DATA PROCESSING AGREEMENT

Version: 2026.1.2

Document Reference: DPA-UNIHELPER-2025

Last Updated: Jan 13, 2026

ISO 27001 Aligned

PREAMBLE

This Data Processing Agreement (hereinafter referred to as the "DPA" or "Agreement") is entered into as of ___________________ (the "DPA Effective Date") and forms an integral and inseparable part of the Software Access Agreement, License Agreement, Terms of Service, or other written or electronic agreement (the "Principal Agreement") for the provision of services between:

THE DATA CONTROLLER:

Institution/Organization Name: _________________________________

Legal Form:  _________________________________

Registration Number: _________________________________

VAT/Tax ID: _________________________________

Registered Address: _________________________________

Country of Establishment: _________________________________

Representative Name: _________________________________

Representative Title: _________________________________

Representative Email: _________________________________

Data Protection Officer (if appointed): _________________________________

(hereinafter referred to as the "Controller", "Customer", "Institution", or "Educational Institution")

THE DATA PROCESSOR:

Company Name:  UniHelper ApS

Legal Form:  Anpartsselskab (Private Limited Company)

Company Registration Number: CVR 39750007

VAT Number:  DK39750007

Registered Office:  Slotsgade 17B, 6200 Aabenraa, Denmark

Country of Establishment: Denmark

Representative: [Name of Authorized Signatory]

Title: [Title]

Data Protection Officer: Available at contact@unihelper.io

(hereinafter referred to as the "Processor", "UniHelper", "Service Provider", or "Company")

The Controller and Processor may be referred to individually as a "Party" and collectively as the "Parties".

RECITALS

WHEREAS, the Controller has determined that it requires specialized software services for the optimization and automation of student group formation within its educational programs, and has selected the Processor based on its expertise, technical capabilities, and commitment to data protection;

WHEREAS, the Processor has developed and operates a proprietary cloud-based software-as-a-service platform known as the UniHelper system (the "Services" or "Platform"), which utilizes advanced algorithms and data processing techniques to facilitate optimal group composition based on multiple compatibility factors;

WHEREAS, the performance of the Services necessarily requires the Processor to undertake certain processing operations on personal data relating to students, faculty, and administrative personnel of the Controller, such processing being integral to the delivery of the contracted Services;

WHEREAS, the Parties acknowledge that such processing of personal data must be conducted in strict compliance with applicable data protection legislation, including but not limited to:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation or "GDPR")

• Directive (EU) 2016/680 (Law Enforcement Directive)

• Regulation (EU) 2018/1807 (Free Flow of Non-Personal Data)

• National implementing legislation in EU Member States

• The UK General Data Protection Regulation and Data Protection Act 2018

• Applicable international data protection frameworks and standards

WHEREAS, the Parties recognize their respective obligations under Article 28 of the GDPR and equivalent provisions in other applicable data protection laws, which require that processing by a processor be governed by a contract that is binding on the processor with regard to the controller;

WHEREAS, the Parties wish to set forth their rights, responsibilities, and obligations with respect to the processing of personal data in a manner that ensures compliance with all applicable legal requirements while facilitating the effective delivery of the Services;

WHEREAS, the Parties acknowledge the fundamental rights and freedoms of data subjects and commit to implementing appropriate technical and organizational measures to ensure the protection of personal data;

NOW, THEREFORE, in consideration of the mutual covenants, terms, conditions, and agreements contained herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties hereby agree as follows:

ARTICLE 1: DEFINITIONS AND INTERPRETATION

1.1 Definitions

For the purposes of this Agreement, the following terms shall have the meanings ascribed to them below:

1.1.1 "Applicable Data Protection Law" means all laws, regulations, regulatory requirements, regulatory guidance, codes of practice, and industry standards applicable to the processing of personal data under this Agreement, including without limitation:

• The GDPR and any successor EU legislation

• EU Member State laws supplementing or implementing the GDPR

• The UK GDPR and UK Data Protection Act 2018

• The Federal Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, where applicable

• The Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501-6506, where applicable

• The California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA)

• Other U.S. state privacy laws including but not limited to those of Colorado, Connecticut, Utah, and Virginia

• Sector-specific regulations applicable to educational institutions

• Any binding decisions, opinions, or guidance issued by competent supervisory authorities

1.1.2 "Personal Data" means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.1.3 "Special Categories of Personal Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

1.1.4 "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.1.5 "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates, including but not limited to students, prospective students, alumni, faculty members, administrative staff, and other individuals whose Personal Data is processed under this Agreement.

1.1.6 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, regardless of whether such breach results in risk to the rights and freedoms of natural persons.

1.1.7 "Sub-processor" means any natural or legal person, public authority, agency, or other body engaged by the Processor or its affiliates to process Personal Data on behalf of the Controller in connection with this Agreement. Sub-processors are included in Annex II.

1.1.8 "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 of the GDPR or equivalent authority in other jurisdictions.

1.1.9 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries as adopted by the European Commission or equivalent mechanisms.

1.1.10 "Services" means the UniHelper cloud-based software-as-a-service platform for student group optimization and collaboration, including all associated features, functionalities, algorithms, interfaces, and technical infrastructure as more particularly described in the Principal Agreement and its annexes.

1.1.11 "Data Protection Impact Assessment" or "DPIA" means an assessment of the impact of envisaged processing operations on the protection of personal data as required under Article 35 of the GDPR.

1.1.12 "Technical and Organizational Measures" or "TOMs" means the measures aimed at protecting Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

1.2 Interpretation

1.2.1 References to statutory provisions shall be construed as references to those provisions as amended, consolidated, re-enacted, or replaced from time to time.

1.2.2 Headings are inserted for convenience only and shall not affect the construction or interpretation of this Agreement.

1.2.3 Words importing the singular include the plural and vice versa.

1.2.4 Any reference to "including" or "includes" means "including without limitation" or "includes without limitation."

1.2.5 Terms defined in the GDPR but not explicitly defined herein shall have the meanings given to them in the GDPR.

ARTICLE 2: RELATIONSHIP AND ROLES OF THE PARTIES

2.1 Designation of Roles

2.1.1 The Parties expressly acknowledge and agree that with respect to the Processing of Personal Data pursuant to this Agreement:

• The Customer acts as the Data Controller, determining the purposes and means of the Processing

• UniHelper acts as the Data Processor, processing Personal Data solely on behalf of and under the instructions of the Controller

2.1.2 This designation of roles reflects the factual allocation of responsibilities between the Parties and is binding for all purposes under Applicable Data Protection Law.

2.2 Purpose Limitation

2.2.1 The Processor acknowledges that it has no rights to process Personal Data for any purpose other than:

• The provision of the Services as specified in the Principal Agreement

• Compliance with the documented instructions of the Controller

• Compliance with legal obligations to which the Processor is directly subject

2.2.2 The Processor shall not process Personal Data for its own commercial purposes, including but not limited to marketing, product development (except as anonymized data), or sale to third parties.

2.3 Controller's Regulatory Compliance

2.3.1 The Controller represents and warrants that:

• It has all necessary rights, permissions, and lawful bases to provide Personal Data to the Processor

• Its instructions comply with Applicable Data Protection Law

• It has provided or will provide all necessary privacy notices to Data Subjects

• It has obtained or will obtain all necessary consents where required

• It has conducted or will conduct any required DPIAs

2.3.2 The Controller acknowledges sole responsibility for:

• The accuracy, integrity, and legality of Personal Data

• The means by which the Personal Data was acquired

• Determining the legal basis for Processing

• Responding to Data Subject requests (with Processor assistance as specified herein)

2.4 Independence of the Parties

2.4.1 Nothing in this Agreement shall be construed as creating a partnership, joint venture, agency, or employment relationship between the Parties.

2.4.2 Neither Party shall have authority to bind the other Party except as expressly provided in this Agreement.

ARTICLE 3: SCOPE AND DETAILS OF PROCESSING

3.1 Subject Matter of Processing

The subject matter of the Processing under this Agreement consists of the processing operations necessary for the Processor to provide the Services, specifically:

• Implementation and operation of the group formation platform

• Collection and analysis of student preference, availability, demographic, skills, and other relevant group formation data the educational institution requests, and in accordance with the educational institution’s privacy policies.

• Algorithmic optimization of group compositions

• Facilitation of communication regarding group assignments

• Evaluate group working process and performance from a student perspective and collect student peer evaluations and feedback

• Generation of analytics and reports (in anonymized form)

• Technical support and system maintenance

3.2 Duration of Processing

3.2.1 Commencement: Processing shall commence upon the later of:

• The DPA Effective Date

• The first upload or transmission of Personal Data to the Services

• The activation of Customer's account on the Platform

3.2.2 Active Processing Period: Processing shall continue throughout the term of the Principal Agreement, including any renewal periods.

3.2.3 Post-Termination Processing: Limited processing may continue after termination solely for:

• Data return or deletion obligations (maximum 30 days)

• Compliance with legal retention requirements

• Defense of legal claims

3.3 Nature and Purpose of Processing

3.3.1 Nature of Processing Operations:

• Collection: Via secure web questionnaires and API integrations

• Recording: In cloud-based databases with encryption

• Organization: According to institutional structures and courses

• Structuring: For algorithmic analysis and optimization

• Storage: In EU-based data centers (primary) with secure backups, and in the US (sub-processing via Typeform) with AWS’ GDPR compliant services

• Retrieval: Through authenticated access portals

• Consultation: For support and quality assurance purposes

• Use: For group formation algorithms and service delivery

• Disclosure: Only to authorized users within the Controller's organization

• Deletion: According to retention schedules and instructions

3.3.2 Purposes of Processing: The sole purposes are to enable the Controller to:

• Automate and optimize student group formation

• Improve educational outcomes through compatible group composition

• Reduce administrative burden on faculty and staff

• Provide data-driven insights into group dynamics

• Facilitate communication among group members

3.4 Categories of Personal Data

Details of Personal Data categories are set forth in Annex I, which forms an integral part of this Agreement.

3.5 Categories of Data Subjects

Details of Data Subject categories are set forth in Annex I, which forms an integral part of this Agreement.

ARTICLE 4: PROCESSOR'S OBLIGATIONS

4.1 Processing According to Instructions

4.1.1 The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law to which the Processor is subject, in which case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

4.1.2 The Processor confirms that the Controller's instructions as set out in this Agreement, including its Annexes, constitute the complete and final documented instructions. Any additional or alternate instructions must be agreed upon in writing.

4.1.3 The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions. The Processor shall be entitled to suspend execution of the relevant instruction until the Controller confirms or modifies it.

4.1.4 The Processor shall maintain comprehensive records of all processing activities carried out on behalf of the Controller, containing at minimum the information required under Article 30 of the GDPR.

4.2 Confidentiality

4.2.1 The Processor shall ensure that all persons authorized to process Personal Data:

• Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

• Receive appropriate training on data protection requirements

• Are aware of the sensitive nature of Personal Data

• Understand the consequences of unauthorized disclosure

4.2.2 The confidentiality obligations shall survive termination of this Agreement indefinitely or for the maximum period permitted by applicable law.

4.2.3 The Processor shall implement and maintain policies and procedures to ensure ongoing compliance with confidentiality requirements, including but not limited to:

• Confidentiality agreements with all employees and contractors

• Regular training and awareness programs

• Disciplinary measures for breaches of confidentiality

• Access controls and monitoring systems

4.3 Security of Processing

4.3.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

4.3.2 The specific technical and organizational measures implemented by the Processor are detailed in Annex II. The Processor shall maintain and update these measures as necessary to address evolving threats and vulnerabilities.

4.3.3 The Processor shall regularly test, assess, and evaluate the effectiveness of technical and organizational measures for ensuring the security of the processing, including but not limited to:

• Annual penetration testing

• Quarterly vulnerability assessments

• Continuous security monitoring

• Security reviews (quarterly, annual)

4.4 Use of Sub-processors

4.4.1 General Authorization with Right to Object: The Controller hereby provides general authorization for the Processor to engage Sub-processors listed in Annex II, subject to the following conditions:

• The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors

• Such notification shall be provided at least thirty (30) calendar days in advance

• The Controller may object to such changes on reasonable grounds relating to data protection

• If the Parties cannot resolve the objection, either Party may terminate the affected Services

4.4.2 Sub-processor Obligations: The Processor shall:

• Enter into written agreements with Sub-processors imposing data protection obligations no less protective than those in this Agreement

• Remain fully liable for any Sub-processor's acts or omissions

• Conduct due diligence on all Sub-processors before engagement

• Monitor Sub-processor compliance through regular audits and assessments

• Ensure Sub-processors implement appropriate technical and organizational measures

4.4.3 Information Requirements: For each Sub-processor, the Processor shall maintain and provide:

• Full legal name and registration details

• Contact information including data protection contacts

• Description of processing activities performed

• Locations of processing and data storage

• Applicable safeguards for international transfers

• Copies of data processing agreements upon reasonable request

4.5 International Data Transfers

4.5.1 The Processor shall not transfer Personal Data outside the European Economic Area ("EEA") without:

• Prior written authorization from the Controller

• Implementation of appropriate safeguards under Chapter V of the GDPR

• Compliance with any supplementary measures required following the Schrems II judgment

4.5.2 Where transfers are authorized, the Processor shall:

• Execute Standard Contractual Clauses or rely on other valid transfer mechanisms

• Conduct transfer impact assessments

• Implement supplementary technical measures where necessary

• Maintain documentation of all transfers and safeguards

• Notify the Controller of any developments affecting transfer legality

4.6 Data Subject Rights

4.6.1 The Processor shall, insofar as possible taking into account the nature of the processing, assist the Controller by implementing appropriate technical and organizational measures for the fulfillment of the Controller's obligations to respond to requests for exercising Data Subject rights under Chapter III of the GDPR.

4.6.2 The Processor shall:

• Forward any Data Subject request received directly to the Controller without undue delay

• Not respond to Data Subjects directly unless authorized by the Controller

• Maintain capabilities to support all Data Subject rights including: 

  • Right of access (Article 15 GDPR)

  • Right to rectification (Article 16 GDPR)

  • Right to erasure/right to be forgotten (Article 17 GDPR)

  • Right to restriction of processing (Article 18 GDPR)

  • Right to data portability (Article 20 GDPR)

  • Right to object (Article 21 GDPR)

  • Rights related to automated decision-making (Article 22 GDPR)

4.6.3 Detailed procedures for assisting with Data Subject rights are set forth in Annex III.

4.7 Personal Data Breach Management

4.7.1 The Processor shall notify the Controller without undue delay and in any event within twenty-four (24) hours after becoming aware of a Personal Data Breach affecting Personal Data processed under this Agreement.

4.7.2 Such notification shall include, at minimum:

• Nature of the Personal Data Breach including categories and approximate numbers of Data Subjects and Personal Data records concerned

• Name and contact details of the data protection officer or other contact point

• Likely consequences of the Personal Data Breach

• Measures taken or proposed to address the breach and mitigate its possible adverse effects

4.7.3 The Processor shall:

• Cooperate fully with the Controller in investigating and remediating the breach

• Document all breaches regardless of risk level

• Implement measures to prevent recurrence

• Provide regular updates on breach resolution

• Preserve evidence for potential regulatory investigations

4.8 Data Protection Impact Assessments and Prior Consultation

4.8.1 The Processor shall provide reasonable assistance to the Controller with:

• Data protection impact assessments under Article 35 GDPR

• Prior consultation with supervisory authorities under Article 36 GDPR

4.8.2 Such assistance may include:

• Providing information about technical and organizational measures

• Participating in risk assessments

• Suggesting mitigation measures

• Reviewing DPIA documentation

4.9 Deletion and Return of Personal Data

4.9.1 Upon termination of the Services or upon the Controller's written request, the Processor shall, at the choice of the Controller:

• Delete all Personal Data and existing copies within thirty (30) days

• Return all Personal Data in a structured, commonly used, and machine-readable format

4.9.2 The Processor shall:

• Provide written certification of deletion signed by an authorized representative

• Ensure deletion from all systems including backups (where technically feasible)

• Retain Personal Data only to the extent required by applicable law

• Ensure Sub-processors also delete or return Personal Data

4.10 Audit and Compliance

4.10.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

4.10.2 The Processor shall:

• Respond to reasonable audit questionnaires within thirty (30) days

• Provide, if available, third-party audit reports (e.g., ISAE 3000, SOC 2)

• Permit remote, document only, audits with sixty (60) days advance notice

• Bear its own costs for standard audits (Controller bears costs for additional audits)

4.10.3 The Processor may object to an auditor if:

• The auditor is a competitor of the Processor

• The auditor is not bound by confidentiality obligations

• The audit would violate applicable law or professional standards

ARTICLE 5: CONTROLLER'S OBLIGATIONS

5.1 Lawfulness of Processing

The Controller represents, warrants, and undertakes that:

5.1.1 It has established and will maintain appropriate legal bases for all Processing under Article 6 GDPR (and Article 9 where applicable).

5.1.2 All instructions issued to the Processor comply with Applicable Data Protection Law.

5.1.3 It has fulfilled and will continue to fulfill all transparency obligations under Articles 13 and 14 GDPR.

5.1.4 Where consent is relied upon as a legal basis:

• Such consent meets all requirements of Articles 4(11) and 7 GDPR

• Appropriate mechanisms exist to record and manage consent

• Procedures are in place to honor consent withdrawal

5.2 Data Quality and Accuracy

The Controller shall ensure that:

5.2.1 All Personal Data provided is accurate, current, and complete.

5.2.2 Personal Data is adequate, relevant, and limited to what is necessary for the purposes (data minimization).

5.2.3 Appropriate processes exist to maintain data accuracy throughout the processing lifecycle.

5.2.4 No Special Categories of Personal Data are provided unless specifically agreed in writing.

5.3 Cooperation and Information

The Controller shall:

5.3.1 Provide timely responses to Processor requests for clarification or guidance.

5.3.2 Maintain current contact information for all compliance-related communications.

5.3.3 Promptly notify the Processor of any changes affecting processing obligations.

5.3.4 Cooperate in good faith to resolve any data protection issues that arise.

ARTICLE 6: LIABILITY AND INDEMNIFICATION

6.1 Statutory Liability

6.1.1 Each Party's liability for damages under the GDPR shall be determined in accordance with Article 82 GDPR.

6.1.2 The Processor shall be liable for damages caused by processing only where it has:

• Not complied with obligations of the GDPR specifically directed to processors

• Acted outside or contrary to lawful instructions of the Controller

6.2 Contractual Liability

6.2.1 Subject to Section 6.1, each Party's total aggregate liability arising out of or related to this Agreement shall be subject to the limitations and exclusions set forth in the Principal Agreement.

6.2.2 Nothing in this Agreement shall limit either Party's liability for:

• Death or personal injury caused by negligence

• Fraud or fraudulent misrepresentation

• Any liability that cannot be excluded or limited under applicable law

6.3 Indemnification

6.3.1 Controller Indemnification: The Controller shall defend, indemnify, and hold harmless the Processor from and against all claims, damages, losses, and expenses (including reasonable attorneys' fees) arising from:

• The Controller's breach of Applicable Data Protection Law

• The Controller's breach of this Agreement

• Claims that the Controller lacked necessary rights or permissions for the Processing

• The Controller's unlawful instructions

6.3.2 Processor Indemnification: The Processor shall defend, indemnify, and hold harmless the Controller from and against all claims, damages, losses, and expenses (including reasonable attorneys' fees) arising from:

• The Processor's breach of this Agreement

• The Processor's processing outside or contrary to lawful instructions

• The Processor's breach of Applicable Data Protection Law specifically directed to processors

6.3.3 Indemnification Procedures:

• The indemnified Party shall promptly notify the indemnifying Party of any claim

• The indemnifying Party shall have the right to control the defense

• The indemnified Party shall provide reasonable cooperation

• No settlement shall be made without the indemnified Party's consent (not to be unreasonably withheld)

ARTICLE 7: TERM AND TERMINATION

7.1 Term

This Agreement shall:

• Commence on the DPA Effective Date

• Continue for the duration of the Principal Agreement

• Automatically renew with any renewal of the Principal Agreement

• Terminate automatically upon termination of the Principal Agreement

7.2 Termination for Cause

Either Party may terminate this Agreement immediately upon written notice if:

• The other Party materially breaches this Agreement and fails to cure within thirty (30) days of written notice

• The other Party breaches Applicable Data Protection Law in a manner that cannot be cured

• Continued performance would violate Applicable Data Protection Law

7.3 Effects of Termination

Upon termination:

• The Processor shall cease all Processing except as required for compliance with legal obligations

• The provisions of Section 4.9 (Deletion and Return) shall apply

• All rights and licenses granted hereunder shall immediately terminate

• Provisions that by their nature should survive shall remain in effect

ARTICLE 8: GENERAL PROVISIONS

8.1 Governing Law and Jurisdiction

8.1.1 This Agreement shall be governed by and construed in accordance with the laws of Denmark, without regard to its conflict of law provisions.

8.1.2 Any dispute arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of Copenhagen, Denmark.

8.1.3 Notwithstanding the foregoing, either Party may seek injunctive or other equitable relief in any court of competent jurisdiction.

8.2 Amendment and Modification

8.2.1 This Agreement may only be amended or modified by written agreement executed by authorized representatives of both Parties.

8.2.2 The Processor may update Annexes to reflect:

• Changes in Sub-processors (subject to objection rights)

• Improvements to technical and organizational measures

• Updates required by changes in Applicable Data Protection Law

8.3 Severability

If any provision of this Agreement is held to be invalid, illegal, or unenforceable:

• The validity, legality, and enforceability of the remaining provisions shall not be affected

• The Parties shall negotiate in good faith to replace the invalid provision with a valid provision that achieves the original intent

8.4 Entire Agreement

8.4.1 This Agreement, including all Annexes, constitutes the entire agreement between the Parties with respect to the processing of Personal Data and supersedes all prior or contemporaneous agreements, understandings, and communications.

8.4.2 In the event of any conflict:

• Between this Agreement and the Principal Agreement regarding data protection matters, this Agreement shall prevail

• Between the body of this Agreement and the Annexes, the body shall prevail unless explicitly stated otherwise

• Between different language versions, the English version shall prevail

8.5 Notices

8.5.1 All notices under this Agreement shall be:

• In writing

• Delivered to the addresses specified in the preamble (or as subsequently updated)

• Sent via email with confirmation of receipt, registered mail, or internationally recognized courier

8.5.2 Notices shall be deemed received:

• Email: upon confirmation of receipt

• Registered mail: five (5) business days after posting

• Courier: upon signed receipt

8.6 Force Majeure

Neither Party shall be liable for any failure or delay in performance caused by circumstances beyond its reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, riots, embargoes, acts of civil or military authorities, fire, floods, accidents, pandemics, strikes, or shortages of transportation, facilities, fuel, energy, labor, or materials.

8.7 Assignment

Neither Party may assign, transfer, or delegate any rights or obligations under this Agreement without the prior written consent of the other Party, except:

• The Processor may assign to an affiliate or in connection with a merger, acquisition, or sale of all or substantially all of its assets

• Upon assignment, the assignee shall assume all obligations under this Agreement

8.8 Third-Party Beneficiaries

This Agreement is intended solely for the benefit of the Parties and their permitted successors and assigns. Nothing in this Agreement confers any rights or remedies upon any third party.

8.9 Relationship of Parties

The Parties are independent contractors. Nothing in this Agreement creates any agency, partnership, joint venture, or employment relationship.

8.10 Waiver

No waiver of any provision of this Agreement shall be effective unless in writing and signed by the waiving Party. No waiver shall constitute a waiver of any other provision or a continuing waiver.

8.11 Counterparts

This Agreement may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic signatures shall be deemed valid and binding.

ARTICLE 9: DEFINITIONS FOR U.S. EDUCATIONAL INSTITUTIONS

Where the Controller is a U.S. educational institution, the following additional definitions and modifications apply:

9.1 FERPA Definitions

9.1.1 "Education Records" has the meaning set forth in 20 U.S.C. § 1232g and 34 CFR Part 99.

9.1.2 "School Official" means a party to whom an educational institution has outsourced services or functions it would otherwise use employees to perform.

9.1.3 "Legitimate Educational Interest" means the need to review education records to fulfill professional responsibilities for the educational institution.

9.2 COPPA Definitions

9.2.1 "Child" means an individual under the age of 13.

9.2.2 "Verifiable Parental Consent" means consent that meets the requirements of 16 CFR § 312.5.

SIGNATURES

IN WITNESS WHEREOF, the Parties have executed this Data Processing Agreement as of the date last written below.

FOR THE DATA CONTROLLER:

Signature: _______________________________

Print Name: _____________________________

Title: __________________________________

Date: ___________________________________

FOR THE DATA PROCESSOR:

Signature: _______________________________

Print Name: _____________________________

Title: __________________________________

Date: ___________________________________

ANNEX I

CATEGORIES OF PERSONAL DATA PROCESSED BY UNIHELPER

1. INTRODUCTION

This Annex I describes the categories of Personal Data that the Processor processes when providing the Services to Controller. Unless otherwise specified, references to “Personal Data” shall have the meaning set forth in the Agreement. 

All capitalised terms used in this Annex shall have the same definition set forth in this DPA or as defined in the Agreement. Where definitions differ between this DPA and the Agreement, the definition set forth in the Agreement shall prevail and control.

2. PERSONAL DATA PROCESSED WHEN PROVIDING SERVICES (PROCESSOR ROLE)

When the Controller engages the Processor to provide the Services, Controller may Process  the following categories of Personal Data:

2.1 Identity Information

Data Categories:

• Full names

• User email addresses (typically associated with or provided by user’s educational institution

• Enrollment data (course name, section, academic year)

• Team numbers assigned by Controller

Data Subjects: Controller’s students, faculty, and staff, and other users as assigned by the Controller

Processing Purpose: to enable group formation, facilitate communication, manage user accounts, and track participation in group formation exercises, and otherwise make use of the Services.

Lawful Bases for Processing: Processor’s performance of contractual obligations and compliance with Controller’s lawful Processing instructions

Source of Personal Data: Provided by the Controller or by Controller’s users

2.2 Educational Information

Data Categories:

• User’s course enrollments and program information

• User’s academic levels and classification

• User’s subject specializations or disciplines

Data Subjects: Controller’s students, faculty, and staff, and other users as assigned by the Controller

Processing Purpose: To contextualize group formation recommendations and ensure academically aligned grouping and to otherwise provide the Services.

Lawful Basis: Processor’s performance of contractual obligations and compliance with Controller’s lawful Processing instructions

Source: Provided by the Controller or by Controller’s users at Controller’s instruction

Note: To the extent such data Personal Data constitutes Special Categories of Personal Data, such data is treated as sensitive and Processed only as instructed by Controller.

2.3 Collaboration and Preference Data

Data Categories:

• User’s stated availability (times/dates when a user is available)

• User’s expressed work preferences (e.g., working style preferences, group size preferences)

• User’s skills assessments and competencies (self-identified by user or provided by Controller)

• User’s expectations for group work and collaboration

• User’s communication preferences

• User’s expertise areas or knowledge domains relevant to coursework

Data Subjects: Controller’s students, faculty, and staff, and other users as assigned by the Controller

Processing Purpose: To serve as input parameters for the Service to generate optimally balanced student groups

Lawful Bases: Processor’s performance of contractual obligations and compliance with Controller’s lawful Processing instructions

Source: Provided by the Controller or by Controller’s users

Note: This data is Processed is used by the Service to create recommendations only and is not used for purposes other than student group formation.

2.4 Technical Data (Services Access and User Authentication)

Data Categories: 

• Login credentials and authentication information

• Session tokens and temporary identifiers

• Device identifiers (linked to Services access only)

• Timestamps of access to Services

Data Subjects: Controller’s students, faculty, and staff, and other users as assigned by the Controller

Processing Purpose: To manage user authentication, maintain secure access to the Services, and enable platform functions, to otherwise use the Services.

Lawful Bases: Processor’s performance of contractual obligations and compliance with Controller’s lawful Processing instructions

Source: Generated by the Services during user authentication

2.5 Optional/Customized Institutional Data

Data Categories

• Varies; the type of Personal Data collected and Processed may include or Special Categories of Personal Data, depending on Controller’s choices

• Demographic information (if Controller chooses to collect this information through the Services)

• Disability or accessibility requirements (if Controller chooses to collect this information through the Services)

• Any other data the Controller chooses to collect through the Services.

Data Subjects:  Controller’s students, faculty, and staff, and other users as assigned by the Controller

Processing Purpose: Controller-specific student group formation and optimization through the Services

Lawful Basis:  Processor’s performance of contractual obligations and compliance with Controller’s lawful Processing instructions

Source: Provided by the Controller or by Controller’s users

Approval Required: Controller’s Data Protection Officer or legal counsel must review custom questions before implementation

3. ANONYMIZED AND AGGREGATED DATA

4.1 Service Improvement Analytics

Data Categories (All data is anonymized)

• Aggregated patterns of group formation outcomes

• Algorithm performance metrics (how effectively groups were formed)

• Feature usage trends (which features are used most frequently)

• System reliability metrics (uptime, response times)

• Anonymized user experience patterns

Processing Purpose:

• Optimizing the Service’s algorithm

• Improving platform features and performance

• Identifying and resolving technical issues

• Developing new Services features

All Personal Data is removed, rendering the data anonymized

Data Subjects: None (anonymized)

Retention Period: Indefinite (retained for Services improvement)

Source: Processor collects usage data through the Services

4. SPECIAL CATEGORIES OF PERSONAL DATA

4.1 Restrictions on Special Category Processing

The Processor acknowledges the protections afforded to Special Categories of Personal Data. The categories of Personal data listed in this Section 4.1 may only be processed under the specific conditions noted below.

Special Categories of Personal Data and Processing Conditions:

• Data revealing racial/ethnic origin: Only at Controller’s request and in compliance with GDPR requirements for Processing such data and in accordance with Section 4.2 of this Annex

• Data revealing political opinions: Only at Controller’s request and in compliance with GDPR requirements for Processing such data and in accordance with Section 4.2 of this Annex

• Data revealing religious beliefs: Only at Controller’s request and in compliance with GDPR requirements for Processing such data and in accordance with Section 4.2 of this Annex

• Health data: Only at Controller’s request and in compliance with GDPR requirements for Processing such data and in accordance with Section 4.2 of this Annex

• Data concerning sex life or sexual orientation: Only at Controller’s request and in compliance with GDPR requirements for Processing such data and in accordance with Section 4.2 of this Annex

Data revealing trade union membership, genetic data and biometric data is not collected or Processed.

4.2 Institutional Responsibilities for Special Categories of Personal Data

The Processor has no way of knowing what information the Controller chooses to collect using the Services’ custom fields. 

When the Controller chooses to use the Services to collect Personal Information that constitutes Special Categories of Personal Data:

• The Controller must ensure it has a lawful bases for Processing

• The Controller must notify the Processor in writing before processing begins

• The Controller remains responsible for obtaining appropriate consent

5. DATA RETENTION SCHEDULE

Backup data may persist beyond primary retention periods.

THIS ANNEX IS CONSIDERED EXECUTED AS OF THE EFFECTIVE DATE OF THE DPA

ANNEX II 

TECHNICAL AND ORGANIZATIONAL MEASURES

This Annex II describes the technical and organizational measures Processor implements to protect Personal Data processed through, or as part of providing, the Services.

All capitalised terms used in this Annex shall have the same definition set forth in this DPA or as defined in the Agreement. Where definitions differ between this DPA and the Agreement, the definition set forth in the Agreement shall prevail and control.

1. TECHNICAL SECURITY MEASURES

1.1 Encryption

• All Personal Data encrypted at rest using AES-256 encryption

• All data transmissions encrypted using TLS 1.3 protocol

• Encryption keys managed through secure key management systems

• Secure file transfer protocol (SFTP) for data imports

1.2 Access Controls

• Multi-factor authentication and/or Single Sign-On (SSO) integration for Services access (Microsoft Entra Single Sign-On (SSO) for Controller’s instructors)

• API integration with Controller's learning management systems (where applicable)

• Automated session timeout and credential revocation processes

• Logging and monitoring of access attempts and session activity

• Role-based access control (RBAC) limiting data access based on job function

• Principle of least privilege applied to all system access

• Formal documented procedures for granting and revoking access upon employee hiring/termination

1.3 Network Security; Incident Detection; Security Monitoring

• Intrusion detection and prevention systems actively monitoring unauthorized access attempts, Continuous monitoring of systems for unauthorized access or anomalous activity

• Antivirus software with continuous automated updates (or operating system built-in security for updated systems)

• Regular security audits and vulnerability assessments of infrastructure

• Logging, detection, and notification of personal data breaches

• Implementation of automated alerts and incident response workflows

1.4 Data Integrity and Availability

• Comprehensive logging of data access and modifications (where technically feasible)

• Redundant backup systems with regular testing

• Documented disaster recovery and business continuity plans

• Secure storage in encrypted cloud databases

• Version control and audit trail maintenance

• Data lifecycle management according to retention policies

• Archive and retrieval systems

1.5 Development and Testing Safeguards

• Pseudonymization or full anonymization of Personal Data used in development, testing and non-production environments

• Separation of production and non-production environments

• Use of pseudonymized or synthetic data in non-production environments

• Controlled access and logging for any processing in staging or QA systems

2. ORGANIZATIONAL SECURITY MEASURES

2.1 Personnel Security

• Background checks conducted for all new employees with access to Personal Data

• All employees sign confidentiality agreements and Personal Data policy compliance declarations upon hiring

• Mandatory annual security awareness training covering IT security and GDPR compliance requirements

• Access rights reviewed annually to verify continued business need

2.2 Access Management

• Access limited strictly to employees with documented business need-to-know

• Management oversight and approval required for access provisioning

• Annual review and recertification of all access rights

2.3 Incident Response

• Documented incident response plan maintained through GDPR Portal system

• Security incidents investigated immediately upon detection

• Controller notification without undue delay and in any event within 24 hours of Processor becoming aware of a security breach affecting Personal Data

• Incident documentation including timeline, impact assessment, and remediation measures

• Breach certificates provided upon request

2.4 Risk Management

• Annual risk assessments conducted and documented

• Identified risks tracked with documented mitigation measures

• Annual compliance audits of sub-processors

• Regular review and updates of security measures based on risk assessment findings

3. DATA PROCESSING SAFEGUARDS

3.1 Data Minimization

• Personal Data collection limited to information necessary for group formation purposes

• Controller responsible for ensuring data provided is relevant and not excessive

3.2 Data Segregation

• Strict separation maintained between Services data (processed as Processor) and business/marketing data (processed as Controller)

• Services data never used for marketing purposes

• Services data never sold or shared with third parties except Controller-authorized sub-processors

3.3 Retention and Deletion

• Personal Data retained only during active processing period plus 8 months after last group formation

• Secure deletion procedures applied upon instruction or contract termination

• Backup data may persist in backup systems but will not be actively restored

3.4 Pseudonymization Where Feasible

• Personal identifiers removed from data used for Services improvement analytics

• Anonymized data cannot be used to identify natural persons

• Pseudonymization of personal data for analytics and reporting

• Anonymization or aggregation of data for research, benchmarking, and product improvement

• Data minimization practices ensuring only strictly necessary data is collected and processed

• Automated deletion of transient identifiers once processing is complete

4. SUB-PROCESSOR MANAGEMENT

4.1 Sub-Processor Agreements

• Written data processing agreements in place with all sub-processors

• Sub-processors bound by same or more strict data protection obligations as Processor

• Primary infrastructure hosted on Amazon Web Services'

4.2 Sub-Processor Oversight

• Current sub-processor list maintained at www.unihelper.io/sub-processors

• 30 days advance notice provided before engaging new sub-processors

• Annual risk assessments and compliance audits of sub-processors

• Controller objection rights

5. INTERNATIONAL DATA TRANSFERS

5.1 Transfer Mechanisms

• Standard Contractual Clauses (SCCs) implemented for all cross-border transfers

• AWS Data Processing Agreement and Supplementary Addendum in place addressing Schrems II requirements

• Transfer impact assessments conducted and documented

5.2 Data Location

• Primary data storage: Amazon Web Services data centers in Sweden

• Limited sub-processing in United States (Typeform) with appropriate safeguards

• All transfers require Controller authorization and documented legal basis

6. PHYSICAL SECURITY

6.1 Data Center Security (via Amazon Web Services)

• Physical access controls including biometric authentication

• 24/7 security monitoring and surveillance

• Environmental controls for equipment protection

• Compliance with ISO 27001, SOC 2, and other industry certifications

7. MONITORING AND AUDIT

7.1 Continuous Monitoring

• Real-time monitoring of security systems and access logs

• Automated alerts for suspicious activity or policy violations

• Regular security testing including penetration testing where applicable

7.2 Audit Rights

• Controller entitled to audit Processor's compliance with these measures upon reasonable notice

• Processor will provide reasonable assistance and access for audit purposes

• Third-party audit reports (e.g., SOC 2) available upon request subject to confidentiality obligations

8. UPDATES AND REVIEW

8.1 Continuous Improvement

• Technical and organizational measures reviewed annually at minimum

• Measures updated in response to identified risks, industry developments, and regulatory changes

• Material changes communicated to Controller with 30 days advance notice

8.2 Certification and Compliance

• Processor maintains compliance with applicable security standards

• Compliance documentation available upon reasonable request

This Annex may be updated by Processor to reflect improvements in security measures, provided such updates do not reduce the overall level of protection and Controller is notified in accordance with Section 8.1.

Sub-Processors

EXECUTED AS OF THE EFFECTIVE DATE OF THE DPA

ANNEX III

DATA SUBJECT ACCESS REQUEST ASSISTANCE PROCEDURES

This Annex III describes the process and procedure the Processor will use to respond to and assist the Controller in responding to Data Subject Access Requests (“DSARs”).

All capitalised terms used in this Annex shall have the same definition set forth in this DPA or as defined in the Agreement. Where definitions differ between this DPA and the Agreement, the definition set forth in the Agreement shall prevail and control.

1. GENERAL PRINCIPLES

1.1 Controller Responsibility Controller remains solely responsible for:

• Assessing the validity of DSARs

• Verifying the identity of data subjects making requests

• Determining what data must be disclosed and any applicable exemptions or limitations

• Communicating final responses to data subjects

• Meeting GDPR response deadlines (one month, extendable to three months for complex requests) so long as Processor responds to such requests in a timely manner

1.2 Processor Assistance Obligation Processor shall provide assistance to Controller by appropriate technical and organizational measures, insofar as possible given the nature of the Services, to enable Controller to fulfill its obligations to respond to DSARs.

1.3 Scope of Assistance This Annex addresses assistance with the following Data Subject Access Request:

• Right of access (Article 15)

• Right to rectification (Article 16)

• Right to erasure (Article 17)

• Right to restriction of processing (Article 18)

• Right to data portability (Article 20)

• Right to object (Article 21)

2. RECEIPT AND NOTIFICATION OF REQUESTS

2.1 Requests Received by Processor If Processor receives a DSAR or other data subject rights request directly from a data subject (including students, faculty, or staff), Processor shall:

• Immediately forward the request to Controller's designated contact (specified in Section 9 of this Annex)

• Forward the request within 24 hours of receipt

• Not respond directly to the data subject except to acknowledge receipt and inform them that their request has been forwarded to Controller

• Provide Controller with the date, time, and method by which the request was received

2.2 Instructions from Controller Upon receiving instructions from Controller to assist with a DSAR or other data subject rights request, Processor shall:

• Acknowledge receipt of Controller's instructions within 24 hours

• Confirm the scope of assistance required

• Advise Controller immediately if unable to comply with instructions or if instructions conflict with GDPR obligations

• Provide an estimated timeline for completing the requested assistance

3. DATA SUBJECT ACCESS REQUESTS (ARTICLE 15)

3.1 Data Identification and Location Within 10 business days of receiving Controller's instruction, Processor shall identify and locate all Personal Data relating to the data subject within Processor's systems, including:

• Production databases containing Services data

• System logs and access records (where technically feasible)

• Backup and archived data

• Any data held by sub-processors

3.2 Data Extraction and Compilation Processor shall:

• Extract all identified Personal Data relating to the data subject

• Compile the data in a structured, commonly used, and machine-readable format (CSV or JSON preferred, unless Controller specifies otherwise)

• Organize data by category or system if extracted from multiple sources

• Ensure extracted data is complete, accurate, and reflects the current state of processing

3.3 Third-Party Data Redaction Before providing data to Controller, Processor shall:

• Review compiled data for personal data of other individuals

• Redact or remove such third-party personal data to prevent unauthorized disclosure

• Document all redactions made and the reasons therefor

• Notify Controller of any redactions that may affect the completeness of the response

3.4 Metadata and Processing Information Processor shall provide Controller with the following information regarding the data subject's Personal Data:

• Categories of Personal Data processed

• Purposes of processing under the Services

• Categories of recipients to whom data has been disclosed (identifying specific sub-processors)

• Retention period applicable to the data or criteria for determining the retention period

• Source of the data (if not collected directly from the data subject)

• Existence of automated decision-making, including profiling (if applicable to the Services)

• Details of any international data transfers and safeguards applied

3.5 Delivery to Controller Processor shall:

• Transmit all compiled data and documentation to Controller via encrypted email or secure file transfer system

• Use the secure transmission method specified by Controller in Section 9 of this Annex

• Provide transmission within the timeframes specified in Section 8 of this Annex

• Maintain a transmission log recording date, time, method, and recipient

4. RIGHT TO RECTIFICATION (ARTICLE 16)

4.1 Data Correction Upon Controller's instruction to rectify inaccurate Personal Data, Processor shall:

• Identify all instances of the data to be corrected within Processor's systems

• Implement the corrections as specified by Controller

• Confirm completion of corrections to Controller within 5 business days

• Document the rectification including date, nature of correction, and systems affected

4.2 Notification of Rectification Where Controller instructs Processor to notify recipients of the rectification, Processor shall provide Controller with a list of all recipients (sub-processors or other parties) to whom the data was disclosed, to enable Controller to fulfill notification obligations under Article 19.

5. RIGHT TO ERASURE (ARTICLE 17)

5.1 Data Deletion Upon Controller's instruction to erase Personal Data, Processor shall:

• Identify all instances of the data subject's Personal Data within Processor's systems

• Permanently delete the data from production systems within 5 business days

• Delete the data from backup systems in accordance with Processor's standard backup deletion cycle (maximum 8 months per retention schedule)

• Provide Controller with written confirmation of deletion, including:

  • Date of deletion from production systems

  • Systems from which data was deleted

  • Estimated timeline for deletion from backup systems

  • Any technical limitations preventing immediate deletion from backups

5.2 Sub-Processor Coordination Processor shall:

• Instruct all sub-processors to delete the data subject's Personal Data

• Obtain confirmation of deletion from sub-processors

• Provide Controller with documentation of sub-processor deletions

5.3 Exceptions If Processor is required by law to retain certain data, Processor shall:

• Notify Controller immediately of the legal obligation

• Specify the data that must be retained and the legal basis

• Restrict processing of such data to the minimum necessary to comply with legal obligations

6. RIGHT TO RESTRICTION OF PROCESSING (ARTICLE 18)

6.1 Processing Restriction Upon Controller's instruction to restrict processing, Processor shall:

• Implement technical measures to prevent further processing of the data subject's Personal Data (such as flagging records, moving data to separate storage, or temporarily removing data from active processing)

• Confirm to Controller the specific restrictions implemented

• Ensure restricted data is processed only:

  • With the data subject's consent

  • For establishment, exercise, or defense of legal claims

  • For protection of rights of another person

  • For reasons of important public interest

• Notify Controller before lifting any restriction, per Controller's further instructions

6.2 Duration of Restriction Processor shall maintain restrictions until Controller provides further instructions to:

• Lift the restriction

• Permanently delete the data

• Continue the restriction indefinitely

7. RIGHT TO DATA PORTABILITY (ARTICLE 20)

7.1 Data Export in Machine-Readable Format When Controller requests assistance with data portability, Processor shall:

• Extract the data subject's Personal Data that was provided by the data subject to Controller

• Provide data in structured, commonly used, and machine-readable format (JSON, CSV, or XML)

• Exclude data derived from analysis or generated by Processor's algorithms unless Controller specifically requests such data

• Provide data within 10 business days of Controller's instruction

7.2 Direct Transfer (If Technically Feasible) If Controller requests that Processor transmit data directly to another controller specified by the data subject:

• Processor shall cooperate to the extent technically feasible

• Processor may charge reasonable fees for direct transfer services not contemplated in standard Services functionality

• Controller and Processor shall agree on technical specifications and security measures prior to transfer

8. RESPONSE TIMEFRAMES

8.1 Standard Timeframes Unless otherwise agreed in writing, Processor shall provide assistance within the following timeframes after receiving Controller's instructions:

8.2 Complex Requests For complex requests involving:

• Data relating to multiple individuals

• Large volumes of data (exceeding 10,000 records)

• Data requiring extensive redaction

• Data held by multiple sub-processors

Processor may extend the response time by up to an additional 10 business days, provided Processor:

• Notifies Controller within 3 business days of receiving instructions

• Explains the reason for the extension

• Provides Controller with a specific completion date

8.3 Expedited Requests If Controller requires expedited assistance due to urgent circumstances, Controller shall:

• Clearly mark the request as "URGENT"

• Explain the circumstances requiring expedited processing

• Processor shall use reasonable efforts to accommodate expedited requests but is not obligated to do so if technically infeasible

9. COMMUNICATION AND COORDINATION

9.1 Controller Contact Information Controller designates the following contact for DSAR-related communications:

• Primary Contact: [Name/Title]

• Email: [Email Address]

• Phone: [Phone Number]

• Alternate Contact: [Name/Title]

Controller shall notify Processor in writing of any changes to designated contacts within 5 business days.

9.2 Processor Contact Information Processor designates the following contact for DSAR-related communications:

• Primary Contact: Data Protection Officer

• Email: contact@unihelper.io

• Response Time: Acknowledgment within 24 hours

• Escalation Contact: Daniel Pratte, Head of Sales, daniel@unihelper.io

9.3 Secure Transmission Methods Parties agree to use the following methods for secure transmission of Personal Data:

• Primary Method: Encrypted email (TLS 1.3 minimum)

• Alternative Method: Secure file transfer system (to be mutually agreed)

• Controller may specify additional security requirements on a case-by-case basis

10. SUB-PROCESSOR COORDINATION

10.1 Sub-Processor Instructions When Processor engages sub-processors in fulfilling Controller's DSAR instructions, Processor shall:

• Forward Controller's instructions to relevant sub-processors within 2 business days

• Impose the same assistance obligations on sub-processors as set forth in this Annex

• Monitor sub-processor compliance with instructions and timeframes

• Consolidate responses from multiple sub-processors before providing to Controller

10.2 Sub-Processor Response Times Processor shall ensure sub-processor agreements require response times that enable Processor to meet its obligations under Section 8 of this Annex.

10.3 Liability Processor remains fully liable to Controller for the performance of sub-processors in providing DSAR assistance, per GDPR Article 28(4).

11. DOCUMENTATION AND AUDIT TRAIL

11.1 Records Maintenance Processor shall maintain records of all DSAR assistance provided, including:

• Date and time request received from Controller

• Scope of data subject's request

• Systems searched and data extracted

• Any redactions or limitations applied

• Date and time response provided to Controller

• Any issues, delays, or technical limitations encountered

11.2 Record Retention Processor shall retain DSAR assistance records for 3 years following completion of the request, or for such longer period as required by law.

11.3 Availability for Audit Upon Controller's reasonable request, Processor shall make DSAR assistance records available for audit or inspection to demonstrate compliance with this Annex.

12. FEES AND COSTS

12.1 No Additional Fees Processor shall provide assistance under this Annex without charging additional fees beyond those specified in the Agreement, except as provided in Section 12.2.

12.2 Excessive or Manifestly Unfounded Requests If Controller instructs Processor to assist with a request that Processor reasonably believes is manifestly unfounded or excessive (particularly due to repetitive nature), Processor may:

• Notify Controller of the excessive nature of the request

• Provide Controller with an estimate of additional costs and resources required

• Charge reasonable fees for assistance with such requests, subject to Controller's advance written approval

12.3 Custom Development Fees for custom development or system modifications required to fulfill specific DSAR requests shall be agreed between the parties in writing prior to undertaking such work.

13. LIMITATIONS AND EXCEPTIONS

13.1 Technical Limitations Processor shall notify Controller promptly of any technical limitations that prevent full compliance with Controller's instructions, including:

• Data that cannot be extracted due to technical constraints

• Data commingled with other data subjects' data that cannot be separated

• Backup data that cannot be immediately accessed or deleted

• Sub-processor limitations on data access or extraction

13.2 Legal Obligations If Processor determines that Controller's instructions conflict with GDPR or other applicable law, Processor shall:

• Immediately inform Controller of the conflict

• Refrain from executing the conflicting instruction

• Work with Controller to find an alternative approach that complies with law

13.3 Resource Constraints Processor shall maintain sufficient technical and personnel resources to fulfill obligations under this Annex. If unforeseen circumstances prevent timely performance, Processor shall notify Controller immediately and propose alternative timeframes.

14. TRAINING AND CAPABILITY MAINTENANCE

14.1 Personnel Training Processor shall ensure that personnel involved in DSAR assistance are trained on:

• GDPR data subject rights requirements

• Procedures set forth in this Annex

• Technical systems for data identification, extraction, and deletion

• Confidentiality obligations

14.2 Technical Capability Processor shall maintain technical and organizational measures enabling efficient DSAR assistance, including:

• Searchable and retrievable data systems

• Data export functionality in machine-readable formats

• Secure transmission capabilities

• Documentation and audit trail systems

14.3 Process Review Processor shall review and update DSAR assistance procedures annually and whenever material changes occur to the Services or processing activities.

15. UPDATES TO PROCEDURES

15.1 Amendment Process This Annex may be amended by mutual written agreement of the parties.

15.2 Processor Improvements Processor may update procedures to improve efficiency or security, provided such updates:

• Do not reduce the level of assistance provided

• Do not extend response timeframes

• Are communicated to Controller with 30 days advance notice

15.3 Regulatory Changes If changes to GDPR or other applicable law require modifications to procedures, Processor shall notify Controller and propose necessary amendments within 30 days of such changes taking effect.

16. MISCELLANEOUS

16.1 Cooperation Both parties agree to cooperate in good faith to facilitate efficient handling of data subject rights requests while ensuring GDPR compliance.

16.2 Escalation Either party may escalate issues or disputes regarding DSAR assistance to executive contacts specified in the main Agreement.

16.3 Precedence In the event of conflict between this Annex and the main body of the Agreement, this Annex shall control with respect to DSAR assistance procedures.

EXECUTED AS OF THE EFFECTIVE DATE OF THE DATA PROCESSING AGREEMENT