ADDENDUM TO CONTRACT FOR THE PROVISION OF SERVICES

Net Real Solutions, SLU, (hereinafter "NRS" or "Data Processing Manager") with fiscal identification number ESB12550877, located at Av. Arcadi García Sanz, 19, 1ºA, Vila Real, Castellón, Spain; Registered in the Mercantile Registry of Castellón, volume 1058, book 622, sheet 183, section 8, page CS-17458; legally represented by Mr. Joaquín Edo, as Director-General, with national ID number 29018346M, as sole administrator.

The parties have agreed in advance, either through

a) a Service Provision Contract

b) or through the explicit Acceptance of the Terms of Service at the time of registration on any of the NRS websites (www.nrsgateway.com and/or www360nrs.com), that NRS will provide the Client with a web platform or Integration API for the mass sending of communications by SMS, e-mail, notifications, web, push notifications or automatic calls.

For reasons of providing the services mentioned in the previous paragraph, NRS is required to process certain personal data on behalf of the Client, who will be the person responsible for the processing of personal data, as defined by the applicable Law on Protection of Personal Data;

The parties agree to sign this Addendum on data protection in accordance with article 28 of the General Regulation of Data Protection of the European Union, in the following terms:


2nd (Definitions)

a) GDPR: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

b) "personal data" means any information about an identified or identifiable natural person ("the interested party"); a natural person will be considered to be any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or several elements of their physical, physiological, genetic, mental, economic, cultural or social identity;

c) "processing": any operation or set of operations performed on personal data or sets of personal data, whether by automated or non-automated procedures, such as collection, registration, organisation, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of access authorisation, comparison or interconnection, limitation, deletion or destruction;

d) "person responsible for processing": the natural or legal person, public authority, service or other body that, alone or together with others, determines the purposes and means of the processing; if the purposes and means of the treatment are defined by the law of the European Union or of the Member States, the person responsible for the treatment or the specific criteria for their appointment may be established by the law of the European Union or of the Member States;

e) "data processor": the natural or legal person, public authority, service or other body that processes personal data on behalf of the person responsible for processing;

f) "security breach" means any breach of security resulting from the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorised communication of or access to such data;


3rd (Object)

1. By this contract and in the terms of its signature, the Person responsible for processing empowers Net Real Solutions as the Data Processor of personal data to provide the service specified below.

The treatment will consist solely and exclusively of the provision of services of "SMS messages, e-mails, web and app notifications and automatic calls through the web platform owned by NRS or by integration with the NRS server"


4th (Duration)

This agreement will enter into force as of the date of signature, by both parties, of this contract and will be valid during the provision of the service, by the Processing Manager, object of the main contract.

The data processor's obligation of confidentiality shall remain valid for two years after the end of the service described in the main contract.

Once the present contract ends, the data processor must return any personal data to the person responsible for said personal data, and delete any copy that they have in their possession. However, they can keep the data secured, for any possible administrative or legal processes.


5th (Obligations of the data processor)

The data processor and all their employees undertake to:

a) Use the personal data to which they have access only for the purpose of this assignment. In no circumstances may data be used for their personal purposes.

b) Process the data in accordance with the instructions of the person responsible for processing.

If the data processor considers that any of the instructions violate the GDPR or any other law of the European Union or a Member State regarding data protection, the data processor shall immediately inform the person in charge.

c) Keep a written record of all categories of processing activities carried out on behalf of the person responsible for processing, containing:

    - The name and contact information of the data processor(s) and of each person on behalf of which the data processor is acting and, where appropriate, the representative of the person responsible or of the data processor and the data protection delegate.

    - The categories of processing carried out by each person responsible.

    - Where applicable, transfers of personal data to a third country or international organisation, including the identification of said third country or international organisation and, in the case of transfers indicated in Article 49, clause 1, paragraph two of the GDPR, the documentation of appropriate guarantees.

    - A general description of the technical and organisational security measures related to:

        i. The pseudonymisation and the encryption of personal data.

        ii. Guaranteeing the confidentiality, integrity, availability and permanent resilience of the processing systems and services.

        iii. The ability to restore the availability and access to personal data quickly, in case of a physical or technical incident.

        iv. The verification, evaluation and assessment of the effectiveness of technical and organisational measures to ensure the safety of the processing.

d) Refrain from disclosing data to third parties, unless you have the express authorisation of the person in charge of processing, in legally accepted cases.

The data processor can communicate the data to others designated by the person in charge, according to the instructions of the person in charge of processing. In such a case, the person in charge will identify, in advance and in writing, the entity to which the data must be communicated, the data which is to be communicated and the security measures to be applied in order to proceed with the communication.

If the person in charge must transfer personal data to a third country or to an international organization, pursuant Union or Member State law, he/she will inform the person responsible for that legal requirement in advance, unless such right prohibits for important reasons of public interest.

e) Refrain from outsourcing any of the services mentioned in this contract which may involve the processing of personal data, except for the auxiliary services necessary for the normal operation of the services of the data processor.

If it is necessary to subcontract any processing, this fact must be communicated in writing to the person in charge, one month in advance, indicating the processes that are to be subcontracted and clearly and unequivocally identifying the subcontractor company and their contact information. The subcontracting can be carried out if the person in charge does not make any objection known within the established period (one month).

The subcontractor, who shall also have the status of data processor, also undertakes to comply with the obligations established herein for the data processor and with the instructions which the manager may enforce. It is the responsibility of the initial data processor to regulate the new relationship so that the new data processor is subject to the same conditions (instructions, obligations, security measures, etc.) and with the same formal requirements as them, in relation to the appropriate processing of data personal and guaranteeing the rights of the people affected. In the case of non-compliance on the part of the subcontacted data processor, the initial manager will answer to the person responsible for processing in terms of compliance with the obligations.

f) Maintaining confidentiality with respect to personal data to which they have had access under this commission, even after the conclusion of the contract.

g) Guarantee that the persons authorised to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, and must be informed accordingly.

h) Make available to the person in charge the documentation proving compliance with the obligation established in the previous section.

i) Guarantee the necessary training in terms of protection of personal data of the persons authorised to process personal data.

j) Assist the data processor in the response to the exercise of rights of:

    - Access, rectification, deletion and opposition.

    - Limitation on processing.

Data portability

Not being subject to automated individualised decisions (including profiling).

The data processor must resolve, on behalf of the person in charge, and within the established period, requests to exercise rights of access, rectification, deletion and opposition, limitation of the processing, portability of data and not being subject to automated individualised decisions, in relation to the data subject to processing

k) It is the responsibility of the person responsible to provide the right to information at the time of the data collection.

l) Notification of data security breaches

The data processor will notify the person in charge of processing, without undue delay, and in any case within a maximum period of 72 hours, of security breaches concerning data for which they are responsible and of which they are aware, together with all the relevant information for the documentation and communication of the incident.

Notification will not be necessary when it is unlikely that such a breach of security constitutes a risk to the rights and freedoms of natural persons.

At least the following information will be provided:

    - A description of nature of the personal data security breach, including, whenever possible, the categories and the approximate number of affected users, and the categories and the approximate number of personal information records affected.

    - The name and contact information of the data protection officer or another contact point where more information could be obtained.

    - A description of the possible consequences of the personal data security breach.

    - A description of the measures adopted or proposed to remedy the personal data security breach, including, if applicable, the measures adopted to mitigate possible negative effects.

If it is not possible to provide all the information at the same time, and to the extent to which it is not, the information will be provided gradually without undue delay.

m) Provide the person in charge with all the necessary information to demonstrate compliance with their duties, as well as for carrying out the audits or inspections performed by the person in charge or by another authorised auditor.

n) Implement the security measures included in the APPENDIX SECURITY MEASURES.

o) In all cases, you must implement the necessary security measures to:

    - Guarantee the confidentiality, integrity, availability and permanent resilience of the processing systems and services.

    - Restore the availability and access to personal data quickly, in case of physical or technical incident.

    Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organisational measures implemented to guarantee the safety of the processing.

    - Pseudonymise and encrypt personal data, if applicable.

p) Destination of the data

Destroying the data, once the service has been completed. Once destroyed, the data processor must certify their destruction in writing and must deliver the certificate to the person responsible.

However, the processor may keep a copy, with the data duly encrypted, as long as responsibilities for the execution of the provision can be fulfilled.


6th (Obligations of the Person in charge of processing)

The person responsible for processing shall:

a) Send digital communications through the web platform owned by NRS, or through integration with NRS servers, only to recipients who previously and explicitly granted their authorisation to receive such communications.

b) Deliver to the data processor the data referred to in clause 3 of this document, in order to facilitate the provision of the services to which the main contract refers.

c) Carry out an evaluation of the impact, if necessary, on the protection of personal data of the processing operations to be carried out by the person in charge.

d) Conduct the prior consultations required.

e) Ensure, prior to and throughout the processing, compliance with the GDPR by the data processor.

f) Oversee the processing, including carrying out inspections and audits.


7th (SECURITY MEASURES)

ORGANISATIONAL MEASURES

INFORMATION THAT SHALL BE KNOWN BY ALL STAFF WITH ACCESS TO PERSONAL DATA

All personnel with access to personal data must be aware of their obligations in relation to the processing of personal data and will be informed of these obligations. The minimum information that will be known by all the staff will be the following:

- DUTY OF CONFIDENTIALITY AND SECRECY

    - The access of unauthorised persons to personal data should be avoided, in order to avoid: leaving personal data exposed to third parties (unattended electronic screens, paper documents in areas of public access, supports with personal data, etc.), this consideration includes the screens that are used for the visualisation of images from the video-surveillance system. When you are absent from the workplace, the screen must be locked or the session closed.

    - Paper documents and electronic media will be stored in a secure place (cabinets or restricted access rooms) 24 hours a day.

    - Documents or electronic media (CDs, pen drives, hard drives, etc.) will not be discarded with personal data without guaranteeing their destruction.

    - Personal data or any personal information will not be communicated to third parties, special attention will be given in not divulging protected personal data during telephone consultations, emails, etc.

    - The duty of secrecy and confidentiality persists even when the worker's employment relationship with the company ends.

- RIGHTS OF THE DATA HOLDERS

All workers will be informed of the procedure to address the rights of the interested parties, clearly defining the mechanisms by which the rights can be exercised (electronic means, referring to the Data Protection Officer if there is one, postal address, etc.). ) taking into account the following:

    - Upon presentation of their national identity document or passport, the holders of personal data (interested parties) may exercise their rights of access, rectification, deletion, opposition and portability. The person responsible for the processing must respond to the interested parties without undue delay.

For the right of access, the interested parties will be provided with a list of the personal data they have available, along with the purpose for which they were collected, the identity of the recipients of the data, the conservation periods, and the identity of the person responsible. who can request the rectification, deletion and opposition to the processing of the data.

For the right to recification, the data of the interested parties that were inaccurate or incomplete for the purposes of the processing will be corrected.

For the right to deletion, the data of the interested parties will be deleted when the interested parties express their refusal or opposition to consent for the processing of their data and there is no legal duty that prevents deletion.

For the right to portability, the interested parties must communicate their decision and inform the person responsible, as the case may be, about the identity of the new person responsible to whom they provide their personal data.

The person responsible for the processing must inform all persons with access to personal data about the terms of compliance to meet the rights of the interested parties, and the manner and procedure in which said rights will be met.

- SECURITY VIOLATIONS OF PERSONAL DATA

    - When there are security breaches of PERSONAL DATA, such as, for example, theft or improper access to personal data, the Spanish Data Protection Agency will be notified within 72 hours of said security breaches, including all information necessary for the clarification of the facts that would have given rise to the improper access to personal data. The notification will be made by electronic means through the electronic headquarters of the Spanish Agency for Data Protection at the address: https://sedeagpd.gob.es


TECHNICAL MEASURES

IDENTIFICATION

- When the same computer or device is used for the processing of personal data and personal purposes, it is recommended to have several profiles or different users for each of the purposes. The professional and personal uses of the computer must be kept separate.

- It is recommended to have profiles with administrator rights for the installation and configuration of the system and users without privileges or administrative rights for access to personal data. This measure will prevent access privileges being obtained or the operating system being modified in case of cybersecurity attack.

- Passwords for access to personal data stored in electronic systems must be guaranteed. The password must have at least 8 characters, and be a mixture of numbers and letters.

- When personal data are accessed by different people, for each person with access to personal data, a specific username and password must be used (unambiguous identification).

- The confidentiality of passwords must be guaranteed, preventing them from being exposed to third parties. In no case will passwords be shared nor written down in a shared space and accessed by people other than the user.

DUTY OF SAFEGUARD

The following are the minimum technical measures to guarantee the safeguarding of personal data:

- UPDATING OF COMPUTERS AND DEVICES: The devices and computers used for the storage and processing of personal data must be kept as up-to-date as possible.

- MALWARE: On computers and devices where the automated processing of personal data is carried out, an antivirus system must be available to guarantee protection against the theft and destruction of personal information and data as much as possible. The antivirus system should be updated periodically.

- FIREWALL: To avoid illicit remote access to personal data, there must be an activated firewall installed on those computers and devices in which personal data is stored and/or processed.

- ENCRYPTION OF DATA: When it is necessary to perform the extraction of personal data away from the site where it is processed, either by physical means or by electronic means, the possibility of using an encryption method to guarantee the confidentiality of the data in case of undue access should be assessed.

- COPY OF SECURITY: Periodically a backup copy will be made in a second device different from that used for daily work. The copy will be stored in a secure place, different from that in which the computer is located with the original files, in order to allow the recovery of personal data in case of loss of information.

The security measures will be reviewed periodically, the review may be done by automatic mechanisms (software or computer programs) or manually. Consider that any computer security incident that has happened to any acquaintance can occur to you, and take precautions against it.