Data Processor Agreement

This is an agreement (“Agreement”) between You (“Customer”) and Cryptolens AB (“Vendor”). each a “Party” and together the “Parties”.

Whereas the Parties have agreed that Vendor will provide services to Customer in the field of software licensing, payments and analytics.

This Agreement takes effect once you have created an account at app.crypotlens.io (“Service”).

IT IS AGREED

1. INTRODUCTION

1.1 The Parties have previously concluded - or in connection with this Agreement - an agreement regarding the usage of the Service Cryptolens, (“Main Agreement”).

1.2 Within the obligations arising from the Main Agreement, Vendor may process personal data and other information on behalf of the Customer.

1.3 As a result, the Parties hereby agree this Agreement to regulate the conditions for Vendors´s processing of - and access to - personal data belonging to the Customer. The agreement applies as long as Vendor processes personal information on behalf of the Customer

1.4 The agreement aims to ensure that Vendor carries out a processing of personal data on behalf of the Customer in accordance with the requirements of Regulation (EU) 2016/679 (“GDPR”).

2 DEFINITIONS AND INTERPRETATION

Unless circumstances clearly show otherwise, the definitions used in the Agreement shall have the corresponding definition as set out in Article 4 GDPR.

3 PERSONAL DATA PROCESSING

3.1 The Customer is the Controller (“Data controller”) of the personal data processed under the Main Agreement.

3.2 Vendor is to be considered as a personal data counsel (“Data processor”) for the Customer. As a personal data processor, Vendor may only process the personal data for the Customer in accordance with the purposes of the Main Agreement, the provisions of the Agreement and in accordance with the written instructions provided by the Customer from time to time regarding personal data processing. Vendor may not process the data for its own purposes.

3.3 Vendor shall be entitled to compensation for additional costs incurred by Vendor due to Customer’s amended instructions.

4 COOPERATION

4.1 Vendor shall, as far as possible, assist the Customer in fulfilling its obligation to inform the registrant under Chapter III GDPR (eg in the production of registries and corrections and deletion of data). Vendor shall be entitled to compensation from the Customer for the additional costs that this entails.

4.2 Vendor shall, with due consideration of the type of treatment and information available to Vendor, assist the Customer in ensuring that the safety of the treatment is adequate, eg in the case of pseudonymization and encryption, system resilience, etc., see more about security below.

5 SECURITY

5.1 Vendor shall take adequate technical and organizational measures to protect the personal data processed by Vendor under the Agreement.

5.2 The measures should be adapted to a level appropriate to the sensitivity of personal data, the particular risks, existing technical capabilities and implementation costs.

5.3 Accession to such an approved code of conduct as referred to in Article 40 GDPR or an approved certification mechanism referred to in Article 42 GDPR may be used by Vendor to demonstrate that Vendor meets the above-mentioned security requirements.

5.4 Vendor shall ensure the eligibility of employees handling the Customer’s personal data and that the processing is performed only in accordance with the Customer’s instructions and in accordance with this Agreement, see also section 10.1.

5.5 At the Customer’s request, Vendor shall provide a security policy that describes in more detail the security measures taken by Vendor to protect personal data. The policy includes information about Vendor’s routines for logging, authorization assignment and management of security incidents, see also section 6.1.

6 SECURITY INCIDENT

6.1 In case of a security incident, data violation or in case Vendor otherwise loses control of the data processed (personal data incident), Vendor shall notify Customer in writing without undue delay after Vendor has been informed of the personal data incident.

7 SUBCONTRACTORS

7.1 Through the agreement, Vendor has obtained a general prior authorization from the Customer to hire subcontractors. If Vendor intends to hire a new subcontractor, Vendor shall inform Customer about this so that the Customer may make any objections to this. 7.2 If Vendor commits a subcontract in accordance with clause 7.1, Vendor shall sign an agreement that makes the subcontractor subject to the same obligations as Vendor has in relation to the Customer under the Agreement.

8 LIABILLITY

8.1 Vendor will only be liable to Customer for damages if: Vendor has not fulfilled such obligations specifically directed at Data processors according to GDPR and when liability can be claimed from a Data processor in accordance with this regulatory framework.

and / or

Vendor acts in violation of the Agreement and, after written request from the Customer, have not remedied such violation.

and / or

Vendor acts in violation of the Customer’s written and lawful instructions.

8.2 Vendor cannot in any case be liable for damages other than can be enforced through GDPR.

9 TERMINATION OF THE AGREEMENT

9.1 When Vendor discontinues processing of personal data on behalf of the Customer, Vendor shall either return all personal information to the Customer in the manner notified by the Customer or delete any information relating to the Agreement.

9.2 If the data processing ceases as a result of the termination of the Main Agreement, the Customer must reclaim the personal data within 14 days from the date of termination of the Agreement. The personal data will be deleted if the Customer has not made such claim within the above-specified time.

10 CONFIDENTIALITY

10.1 Vendor shall ensure that Vendor employees, with the right to process personal data on behalf of the Customer, comply with the confidentiality of the data.

10.2 The Parties undertake not to provide information about the Agreement’s content and other information that the Parties have received in connection with the Agreement during the term of the agreement and subsequently not to third parties, whether written or oral and independent of format (“Confidential Information”). The Parties undertake to use Confidential Information solely for the purpose of fulfilling their obligations under the Agreement and not for any other purpose. The receiving Party undertakes to take the necessary steps to prevent any employee, subcontractor or other intermediary from using or disclosing Confidential Information for third parties. 10.3 The above does not apply to such information which

a) at the time of disclosure, or later becomes available to the public in any other way than by violation of the Agreement; or b) was already available to the receiving Party or which it has developed on its own before the conclusion of the Agreement and which has not been obtained directly or indirectly by violation of the Agreement.

10.4 This confidentiality clause does not prevent a Party from disclosing such information that Party is required to disclose by law, judgment or authority decision or agreement with a stock exchange or other marketplace.

10.5 If a Party becomes aware that it will be required, or is likely to be required, to disclose Confidential Information in order to comply with applicable laws, judgment or authority decision or agreement with a stock exchange or other marketplace, it shall, to the extent it is lawfully able to do so, prior to any such disclosure notify the disclosing Party. The Parties shall do their utmost to ensure that information provided in accordance with this paragraph, as far as possible, is treated confidentially by the recipient of the information.

11 ASSIGNMENT OF AGREEMENT

No Party is entitled to transfer all or part of its rights and / or obligations under the Agreement without the prior written consent of the other Party.

12 SETTLEMENT OF DISPUTES

12.1 This Agreement shall be construed in accordance with and governed by the laws of Sweden.

12.2 Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Arbitration Institute of the Stockholm Chamber of Commerce.

12.3 The seat of arbitration shall be Stockholm.

12.4 The language to be used in the arbitral proceedings shall be Swedish.

12.5 Arbitration with reference to this arbitration clause is subject to confidentiality. The confidentiality includes all information that emerges during the proceedings as well as any decision or arbitration given in connection with the procedure. Information subject to confidentiality may in no way be forwarded to third parties without the consent of the other Party