Data Processing Addendum

Last Updated: July 22, 2024

‍

1. For the purposes of this Data Processing Addendum, the following definitions shall apply:
   Applicable Laws: means (for so long as and to the extent that they apply to Proto Global Ltd.) the laws of Canada, and as may be applicable, the European Union;
   Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organizational measures: as defined in the applicable Data Protection Legislation; and,
   Data Protection Legislation: the legislation of Canada relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications).

1. Proto and Client will comply with all applicable requirements of the Data Protection Legislation. This Data Processing Addendum is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.
2. The parties acknowledge that for the purposes of the Data Protection Legislation, Client is the Controller and Proto is the Processor.
3. Without prejudice to the generality of paragraph 1, Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Proto for the duration and purposes of this Agreement.
4. Without prejudice to the generality of paragraph 1, Proto shall, in relation to any Personal Data processed in connection with the performance by Proto of its obligations under this Agreement:
   ‍
   (a)    process that Personal Data only on the documented written instructions of Client unless Proto is required by Applicable Laws to otherwise process that Personal Data. Where Proto is relying on Applicable Laws as the basis for processing Personal Data, Proto shall promptly notify Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Proto from so notifying Client;
   ‍
   (b)   ensure that it has in place appropriate technical and organizational measures, reviewed and approved by Client, to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, ensuring a level of security appropriate to the risk in accordance with Data Protection Legislation;
   ‍
   (c)  ensure that all Representatives who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
   ‍
   (d)  not transfer any Personal Data outside of the European Economic Area unless the prior written consent of Client has been obtained and the following conditions are fulfilled:
   ‍
      (i)   Client or Proto has provided appropriate safeguards in relation to the transfer;
   ‍
      (ii)  the data subject has enforceable rights and effective legal remedies;
   ‍
      (iii)   Proto complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
   ‍
      (iv)  Proto complies with reasonable instructions notified to it in advance by Client with respect to the processing of the Personal Data;
   ‍
      (e)   assist Client, at Client's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
   ‍
   (f)    notify Client without within 24 hours on becoming aware of a Personal Data Breach;
   ‍
   (g) at the written direction of Client, delete or return Personal Data and copies thereof to Client on termination of the Services unless required by Applicable Law to store the Personal Data; and
   ‍
   (h)    maintain complete and accurate records and information to demonstrate its compliance with applicable Data Protection Legislation and, at Client’s request but subject to the confidentiality obligations set out in this, make such records and information available to Client and allow for and contribute to audits by Client or an independent auditor of the Processing activities carried out under this Data Processing Addendum, provided that any such audits shall be carried out:
   •    at Client’s sole cost;
   •    on at least 30 days’ prior notice;
   •    not more than once per year, unless Proto has a Personal Data Breach;
   •    in accordance with the scope agreed with Proto in advance.
   
   Should the audit reveal that Proto is not in compliance with this Data Processing Addendum or Data Protection Legislation, the costs of the audit shall be borne by Proto, up to a maximum of $1,000 Canadian Dollars.
5. Client provides its prior, general authorization for Proto to appoint Sub-Processors to Process Personal Data on Proto’s behalf, provided that Proto:
   ‍
   (a)  shall ensure that the terms on which it appoints such Sub-Processors comply with all applicable Data Protection Legislation, and are consistent with the obligations imposed on Proto in this Data Processing Addendum;
   ‍
   (b)  shall remain responsible for the acts and omission of any such Sub-Processor as if they were the acts and omissions of Proto; and
   ‍
   (c)   shall inform Client of any intended changes concerning the addition or replacement of the Sub-Processors, thereby giving Client the opportunity to object to such changes provided that if Client objects to the changes and cannot demonstrate, to Proto’s reasonable satisfaction, that the objection is due to an actual or likely breach of Data Protection Legislation, Client shall indemnify Proto for any losses, damages, costs (including legal fees) and expenses suffered by Proto in accommodating the objection.
6. These terms shall be valid for as long as Proto holds any personal data that was passed on by the Client.

Appendix

Description of processing activities: