Data Processing Contract
Last updated: 2024-09-15
Between customers using Tagd's contract management system, hereinafter referred to as the "Customer", and Tagd AB (559364-3058), hereinafter referred to as the "Supplier".
The Customer has entered into a contract, hereinafter referred to as the "Contract", with the Supplier or with a partner of the Supplier to use the Supplier's contract management system provided as a software service, hereinafter referred to as the "Product". This means that the Customer has the right to use the system during the subscription period. In connection with the Customer's use of the Product, the Supplier will process personal data on behalf of the Customer. In this case, the Customer shall be considered the data controller and the Supplier becomes the data processor. The purpose of this contract ("Data Processing Contract") is to regulate this processing of personal data.
This Data Processing Contract complies with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) in relation to the processing carried out by the Supplier on behalf of the Customer within the framework of the Parties' cooperation under the Contract.
1. Definitions
In this Data Processing Contract, the following terms shall have the following meanings:
"Data Protection Law": Refers to (i) the General Data Protection Regulation and its replacing laws; (ii) applicable Swedish data protection law; and (iii) the above-mentioned regulations and guidelines issued by the Supervisory Authority and applicable to the Party's operations.
"Supervisory Authority": The data protection authority in the respective country and, where applicable, any other competent supervisory authority exercising supervision over the Party's operations under the law.
2. Contract Documents and Application
2.1. Appendix 1 to this Contract specifies the personal data being processed, categories of data subjects, and the purpose of processing. Sub-processors that are approved and have access to the Customer's personal data are listed on an ongoing basis at www.tagd.ai.
3. General Provisions on Processing under this Data Processing Contract
3.1. The Supplier, in its capacity as data processor, undertakes to process personal data in accordance with Data Protection Legislation, this Data Processing Contract, the Contract, and the Customer's documented instructions at any given time. Any processing of personal data that is not necessary to fulfil the Supplier's obligations under the Contract, including any processing by the Supplier for its own purposes, is not permitted.
3.2. The Customer has the right to continuously provide the Supplier with written instructions regarding the Supplier's processing of personal data processed under this contract.
3.3. The data processor shall inform the data controller if the data processor becomes aware that personal data has been processed in violation of the data controller's instructions, this Data Processing Contract, or applicable law.
4. Security
4.1. Through this Data Processing Contract, the Supplier guarantees that technical and organisational security measures meeting the requirements of applicable Data Protection Legislation, in particular Article 32 of the GDPR, have been implemented, thereby ensuring that the rights of data subjects are protected. Such measures include, among other things, the Supplier protecting personal data against accidental or unlawful destruction, loss or alteration, as well as against unauthorised disclosure and unauthorised access. The Customer has the right to be informed of measures taken upon request.
4.2. The Supplier shall facilitate any inspections that the Supervisory Authority may require to ensure that personal data is processed in accordance with applicable law and this Contract. The Supplier shall comply with the Supervisory Authority's decisions on measures to meet security requirements in accordance with applicable Data Protection Legislation.
4.3. The Supplier further guarantees that it has the competence and resources to implement the technical and organisational measures that meet the requirements of Data Protection Legislation.
5. Transfer of Personal Data Outside the EU/EEA
5.1. The Supplier may not, without the Customer's written consent, transfer personal data covered by this contract outside the EU/EEA area. This means, among other things, that the Supplier may not process personal data using equipment or resources located outside the EU/EEA area. If the Parties agree that personal data shall be transferred to a location outside the EU/EEA area, the Parties shall ensure that the transfer is permitted under Data Protection Legislation and, where necessary, sign the required standard contractual clauses or take other necessary measures.
6. Notification of Personal Data Incidents and Obligation to Assist the Customer
6.1. The Supplier undertakes to inform the Customer in writing without delay of any personal data incident from the time it is discovered by the Supplier. The information shall contain all necessary information required for the Customer, where applicable, to fulfil its reporting and/or information obligations towards the Supervisory Authority and/or the data subjects.
6.2. The Supplier shall otherwise assist the Customer upon request to ensure that the Customer can fulfil its obligations under Data Protection Legislation. This may, for example, mean that the Supplier assists the Customer: (i) in fulfilling its reporting/information obligations to the Supervisory Authority and/or data subjects; (ii) by providing the Customer with all information reasonably required to certify that the Supplier's obligations as a data processor under Data Protection Legislation are fulfilled; (iii) in fulfilling the Customer's obligations regarding data subjects' rights; (iv) in carrying out risk analyses and data protection impact assessments; and (v) in prior consultation with the Supervisory Authority.
7. Contact with Data Subjects and Supervisory Authorities
7.1. In the event that a data subject, Supervisory Authority, or other third party requests information from the Supplier regarding the processing of personal data processed under this Contract, the Supplier shall immediately refer such request to the Customer and await the Customer's instructions.
7.2. The Supplier shall without delay inform the Customer of all contact with data subjects, supervisory authorities, or other third parties relating to the Supplier's processing of the personal data. The Supplier is not entitled to represent the Customer or otherwise act on behalf of the Customer in relation to data subjects, supervisory authorities, or other third parties.
8. Sub-processors
8.1. The Customer hereby approves the use of the sub-processors that the Supplier has already engaged and informed the Customer about on its website www.tagd.ai.
8.2. The Supplier undertakes to inform the Customer of any plans to engage new sub-processors and/or replace existing sub-processors at least thirty (30) days before such plans are implemented, with the right for the Customer to terminate the Contract including this Data Processing Contract if the Customer has reasonable grounds not to accept the Supplier's engagement of a new sub-processor. If the Customer does not respond to the Supplier within thirty (30) days, the Customer is deemed to have approved the Supplier's plan to engage/replace the sub-processors that the Supplier has informed about.
8.3. The Customer's approval under clauses 9.1 and 9.2 above shall be considered a specific authorisation for the Supplier to enter into a data processing contract on behalf of the Customer with sub-processors that will process personal data. Such a data processing contract between the Supplier and a sub-processor must be a written contract imposing the same obligations on the sub-processor as this Data Processing Contract imposes on the Supplier.
8.4. The Supplier is responsible for ensuring that applicable rules in Data Protection Legislation are observed when engaging sub-processors. The Supplier shall take all necessary measures to ensure that the sub-processor processes personal data in accordance with the Data Processing Contract and to ensure that they provide sufficient guarantees to implement appropriate technical and organisational measures.
9. Right to Audit
9.1. At the Customer's request, and in order to ensure that processing is carried out in accordance with this Contract, the Supplier shall enable and, to a reasonable extent, contribute to audits, including inspections and access to the Supplier's premises, carried out by the Customer or by a third party on behalf of the Customer.
9.2. If the Customer engages a third party to carry out an audit of the Supplier's processing of personal data on behalf of the Customer, the Customer shall ensure that such third party signs an appropriate confidentiality contract to not disclose information to third parties before any inspection.
9.3. Transparency for audits, disclosure of information, and similar shall take place at the time requested by the Customer or Supervisory Authority, which as far as possible shall be scheduled at times and in a manner that causes the least possible impact on the Parties' respective ordinary operations. The Supplier's audit shall be carried out in accordance with the security measures established by the Supplier, provided that such measures do not prevent or cause significant difficulties in the conduct of the audit. Unless otherwise prescribed in a separate written contract, each Party shall bear its own costs in connection with such audit and for the provision of information.
10. Confidentiality
10.1. In addition to the confidentiality obligations arising from the Contract, the Supplier undertakes not to disclose personal data or other information about the processing of personal data to third parties without express instructions from the Customer. The Supplier shall ensure that each person granted access to the processing of personal data has committed to observing confidentiality or is subject to an appropriate statutory duty of confidentiality in accordance with the requirements of Data Protection Legislation. This duty of confidentiality does not apply to sub-processors with whom a sub-processing contract exists. However, such a sub-processing contract must contain a corresponding duty of confidentiality for the sub-processor.
11. Compensation
11.1. Unless otherwise stated herein, the Supplier is not entitled to any compensation for the processing of personal data or for otherwise fulfilling its obligations under the Data Processing Contract.
11.2. In the event of changed instructions, the Customer shall compensate the Supplier for reasonable and documented increased costs resulting from the changed instructions, provided that (i) the changed instructions are specific to the Customer and do not result from general requirements for the services provided by the Supplier under the Contract, such as changes in legislation or market practice, and (ii) the Supplier notifies the Customer in writing of the cost increases no later than three months after the Customer has issued the changed instructions.
12. Liability
12.1. In the case of compensation for damage in connection with processing that, through a final judgment or settlement, is to be paid to the data subject due to a breach of a provision in the Data Processing Contract and/or the applicable provision in Data Protection Legislation, Article 82 of the GDPR shall apply.
12.2. Administrative fines under Article 83 of the GDPR or Chapter 6, Section 2 of the Swedish Act (2018:218) with supplementary provisions to the EU General Data Protection Regulation shall be borne by the party on which such a fine has been imposed.
12.3. If either Party becomes aware of a circumstance that may lead to damage to the other party, the party shall immediately inform the other party of the circumstance and actively cooperate with the other party to prevent and minimise such damage. Furthermore, each Party shall be liable to the data subjects for any damage it causes by violating its obligations under Data Protection Legislation or this Data Processing Contract. A Party that is subject to a claim for damages from data subjects and where it is likely that such damage was caused by the other Party shall, in order to be entitled to transfer any part of the damage to the other Party, without undue delay notify the other Party in writing of the claim and allow the other Party to participate at its own expense in the defence against the claim.
12.4. It is specifically agreed that any limitations of liability otherwise agreed between the Customer and the Supplier shall also apply to this Data Processing Contract.
13. Termination of Processing of Personal Data
Upon termination of the Supplier's processing of personal data, regardless of the reason, the Supplier shall, in accordance with the Customer's instructions, either (i) transfer all personal data to the Customer in the manner, on the medium, and in the format consistent with the Customer's reasonable instructions; or (ii) permanently delete and destroy the personal data and remove existing copies. In the case of transfer or deletion under this clause, the Supplier shall ensure that the data cannot be recovered.
14. Contract Validity Period
This Data Processing Contract is valid from its signing and for as long as the Supplier processes personal data.
15. Assignment
No party has the right to assign any obligations or rights under this Data Processing Contract to a third party, whether in whole or in part.
16. Governing Law and Dispute Resolution
This Data Processing Contract and all processing of personal data under the contract is governed by Swedish law, with the exception of applicable choice of law rules. Any dispute regarding the interpretation or application of this Data Processing Contract shall be resolved in accordance with the Contract's dispute resolution provisions.
APPENDIX 1
1. Overview of the Processing of Personal Data:
For the use of the services, user accounts are created, which means that personal data is registered about the users. Contact persons of the Customer's clients are also registered. In addition, personal data about persons other than users may be registered in the services by the Customer's administrators. Only personal data registered by the Customer in the services will be processed.
2. Purpose:
- Creating and administering user accounts (including to ensure secure login/access control)
- Communicating with users
- To enable the Customer to create an overview and gain control over which individuals are representatives/contact persons/responsible for a specific activity.
3. Categories of Data Subjects:
- Individuals in the Customer's organisation who have been granted the right to use the Supplier's services and have thereby been registered as users.
- Individuals registered in the services by the Customer's users as contact persons, representatives, and/or persons responsible for the contracts registered in the service.
4. Information Where Someone is a Contact Person for the Contract:
User information:
Name, email, password, phone number, organisation, department, title.
Contract-related information:
Information about contact persons, name, email address and phone number.
Performance of tasks linked to specific natural persons.
User log information.
