Data Processing Agreement

This Data Processing Agreement (“DPA”) shall be effective if the Client is not resident of the United Kingdom or European Economic Area.

This DPA is part of Qela App's Terms of Service for organization representative entering into force by the day of accepting said Terms of Service. DPA is made by and between and on the following conditions:

1. Information about the Parties

Data Controller: Client (organization - owner of the account in Qela App, client’s information is indicated in the Qela App account of respective organization), acting like controller, on the one hand, and

Data Processor: Qela Inc., acting like processor, on the other hand,

jointly hereinafter referred to as the “Parties” and individually a “Party”, have concluded this DPA as follows.

The Parties seek to implement the DPA that complies with the requirements of the Delaware Personal Data Privacy Act and General Data Protection Regulation (EU) 2016/679 (“GDPR”).

2. Definitions and Interpretation

Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:

“Data Protection Laws” means Delaware Personal Data Privacy Act, GDPR and, to the extent applicable, the data protection or privacy laws of any other country;

“Data Transfer” means:

• a transfer from the Data Controller to a sub-processor; or
• an onward transfer of personal data from a Data Processor to a sub-processor or between two establishments of a sub-processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

“Services” means the services under the Agreement the Data Processor provides.

“Sub-processor” means any person appointed by or on behalf of the Data Processor to process personal data on behalf of the Data Controller in connection with the Agreement.

The terms, “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the same meaning as in the Delaware Personal Data Privacy Act, GDPR, and their cognate terms shall be construed accordingly.

3. Description of the Processing

The Data Controller has accepted the Terms of Service of the Data Processor following the link - Qela App's Terms of Service for organization representative (“Agreement”), under which the Data Processor shall provide the services (functionality of Qela App) to the Data Controller.

The Parties guarantee that the processing of the Personal Data will be made based on the legal basis, acceptable by both §12D-110(f) of Title 6 of the Delaware Code and Article 6 of the GDPR.

4. Data Subjects

The Data Processor, within the scope of providing services under the Agreement, may process personal data of:

• Member/follower/community member (Qela App user from Data Controller’s side), Team member (Qela App administrator from Data Controller’s side) (“User”).

5. Personal Data

The Data Processor, within the scope of providing services under the Agreement, may process the following personal data (“Users’ Data”):

• Member’s/follower’s/community member’s data (name and surname, email, phone number, photo, geolocation), Team member’s data (name and surname, email, phone number).

6. Storage Term

The Data Processor shall store the Users’ Data received from the Data Controller until it is necessary for the processing, but no longer the term of the Agreement, unless internal documents of the Data Processor or applicable legislation state otherwise (“Standard Period”).

7. Details of Processing

8. Sensitive Data

In case of gathering sensitive information by Data Controller via Qela App functionality it will be available to and processed by Data Processor with strict purpose limitation (only for proper Qela App functioning for Data Controller).

9. Nature of the Processing

The Data Controller shall provide the Data Processor functionality of Qela App. Such services require, in particular, Users’ Data processing. Users’ Data will be processed continuously.

10. Limitation of the Processing

The Data Processor shall:

• comply with all applicable Data Protection Laws in the Users’ Data processing and
• not process Users’ Data other than on the relevant Data Controller’s instructions.

The Users’ Data shall only be processed as necessary according to the purposes and to fulfill the obligations set out in the Agreement. The Data Processor does not use Users’ Data outside direct contractual relations.

11. Data Processor Personnel

The Data Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to Users’ Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Users’ Data, as strictly necessary for the Agreement.

12. Data Subject Rights

Taking into account the nature of the processing, the Data Processor shall assist the Data Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Controller’s obligations, as reasonably understood by the Data Controller, to respond to requests to exercise data subject rights under the Data Protection Laws.

The Data Processor shall, without undue delay upon, but not later than 72 hours from knowledge, notify the Data Controller of any authorities’ request to access the Users’ Data received. The Data Processor shall fulfill such a request if authorized by the Data Controller or with a corresponding legal obligation.

According to §12D-104 of Title 6 of the Delaware Code and Article 12 of the GDPR, the controller must respond to a subjectʼs request from the EU data subjects within 45 days or one month accordingly.

The Parties shall deal with any inquiries and requests they receive from the data subjects relating to the processing of the Personal Data and the exercise of their rights without undue delay and, at the latest, within one month of the receipt of the inquiry or request.

13. Personal Data Breach

The Data Processor shall notify the Data Controller without undue delay upon, but not later than 72 hours from knowledge, the Data Processor becoming aware of a personal data breach affecting Users’ Data, providing the Data Controller with sufficient information to allow the Data Controller to meet any obligations to report or inform data subjects of the personal data breach under the Data Protection Laws.

The Data Processor shall cooperate with the Data Controller and take reasonable commercial steps as directed by the Data Controller to assist in investigating, mitigating, and remediation of each such personal data breach.

14. Data Protection Measures

Taking into account state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall concern the Data Controller Users’ Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

In particular, to protect Users’ Data, the Data Processor shall implement the following measures:

Technical Measures:

• encryption technologies;
• backup data.

Organizational Measures:

• compliance with the Data Controller’s security and privacy policies;
• implementation of systematic training programs focused on cybersecurity awareness and best practices, equipping employees with the knowledge and skills to recognize and mitigate security threats;
• establishment of comprehensive guidelines and protocols governing internal operations, outlining procedures and best practices to facilitate efficient and compliant workflows.
• compliance with a non-disclosure agreement (conditions) between the Data Processor and the Data Controller.

The Data Processor assures to keep data protection measures up-to-date. The Data Processor shall inform the Data Controller of any changes unless the same level of security is provided.

15. Sub-processors and Transfers

The Data Controller gives the Data Processor general consent for transferring the Users’ Data to third parties independently, providing the necessary safeguards solely for sub-processing Users’ Data. In this case, the sub-processor will need to sign another data processing agreement.

The Data Processor shall inform the Data Controller of any new or changes of existing sub-processors and grant the Data Controller a right to object to such change. The Data Controller can object to the change within 72 hours from the notification if such a subprocessor cannot provide the same level of data protection as provided for in this DPA.

16. Recipients

The Users’ Data may only be disclosed to the following recipients or categories of recipients and only if appropriate safeguards (including confidentiality obligations) are in place:

• advisers, consultants, and other professional experts;
• partners;
• team members;
• third parties.

The Data Processor will notify the Data Controller with undue delay if they become aware of inaccuracies in Users’ Data.

17. Deletion or Return of Data

The Data Processor deletes or returns all the Users’ Data to the Data Controller in 4 weeks after the end of the Agreement and deletes existing copies unless applicable legislation requires further storage of the Users’ Data.

The Data Processor is permitted to store the Users’ Data in archive and backup systems until the next regular deletion.

18. Making Information Available

The Data Processor makes available to the Data Controller all information necessary to demonstrate compliance with the obligations under applicable legislation and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

19. Competent Supervisory Authority

The competent supervisory authority is the Delaware department of Justice.

20. Governing Law and Jurisdiction

The DPA is governed by the laws of the State of Delaware, the United States of America.

Any dispute arising in connection with the DPA, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of the State of Delaware, the United States of America.