This data sub-processing agreement (the ”DPA”) applies between Skolon AB, Reg. No. 556958-4120, a company with the registered address at Pirgatan 13, SE-374 35 Karlshamn (“Skolon”) and the counterparty (the “Partner” and/or “Supplier”) that has entered into a partner agreement, or a partner and reseller agreement, (the “Agreement”) offered by Skolon and accepted by the Partner either in writing or through an online acceptance process, or any other agreement document between the Parties where the Partner is ordering access to Skolon’s cloud based platform solution to make available application(s) to customers (the “Skolon Platform”). Supplier and Skolon are referred to alone as “Party“ or jointly as “Parties“.

1.1 This DPA is entered into between the Parties as a result of the Agreement between the Parties. Under the Agreement, the Partner may from time to time act as a Sub-processor to Skolon when certain Personal Data originating from customers (who are the Controllers) may be transferred to or accessed by the Partner through the Skolon Platform or use of the Partner’s application(s).

1.2 Under this DPA, the Supplier will Process Personal Data on behalf of Skolon in capacity of Skolon’s Processor (and a Sub-processor of the customers) and in connection with the Supplier’s provision of services under the Agreement or otherwise in relation to customers use of the Skolon Platform or the Partner’s applications.

”Controller” means a natural or legal person, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

”Data Protection Laws” means the laws and regulations, applicable from time to time, in respect of Processing of Personal Data, including but not limited to, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”), as well as the Supervisory Authority’s binding decisions, regulations and recommendations and supplementary local adaptions and regulations in respect of data protection;

”Data Subject(s)” means the natural person to whom Personal Data relates to;

”Personal Data” means any information relating to an identified or identifiable natural person;

”Process/-ing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

”Processor” means a natural or legal person, agency or other body which Processes personal data on behalf of the Controller;

”Supervisory Authority” means the supervisory authority/supervisory authorities authorised to conduct supervision of processing of Personal Data or considered to be a supervisory authority concerned under the Data Protection Laws;

”Sub-processor” means a Processor engaged by another Processor for carrying out certain Processing activities on behalf of Controllers;

“Term” means as defined in Section 12.1;

“Third Country” means a country outside the European Economic Area.

Any other terms or concepts used in capitalized letters in this DPA shall, unless otherwise stated, have the meaning provided for under the Data Protection Laws and otherwise under the Agreement, unless otherwise obviously required from the circumstances.

3.1 The type(s) of Personal Data to be Processed under this DPA, the purpose and duration of the Processing and categories of Data Subjects are set out in Appendix 1 (Instructions regarding the Processing of Personal Data).

3.2 The Supplier shall only Process Personal Data on documented instructions from Skolon, originating from the Controller(s), as set out in Appendix 1, including (if applicable) with regards to transfers of Personal Data to a Third Country or an international organisation. Additional Processing may also be performed provided that Union or Member State law to which the Supplier or a Sub-processor is subject to requires such Processing. In such case of additional Processing, the Supplier shall inform Skolon of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. In addition to the specific instructions set out in Appendix 1, this DPA shall constitute the Controller’s documented instructions.

3.3 The Supplier undertakes to provide written instructions to persons acting under the authority of the Supplier, who have access to Personal Data, obliging such persons only to Process the Personal Data only according to documented instructions from Skolon, unless required to do so by Union or Member State law.

4.1 When processing, the Supplier shall take all measures necessary, including technical and organisational measures, in order to comply with applicable Data Protection Laws.

4.2 The Supplier shall take all measures required pursuant to article 32 of the GDPR. The measures shall at least lead to an appropriate level of security having regard to the state of the art, the particular risks that are presented by processing of Personal data and the degree of sensitivity of the Personal Data Processed.

4.3 The Supplier shall immediately assist and inform the Customer and the Processor about any accidental or unauthorised access to Personal Data, as well as any other personal data breach, however no later than 24 hours from gaining knowledge of such an incident. The notice shall at least:

a) describe the nature of the personal data breach, the categories and number of Data Subjects concerned,

b) communicate the name and contact details of the data protection officer or other contact points where more information can be obtained,

c) describe the likely consequences of the personal data breach, and

d) describe the measures taken or proposed to be taken by the Supplier to address the personal data breach, including measures to mitigate its possible adverse effects.

4.4 The Supplier shall, taking into account the nature of Processing and the information available to the Supplier, support Skolon in assisting the Controller, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.

5.1 The Supplier undertakes to keep the Personal Data confidential, except with respect to information that the Supervisory Authority communicates to the Supplier should be disclosed, or which is disclosed subject to the Data Protection Regulations or another legal binding obligation, including under the provisions of applicable public access to information acts.

5.2 The Supplier undertakes to ensure that persons authorised to Process Personal Data have undertaken confidentiality obligations or are subject to appropriate statutory obligation of confidentiality.

5.3 This confidentiality obligation shall remain in force after the termination of this DPA.

In the event the Supplier receives a request for information from a Data Subject, Supervisory Authority or other third party regarding the processing of Personal Data, the Supplier shall, without undue delay, forward such request to Skolon. The Supplier, the Supplier’s employees, or Sub-processors may not disclose Personal Data or any other information about the Processing of Personal Data without instructions from Skolon, unless such disclosure is required under the Data Protection Laws.

The Supplier shall, taking into account the nature of the Processing under this DPA, support Skolon in assisting the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR.

The Supplier shall only be allowed to transfer Personal Data to a Third Country or an international organisation with Skolon’s written approval and in accordance with Data Protection Laws. The transfer of Personal Data to a Third Country or an international organisation may also take place provided that Union or Member State law to which the Supplier or Sub-processor is subject to requires such transfer. In such case of legal requirement for transfer to a Third Country, the Supplier shall inform Skolon of that legal requirement before transferring Personal Data to a Third Country, unless that law prohibits such information on important grounds of public interest. Nonetheless, a transfer of Personal Data to a Third Country or an international organisation must always meet current requirements in accordance with the Data Protection Laws.

9.1 The Supplier shall make available to Skolon (and the Controller, as instructed by Skolon) all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for, and contribute to audits, including inspections, conducted by an independent third party auditor mandated by Skolon or the Controller.

9.2 With regard to Section 9.1 above the Supplier shall immediately inform Skolon if, in Supplier’s opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.

10.1 Skolon hereby grants the Supplier a general authorization to engage Sub-processors. The Supplier shall inform Skolon of any intended changes concerning the addition or replacement of Sub-processors, thereby giving Skolon the opportunity to object to such changes if to the extent the conditions set forth in Section 10.2 are not fulfilled.

10.2 Subject to the Skolon’s prior specific or general written authorization, the Supplier may engage further Sub-processors, provided that the same data protection obligations as set out in this DPA as referred to in article 28.4 of the GDPR, are imposed on such Sub- processor by way of a written contract. The Supplier must ensure that only Sub- processors are engaged who provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the Data Protection Laws. Where such Sub-processor fails to fulfil its data protection obligations, the Supplier shall remain fully liable to Skolon for the performance of such other Sub-processor.

10.3 The Sub-processors listed by the Supplier at the settings page under the section Subprocessors in the Partnerportal are pre-approved by Skolon to be used as Sub- processors by the Supplier under this DPA.

11.1 This DPA enters into force on the day of signing by both Parties and remains in force for as long as the Supplier Processes Personal Data on behalf of Skolon under the Agreement (the “Term”). Skolon may however terminate this DPA at any time effective as of the date chosen by Skolon.

11.2 After the end of the Supplier’s provision of services relating to Processing under the Agreement, the Supplier shall, at the choice of Skolon and/or Controller, upon Skolon’s written request delete or return all the Personal Data to Skolon and/or Controller and delete existing copies unless Union or Member State Law requires storage of the Personal Data. If Skolon does not provide the Supplier with such written request, the Supplier shall permanently delete the Personal Data at the latest 180 days from the expiry of the Term and cause any Sub-processor to do the same.

Any compensation for the Supplier’s services is regulated under the Agreement. The Supplier is not entitled to compensation for Processing of Personal data under this DPA.

13.1 If the Supplier (including persons under the Supplier’s supervision or Sub-Processors engaged by the Supplier) Processes Personal Data in violation of this DPA, Skolon’s instructions or the Data Protection Laws, the Supplier shall pay damages to Skolon for any and all damage due to such Processing – including any administrative fines imposed upon the Controller or Skolon by the Supervisory Authority or any claim that a third party makes against the Controller or Skolon.

13.2 If a third party makes a claim against the Supplier, due to Skolon’s inaccurate or inadequate instructions, Skolon shall pay damages to the Supplier for damage attributable to Skolon’s inaccurate or inadequate instructions, if and to the extent that the Supplier immediately informs Skolon in writing of the claim made against the Supplier and if the Supplier allows Skolon to control the defense and, independently, make any decision on potential conciliation.

13.3 Notwithstanding the above, any and all limitations of liability under the Agreement shall apply correspondingly under this DPA.

14.1 If, during the Term, Data Protection Laws are changed, or new guidelines, rulings or regulations are published by the Supervisory Authority causing this DPA to be non- compliant with such law, guidelines, rulings or regulations, each of the Parties shall have the right to request appropriate amendments to this DPA to satisfy the new requirements.

14.2 Changes to this DPA shall, in order to be effective, be made in writing and signed by both Parties. Signatures may be made by electronic means and shall have the same force and effect as original signatures.

15.1 With regard to the Processing of Personal Data, the regulations in the DPA shall have priority over conflicting regulations in any other agreement between the Parties.

15.2 This DPA shall be governed by the substantive laws of Sweden.

15.3 Any dispute, controversy or claim arising out of or in connection with this DPA shall be settled in accordance with the dispute regulations laid down in the Agreement.

The following instructions apply for the Processing of Personal Data for which Skolon is responsible as Processor in respect of Personal Data originating from a Controller. In addition to what is already stated in this DPA, the Supplier shall adhere to the instructions below.

Processing