Lenzo Data Processing Agreement

Effective Date: January 1, 2024
Last Updated: December 20, 2025

This Data Processing Agreement ("DPA") is incorporated into and forms part of the Terms of Service ("Terms") between Genio Group, Inc. ("Company," "we," "us") and Customer ("you," "your") governing your use of the Lenzo trade compliance monitoring platform and related services ("Services").

IMPORTANT NOTICE:
The Services provide informational tools and data aggregation only. The Services do not constitute legal, regulatory, or compliance advice. Customer assumes full and exclusive responsibility for all compliance decisions, regulatory interpretations, and business actions taken based on information provided through the Services. Company expressly disclaims all liability for Customer's compliance outcomes, regulatory penalties, or enforcement actions.

1. DEFINITIONS

1.1 Capitalized terms not defined herein have the meanings set forth in the Terms. For purposes of this DPA:

(a) "Applicable Data Protection Law"means all applicable laws relating to privacy, data protection, and data security, including GDPR, UK GDPR, CCPA, PIPEDA, and Australian Privacy Act 1988.

(b) "Controller"means the entity determining the purposes and means of Processing Personal Data. Customer is the Controller.

(c) "Data Subject"means an identified or identifiable individual whose Personal Data is Processed.

(d) "GDPR"means Regulation (EU) 2016/679.

(e) "Personal Data"means any information relating to an identified or identifiable individual that Company Processes on Customer's behalf, including user credentials, transaction data, partner information, and screening records.

(f) "Processing"means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

(g) "Processor"means an entity Processing Personal Data on behalf of Controller. Company is the Processor.

(h) "Security Incident"means unauthorized or unlawful breach of security leading to destruction, loss, alteration, disclosure of, or access to Personal Data.

(i) "Standard Contractual Clauses" or "SCCs"means standard contractual clauses for international data transfers approved by the European Commission under GDPR Article 46.

(j) "Sub-processor"means third-party service providers engaged by Company to Process Personal Data.

(k) "Compliance Data"means sanctions lists, restricted party information, export control classifications, and other regulatory data aggregated and displayed through the Services.

1.2 In case of conflict between this DPA and the Terms, this DPA prevails solely with respect to Processing of Personal Data.

2. SCOPE AND INSTRUCTIONS

2.1 Processing Details

Company shall Process Personal Data to provide the Services, including:

• (a) Subject Matter: Trade compliance monitoring, sanctions screening, partner risk assessment, export control classification assistance, and regulatory alert services as described at www.lenzo.ai.
• (b) Duration: For the term of the Terms and thereafter as necessary to fulfill Section 9.
• (c) Nature and Purpose: Automated and manual Processing to enable Customer to screen business partners, monitor sanctions lists, classify products for export controls, receive regulatory alerts, and generate compliance reports.
• (d) Data Categories: Identification data (names, emails, job titles), business partner data (company names, addresses, identification numbers), transaction data (product descriptions, destinations, values), technical data (IP addresses, login data), and screening results.
• (e) Data Subject Categories: Customer's employees, contractors, authorized users, business partners, and individuals appearing in screening or transaction records.

2.2 Processing Instructions

Company shall Process Personal Data only according to Customer's documented instructions consisting of: (i) performance of Services under the Terms, (ii) Customer's configuration of features and integrations, and (iii) additional written instructions sent to support@lenzo.ai and acknowledged by Company. Company shall promptly notify Customer at support@lenzo.ai if any instruction appears to violate Applicable Data Protection Law.

3. CONTROLLER OBLIGATIONS AND CUSTOMER RESPONSIBILITIES

3.1 Data Protection Representations

Customer represents and warrants that it has: (a) a lawful basis for Processing Personal Data under Applicable Data Protection Law, (b) provided required notices to Data Subjects regarding Company's Processing, (c) obtained necessary consents and authorizations, and (d) the right to transfer Personal Data to Company for Processing under this DPA.

3.2 Sole Compliance Responsibility

Customer acknowledges and agrees that: (a) Customer is solely responsible for the accuracy, quality, and legality of Personal Data and compliance with all laws applicable to Customer's business operations; (b) the Services provide informational tools only and do not constitute legal, regulatory, or compliance advice; (c) Customer bears exclusive responsibility for all compliance decisions, including but not limited to sanctions screening determinations, export control classifications, licensing decisions, and due diligence conclusions; (d) Customer must independently verify all Compliance Data and screening results before relying upon them for any business or regulatory purpose; (e) Company makes no representations or warranties regarding the completeness, accuracy, or timeliness of any Compliance Data; and (f) Customer's use of the Services does not transfer any compliance obligations or liability to Company.

3.3 Regulatory Compliance

Customer shall: (a) maintain its own compliance programs independent of the Services; (b) employ qualified compliance personnel or advisors; (c) conduct independent due diligence on all business partners and transactions; (d) obtain all required licenses, permits, and authorizations; and (e) not rely solely on the Services for any compliance determination that could result in regulatory liability.

4. PROCESSOR OBLIGATIONS

4.1 Compliance with Instructions

Company shall: (a) Process Personal Data only on Customer's documented instructions per Section 2.2, except where required by law (in which case Company shall notify Customer at support@lenzo.ai unless prohibited by law), (b) not use Personal Data for any other purpose, and (c) maintain records of Processing activities.

4.2 Confidentiality

Company shall ensure that personnel authorized to Process Personal Data are bound by confidentiality obligations and have access only as necessary to perform Company's obligations.

4.3 Use Restrictions

Company shall not: (a) sell, rent, or disclose Personal Data to third parties except as authorized herein, (b) retain or use Personal Data except to provide Services, (c) combine Personal Data with data from other sources for purposes unrelated to Services, or (d) use Personal Data for marketing without Customer's written consent.

5. SECURITY MEASURES

5.1 Security Program

Company maintains reasonable technical and organizational measures designed to protect Personal Data against Security Incidents, including:

• (a) Encryption of data in transit and at rest;
• (b) Access controls limiting personnel access to Personal Data;
• (c) Regular security monitoring and logging;
• (d) Backup and recovery capabilities;
• (e) Incident response procedures.

Additional details are described in Annex 2.

5.2 Security Updates

Company may modify security measures to maintain or improve protection levels. Company shall notify Customer of changes that materially reduce security protections.

5.3 No Guarantee

Customer acknowledges that no security measures are impenetrable. Company does not guarantee that Personal Data will not be accessed, disclosed, altered, or destroyed by breach of any security measures. Customer assumes all risk associated with transmission of data to and from the Services.

6. SUB-PROCESSORS

6.1 Authorization

Customer authorizes Company to engage Sub-processors listed in Annex 3. Company shall: (a) impose data protection obligations on Sub-processors no less protective than this DPA, and (b) remain responsible for Sub-processor compliance with data protection obligations only, not for any compliance-related functions or outcomes.

6.2 Changes to Sub-processors

Company shall provide at least thirty (30) days' advance notice of new or replacement Sub-processors by updating Annex 3 and sending email notification. Customer may object on reasonable data protection grounds by notifying support@lenzo.ai within fifteen (15) days. If parties cannot resolve objection within thirty (30) days, Customer may terminate affected Services without penalty.

7. DATA SUBJECT RIGHTS

7.1 Assistance

Company shall reasonably assist Customer in responding to Data Subject requests to exercise rights under Applicable Data Protection Law, considering the nature of Processing and information available to Company.

7.2 Request Procedures

• (a) Company shall promptly redirect Data Subject requests received directly to Customer, unless legally required to respond.
• (b) Customer may submit assistance requests via support@lenzo.ai. Company shall respond within reasonable timeframes based on request complexity.

7.3 Deletion

Upon Customer's instruction, Company shall delete Personal Data within a reasonable timeframe not exceeding thirty (30) days, except where retention is required by law.

8. INTERNATIONAL TRANSFERS

8.1 Processing Locations

Personal Data may be Processed in the United States and other jurisdictions where Company or Sub-processors operate.

8.2 Transfer Safeguards

For transfers from the European Economic Area, United Kingdom, or Switzerland to countries without adequacy decisions, the parties incorporate the Standard Contractual Clauses in Annex 4, supplemented by security measures in Annex 2.

8.3 Additional Mechanisms

Customer may request information about alternative transfer mechanisms or processing locations by contacting support@lenzo.ai.

9. DATA RETENTION AND DELETION

9.1 Retention — Company retains Personal Data while Customer's account is active and for thirty (30) days thereafter, except as required by law or longer retention requested by Customer.

9.2 Post-Termination — Upon termination, Company shall, at Customer's written election: (a) return Personal Data in standard format, or (b) securely delete Personal Data, except where legally required to retain. Customer must provide election to support@lenzo.ai before or within thirty (30) days after termination. If Customer does not respond, Company shall delete Personal Data.

9.3 Legal Holds — Company may retain Personal Data as required by applicable law, provided such data is isolated from active Processing.

10. SECURITY INCIDENTS

10.1 Notification — Company shall notify Customer without undue delay after becoming aware of a Security Incident by sending notice to Customer's account email. Notification includes available information about: (a) nature of incident, (b) affected data categories, (c) likely consequences, and (d) remedial measures.

10.2 Investigation — Company shall investigate Security Incidents and reasonably cooperate with Customer to mitigate harm and prevent recurrence. Company may delay notification if reasonably necessary for law enforcement investigation.

10.3 Limitations — Notification does not constitute acknowledgment of fault or liability. Company's obligations are limited to information reasonably available at time of notification. Customer is solely responsible for its own notification obligations to regulators and Data Subjects.

11. AUDIT RIGHTS

11.1 Information Requests — Company shall provide information reasonably necessary to demonstrate DPA compliance, including responses to written questionnaires (maximum once per year) and summaries of relevant security assessments.

11.2 Third-Party Reports — Company may satisfy audit obligations by providing third-party security audit reports or certifications, subject to confidentiality restrictions.

11.3 On-Site Audits — If information under Sections 11.1-11.2 is insufficient, Customer may conduct on-site audit with: (a) forty-five (45) days' written notice to support@lenzo.ai, (b) execution of Company's audit agreement, (c) conduct during business hours with minimal disruption, and (d) frequency limited to once per year except following material Security Incidents affecting Customer. Customer bears all audit costs including Company's reasonable facilitation fees.

12. COOPERATION

Company shall reasonably cooperate with Customer regarding Data Protection Impact Assessments and consultations with supervisory authorities where Customer's use of Services requires such activities under Applicable Data Protection Law.

13. CCPA PROVISIONS

13.1 Applicability

Where Customer is a Business and Company is a Service Provider under CCPA, the following applies:

• (a) Company Processes California Personal Information only for Business Purposes specified in Section 2.1 and as necessary to provide Services.
• (b) Company shall not: (i) Sell or Share California Personal Information, (ii) retain, use, or disclose California Personal Information outside the business relationship, or (iii) combine California Personal Information with information from other sources except as permitted.
• (c) Company certifies it understands and will comply with restrictions in CCPA Section 1798.140(w)(2).

13.2 Definitions

"Business," "Business Purpose," "California Personal Information," "Sell," "Service Provider," and "Share" have meanings in CCPA.

14. DISCLAIMERS, LIABILITY, AND INDEMNIFICATION

14.1 Disclaimer of Warranties

THE SERVICES, INCLUDING ALL COMPLIANCE DATA, SCREENING RESULTS, CLASSIFICATION ASSISTANCE, AND REGULATORY ALERTS, ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND. COMPANY EXPRESSLY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, TIMELINESS, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE. COMPANY DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, SECURE, OR FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.

14.2 Compliance Data Disclaimer

COMPANY MAKES NO REPRESENTATIONS OR WARRANTIES REGARDING: (A) THE ACCURACY, COMPLETENESS, OR CURRENCY OF ANY SANCTIONS LISTS, RESTRICTED PARTY DATABASES, OR OTHER COMPLIANCE DATA; (B) THE CORRECTNESS OF ANY PRODUCT CLASSIFICATIONS OR EXPORT CONTROL DETERMINATIONS; (C) THE TIMELINESS OR COMPLETENESS OF REGULATORY ALERTS; OR (D) THE SUITABILITY OF THE SERVICES FOR MEETING CUSTOMER'S SPECIFIC COMPLIANCE OBLIGATIONS. COMPLIANCE DATA IS AGGREGATED FROM THIRD-PARTY SOURCES AND MAY CONTAIN ERRORS, OMISSIONS, OR OUTDATED INFORMATION.

14.3 Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW: (A) IN NO EVENT SHALL COMPANY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA, BUSINESS OPPORTUNITIES, REGULATORY PENALTIES, FINES, SANCTIONS, ENFORCEMENT ACTIONS, OR OTHER INTANGIBLE LOSSES, EVEN IF COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES; (B) COMPANY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THIS DPA OR THE SERVICES SHALL NOT EXCEED THE AMOUNTS PAID BY CUSTOMER TO COMPANY IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM; (C) COMPANY SHALL HAVE NO LIABILITY FOR ANY DAMAGES ARISING FROM CUSTOMER'S COMPLIANCE DECISIONS, REGULATORY VIOLATIONS, OR ENFORCEMENT ACTIONS REGARDLESS OF WHETHER CUSTOMER RELIED ON THE SERVICES.

14.4 Exclusion of Compliance Liability

CUSTOMER EXPRESSLY ACKNOWLEDGES AND AGREES THAT COMPANY SHALL HAVE NO LIABILITY WHATSOEVER FOR: (A) ANY REGULATORY PENALTIES, FINES, OR ENFORCEMENT ACTIONS IMPOSED ON CUSTOMER; (B) ANY BUSINESS LOSSES RESULTING FROM DENIED EXPORT LICENSES OR BLOCKED TRANSACTIONS; (C) ANY DAMAGES ARISING FROM CUSTOMER'S RELIANCE ON SCREENING RESULTS, CLASSIFICATION ASSISTANCE, OR REGULATORY ALERTS; (D) ANY CONSEQUENCES OF FALSE POSITIVES OR FALSE NEGATIVES IN SCREENING RESULTS; (E) ANY DELAYS OR FAILURES IN REGULATORY ALERT DELIVERY; (F) ANY THIRD-PARTY CLAIMS ARISING FROM CUSTOMER'S COMPLIANCE ACTIVITIES; OR (G) ANY DAMAGES ARISING FROM ERRORS OR OMISSIONS IN COMPLIANCE DATA, REGARDLESS OF SOURCE. THIS EXCLUSION APPLIES REGARDLESS OF THE THEORY OF LIABILITY AND REGARDLESS OF WHETHER COMPANY WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

14.5 Customer Indemnification

Customer shall defend, indemnify, and hold harmless Company and its officers, directors, employees, agents, successors, and assigns from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to: (a) Customer's breach of this DPA or the Terms; (b) Customer's breach of Section 3; (c) instructions violating Applicable Data Protection Law after Company notifies Customer per Section 2.2; (d) misrepresentations regarding lawful basis for Processing; (e) Customer's compliance decisions and activities; (f) any regulatory penalties, fines, or enforcement actions relating to Customer's business operations; (g) any third-party claims arising from Customer's use of the Services or reliance on Compliance Data; (h) Customer's failure to maintain adequate independent compliance programs; and (i) any claims that Customer's data or use of the Services infringes any third-party rights.

14.6 Essential Basis

Customer acknowledges that the disclaimers, limitations, and exclusions in this Section 14 are an essential basis of the bargain between the parties, reflect a fair allocation of risk, and would not be available at the stated price absent such limitations.

15. TERM AND TERMINATION

15.1 Term — This DPA is effective for the term of the Terms and continues until all Personal Data is deleted or returned per Section 9.

15.2 Survival — Sections 3.2, 3.3, 4.2, 9, 11, 14, 16, and 17 survive termination.

16. GOVERNING LAW

16.1 Applicable Law — This DPA is governed by Delaware law without regard to conflict of laws principles. Disputes are subject to exclusive jurisdiction of Delaware state and federal courts. Customer waives any objections to venue in such courts.

16.2 Regulatory Rights — Nothing limits Data Subject rights or supervisory authority powers under Applicable Data Protection Law.

17. GENERAL

17.1 Amendments — Company may amend this DPA by providing thirty (30) days' notice via email and posting updates at www.lenzo.ai/dpa/. Continued use after effective date constitutes acceptance. Company may implement amendments immediately if required by law or to address security concerns.

17.2 Notices — Notices to Company: support@lenzo.ai. Notices to Customer: account email address. Notices effective upon delivery.

17.3 Severability — Invalid provisions are modified to minimum extent necessary for validity without affecting remaining provisions. If any limitation of liability is found unenforceable, the parties agree that the limitation shall be enforced to the maximum extent permitted by law.

17.4 Assignment — Customer may not assign this DPA without Company's prior written consent. Company may assign to successor in connection with merger, acquisition, or asset sale upon notice to Customer.

17.5 Entire Agreement — This DPA with Terms and Annexes constitutes entire agreement on Personal Data Processing and supersedes all prior agreements on this subject.

17.6 Counterparts — This DPA may be executed electronically and in counterparts.

17.7 No Third-Party Beneficiaries — This DPA does not create any third-party beneficiary rights except as expressly provided.

17.8 Waiver — No waiver of any provision shall constitute waiver of any other provision. Failure to enforce any provision shall not constitute waiver of Company's right to enforce such provision.

ANNEX 1: DETAILS OF PROCESSING

Processing Overview

• Subject Matter: Provision of trade compliance monitoring platform.
• Duration: Term of Terms plus retention period under Section 9 of DPA.
• Nature: Automated collection, storage, analysis, screening, and presentation of data through cloud platform.
• Purpose: Enable Customer to screen business partners against sanctions lists, monitor regulatory changes, assist with product classifications, receive compliance alerts, and generate reports.

Categories of Personal Data

Personal Data Processed may include, depending on Customer's configuration and use of Services:

• Identity and contact information (names, email addresses, usernames)
• Professional information (job titles, departments, roles)
• Authentication credentials (hashed passwords, authentication tokens)
• Business partner data (company names, addresses, identification numbers)
• Transaction data (product descriptions, destinations, values, dates)
• Screening results and compliance records
• Technical data (IP addresses, device identifiers, session data)

Categories of Data Subjects

Data Subjects may include:

• Customer's employees and contractors with access to Services
• Personnel with compliance or trade management roles
• Business partners and their representatives
• Individuals whose information appears in screening or transaction records

Note: This Annex describes typical Processing activities. Actual Processing depends on Customer's configuration, integrations, and instructions. Customer remains solely responsible for determining what Personal Data is Processed through use of Services and for ensuring lawful Processing.

ANNEX 2: TECHNICAL AND ORGANIZATIONAL MEASURES

Company implements security measures designed to protect Personal Data, including:

1. Access and Authentication Controls
   • Role-based access restrictions limiting personnel access to Personal Data
   • Multi-factor authentication for administrative systems
   • Automatic session termination after inactivity
   • Immediate access revocation upon personnel departure
2. Encryption and Data Protection
   • Industry-standard encryption for data transmission over networks
   • Encryption of stored Personal Data
   • Secure key management with periodic rotation
3. Infrastructure Security
   • Hosting on reputable cloud infrastructure with physical security controls
   • Network firewalls and intrusion detection
   • Geographic redundancy for data resilience
   • Regular automated backups
4. Monitoring and Logging
   • Access logging for accountability
   • Security event monitoring and alerting
   • Log retention for security investigation purposes
5. Organizational Controls
   • Confidentiality obligations for all personnel
   • Security awareness training
   • Background verification where legally permitted and appropriate
   • Documented security policies and procedures
6. Vendor Security
   • Security requirements in Sub-processor agreements
   • Due diligence review of Sub-processor security practices
7. Security Program Management
   • Periodic security risk assessments
   • Vulnerability identification and remediation processes
   • Third-party security testing
   • Incident response procedures including detection, containment, and remediation
8. Data Lifecycle Management
   • Data minimization practices
   • Secure deletion procedures
   • Documented retention schedules
9. Supplementary Transfer Safeguards
   • Strong encryption protecting data during transmission and storage
   • Technical access restrictions
   • Transparency regarding legal access requests
   • Ongoing assessment of legal environment in processing locations

Updates: Company reviews and updates security measures in response to evolving risks and technology. Specific implementations may change provided overall protection level is maintained or enhanced.

Limitations: Company does not currently hold third-party security certifications (such as SOC 2 or ISO 27001). Security measures described reflect current practices and capabilities. Customer should evaluate these measures against its own security requirements and assumes all risk associated with adequacy of these measures for Customer's specific needs.

ANNEX 3: SUB-PROCESSORS

Current Sub-processors

Company engages the following categories of Sub-processors:

• Cloud Infrastructure: Hosting, computing, storage, and platform services (United States; EU and UK regions available for certain services)
• Compliance Data Providers: Sanctions list aggregation; regulatory database services; export control classification data
• Communication Services: Transactional email delivery; customer support communications; alert notifications
• Payment Processing: Subscription billing and payment processing
• Operational Services: System monitoring and logging; analytics and performance tracking

Notification

Company provides email notification per Section 6.2 of DPA. Customers may subscribe to notifications by contacting support@lenzo.ai.

Emergency Sub-processors

In urgent situations requiring immediate Sub-processor engagement to maintain Services, Company may engage Sub-processor with notice to Customer as soon as reasonably practicable. Customer's objection rights under Section 6.2 apply.

Compliance Data Disclaimer: Company aggregates Compliance Data from third-party Sub-processors. Company makes no representations or warranties regarding the accuracy, completeness, or timeliness of data provided by Sub-processors. Customer assumes all risk associated with reliance on such data.

Last Updated: December 20, 2025

ANNEX 4: STANDARD CONTRACTUAL CLAUSES

EU/EEA Transfers

For Personal Data transfers from the European Economic Area to Company, the parties agree to Standard Contractual Clauses adopted by European Commission Implementing Decision (EU) 2021/914 ("EU SCCs"), Module Two (Controller-to-Processor).

EU SCC Specifications:

• Clause 7 (Docking): Not used.
• Clause 9 (Sub-processors): Option 2 (general authorization) applies per Section 6 of DPA.
• Clause 11 (Redress): Optional clause not selected.
• Clause 17 (Governing Law): Laws of Republic of Ireland.
• Clause 18 (Jurisdiction): Courts of Republic of Ireland.

Annexes to EU SCCs:

• Annex I.A (Parties): Data exporter is Customer; data importer is Genio Group, Inc. (contact: support@lenzo.ai)
• Annex I.B (Description): As set forth in Annex 1 to this DPA
• Annex I.C (Supervisory Authority): Authority in data exporter's EU Member State, or Irish Data Protection Commission if exporter not in EU
• Annex II (Technical Measures): As set forth in Annex 2 to this DPA
• Annex III (Sub-processors): As set forth in Annex 3 to this DPA

UK Transfers

For transfers subject to UK Data Protection Law, the UK International Data Transfer Addendum (Version B1.0) to EU SCCs applies:

• Table 1: Parties as specified above
• Table 2: EU SCCs Module Two with specifications above
• Table 3: Annexes as specified above
• Table 4: Neither party may terminate Addendum independently

Swiss Transfers

For transfers subject to Swiss Federal Act on Data Protection, EU SCCs apply with modifications:

• References to GDPR include Swiss data protection law
• References to EU/Member States include Switzerland
• Competent authority is Swiss Federal Data Protection and Information Commissioner
• Governing law is Swiss law; jurisdiction is Swiss courts

Alternative Mechanisms

If EU SCCs or related transfer mechanisms become invalid or unavailable, parties shall cooperate in good faith to implement alternative lawful transfer mechanisms, including:

• Updated standard contractual clauses or approved transfer tools
• Reliance on adequacy decisions
• Other mechanisms permitted under applicable law

If no lawful mechanism is available within sixty (60) days, Customer may terminate affected Services without penalty.

Interpretation

In case of conflict between main DPA and EU SCCs regarding data protection obligations, EU SCCs prevail solely to extent required for GDPR compliance. For non-GDPR matters, main DPA provisions govern.

‍

‍

FINAL ACKNOWLEDGMENT: BY USING THE SERVICES, CUSTOMER ACKNOWLEDGES THAT IT HAS READ, UNDERSTOOD, AND AGREES TO BE BOUND BY THIS DPA, INCLUDING ALL DISCLAIMERS, LIMITATIONS OF LIABILITY, AND INDEMNIFICATION OBLIGATIONS. CUSTOMER CONFIRMS THAT IT ASSUMES FULL AND EXCLUSIVE RESPONSIBILITY FOR ALL COMPLIANCE DECISIONS AND REGULATORY OUTCOMES.