relationship, we will act in accordance with clause 1.11 regarding deletion or return of such personal data.

2. Nature and Purpose of Processing Personal Data

The nature and purpose of processing personal data is to enable the functionality of the VELZI.AI Platform as set out in the Agreement and related documentation.

3. Types of Personal Data Processed

The types of personal data processed include:

a) Names b) Addresses c) Contact details (e.g., email addresses, phone numbers) d) Identification details (for example, tax registration numbers) e) Other personal data types for use on the VELZI.AI platform as inputted by the customer or its users.

4. Categories of Data Subjects

The categories of data subjects include:

a) Suppliers / service providers of Customer b) Customers / clients of Customer c) Employees / contractors of Customer d) Other contacts of the Customer