DATA PROCESSING ADDENDUM

This Data Processing Addendum ("DPA") forms part of the Agreement between Revgentic Ltd ("Revgentic") and the Customer, and governs Revgentic's processing of Personal Data on behalf of the Customer. This DPA takes effect as of the Effective Date of the Order Form.

1. Definitions

For the purposes of this DPA:

"Data Protection Laws" means all applicable data protection and privacy laws, including the UK GDPR and the EU GDPR.

"GDPR" means the General Data Protection Regulation (EU) 2016/679.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Revgentic on behalf of the Customer under the Agreement.

"Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings given in the UK GDPR.

2. Status of the Parties

2.1 The Customer is the data controller and Revgentic is the data processor in relation to Personal Data processed under the Agreement. Revgentic will process Personal Data only on the Customer's documented instructions and in compliance with Data Protection Laws.

2.2 Each party will notify the other without undue delay if it can no longer meet its obligations under this DPA.

2.3 Each party will identify a contact for data protection matters.

3. Revgentic's Obligations

With respect to all Personal Data, Revgentic agrees that it will:

3.1 only process Personal Data as necessary to provide the Services and only on the Customer's documented instructions. If Revgentic is required by law to process Personal Data outside the Customer's instructions, it will notify the Customer unless legally prohibited;

3.2 implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented by the processing, including protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data;

3.3 ensure that its personnel have access to Personal Data only as necessary to perform the Services, and that all such persons are under obligations of confidentiality;

3.4 notify the Customer without undue delay, and within 48 hours where feasible, upon becoming aware of a Personal Data breach;

3.5 promptly notify the Customer if Revgentic believes any instruction infringes Data Protection Laws, and maintain records of processing activities as required by law;

3.6 provide reasonable assistance to the Customer in responding to Data Subject requests and in fulfilling its obligations under Data Protection Laws.

4. Sub-processing

4.1 The Customer authorises Revgentic to use sub-processors. An up-to-date list of sub-processors is available in Revgentic's Trust Centre. Revgentic will give the Customer at least 14 days' prior written notice of any changes to its sub-processor list. The Customer may object to a new sub-processor on reasonable data protection grounds within that period.

4.2 Revgentic remains responsible for the acts and omissions of its sub-processors.

5. International Data Transfers

5.1 Revgentic uses the EU Standard Contractual Clauses and the UK International Data Transfer Addendum for international transfers of Personal Data. These transfer mechanisms are incorporated by reference into this DPA.

6. Data Subject Requests

6.1 If Revgentic receives a request from a Data Subject relating to Personal Data processed on behalf of the Customer, Revgentic will notify the Customer and provide reasonable assistance.

7. General

7.1 This DPA forms part of the Agreement. If there is a conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict.

Annex A – Processing Schedule

This Annex forms part of the DPA and sets out the particulars of Revgentic's processing of Personal Data.