Data Processing Addendum
Last Updated: April 24, 2026
This Data Processing Addendum, including its Appendices (collectively, the “DPA”), forms part of and is incorporated by reference into the Terms of Service or any other applicable written agreement between ShareCRM and Customer governing the provision and use of ShareCRM’s services, including any related offline or mobile applications or components (collectively, the “Services”) (the “Agreement”). This DPA sets out the Parties’ respective rights and obligations with respect to the Processing of Personal Data in connection with the Services.
Applicability
This DPA applies where ShareCRM, acting as the processor, processes Personal Data on behalf of Customer in connection with the Services and forms part of the agreement governing Customer’s use of the Services.
This DPA applies only where there is a valid contractual relationship governing the Customer’s use of the Services, including where Customer has entered into the Terms of Service directly with ShareCRM, or where Customer has entered into an applicable order form or similar purchasing document that incorporates such Terms, whether directly or through a ShareCRM Affiliate acting as a reseller or sales contracting entity.
Where the Services are provided to Customer indirectly through an authorized reseller or distributor that is not a ShareCRM Affiliate, this DPA applies solely to the Processing of Personal Data carried out by ShareCRM in connection with the provision and operation of the Services. This DPA does not govern any independent processing of Personal Data by such reseller or distributor, which shall be subject to the reseller’s or distributor’s own data protection terms and policies, and does not create a direct contractual relationship between Customer and any such reseller or distributor for purposes of this DPA.
The scope of this DPA is limited to the Processing of Personal Data in environments controlled by ShareCRM, including processing carried out through centralized or shared service arrangements within the ShareCRM Group and its authorized Sub-processors. This includes Personal Data transmitted to ShareCRM through the Services, but excludes any data that remains on Customer’s premises or within third-party environments independently selected and controlled by Customer.
For the avoidance of doubt, this DPA applies only to Personal Data that constitutes Customer Data and is processed by ShareCRM on behalf of Customer in its capacity as a processor. Any Personal Data Processed by ShareCRM or any of its Affiliates in their capacity as a controller, including in connection with account administration, billing, support, security, or compliance-related activities, is outside the scope of this DPA and is governed by ShareCRM’s Privacy Policy.
Execution of this DPA
This DPA may be executed by Customer by (i) signing this DPA, whether physically or electronically, including where this DPA is incorporated as an appendix or attachment to the Agreement; or (ii) accepting the Agreement or using the Services where such acceptance constitutes agreement to this DPA.
This DPA shall become effective on the date of the Customer’s acceptance or signature, whichever occurs first.
Where applicable law requires the execution of standard contractual clauses as a separate instrument, such clauses shall be deemed executed upon Customer’s acceptance of this DPA, unless otherwise agreed in writing.
Data Processing Terms
1. Definitions
Unless otherwise defined in this DPA, capitalized terms used but not defined herein shall have the meanings given to them in the Terms of Service.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Customer” means the legal entity that has entered into the Agreement with ShareCRM for the use of the Services. Where applicable, and solely for the purposes of this DPA, “Customer” may also include such entity’s Affiliates that are authorized to use the Services pursuant to the Agreement or an applicable order form or similar purchasing document, for so long as they remain Affiliates.
“Customer Data” means electronic data and information, including Personal Data, that is submitted, uploaded, transmitted, or otherwise made available by or on behalf of Customer to the Services in connection with Customer’s use of the Services, as further described in the Agreement. For the avoidance of doubt, this DPA applies only to Customer Data processed by ShareCRM on behalf of Customer and does not apply to data processed by third-party applications or services that are not provided by ShareCRM, as governed by their respective terms.
“Data Breach” means any confirmed or reasonably suspected breach of security, as such term may be defined or interpreted under applicable Data Protection Laws and Regulations, leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data that is Processed by ShareCRM in connection with the Terms of Service, including any misuse, interference with, or compromise of the confidentiality, integrity, or availability of such Customer Data, whether caused by accidental, negligent, or unlawful acts.
“Data Protection Laws and Regulations” means all applicable laws and regulations relating to the Processing of Personal Data under the Agreement, including, where applicable, the data protection and privacy laws of the European Union, the European Economic Area and their member states, the United Kingdom, the United States (including applicable state laws), and other jurisdictions in which Customer or Data Subjects are located.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates, or any equivalent or analogous term used under applicable Data Protection Laws.
“Europe” means the European Union, the European Economic Area, Switzerland, and the United Kingdom.
“EEA” means the European Economic Area.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), as amended from time to time.
“Jurisdiction-Specific Requirements” means any additional or specific obligations, restrictions, or conditions relating to the Processing of Personal Data that apply under the Data Protection Laws and Regulations of particular jurisdictions, including, where applicable, requirements relating to cross-border data transfers, data subject rights, security measures, breach notification, or government access, as set out in Clause 13 (Jurisdiction-Specific Requirements).
“Lawful Transfer Mechanisms” means any legally valid mechanism or safeguard that permits the lawful transfer of Personal Data from a data exporter to a data importer under applicable Data Protection Laws and Regulations, as may be required or approved by a competent Supervisory Authority from time to time, including, where applicable and without limitation, standard contractual clauses or other model transfer terms prescribed under such laws, binding corporate rules, adequacy decisions, certifications, codes of conduct, or any required prior registration, authorization, or permission from a Supervisory Authority.
“Personal Data” means any information relating to (i) an identified or identifiable natural person, and (ii) to the extent protected as personal data, personally identifiable information, or an equivalent concept under applicable Data Protection Laws, an identified or identifiable legal entity, in each case where such information constitutes Customer Data that is processed by ShareCRM on behalf of Customer under the Agreement in connection with the provision of the Services.
“Privacy Policy” means ShareCRM’s privacy policy applicable to the Services, as made available at the URL referenced in the Agreement or otherwise notified to Customer from time to time, which describes, among other matters, ShareCRM’s practices regarding the Processing of Personal Data.
“Processing” means any operation or set of operations carried out on Personal Data, as defined under applicable Data Protection Laws, and the terms “Process” and “Processed” shall be interpreted accordingly.
“Processor” means the entity that Processes Personal Data on behalf of a Controller, including, where applicable under relevant Data Protection Laws, a “service provider” or equivalent concept.
“Public Authority” means any governmental, regulatory, supervisory, judicial, or law enforcement authority with competent jurisdiction.
“ShareCRM” means the ShareCRM group entity that is a party to the Agreement and, for the purposes of this DPA, collectively refers to ShareCRM and its Affiliates to the extent they are involved in the Processing of Personal Data in connection with the Services.
“Sub-processor” means any third party engaged by ShareCRM from time to time to Process Customer Data on ShareCRM’s behalf in connection with the provision of the Services, excluding ShareCRM Affiliates to the extent such Affiliates are involved in the Processing of Personal Data solely as part of ShareCRM’s internal, centralized, or shared service operations.
“Supervisory Authority” means any governmental, regulatory, or supervisory authority with competent jurisdiction over the Processing of Personal Data under applicable Data Protection Laws and Regulations.
“UK” means the United Kingdom of Great Britain and Northern Ireland.
“UK GDPR” means the United Kingdom General Data Protection Regulation, as incorporated into and given effect under the UK Data Protection Act 2018, and as amended, supplemented, or replaced from time to time, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.
2. Roles of the Parties
The Parties acknowledge and agree that, in the context of the Services, Customer determines the purposes and means of the Processing of Personal Data and acts as the Controller (or, where applicable, as a processor acting on behalf of another controller), and that ShareCRM Processes Personal Data solely on behalf of Customer in its capacity as a Processor.
2.1 Customer’s Processing of Personal Data
In connection with its use of the Services, Customer shall be responsible for ensuring that Personal Data is made available to ShareCRM for Processing in a manner consistent with applicable Data Protection Laws and Regulations. Without limiting the foregoing, Customer is responsible for determining the purposes for which Personal Data is Processed and for ensuring that it has a valid legal basis to disclose Personal Data to ShareCRM for the provision of the Services.
Where required under applicable Data Protection Laws and Regulations, Customer shall ensure that appropriate information has been provided to Data Subjects regarding the Processing of their Personal Data. Where Customer acts as a processor on behalf of another controller, Customer represents that it has been authorized by such controller to instruct ShareCRM to Process Personal Data in accordance with this DPA.
Customer remains responsible for the overall accuracy and lawfulness of the Personal Data it provides to the Services.
2.2 ShareCRM’s Processing of Personal Data
ShareCRM shall Process Personal Data on behalf of Customer and strictly in accordance with Customer’s documented instructions, which shall include this DPA and the Agreement (together constituting Customer’s written instructions), and solely for the purposes of providing, operating, and supporting the Services.
By executing the Agreement and this DPA, Customer is deemed to have provided its prior written instructions to ShareCRM for the Processing of Personal Data as described herein, without the need for any further authorization, unless otherwise required by applicable law.
Such documented instructions include, where applicable: (a) the transfer of Personal Data to third countries as contemplated by the Services’ architecture, the Agreement, and this DPA; and (b) the engagement of Sub-processors in accordance with the Sub-processor disclosure and authorization mechanism set out in this DPA, including the Sub-processor list referenced herein.
Customer may issue additional or alternative instructions from time to time, provided that such instructions are mutually agreed in writing between Customer and ShareCRM.
Such Processing may include Processing initiated by authorized users in the course of their use of the Services, as well as Processing necessary to maintain the security, integrity, and functionality of the Services. ShareCRM shall not Process Personal Data for its own independent purposes and shall not use Personal Data except as necessary to perform the Services or as required by applicable law.
Where ShareCRM is required by applicable law to Process Personal Data otherwise than on Customer’s instructions, ShareCRM shall, to the extent permitted by law, inform Customer of such requirement.
3. Description of the Processing
3.1 Subject Matter and Purpose
The subject matter of the Processing of Personal Data under this DPA is the provision, operation, maintenance, and support of the Services in accordance with the Agreement. Personal Data is Processed by ShareCRM solely on behalf of Customer and only to the extent necessary to perform the Services as instructed by Customer.
3.2 Nature of the Processing
The Processing may include such operations as collection, recording, organization, structuring, storage, access, use, disclosure, transmission, combination, restriction, or deletion of Personal Data, as required to enable Customer and its authorized users to use the Services, and to ensure the security, integrity, availability, and proper functioning of the Services.
3.3 Categories of Personal Data and Data Subjects
The categories of Personal Data Processed and the categories of Data Subjects to whom such Personal Data relates depend on the nature of the Services used by Customer and Customer’s configuration and use of the Services, and are further described in Appendix I (Processing Details).
3.4 Duration of the Processing
Personal Data shall be Processed for the duration of the Agreement, unless otherwise agreed in writing or required under applicable law, and thereafter returned or deleted in accordance with the Agreement and this DPA.
3.5 Geographic Scope
Personal Data may be Processed in multiple jurisdictions as necessary to provide the Services, including within and outside the jurisdiction where Customer or Data Subjects are located, subject in all cases to applicable Data Protection Laws and Regulations and the implementation of appropriate Lawful Transfer Mechanisms where required.
4. ShareCRM Obligations as Processor
4.1 Processing on Instructions
ShareCRM shall Process Personal Data in accordance with Customer’s documented instructions, and in compliance with applicable Data Protection Laws and Regulations.
Where ShareCRM is required by applicable law to Process Personal Data otherwise than in accordance with Customer’s instructions, ShareCRM shall, to the extent permitted by law, inform Customer of such legal requirement prior to such Processing.
If ShareCRM reasonably believes that an instruction from Customer would result in a violation of applicable Data Protection Laws and Regulations, ShareCRM shall promptly notify Customer and may, where necessary to avoid such violation, suspend the Processing of Personal Data to the extent affected by the disputed instruction, pending clarification or amendment of such instruction.
4.2 Confidentiality and Access Controls
ShareCRM shall ensure that access to Personal Data is limited to its authorized personnel and authorized Sub-processors who require such access for the performance of the Services, and who are subject to confidentiality obligations or statutory duties of confidentiality that are appropriate in light of the nature of the Processing.
4.3 Security Measures
Taking into account the nature, scope, context, and purposes of the Processing, ShareCRM shall implement and maintain reasonable and appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, as further described in Appendix II (Technical and Organizational Measures).
4.4 Assistance to Customer
Taking into account the nature of the Processing, and to the extent required by applicable Data Protection Laws and Regulations, ShareCRM shall provide reasonable assistance to Customer, insofar as practicable and legally permitted, to enable Customer to:
(a) respond to requests from Data Subjects to exercise their rights under applicable Data Protection Laws and Regulations;
(b) comply with obligations relating to security, breach notification, and record-keeping; and
(c) conduct data protection impact assessments and, where required under applicable law, prior consultations with relevant Supervisory Authorities.
5. Customer Obligations
5.1 Compliance with Data Protection Laws and Regulations
Customer represents and warrants that, in connection with its use of the Services:
(a) Personal Data has been collected, used, and disclosed to ShareCRM in a manner consistent with applicable Data Protection Laws and Regulations;
(b) Customer has a valid legal basis under applicable Data Protection Laws for the Processing of Personal Data and for making such Personal Data available to ShareCRM for the provision of the Services;
(c) Customer’s instructions to ShareCRM are lawful and do not require ShareCRM to Process Personal Data in violation of applicable Data Protection Laws and Regulations; and
(d) where required under applicable Data Protection Laws and Regulations, Customer has provided appropriate information to Data Subjects regarding the Processing of their Personal Data in connection with the Services.
5.2 Responsibility for Configuration and Use of the Services
Customer understands and acknowledges that the manner in which the Services are configured and used, including the types of Personal Data submitted to the Services and the purposes for which such Personal Data is Processed, depends on Customer’s specific use cases and business requirements. On this basis, Customer shall use reasonable efforts to ensure that its configuration and use of the Services are consistent with applicable Data Protection Laws and Regulations.
5.3 Indemnity
Customer shall indemnify and hold harmless ShareCRM from and against losses arising directly from Customer’s breach of this Section 5, to the extent permitted by, and subject to the limitations set out in, the Agreement.
5.4 Cooperation
Customer shall provide information and assistance reasonably requested by ShareCRM in connection with any claim, inquiry, or investigation by a Supervisory Authority or other competent authority relating to the Processing of Personal Data under this DPA, to the extent such information or assistance is within Customer’s reasonable control.
6. Data Subject Rights and Assistance
6.1 Allocation of Responsibility for Data Subject Rights
Customer remains primarily responsible for responding to requests from Data Subjects relating to the exercise of rights under applicable Data Protection Laws and Regulations. ShareCRM supports Customer’s compliance with such obligations in its role as a processor and does not independently determine the scope or applicability of Data Subject rights in connection with the Services.
Nothing in this DPA is intended to require ShareCRM to act as the primary point of contact for Data Subjects or to independently assess the validity of Data Subject requests, except to the extent required under applicable law.
6.2 Handling of Data Subject Communications
Where ShareCRM receives a communication directly from a Data Subject that reasonably appears to relate to the Processing of Personal Data under this DPA, ShareCRM shall, to the extent legally permitted, notify Customer or redirect such communication to Customer for response.
ShareCRM shall not respond substantively to such communications on Customer’s behalf, except where required by applicable law or expressly agreed in writing with Customer.
6.3 Processor Assistance Required Under Applicable Laws
Taking into account the nature of the Processing and the Services, and to the extent required under applicable Data Protection Laws and Regulations, ShareCRM shall provide reasonable assistance to Customer, through appropriate technical and organizational measures, to support Customer’s compliance with obligations relating to Data Subject rights.
Such assistance may include, where required by applicable law and to the extent technically feasible within the Services:
(a) enabling access to, rectification of, or deletion of Personal Data;
(b) supporting restrictions on Processing or objection to Processing; and
(c) facilitating data portability or similar rights where such rights are recognized under applicable law.
6.4 Jurisdictional Variations in Data Subject Rights
Customer acknowledges that the scope, nature, and enforceability of Data Subject rights vary across jurisdictions. ShareCRM’s obligations under this Section apply only to the extent that such rights are granted and enforceable under applicable Data Protection Laws and Regulations and apply to ShareCRM in its capacity as a processor.
Nothing in this DPA shall be construed as requiring ShareCRM to provide a level of assistance or functionality that exceeds what is required under applicable law in a particular jurisdiction.
6.5 Additional Assistance and Limitations
Where Customer reasonably determines that it cannot address a Data Subject request using the standard functionality of the Services, ShareCRM shall, upon Customer’s reasonable request, use reasonable efforts to provide additional assistance, to the extent legally permitted and technically feasible.
To the extent permitted by applicable law, Customer shall be responsible for any reasonable costs incurred by ShareCRM in providing such additional assistance.
7. Data Breach Management
7.1 Security Incident Management
ShareCRM shall maintain appropriate policies and procedures designed to identify, assess, manage, and remediate security incidents affecting Personal Data Processed on behalf of Customer, taking into account the nature of the Services and the risks presented by the Processing.
7.2 Notification of Data Breach
ShareCRM shall notify Customer without undue delay after becoming aware of a Data Breach involving Personal Data Processed by ShareCRM on behalf of Customer.
Such notification shall be provided in accordance with applicable Data Protection Laws and Regulations and shall, to the extent reasonably practicable and based on the information available to ShareCRM at the time, include a description of the nature of the Data Breach, the categories of Personal Data affected, and the measures taken or proposed to contain, mitigate, or remediate the Data Breach. Additional information may be provided as it becomes reasonably available.
For the avoidance of doubt, ShareCRM’s notification of a Data Breach shall not be construed as an admission of fault or liability, and ShareCRM’s obligations with respect to investigation and remediation shall be limited to matters within ShareCRM’s reasonable control, including in cases where the Data Breach was caused by Customer or Customer’s authorized users.
7.3 Investigation and Remediation
To the extent required under applicable Data Protection Laws and Regulations, and taking into account the nature of the Data Breach, ShareCRM shall make reasonable efforts to investigate the circumstances of the Data Breach and to take such measures as ShareCRM reasonably considers appropriate to contain, mitigate, or remediate the effects of the Data Breach, to the extent such measures are within ShareCRM’s reasonable control.
Nothing in this DPA shall be construed as requiring ShareCRM to investigate or remediate security issues that are attributable to Customer’s configuration or use of the Services, or to take actions that are not required or permitted under applicable law.
7.4 Assistance with Regulatory and Data Subject Notifications
Taking into account the nature of the Processing and to the extent required under applicable Data Protection Laws and Regulations, ShareCRM shall provide reasonable assistance to Customer in connection with Customer’s obligations to notify competent Supervisory Authorities, affected Data Subjects, or other persons of a Data Breach, where such notification is required by applicable law.
ShareCRM shall not notify any Supervisory Authority or Data Subject directly, except where required by applicable law.
7.5 Information Sharing and Limitations
ShareCRM shall provide Customer with information reasonably necessary to enable Customer to comply with its Data Breach-related obligations under applicable Data Protection Laws and Regulations, subject to any legal, security, or confidentiality restrictions.
Customer acknowledges that information relating to a Data Breach may evolve as an investigation progresses and that initial notifications may be based on incomplete information.
7.6 Jurisdictional Variations
Customer acknowledges that Data Breach notification obligations, timelines, and thresholds vary across jurisdictions. ShareCRM’s obligations under this Section 7 apply only to the extent such obligations are mandatory under applicable Data Protection Laws and Regulations and apply to ShareCRM in its capacity as a processor.
8. Sub-processing
8.1 Use of Sub-processors
Customer acknowledges and agrees that ShareCRM may engage its Affiliates and third-party service providers as Sub-processors to Process Personal Data on behalf of Customer for the purpose of providing, operating, and supporting the Services.
ShareCRM shall remain responsible for the Processing of Personal Data by its Sub-processors in accordance with applicable Data Protection Laws and Regulations, subject to the limitations set out in the Agreement.
8.2 Data Protection Safeguards for Sub-processors
Where required under applicable Data Protection Laws and Regulations, ShareCRM shall ensure that each Sub-processor is subject to a written agreement that imposes data protection obligations appropriate to the nature of the Processing performed by such Sub-processor and that are consistent with ShareCRM’s obligations under this DPA.
Nothing in this DPA shall be construed as requiring ShareCRM to impose obligations on Sub-processors beyond those required under applicable law in the relevant jurisdiction.
8.3 Transparency and Sub-processor Information
To the extent required under applicable Data Protection Laws and Regulations, ShareCRM shall make available to Customer information regarding its Sub-processors.
Information regarding ShareCRM’s current Sub-processors, including, where applicable, their identities, geographic locations, and the nature of the Processing performed, is made available to Customer via ShareCRM’s publicly accessible Sub-processor list, available at ShareCRM Sub-processor List or such other URL as ShareCRM may designate from time to time. ShareCRM shall ensure that such Sub-processor information remains reasonably accessible to Customer throughout the term of the Agreement.
8.4 Jurisdictional Variations
Customer acknowledges that requirements relating to Sub-processing, including authorization, disclosure, and objection rights, vary across jurisdictions. ShareCRM’s obligations under this Section 8 apply only to the extent such requirements are mandatory under applicable Data Protection Laws and Regulations and apply to ShareCRM in its capacity as a processor.
9. International Data Transfers
9.1 Cross-Border Processing
Customer acknowledges that, in connection with the provision of the Services, Personal Data may be transferred to, stored in, or otherwise Processed in jurisdictions other than the jurisdiction in which Customer or the relevant Data Subjects are located, including jurisdictions that may have different data protection laws.
Such transfers shall be carried out in accordance with applicable Data Protection Laws and Regulations.
9.2 Government Access and Legal Requirements
Where ShareCRM is required by applicable law or a valid legal process to disclose or provide access to Personal Data to a Public Authority in connection with an international transfer, ShareCRM shall, to the extent legally permitted, notify Customer of such requirement and take reasonable steps to limit the disclosure to what is legally required.
9.3 Transfers to the People’s Republic of China
Without limiting the generality of this Section 9, the Parties acknowledge that, in connection with the provision of the Services, certain data may be transferred to and Processed in the People’s Republic of China.
Such transfers are limited to Personal Data that is necessary for authentication and access control purposes, including user identification information and login-related information, and are carried out solely for the purpose of enabling user authentication, authorization, and security verification in connection with the Services.
The Parties further acknowledge that certain data transmitted to the People’s Republic of China in connection with the Services, including license or entitlement information, system monitoring data, operational logs, and deployment or release information, is not intended to identify any individual and, as processed by ShareCRM, is generally technical or operational in nature.
To the extent such data does not constitute Personal Data under applicable Data Protection Laws and Regulations, it falls outside the scope of this DPA. Where any such data is considered Personal Data under applicable law, it shall be treated as Personal Data in accordance with this DPA.
Any transfer of Personal Data to the People’s Republic of China under this Section shall be carried out in accordance with applicable Data Protection Laws and Regulations and shall be subject to appropriate Lawful Transfer Mechanisms, where required under such laws.
10. Return and Deletion
10.1 Return or Deletion upon Termination
Upon termination or expiration of the Agreement, and subject to applicable Data Protection Laws and Regulations, ShareCRM shall, at Customer’s written request, either return to Customer or delete Personal Data Processed on behalf of Customer in connection with the Services.
Unless otherwise agreed in writing, such return or deletion shall be carried out within a reasonable period following termination or expiration of the Agreement.
10.2 Deletion in the Ordinary Course of Business
In the absence of a written request from Customer, ShareCRM may delete Personal Data in accordance with its standard data retention and deletion practices, as applicable to the Services.
10.3 Retention Required by Law or Legitimate Purposes
Notwithstanding the foregoing, ShareCRM may retain Personal Data to the extent and for such period as required or permitted under applicable law, including for the purposes of complying with legal obligations, resolving disputes, enforcing agreements, or maintaining security, audit, and backup records.
Any Personal Data so retained shall continue to be protected in accordance with this DPA for so long as it is retained.
10.4 Backup and Residual Copies
Customer acknowledges that Personal Data may be retained in backup systems or residual copies for a limited period following deletion, provided that such Personal Data is not actively Processed and is securely isolated and protected, and is deleted in accordance with ShareCRM’s standard backup retention schedules.
11. Audit and Compliance
11.1 Demonstration of Compliance
ShareCRM shall make available to Customer such information as is reasonably necessary to demonstrate ShareCRM’s compliance with its obligations under this DPA, to the extent required under applicable Data Protection Laws and Regulations.
Such information may include, as appropriate, relevant policies, summaries of technical and organizational measures, or independent audit reports or certifications obtained by ShareCRM, where available.
11.2 Customer Audit Requests
To the extent required under applicable Data Protection Laws and Regulations, and only where such laws expressly grant Customer a right to audit a data processor, and subject to the conditions set out in this Section 11, Customer may request to conduct an audit of ShareCRM’s compliance with this DPA.
Any such audit shall:
(a) be limited in scope to matters directly relevant to the Processing of Personal Data under this DPA;
(b) be conducted no more than once in any twelve (12) month period, unless otherwise required by applicable law or a competent Supervisory Authority;
(c) be subject to reasonable prior written notice;
(d) be conducted during normal business hours and in a manner that does not unreasonably interfere with ShareCRM’s business operations; and
(e) be subject to appropriate confidentiality obligations.
11.3 Audit Methodology and Limitations
Unless otherwise required by applicable Data Protection Laws and Regulations, audits shall be conducted remotely and by way of document review, interviews, or other reasonable means determined by ShareCRM.
On-site audits shall be permitted only where strictly required under applicable law or pursuant to a binding order of a competent Supervisory Authority, and shall be subject to reasonable security, confidentiality, and access controls.
Unless otherwise required under applicable Data Protection Laws and Regulations, Customer shall bear all costs and expenses relating to any audit conducted at Customer’s request, including the fees of any auditor appointed by Customer.
12. Governing Law
This DPA shall be governed by and construed in accordance with the governing law specified in the Agreement.
Notwithstanding the foregoing, nothing in this DPA shall be construed as limiting the application of mandatory provisions of applicable Data Protection Laws and Regulations that apply to the Processing of Personal Data under this DPA.
To the extent required under applicable Data Protection Laws and Regulations, the interpretation and enforcement of any provisions of this DPA relating specifically to the Processing of Personal Data shall take into account the requirements of such laws.
13. Jurisdiction-specific Requirements
13.1 Applicability and Structure of Jurisdiction-Specific Requirements
This Section 13 establishes the general framework governing the application and priority of jurisdiction-specific data protection requirements. Specific country- or region-level requirements, where applicable, are set out exclusively in Appendix III (Jurisdiction-Specific Requirements).
This Section 13 does not introduce additional obligations beyond those expressly required under applicable Data Protection Laws and Regulations. Where the Processing of Personal Data under this DPA is subject to jurisdiction-specific data protection laws or regulations that impose mandatory obligations on ShareCRM in its capacity as a processor, such obligations shall apply only to the extent and in the manner described in Appendix III, where applicable.
Customer acknowledges that jurisdiction-specific requirements do not apply uniformly across all Processing activities, Data Subjects, or Service configurations.
13.2 Allocation of Responsibilities
Unless otherwise expressly required by applicable Data Protection Laws and Regulations:
(a) Customer remains responsible for determining the purposes and means of the Processing of Personal Data, including providing any required notices to Data Subjects and obtaining any required consents or authorizations; and
(b) ShareCRM’s obligations are limited to those applicable to a processor or equivalent role under the relevant jurisdiction-specific laws.
Nothing in this DPA shall be construed as requiring ShareCRM to assume obligations that are imposed solely on controllers under applicable law.
13.3 Local Law Variations
Customer acknowledges that jurisdiction-specific requirements may vary with respect to, without limitation:
(a) definitions of Personal Data or sensitive data;
(b) requirements relating to consent, notice, or transparency;
(c) restrictions on cross-border transfers;
(d) data localization or retention obligations;
(e) data breach notification thresholds and timelines; and
(f) enforcement mechanisms and regulatory oversight.
ShareCRM shall comply with such jurisdiction-specific requirements only to the extent they apply to ShareCRM in its role as a processor and are mandatory under applicable law.
13.4 Appendix III – Jurisdiction-Specific Requirements
Where required by applicable Data Protection Laws and Regulations, or where the Parties otherwise expressly agree in writing, country- or region-specific data protection requirements shall be set out in Appendix III to this DPA (the “Jurisdiction-Specific Requirements”).
Appendix III forms an integral part of this DPA solely with respect to the Processing activities, jurisdictions, and Services expressly identified therein.
In the event of any conflict between this DPA and Appendix III, Appendix III shall prevail only with respect to the specific jurisdiction and Processing activities to which the conflicting provisions expressly apply.
13.5 Regulatory Guidance and Changes in Law
Customer acknowledges that data protection laws and regulatory guidance may change over time and may be interpreted differently by competent authorities in different jurisdictions.
ShareCRM may, to the extent required by applicable law, update its Processing practices, security measures, or documentation as reasonably necessary to address changes in applicable jurisdiction-specific requirements, provided that such updates do not materially reduce the level of protection afforded to Personal Data under this DPA.
13.6 No Automatic Global Application
For the avoidance of doubt, jurisdiction-specific requirements applicable in one jurisdiction shall not apply globally unless expressly required under applicable Data Protection Laws and Regulations.
Appendix I: Processing Details
1. Categories of Data Subjects
Customer may submit Personal Data to the Services, the scope of which is determined and controlled by Customer, and which may include Personal Data relating to the following categories of Data Subjects:
(a) Customer’s authorized users of the Services;
(b) Prospects, customers, business partners, vendors, and counterparties of Customer who are natural persons;
(c) Employees, contractors, agents, advisors, or representatives of Customer or of Customer’s customers, partners, or vendors; and
(d) Any other individuals whose Personal Data is included in Customer Data by or at the direction of Customer.
2. Categories of Personal Data
Customer may submit Personal Data to the Services, which may include, without limitation, the following categories of Personal Data, to the extent determined by Customer:
(a) Identification data (such as name, username, user ID);
(b) Contact information (such as business email address, telephone number, business address);
(c) Professional or employment-related information (such as job title, role, organization);
(d) Account, login, and authentication-related information;
(e) Usage, access, and interaction data generated through use of the Services; and
(f) Any other Personal Data that Customer chooses to submit to or generate through the Services.
3. Special Categories of Personal Data (If Applicable)
The Services are not designed for the Processing of special categories of Personal Data (as defined under applicable Data Protection Laws and Regulations), unless expressly agreed otherwise.
To the extent Customer chooses to submit special categories of Personal Data to the Services, Customer is solely responsible for ensuring that such Processing complies with applicable Data Protection Laws and Regulations.
Appropriate technical and organizational measures applicable to the Services are described in Appendix II (Technical and Organizational Measures) and related security documentation made available by ShareCRM.
4. Frequency of the Processing
The Processing of Personal Data is carried out on a continuous basis, depending on Customer’s configuration and use of the Services.
5. Nature of the Processing
The nature of the Processing includes the collection, recording, organization, structuring, storage, retrieval, use, transmission, synchronization, access, and deletion of Personal Data, as necessary to provide, operate, maintain, and support the Services in accordance with the Agreement.
6. Purpose(s) of the Processing
ShareCRM Processes Personal Data solely for the following purposes:
(a) providing, operating, maintaining, and supporting the Services;
(b) enabling user authentication, authorization, access control, and security verification;
(c) providing customer support, troubleshooting, and service communications; and
(d) complying with Customer’s documented instructions, the Agreement, the DPA and applicable Data Protection Laws and Regulations.
7. Duration of the Processing
Personal Data will be Processed for the duration of the Agreement, unless otherwise agreed in writing.
Following termination or expiration of the Agreement, Personal Data will be returned or deleted in accordance with Section 10 (Return and Deletion) of the DPA, subject to applicable law.
8. Sub-processor Processing
Where ShareCRM engages Sub-processors to Process Personal Data on behalf of Customer, such Sub-processors will Process Personal Data solely for the purposes of providing the Services in accordance with the Agreement and this DPA, and for the duration of the Agreement, unless otherwise agreed or required by applicable law.
9. Cross-Border Processing
Personal Data may be transferred to, stored in, or otherwise Processed in jurisdictions other than the jurisdiction in which Customer or the relevant Data Subjects are located, including in connection with global infrastructure, support operations, and security functions.
Any such transfers shall be carried out in accordance with Section 9 (International Data Transfers) of the DPA and applicable Data Protection Laws and Regulations.
To the extent that applicable Data Protection Laws and Regulations require disclosure of the identity, category, or location of overseas recipients of Personal Data, information regarding such recipients (including, where applicable, ShareCRM Affiliates, cloud infrastructure providers, or other authorized Sub-processors) is made available in ShareCRM’s Privacy Policy or other publicly accessible documentation referenced therein, as updated from time to time.
10. Technical and Organizational Measures
ShareCRM implements reasonable and appropriate technical and organizational measures to protect Personal Data, as described in Appendix II (Technical and Organizational Measures) and related security documentation applicable to the Services, as updated from time to time.
Appendix II: Technical and Organizational Measures
ShareCRM implements reasonable and appropriate technical and organizational measures designed to protect Personal Data Processed on behalf of Customer against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, taking into account the nature of the Processing, the state of the art, the costs of implementation, and the risks presented by the Processing.
The measures described in this Appendix II apply when ShareCRM Processes Personal Data as a data processor (or equivalent role) in connection with the provision of the Services.
The Parties acknowledge and agree that ShareCRM’s security measures may evolve over time to reflect changes in technology, risk environment, and industry practices, provided that such measures continue to meet the standard of reasonable security arrangements under applicable data protection laws.
1. Data Segregation and Data Protection Techniques
1.1 Tenant Isolation
ShareCRM employs logical, and where applicable physical, tenant isolation mechanisms designed to help ensure that Customer Data belonging to different customers remains logically separated and inaccessible to unauthorized parties. Such mechanisms may include tenant identifiers, access controls, and segregated database instances.
1.2 Encryption in Transit
ShareCRM uses industry-standard transport encryption protocols, such as TLS 1.2 or TLS 1.3, to encrypt Personal Data transmitted over public networks, helping to protect the confidentiality and integrity of data during transmission.
1.3 Encryption at Rest
Where appropriate and based on the nature of the data, ShareCRM applies encryption mechanisms to protect sensitive Personal Data stored in its systems. Core sensitive data fields may be encrypted at rest using strong cryptographic algorithms (such as AES-256), taking into account system architecture and security requirements.
1.4 Data Masking and De-identification
ShareCRM applies data masking or de-identification techniques, where appropriate, to limit the use of plaintext Personal Data outside of business-critical scenarios, thereby reducing exposure risks during non-production, testing, or support activities.
2. Identity and Access Management
2.1 Role-Based Access Control
ShareCRM applies the principle of least privilege and implements role-based access control (RBAC) mechanisms designed to ensure that access to Personal Data is limited to personnel whose job responsibilities require such access.
2.2 Multi-Factor Authentication
Multi-factor authentication (MFA) is enforced, where applicable, for administrative, operational, and management access to systems Processing Personal Data, to reduce the risk of unauthorized access resulting from compromised credentials.
3. Logging, Monitoring, and Auditing
3.1 Logging and Audit Controls
Processing activities involving Customer Data are subject to logging and audit controls designed to support security monitoring, incident detection, and compliance requirements.
Audit logs are protected against unauthorized modification and are retained for an appropriate period, including at least six (6) months or such other period as may be agreed with Customer or required under applicable law.
4. Vulnerability and Security Management
4.1 Security Monitoring and Threat Detection
ShareCRM implements security monitoring tools and controls designed to help detect and mitigate malicious activity, which may include intrusion detection systems (IDS), web application firewalls (WAF), and other monitoring mechanisms appropriate to the Services.
4.2 Vulnerability Assessment and Testing
Systems that Process Customer Data are subject to periodic vulnerability assessments and security testing designed to identify and remediate potential security risks, taking into account the criticality of the systems and the nature of the risks identified.
5. Organizational Measures
5.1 Internal Policies and Governance
ShareCRM has established and maintains internal policies and governance frameworks relating to the protection of Personal Data, including a Personal Information Security Management Policy and a Personal Information Processing Policy.
Such internal policies are designed to define roles and responsibilities, establish data handling standards, and support compliance with applicable Data Protection Laws and Regulations. These policies are reviewed and updated periodically, taking into account changes in regulatory requirements, business operations, and risk assessments.
5.2 Information Security Management
ShareCRM maintains an information security management program designed to support the confidentiality, integrity, and availability of Personal Data and to align with recognized industry standards and best practices.
5.3 Personnel Confidentiality and Training
Personnel authorized to Process Personal Data are subject to appropriate confidentiality obligations and receive security and privacy awareness training relevant to their roles.
6. Technical Support for Data Subject Rights
ShareCRM maintains technical processes and mechanisms designed to support Customer’s compliance with applicable Data Protection Laws and Regulations in relation to Data Subject rights, which may include functionalities enabling the export, correction, and deletion of Personal Data, to the extent required under applicable law and consistent with the functionality of the Services.
7. Certifications and Compliance
ShareCRM has obtained and maintains certifications and attestations aligned with recognized industry standards, which may include, as applicable:
(a) ISO/IEC 27001 (Information Security Management);
(b) ISO/IEC 27701 (Privacy Information Management);
(c) SOC 2 Type II; and
(d) applicable national network security level protection certifications, including China’s Multi-Level Protection Scheme (MLPS) Level III certification.
Such certifications and attestations are intended to demonstrate ShareCRM’s commitment to information security and privacy management and do not constitute a guarantee of compliance with all applicable legal requirements in all jurisdictions.
8. Continuous Improvement
ShareCRM reviews and updates its technical and organizational measures on an ongoing basis, taking into account changes in technology, threats, regulatory requirements, and the nature of the Services, with the objective of maintaining an appropriate level of security.
9. Security Inquiries
If Customer has questions or concerns regarding the security measures described in this Appendix II, Customer may contact ShareCRM at privacy@sharecrm.com.
Appendix III: Jurisdiction-Specific Requirements
1. EEA and UK
This Section 1 applies to the extent that the Processing of Personal Data under the DPA is subject to European Data Protection Law and supplements.
1.1 Additional Definitions
For the purposes of this Appendix III-1, the following definitions apply:
“Adequate Country” means:
(a) in respect of Personal Data subject to the GDPR, a member state of the European Economic Area or a country or territory recognized by the European Commission as ensuring an adequate level of protection under the GDPR;
(b) in respect of Personal Data subject to the UK GDPR, the United Kingdom or a country or territory recognized as providing an adequate level of protection under UK adequacy regulations;
in each case excluding mechanisms that are voluntary, transitional, or subject to revocation, unless expressly recognized as providing adequate protection under applicable European Data Protection Law.
“European Data Protection Law” means, as applicable:
(a) Regulation (EU) 2016/679 (GDPR);
(b) the GDPR as retained in UK law pursuant to the UK European Union (Withdrawal) Act 2018 (UK GDPR), together with the Data Protection Act 2018; and
(c) any binding guidance or decisions issued by a competent supervisory authority.
“Member State” means a member state of the European Union, and, where relevant, includes the United Kingdom to the extent applicable under UK data protection law.
“Restricted Transfer” means a transfer of Personal Data to a country or territory that is not an Adequate Country and is subject to Chapter V of the GDPR or UK GDPR.
“SCCs” means the standard contractual clauses adopted pursuant to Commission Decision (EU) 2021/914, as applicable, including:
Module 2 (Controller-to-Processor);
Module 3 (Processor-to-Processor); and/or
Module 4 (Processor-to-Controller),
in each case depending on the roles of the Parties and the nature of the relevant transfer.
“Alternative Transfer Solution” means a lawful transfer mechanism, other than the SCCs, that enables the transfer of Personal Data to a third country in accordance with European Data Protection Law, including adequacy decisions, binding corporate rules, approved codes of conduct, or approved certification mechanisms, where applicable.
1.2 Processing Instructions and Notification
ShareCRM shall Process Personal Data only on Customer’s documented instructions, unless ShareCRM is required to do so by applicable Union or Member State law to which it is subject. In such case, ShareCRM shall inform Customer of that legal requirement before Processing, unless such law prohibits such notification on important grounds of public interest.
Without prejudice to ShareCRM’s obligations under the DPA, ShareCRM shall notify Customer without undue delay if, in ShareCRM’s reasonable opinion and to the extent permitted by law:
(a) an instruction from Customer infringes European Data Protection Law;
(b) ShareCRM is legally required to Process Personal Data in a manner that is inconsistent with Customer’s instructions; or
(c) ShareCRM is otherwise unable to comply with an instruction under European Data Protection Law.
Where Customer acts as a processor on behalf of a third-party controller, Customer shall promptly forward any such notification to the relevant controller.
Any person acting under the authority of ShareCRM who has access to Personal Data shall Process such Personal Data only in accordance with such documented instructions, unless required to do so by applicable Union or Member State law.
1.3 Sub-processing
Customer grants ShareCRM a general written authorization to engage Sub-processors in accordance with Article 28(2) of the GDPR and UK GDPR.
Information regarding ShareCRM’s current Sub-processors is made available in accordance with Section 8.3 (Transparency and Sub-processor Information) of this DPA, which provides for disclosure via ShareCRM’s publicly accessible Sub-processor List, as updated from time to time.
Customer acknowledges that such disclosure satisfies ShareCRM’s obligation to inform Customer of existing Sub-processors for the purposes of applicable Data Protection Laws and Regulations, including Article 28(2) of the GDPR and UK GDPR.
ShareCRM shall inform Customer of any intended changes concerning the addition or replacement of Sub-processors in accordance with the DPA and provide Customer with an opportunity to object where required under applicable law.
Where Customer acts as a processor on behalf of a third-party controller, Customer represents and warrants that it has obtained all necessary authorizations from such controller for the engagement of ShareCRM and its Sub-processors in accordance with this DPA.
Customer shall promptly forward to the relevant controller any information provided by ShareCRM under this Section 8, including information relating to existing or newly appointed Sub-processors.
ShareCRM shall remain responsible for the performance of its Sub-processors’ obligations in accordance with Article 28(4) of the GDPR and UK GDPR.
1.4 Assistance with Data Subject Rights
Taking into account the nature of the Processing, ShareCRM shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR and UK GDPR.
1.5 Personal Data Breach Notification
ShareCRM shall notify Customer without undue delay after becoming aware of a Personal Data Breach, in accordance with Article 33(2) of the GDPR and UK GDPR.
Such notification shall include the information required under applicable law to the extent reasonably available to ShareCRM at the time.
1.6 Data Protection Impact Assessments and Prior Consultation
ShareCRM shall provide reasonable assistance to Customer in carrying out data protection impact assessments under Article 35 of the GDPR and UK GDPR, and, where required, prior consultations with Supervisory Authorities under Article 36, taking into account the nature of the Processing and the information available to ShareCRM.
1.7 Return and Deletion
Upon termination or expiration of the Agreement, and at the choice of Customer, ShareCRM shall delete or return all Personal Data Processed on behalf of Customer after the end of the provision of the Services, and shall delete existing copies, in each case in accordance with Article 28(3)(g) of the GDPR and the UK GDPR and Section 10 of the DPA, unless Union law or applicable UK law requires storage of such Personal Data.
1.8 Audits and Demonstration of Compliance
ShareCRM shall, to the extent required under applicable European Data Protection Law, make available to Customer all information reasonably necessary to demonstrate compliance with its obligations as a processor under Article 28 of the GDPR and the UK GDPR, and shall allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, in each case subject to the conditions and limitations set out in Section 11 (Audit and Compliance) of the DPA.
1.9 International Transfers of Personal Data
(a) Transfers to Adequate Countries
Where Personal Data is transferred to or Processed in an Adequate Country, no additional transfer mechanism is required under European Data Protection Law.
(b) Restricted Transfers and Applicable Transfer Mechanisms
Where a Restricted Transfer occurs, ShareCRM shall ensure that such transfer is subject to appropriate safeguards in accordance with European Data Protection Law.
The applicable SCC module shall be determined based on the roles of the Parties in the relevant transfer, including:
(i) SCC Module 2 (Controller-to-Processor), where Customer acts as a controller and ShareCRM acts as a processor;
(ii) SCC Module 3 (Processor-to-Processor), where Customer and ShareCRM each act as processors; or
(iii) SCC Module 4 (Processor-to-Controller), where ShareCRM acts as a processor transferring Personal Data to Customer acting as a controller.
Where applicable, the SCCs are incorporated by reference into the DPA, and the relevant Annexes shall be deemed completed using Appendix I (Processing Details) and Appendix II (Technical and Organizational Measures).
1.10 Transfers Involving Sub-processors
Where ShareCRM engages a Sub-processor located in a third country that is not an Adequate Country, ShareCRM shall ensure that an appropriate transfer mechanism is in place, including Processor-to-Processor SCCs or other lawful safeguards as required under European Data Protection Law.
1.11 Authentication and Access Management Data
Customer acknowledges that, for the purposes of identity verification, access control, and security monitoring, limited Personal Data relating to authorized users (including account identifiers, authentication credentials, login metadata, IP address, and device information) may be transmitted to and Processed in the People’s Republic of China.
Such Processing is limited in scope, subject to appropriate technical and organizational measures, and carried out in accordance with applicable transfer mechanisms under European Data Protection Law, including the SCCs where required.
2. United States
2.1 Additional Definitions
For the purposes of this Appendix III-2, the following definitions apply:
“CCPA” means the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020 (“CPRA”), together with any implementing regulations, as may be amended from time to time.
“California Privacy Laws” means the CCPA and any other California laws or regulations governing the processing of personal information.
“U.S. State Privacy Laws” means, collectively, the California Privacy Laws and any other applicable U.S. state data protection or privacy laws (including, where applicable, the Virginia Consumer Data Protection Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, and similar laws), in each case to the extent applicable to the Processing of Personal Data under the Agreement.
“Customer Personal Data” includes “personal information” as defined under the CCPA.
The terms “business”, “business purpose”, “consumer”, “personal information”, “processing”, “sell”, “sale”, “share”, “service provider”, and “contractor” shall have the meanings given under the CCPA, as applicable.
For purposes of the California Privacy Laws, ShareCRM acts as a “service provider” and/or “contractor” (as applicable) with respect to Customer Personal Data.
2.2 California-Specific Use Restrictions
Without prejudice to ShareCRM’s obligations under the DPA, and to the extent required under applicable California Privacy Laws, ShareCRM shall not, unless otherwise permitted by such laws:
(a) Sell or Share Customer Personal Data;
(b) Retain, use, or disclose Customer Personal Data:
(i) other than for a business purpose under the CCPA, on behalf of Customer and solely to perform the Services in accordance with the Agreement; or
(ii) outside of the direct business relationship between Customer and ShareCRM; and
(c) Combine Customer Personal Data received from or on behalf of Customer with personal information obtained from another source or from ShareCRM’s own interactions with consumers, except to the extent expressly permitted under the California Privacy Laws.
2.3 Extension to Other U.S. State Privacy Laws
To the extent Customer Personal Data is subject to other applicable U.S. State Privacy Laws, ShareCRM shall, to the extent required under such laws and in its capacity as a processor or service provider:
(a) Process such Personal Data solely on behalf of Customer and in accordance with Customer’s instructions as reflected in the Agreement, this DPA, and Customer’s use of the Services;
(b) Implement reasonable and appropriate technical and organizational measures designed to provide a level of privacy protection required under such applicable U.S. State Privacy Laws; and
(c) Refrain from Processing activities that, to the extent within ShareCRM’s reasonable control, would be inconsistent with Customer’s obligations under such applicable U.S. State Privacy Laws.
2.4 Compliance Notification
Without prejudice to any other rights or obligations of either Party under the Agreement, ShareCRM shall notify Customer without undue delay if, in ShareCRM’s reasonable opinion, ShareCRM is unable to comply with its obligations under the California Privacy Laws or other applicable U.S. State Privacy Laws with respect to the Processing of Customer Personal Data, unless such notification is prohibited by applicable law.
2.5 Customer Oversight and Remediation Rights
Where required by applicable California Privacy Laws or other U.S. State Privacy Laws, and upon reasonable written request or notice:
(a) Customer may take reasonable and appropriate steps to ensure that ShareCRM Processes Customer Personal Data in a manner consistent with Customer’s obligations under such laws;
(b) Where Customer reasonably believes that ShareCRM is Processing Customer Personal Data in violation of applicable U.S. Privacy Laws, Customer may take reasonable and appropriate steps to stop and remediate such unauthorized Processing; and
(c) ShareCRM shall make available to Customer information reasonably necessary to demonstrate ShareCRM’s compliance with this Appendix III-2, subject to reasonable confidentiality, security, and proportionality limitations.
2.6 Consumer Rights Assistance
To the extent required under applicable California Privacy Laws or other U.S. State Privacy Laws:
(a) ShareCRM shall cooperate with Customer in responding to verified consumer requests, including requests to access, delete, or correct Personal Data, in accordance with Customer’s documented instructions;
(b) ShareCRM shall not be required to respond directly to a consumer request submitted to ShareCRM, except where required by applicable law, and shall instead refer such requests to Customer; and
(c) Upon Customer’s instruction, ShareCRM shall delete, or enable Customer to delete, Customer Personal Data, and shall notify its own service providers or contractors to delete such data, unless deletion is not required or permitted under applicable U.S. Privacy Laws.
2.7 Sub-processors
Where ShareCRM engages a Sub-processor to assist in Processing Customer Personal Data for a business purpose on behalf of Customer:
(a) information regarding such Sub-processor is made available to Customer through ShareCRM’s publicly accessible Sub-processor list referenced in the main body of the DPA; and
(b) such engagement shall be governed by a written agreement imposing data protection obligations on the Sub-processor that are no less protective than those set out in this Appendix III-2, as required under the California Privacy Laws.
2.8 Level of Privacy Protection
Taking into account the context of the Processing, ShareCRM shall implement appropriate technical and organizational measures designed to provide a level of privacy and security protection required under applicable California Privacy Laws and other U.S. State Privacy Laws.
3. Japan
3.1 Additional Definitions
For the purposes of this Appendix III-3, the following definitions apply:
“APPI” means the Act on the Protection of Personal Information (Act No. 57 of 2003), as amended from time to time.
“Identifiable Individual” means a specific natural person who can be identified by Personal Information, as defined under the APPI.
“Personal Information” has the meaning given under Article 2(1) of the APPI.
“Personal Data” has the meaning given under Article 16(3) of the APPI.
“PIPC” means the Personal Information Protection Commission of Japan.
3.2 Purpose Limitation and Scope of Processing
In the provision of the Services, ShareCRM processes Personal Data on behalf of Customer. ShareCRM shall process such Personal Data solely to the extent necessary to perform the Services and in accordance with Customer’s documented instructions. Customer is responsible for ensuring that the “Purpose of Use” has been properly notified or published to Data Subjects pursuant to the APPI.
ShareCRM shall not use or otherwise Process such Personal Data beyond the agreed scope, except to the extent such Processing is required or permitted under applicable Japanese law.
Nothing in this Section shall restrict ShareCRM from Processing Personal Data where such Processing is permitted under the APPI, including for compliance with legal obligations, protection of life, body or property, promotion of public interests, cooperation with government authorities, or academic research, as applicable.
3.3 Entrustment and No Third-Party Provision
The Parties acknowledge that the provision of Services constitutes the “Entrustment” of the handling of Personal Data pursuant to Article 25 of the APPI, and does not constitute a “Third-Party Provision” requiring the consent of the Data Subject. ShareCRM acts as a trustee on behalf of Customer.
3.4 Security Control Measures and Supervision
(a) Security Control Measures
ShareCRM shall implement necessary and appropriate security control measures for the handling of Personal Data, including measures to prevent unauthorized access, leakage, loss, or damage, in accordance with the APPI and relevant guidelines issued by the PIPC.
(b) Supervision and Verification
To enable Customer to satisfy its statutory duty of supervision under the APPI, the Parties agree to the following verification framework:
(i) Upon Customer’s written request, ShareCRM shall make available third-party security certifications or independent audit reports reasonably relevant to the Services (such as a SOC 2 Type II report).
(ii) Only where Customer can reasonably demonstrate that such materials are objectively insufficient for APPI compliance verification, Customer may request additional information or, as a last resort, an on-site inspection. Any such additional verification shall:
A. be conducted at Customer’s expense;
B. be subject to reasonable advance notice and mutual scheduling; and
C. comply with ShareCRM’s applicable security policies and the conditions and limitations set out in Section 11 (Audit and Compliance) of the DPA.
3.5 Supervision of Sub-processors
ShareCRM is authorized to engage Sub-processors (Re-entrustment) to perform the Services. Where ShareCRM engages Sub-processors to Process Personal Data subject to the APPI, ShareCRM shall:
(a) exercise necessary and appropriate supervision over such Sub-processors; and
(b) ensure that such Sub-processors are subject to contractual obligations consistent with this DPA and this Appendix III-3.
3.6 Cross-Border Transfers from Japan
Where Personal Data subject to the APPI is transferred from Japan to a foreign country in connection with the provision of the Services:
(a) such transfer shall be carried out in accordance with Customer’s documented instructions; and
(b) ShareCRM shall implement appropriate safeguards required under applicable Japanese law, including contractual or other measures, to ensure a level of protection equivalent to that required under the APPI, to the extent applicable to ShareCRM in its capacity as a trustee processing Personal Data on behalf of Customer.
Nothing in this Appendix III-3 shall be construed as requiring ShareCRM to independently obtain the consent of any identifiable individual, except where such obligation is expressly imposed on ShareCRM under applicable Japanese law or Customer’s documented instructions.
3.7 Data Breach Notification Assistance
To the extent required under the APPI, ShareCRM shall notify Customer without undue delay upon becoming aware of any leakage, loss, or damage of Personal Data subject to the APPI, and shall provide reasonable assistance to Customer in complying with its notification obligations to regulators and affected individuals.
3.8 Data Subject Rights Assistance
Taking into account the nature of the Processing, ShareCRM shall provide reasonable assistance to Customer, insofar as practicable and legally permitted, to enable Customer to respond to requests from individuals relating to disclosure, correction, deletion, or suspension of use of Personal Data under the APPI.
4. Republic of Korea
4.1 Additional Definitions
For the purposes of this Appendix III-4, the following definitions apply:
“PIPA” means the Korean Personal Information Protection Act, as amended from time to time.
“Personal Information Controller” means a person who determines the purposes and means of processing Personal Information under the PIPA.
“Person Entrusted” (or “Entrusted Processor”) means a third party that processes Personal Information on behalf of a Personal Information Controller pursuant to Article 26 of the PIPA.
“Entrusted Processing” means the processing of Personal Information entrusted by a Personal Information Controller to a Person Entrusted under Article 26 of the PIPA.
“Cross-Border Transfer” has the meaning set out in Article 28-8 of the PIPA, and includes cross-border provision, entrusted processing, or storage of Personal Information.
4.2 Purpose Limitation and Scope of Entrusted Processing
ShareCRM processes Personal Information solely on behalf of Customer and only within the scope of the entrusted work and for the purpose of providing the Services, in accordance with Customer’s documented instructions.
Where Customer acts as a person entrusted under Article 26 of the PIPA, references in this Appendix to a “Personal Information Controller” shall be construed mutatis mutandis as references to a “Person Entrusted”, to the extent applicable.
ShareCRM shall not process Personal Information for any purpose other than the entrusted work, nor use or disclose such Personal Information beyond the entrusted scope, except where required or permitted under applicable Korean law.
4.3 Assistance with Supervision Obligations
To support Customer’s supervision obligations under Article 26(4) of the PIPA, ShareCRM shall make available, upon reasonable request, information reasonably necessary to demonstrate that it processes Personal Information safely and in accordance with the entrusted scope.
The provision of such information shall ordinarily satisfy Customer’s supervision obligations, unless otherwise required by applicable law.
4.4 Sub-Entrustment
Customer hereby grants ShareCRM its prior written consent to re-entrust the processing of entrusted Personal Information to Sub-processors, as identified in ShareCRM’s Sub-processor list made available in the main body of this DPA, for the Processing of Personal Data in accordance with this DPA.
Where re-entrustment is approved, ShareCRM shall ensure that the sub-entrusted party is bound by written obligations no less protective than those applicable to ShareCRM under this DPA and the PIPA.
4.5 Cross-Border Transfers from Korea
Where Personal Information subject to the PIPA is transferred outside the Republic of Korea in connection with the provision of the Services:
(a) such transfer shall be carried out solely in accordance with Customer’s documented instructions, including Customer’s determination of the applicable legal basis and requirements under Article 28-8 of the PIPA; and
(b) ShareCRM shall, to the extent applicable to it as a Person Entrusted, implement reasonable protective measures required under applicable law, including contractual, technical, and organizational measures, to support such transfer.
Nothing in this Section shall be construed as requiring ShareCRM to independently determine the applicability of Article 28-8 of the PIPA or to obtain data subject consent, except where expressly required by applicable law.
4.6 Disclosure to Data Subjects
Customer acknowledges that, under Articles 26 and 28-8 of the PIPA, disclosure obligations toward data subjects (including disclosure of entrusted processing and cross-border transfers) rest primarily with the Personal Information Controller.
ShareCRM shall reasonably cooperate with Customer by providing information necessary for Customer to meet such obligations.
5. Singapore
5.1 Additional Definitions
For this Appendix III-5, the following definitions apply:
“PDPA” means the Personal Data Protection Act 2012 of Singapore, as amended from time to time.
“Customer Personal Data” means Personal Data Processed by ShareCRM on behalf of Customer in connection with the Services.
“Personal Data” has the meaning given under Section 2(1) of the PDPA.
“Data Intermediary” means an organization that Processes Personal Data on behalf of another organization and for the purposes of that organization, within the meaning of Section 2(1) and Section 4(2) of the PDPA.
5.2 Compliance with PDPA
To the extent applicable under the PDPA, ShareCRM shall comply with the obligations imposed on data intermediaries.
5.3 Process, Use and Disclosure
ShareCRM shall only process, use or disclose Customer Personal Data:
(a) strictly for the purposes of fulfilling its obligations and providing the Services required under the Agreement;
(b) with the Customer’s prior written consent; or
(c) when required by law or an order of court, but shall notify the Customer as soon as practicable before complying with such law or order of court at its own costs.
5.4 Transfer of Personal Data outside Singapore
Customer acknowledges that, as part of the normal operation of the Services, limited categories of Customer Personal Data may be transferred outside Singapore, including to jurisdictions where ShareCRM or its Affiliates maintain operational or support functions, in accordance with the Agreement and Customer’s documented instructions.
ShareCRM shall take reasonable steps, to the extent required under the PDPA and applicable guidelines issued by the Personal Data Protection Commission of Singapore, to ensure that Customer Personal Data transferred outside Singapore is subject to a standard of protection that is comparable to that under the PDPA.
Where such transfers involve third parties outside Singapore, ShareCRM shall take commercially reasonable measures to ensure that such third parties are subject to appropriate contractual or other legally binding obligations relating to the protection of Customer Personal Data, as required under applicable law.
5.5 Security Measures
ShareCRM shall, taking into account the nature of the Services, the scope of the Processing, and the Personal Data under its control, implement reasonable and appropriate technical and organizational security measures designed to protect Customer Personal Data against reasonably foreseeable risks, including unauthorized or unlawful access, use, disclosure, alteration, loss, or destruction.
For the avoidance of doubt, “reasonable and appropriate security measures” do not require ShareCRM to guarantee absolute security or to prevent all possible incidents.
5.6 Data Breach Notification
Where ShareCRM becomes aware of a data breach involving Customer Personal Data that it Processes on behalf of Customer, ShareCRM shall notify Customer without undue delay, to enable Customer to comply with its obligations under Sections 26C and 26D of the PDPA.
5.7 Assistance and Cooperation
Upon reasonable request, ShareCRM shall provide Customer with information reasonably necessary to assist Customer in demonstrating compliance with the PDPA, including information relating to ShareCRM’s security measures.
Nothing in this Appendix shall require ShareCRM to take actions beyond those required of a Data Intermediary under the PDPA.
6. Thailand
6.1 Additional Definitions
For this Appendix III-6, the following definitions apply:
“PDPA” means the Personal Data Protection Act B.E. 2562 (2019) of Thailand, as amended from time to time.
“Data Controller” has the meaning given under Section 6 of the PDPA.
“Data Processor” means a person who processes Personal Data on behalf of a Data Controller under the PDPA.
“Personal Data” has the meaning given under Section 6 of the PDPA.
“Sensitive Personal Data” has the meaning given under Section 26 of the PDPA.
6.2 Processing in Accordance with Instructions
ShareCRM shall collect, use, or disclose Personal Data solely in accordance with the documented instructions of Customer, unless such instructions are contrary to applicable law or the provisions on personal data protection under the PDPA.
6.3 Security Measures and Breach Notification
ShareCRM shall implement appropriate security measures to prevent unauthorized or unlawful loss, access to, use, alteration, correction, or disclosure of Personal Data.
Where a Personal Data Breach occurs in relation to Personal Data Processed on behalf of Customer, ShareCRM shall notify Customer, to the extent required under applicable law.
6.4 Records of Processing Activities
ShareCRM shall prepare and maintain records of Personal Data Processing activities to the extent required under the PDPA and applicable rules issued by the Personal Data Protection Committee.
Where ShareCRM qualifies as a small organization under applicable regulations, this obligation shall apply only where required by law, including where the Processing presents risks to the rights and freedoms of Data Subjects or involves Sensitive Personal Data.
6.5 Cross-Border Transfers from Thailand
To the extent ShareCRM Processes Personal Data subject to the PDPA and such Personal Data is transferred outside the Kingdom of Thailand in connection with the provision of the Services, ShareCRM shall:
(a) Process such Personal Data solely in accordance with Customer’s documented instructions and within the scope of the Services; and
(b) implement reasonable contractual, technical, and organizational measures required under applicable law, to support the protection of Personal Data in connection with such cross-border transfer, to the extent applicable to ShareCRM in its capacity as a Data Processor.
7. Malaysia
7.1 Additional Definitions
For this Appendix III-7, the following definitions apply:
“PDPA” means the Malaysian Personal Data Protection Act 2010 and its subsidiary legislation, rules, and guidelines as may be amended from time to time.
“Personal Data” has the meaning given under Section 4 of the PDPA.
“Data Controller” means the person who determines the purposes and means of the Processing of Personal Data, and includes, where applicable, the term “data user” under the PDPA.
“Data Processor” means a person who Processes Personal Data on behalf of a Data Controller, and includes ShareCRM when Processing Personal Data in accordance with the Agreement and this DPA.
7.2 Security Measures
To the extent required under the PDPA (as amended) and applicable subsidiary legislation, and as directly applicable to data processors with effect from 1 April 2025, ShareCRM shall:
(a) implement reasonable and practical technical and organizational security measures, having regard to the nature of the Personal Data processed, the manner and location of Processing, and the risks involved; and
(b) take reasonable steps to maintain and apply such measures while the Personal Data remains under ShareCRM’s control or possession.
The Parties acknowledge that the specific security measures implemented by ShareCRM are further described in Appendix II (Technical and Organizational Measures) and may be updated from time to time, provided that such updates do not materially reduce the overall level of protection.
7.3 Assistance and Cooperation
To the extent required under applicable Malaysian law, ShareCRM shall provide reasonable assistance to Customer to enable Customer to comply with its obligations under the PDPA, including by making available information reasonably necessary to demonstrate compliance with applicable security requirements.
Nothing in this Appendix shall require ShareCRM to disclose confidential information, trade secrets, or information that would compromise the security of its systems.
7.4 Cross-Border Transfers from Malaysia
Where Personal Data subject to the PDPA is transferred outside Malaysia in connection with the provision of the Services:
(a) such transfer shall be carried out in accordance with Customer’s documented instructions and applicable PDPA requirements; and
(b) ShareCRM shall implement reasonable safeguards, including contractual and organizational measures, to ensure that Personal Data continues to be protected at a standard at least comparable to that required under the PDPA, to the extent applicable to ShareCRM as a Data Processor.
The Parties acknowledge that compliance with Section 129 of the PDPA (cross-border transfers) is primarily the responsibility of the Data Controller, and nothing in this Appendix shall require ShareCRM to independently assess adequacy determinations, obtain data subject consent, or conduct transfer impact assessments, except to the extent required by applicable law and Customer’s instructions.
7.5 Data Breach and Incident Response
To the extent required under applicable Malaysian law, ShareCRM shall notify Customer without undue delay upon becoming aware of a Personal Data breach affecting Personal Data Processed on behalf of Customer, and shall provide reasonable information available to ShareCRM to support Customer’s compliance obligations.
8. Indonesia
8.1 Additional Definitions
For this Appendix III-8, the following definitions apply:
“Failure of Personal Data Protection” means failure to protect a person’s Personal Data in terms of confidentiality, integrity, and availability, including a security breach, whether intentional or unintentional, leading to destruction, loss, alteration, disclosure, or unauthorized access to Personal Data sent, stored or processed.
“PDP Law” means Law No. 27 of 2022 on Personal Data Protection of the Republic of Indonesia.
“Personal Data” means any data relating to an identified or identifiable natural person, either independently or in combination with other information, directly or indirectly, through an electronic or non-electronic system, as defined under Article 1(1) of the PDP Law.
“Personal Data Controller” means a party that determines the purposes and controls the processing of Personal Data.
“Personal Data Processor” means a party that processes Personal Data on behalf of the Personal Data Controller.
8.2 Processing on Instructions
ShareCRM shall Process Personal Data:
(a) solely for the purpose of providing the Services; and
(b) strictly in accordance with the Customer’s documented instructions and stated objectives,
unless otherwise required by applicable law.
Where ShareCRM becomes aware that any instruction violates the PDP Law, ShareCRM shall notify the Customer to the extent permitted by applicable law.
8.3 Security Measures
To the extent applicable to ShareCRM as a Personal Data Processor under the PDP Law, ShareCRM shall implement and maintain appropriate technical and operational security measures to protect Personal Data under its control or possession, including measures designed to:
(a) prevent unauthorized access to Personal Data; and
(b) prevent disruption, misuse, alteration, loss, disclosure, or destruction of Personal Data arising from Processing activities that are contrary to applicable laws and regulations,
taking into account the nature of the Personal Data and the risks associated with the Processing.
Such security measures shall include the use of reliable, secure, and responsible electronic systems where Personal Data is processed electronically, and shall be maintained throughout the period during which the Personal Data is Processed by ShareCRM.
8.4 Assistance to Customer
To the extent applicable and reasonable, ShareCRM shall assist Customer in fulfilling its obligations under the PDP Law, including with respect to:
(a) responding to data subject rights requests; and
(b) demonstrating compliance with applicable data protection obligations,
taking into account the nature of the processing and the information available to ShareCRM.
8.5 Failure of Personal Data Protection Notification
Where ShareCRM becomes aware of a Failure of Personal Data Protection, ShareCRM shall notify Customer without undue delay and shall provide such information as is reasonably available to ShareCRM to enable Customer to comply with its notification obligations under the PDP Law.
8.6 Sub-processing
Customer hereby grants ShareCRM its prior approval to engage Sub-processors to Process Customer Personal Data, as disclosed in the Sub-processor list referenced in the main body of this DPA, where applicable.
8.7 Cross-Border Transfer of Personal Data
Where Personal Data subject to the PDP Law is transferred outside Indonesia in connection with the provision of the Services:
(a) such transfer shall be carried out in accordance with Customer’s instructions; and
(b) ShareCRM shall implement appropriate safeguards required under the PDP Law, including contractual or organizational measures, to the extent applicable to ShareCRM as a Personal Data Processor.
Nothing in this Appendix shall require ShareCRM to independently obtain data subject consent unless required by applicable law.
9. Vietnam
9.1 Additional Definitions
For this Appendix III-9, the following definitions apply:
“PDPL” means the Law on Personal Data Protection adopted by the National Assembly of Vietnam on 26 June 2025, which comes into force on 1 January 2026, as amended, supplemented, or replaced from time to time, together with any implementing decrees, circulars, or guidance issued thereunder.
“Personal Data” means data in digital or other formats that identifies or helps identify a specific individual, as defined under Article 2 of the PDPL.
“Personal Data Controller” and “Personal Data Processor” shall have the meanings assigned to them under Article 2 of the PDPL.
9.2 Processing on Instructions
ShareCRM shall Process Personal Data:
(a) solely for the purpose of providing the Services; and
(b) strictly in accordance with Customer’s documented instructions and the agreed scope of Processing,
unless otherwise required by applicable Vietnamese law.
Where ShareCRM becomes aware that an instruction would result in non-compliance with the PDPL, ShareCRM shall notify Customer to the extent permitted by law.
9.3 Security Measures
To the extent applicable to ShareCRM as a Personal Data Processor under the PDPL, ShareCRM shall implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, loss, or other unlawful Processing, taking into account:
(a) the nature of the Personal Data; and
(b) the risks arising from the Processing activities.
The specific measures implemented by ShareCRM are described in Appendix II (Technical and Organizational Measures) and may evolve over time, provided that the overall level of protection is not materially reduced.
9.4 Personal Data Breach Notification
Where ShareCRM becomes aware of a Personal Data breach affecting Personal Data Processed on behalf of Customer, ShareCRM shall notify Customer without undue delay and provide reasonably available information to assist Customer in complying with its notification and remediation obligations under the PDPL.
9.5 Cross-Border Transfer of Personal Data
Where Personal Data subject to the PDPL is transferred outside Vietnam in connection with the provision of the Services:
(a) such transfer shall be carried out in accordance with Customer’s instructions and applicable PDPL requirements; and
(b) ShareCRM shall apply appropriate safeguards required under applicable law, to the extent such requirements apply to ShareCRM in its capacity as a Personal Data Processor.
Customer remains responsible for determining the legal basis for any cross-border transfer, including consent or other lawful grounds under the PDPL.
9.6 Data Protection Impact Assessments
ShareCRM shall provide reasonable cooperation, upon Customer’s request and to the extent legally required, to assist Customer in preparing or updating any personal data processing impact assessment or cross-border data transfer impact assessment required under the PDPL.
Nothing in this Appendix III-9 shall be construed as requiring ShareCRM to independently prepare, submit, or file such assessments, unless expressly required under applicable law.
10. Philippines
10.1 Additional Definitions
For this Appendix III-10, the following definitions apply:
“Philippines Data Protection Law” means Republic Act No. 10173 (Data Privacy Act of 2012), together with its Implementing Rules and Regulations (IRR), and all circulars, advisories, and issuances of the National Privacy Commission (“NPC”), as amended or replaced from time to time.
“Personal Information” and “Sensitive Personal Information” have the meanings given under the Philippines Data Protection Law.
“Personal Information Controller” or “PIC” and “Personal Information Processor” or “PIP” have the meanings assigned under the Philippines Data Protection Law.
10.2 Scope and Instructions
ShareCRM shall Process Personal Information only upon Customer’s documented instructions, including with respect to the purpose, scope, and duration of Processing, unless otherwise required by applicable law.
Where ShareCRM reasonably believes that an instruction infringes the Philippines Data Protection Law or its IRR, ShareCRM shall inform Customer to the extent permitted by law.
10.3 Security Measures
To the extent applicable to ShareCRM as a Personal Information Processor under the Philippines Data Protection Law, ShareCRM shall implement reasonable and appropriate organizational, physical, and technical security measures to protect Personal Information under its control.
Such security measures shall be designed to maintain the confidentiality, integrity, and availability of Personal Information, and to protect it against accidental or unlawful destruction, alteration, disclosure, unauthorized access, or other unlawful processing, taking into account the nature of the Personal Information and the risks involved in the Processing.
ShareCRM shall take reasonable steps to ensure that any personnel authorized to Process Personal Information do so only in accordance with Customer’s documented instructions or as required by applicable law, and are subject to appropriate confidentiality obligations.
The Parties acknowledge that the specific security measures implemented by ShareCRM are further described in Appendix II (Technical and Organizational Measures) and may be reviewed and updated from time to time in line with industry-recognized standards, provided that the overall level of protection is not materially reduced.
10.4 Assistance to Customer
Taking into account the nature of the Processing and the information available to ShareCRM, ShareCRM shall provide reasonable assistance to Customer, by appropriate technical and organizational measures, to enable Customer to comply with its obligations under the Philippines Data Protection Law, including in relation to:
(a) responding to Data Subject rights requests; and
(b) demonstrating compliance to the National Privacy Commission.
11. India
11.1 Additional Definitions
For this Appendix III-11, the following definitions apply:
“DPDP Act” means the Digital Personal Data Protection Act, 2023 (India).
“DPDP Rules 2025” means the Digital Personal Data Protection Rules, 2025, as notified by the Government of India and as amended from time to time.
“Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of Personal Data, as defined under the DPDP Act.
“Data Principal” means the individual to whom the Personal Data relates and where such individual is:
(a) a child, includes the parents or lawful guardian of such a child;
(b) a person with disability, includes her lawful guardian, acting on her behalf.
“Data Processor” means any person who Processes Personal Data on behalf of a Data Fiduciary.
“Personal Data” means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act.
11.2 Processing on Documented Instructions
ShareCRM shall Process Personal Data only in accordance with Customer’s documented instructions and solely for the purposes of providing the Services, unless otherwise required by applicable law.
Where ShareCRM becomes aware that an instruction is inconsistent with the DPDP Act, ShareCRM shall notify Customer to the extent permitted by law.
11.3 Security Safeguards
To support Customer’s obligation under the DPDP Act to protect Personal Data, ShareCRM shall implement reasonable technical and organizational security safeguards with respect to Personal Data in its possession or control, as appropriate to the nature of the processing and the risks involved.
The Parties acknowledge that such safeguards are implemented by ShareCRM as a Data Processor under Customer’s authority and form part of Customer’s overall compliance with its statutory security obligations.
11.4 Personal Data Breach Assistance
Where ShareCRM becomes aware of a Personal Data breach relating to Personal Data Processed on behalf of Customer, ShareCRM shall notify Customer without undue delay and provide reasonable information available to assist Customer in complying with its notification obligations under the DPDP Act.
Nothing in this Section shall be construed as requiring ShareCRM to independently notify the Data Protection Board of India or data principals, except where expressly required by applicable law.
11.5 Cross-Border Transfers
ShareCRM shall not transfer Personal Data to any country restricted or prohibited under applicable Indian law, except in accordance with Customer’s documented instructions and applicable legal requirements.
The Parties acknowledge that any determination regarding permitted or restricted jurisdictions under the DPDP Act remains the responsibility of Customer as the Data Fiduciary.
12. Turkey
12.1 Additional Definitions
For this Appendix III-12, the following definitions apply:
“KVKK” means the Turkish Law on the Protection of Personal Data No. 6698 dated 7 April 2016, together with its secondary legislation and guidance issued by the Turkish Personal Data Protection Authority.
“Turkish Personal Data” means Personal Data subject to the KVKK.
“Data Controller” and “Data Processor” shall have the meanings given under the KVKK, and shall be interpreted in accordance with the roles of the Parties in the relevant Processing.
12.2 Processing on Instructions
ShareCRM shall Process Turkish Personal Data solely on behalf of Customer and strictly in accordance with Customer’s documented instructions and for the purpose of providing the Services, unless otherwise required by applicable law.
Where ShareCRM becomes aware that an instruction would result in Processing that is unlawful under the KVKK, ShareCRM shall notify Customer to the extent permitted by law.
12.3 Security Measures
ShareCRM shall implement reasonable technical and organizational measures appropriate to the nature of the Turkish Personal Data and the risks of Processing, in order to protect such data against unlawful access, disclosure, alteration, loss, or damage.
The Parties acknowledge that the specific security measures implemented by ShareCRM are described in Appendix II (Technical and Organizational Measures) and may evolve over time, provided that the overall level of protection is not materially reduced.
12.4 International Transfers of Turkish Personal Data
Turkish Personal Data may be transferred outside Türkiye in connection with the provision of the Services, subject to the KVKK and Customer’s instructions.
The Parties acknowledge that the assessment of the adequacy of transfer safeguards and any required regulatory filings or approvals remain the responsibility of Customer as the Data Controller.
13. United Arab Emirates (UAE)
13.1 Additional Definitions
For this Appendix III-13, the following definitions apply:
“UAE Data Protection Law” means the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, together with its Implementing Regulations, as amended or replaced from time to time.
“Data Controller” means an establishment or natural person that has Personal Data and, by virtue of its activity, determines, whether individually or jointly with other persons or establishments, the method and criteria for processing such Personal Data and the purpose of processing it.
“Data Processor” means an establishment or natural person that processes Personal Data on behalf of the Controller, under the Controller’s supervision and in accordance with its instructions.
13.2 Purpose Limitation and Instructions
ShareCRM shall Process Personal Data only for the purposes of providing the Services and strictly in accordance with Customer’s documented instructions, unless otherwise required by applicable UAE law.
Where ShareCRM becomes aware that an instruction is inconsistent with the UAE Data Protection Law, ShareCRM shall notify Customer to the extent permitted by law.
If the Processing is expected to exceed the period specified by Customer, ShareCRM shall notify Customer so that Customer may authorize an extension of such period or give appropriate instructions.
13.3 Technical and Organizational Measures
ShareCRM shall adopt appropriate technical and organizational measures and procedures to protect Personal Data, at the design stage, whether during the identification of the means of processing or during the processing, taking into account:
(a) the nature, scope, and purposes of the Processing; and
(b) the cost and feasibility of implementing such measures.
Such measures are intended to ensure the security of Processing, including the protection of electronic systems, media, and devices used in Processing.
13.4 Confidentiality and Non-Disclosure
ShareCRM shall not disclose Personal Data or the results of Processing to any third party, except as authorized by Customer or required by applicable law.
ShareCRM shall ensure that personnel authorized to Process Personal Data are subject to appropriate confidentiality obligations.
13.5 Records of Processing
To the extent required under applicable UAE law, ShareCRM shall maintain records of Processing activities carried out on behalf of Customer, which may include:
(a) the identity and contact details of the Controller, the Processor, and, where applicable, the Data Protection Officer;
(b) a general description of the categories of Personal Data Processed and the categories of Data Subjects;
(c) the categories of personnel authorized to access the Personal Data;
(d) the purpose, scope, and duration of the Processing, including applicable retention periods and restrictions;
(e) the mechanisms for deletion, modification, or other Processing of Personal Data upon Customer’s instructions;
(f) information relating to any cross-border transfer or Processing of such Personal Data; and
(g) a general description of the technical and organizational measures implemented to protect Personal Data and ensure information security.
Where required by applicable law, and upon a lawful request by the competent authority, ShareCRM shall make such records available to the relevant authority, to the extent applicable to ShareCRM in its role as a processor.
13.6 Personal Data Breach Notification
If ShareCRM becomes aware of a breach of Personal Data, ShareCRM shall notify Customer of such breach as soon as it becomes aware of the same, and shall provide the information reasonably available to ShareCRM that is necessary for Customer to comply with its notification obligations under applicable law.
Nothing in this Section requires ShareCRM to notify any authority directly, unless expressly required by applicable law.
13.7 Demonstration of Compliance
Upon reasonable request by Customer or a competent UAE authority, and subject to applicable law and confidentiality obligations, ShareCRM shall make available information reasonably necessary to demonstrate compliance with its obligations as a processor under the UAE Data Protection Law.
14. Saudi Arabia
14.1 Additional Definitions
For this Appendix III-14, the following definitions apply:
“Saudi PDPL” means the Personal Data Protection Law issued by Royal Decree No. (M/19) dated 9/2/1443H, as amended, together with its Implementing Regulations and any binding guidance issued by the Saudi Data & AI Authority (SDAIA).
“Controller” means any Public Entity, natural person or private legal person that specifies the purpose and manner of Processing Personal Data, whether the data is processed by that Controller or by the Processor.
“Processor” means any Public Entity, natural person or private legal person that processes Personal Data for the benefit and on behalf of the Controller.
14.2 Processing in Accordance with Instructions and Applicable Laws
ShareCRM shall Process Personal Data only in accordance with Customer’s documented instructions.
Where ShareCRM becomes aware of any violation of Customer’s instructions or applicable laws in the Kingdom, ShareCRM shall notify Customer in writing and without undue delay, to the extent permitted by law.
14.3 Compliance Assessments and Cooperation
To support Customer’s obligation to periodically assess and monitor the Processor’s compliance under Saudi PDPL, ShareCRM shall, upon reasonable written request, cooperate in good faith by providing information reasonably necessary to demonstrate its compliance with this DPA, subject to:
(a) ShareCRM’s confidentiality, security, and access control policies;
(b) the limitations set out in this DPA, including Section 11 (Audit and Compliance); and
(c) the principle of proportionality and non-disruption of ShareCRM’s normal business operations.
Any assessment or monitoring conducted by Customer, or by an independent third party appointed by Customer, shall be limited to the Processing of Personal Data under this DPA and shall not impose obligations on ShareCRM beyond those expressly required by applicable law or expressly agreed in writing by the Parties.
14.4 Sub-processing
Customer hereby grants ShareCRM its prior acceptance to engage Sub-processors for the Processing of Personal Data, as disclosed in the Sub-processor list referenced in the main body of this DPA, where applicable. Customer shall have the right to object to any such Sub-processor in accordance with the objection mechanism, and within the timeframe, agreed between Customer and ShareCRM.
Before engaging any Sub-processor, ShareCRM shall:
(a) ensure that the engagement does not reduce the level of protection applicable to Personal Data; and
(b) select only Sub-processors that provide sufficient guarantees to comply with the Saudi PDPL.
15. Egypt
15.1 Additional Definitions
For this Appendix III-15, the following definitions apply:
“Egyptian PDPL” means Law No. 151 of 2020 concerning the Protection of Personal Data, together with its Executive Regulations, as amended or supplemented from time to time.
“Controller” means any natural or legal person who, by virtue or nature of their work, has the right to access Personal Data and determine the method, manner, and criteria for its retention or processing, in accordance with a defined purpose or activity.
“Personal Data” means any data relating to an identified or identifiable natural person, whether directly or indirectly, through linking such data with other information such as name, voice, image, identification number, online identifier, or any data that reveals psychological, health, economic, cultural, or social identity.
“Personal Data Breach or Violation” means any unauthorized access to or unlawful acquisition of Personal Data, or any unlawful operation of copying, transmitting, distributing, exchanging, transferring, or circulating that aims at revealing, disclosing, damaging, or modifying Personal Data during its storage, transfer, or processing.
“Processor” means any natural or legal person who, by virtue of their role, processes Personal Data for their own benefit or on behalf of the Controller in accordance with the Controller’s instructions and under a formal agreement.
“The Center” means the Egyptian Personal Data Protection Center established under the Egyptian PDPL.
15.2 Processing Instructions and Lawful Processing
ShareCRM shall Process Personal Data solely on behalf of Customer, in accordance with:
(a) Customer’s documented instructions; and
(b) the Egyptian PDPL.
ShareCRM shall not exceed the scope or duration of the Processing purpose as instructed by Customer, and shall notify Customer if it becomes aware that continued Processing may exceed such scope or duration, to the extent permitted by law.
15.3 Purpose Limitation and Lawfulness
ShareCRM shall ensure that:
(a) the Processing is carried out for lawful and legitimate purposes; and
(b) the Processing does not violate public order or morals under applicable Egyptian law.
ShareCRM shall not Process Personal Data in a manner that contradicts the business purpose or activity of Customer, except where such Processing is expressly permitted by applicable law (including non-profit statistical or educational purposes that do not infringe Data Subject privacy).
15.4 Security Measures
ShareCRM shall implement appropriate technical and organizational measures to protect Personal Data, including the Processing environment, media, and electronic devices used, taking into account:
(a) the nature of the Personal Data; and
(b) the risks associated with the Processing.
The specific security measures implemented by ShareCRM are further described in Appendix II (Technical and Organizational Measures).
15.5 Confidentiality and Non-Disclosure
ShareCRM shall not disclose Personal Data or the results of Processing, except:
(a) as instructed by Customer; or
(b) where such disclosure is required or permitted under applicable law.
15.6 Records of Processing
ShareCRM shall maintain a record of Processing activities relating to Personal Data Processed on behalf of Customer, which shall include, to the extent required under the Egyptian PDPL:
(a) categories of Processing activities;
(b) contact details of ShareCRM and its Data Protection Officer (if applicable);
(c) Processing duration and scope;
(d) mechanisms for deletion or amendment; and
(e) a general description of technical and organizational security measures.
Such records shall be made available to Customer or the Center upon lawful request.
15.7 Compliance Demonstration and Inspections
To the extent required under applicable law, ShareCRM shall provide Customer with information reasonably necessary to demonstrate compliance with the Egyptian PDPL and shall cooperate with inspections or verification requests by the Center, subject to reasonable confidentiality, security, and proportionality limitations.
16. Brazil
16.1 Additional Definitions
For this Appendix III-16, the following definitions apply:
“LGPD” means Lei Geral de Proteção de Dados Pessoais (Law No. 13,709/2018), as amended from time to time.
“ANPD” means the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados).
“Controller” means a natural person or legal entity of either public or private law in charge of making the decisions regarding the processing of personal data.
“Personal Data” means information regarding an identified or identifiable natural person.
“Processor” means a natural person or legal entity of either public or private law that processes Personal Data on behalf of the Controller.
16.2 Processing Instructions
ShareCRM shall Process Personal Data solely in accordance with Customer’s documented instructions.
Where ShareCRM becomes aware that an instruction may violate applicable data protection laws, ShareCRM shall notify Customer to the extent permitted by law.
16.3 Records of Processing Activities
To the extent required under Article 37 of the LGPD, ShareCRM shall maintain records of Personal Data Processing activities performed on behalf of Customer, particularly where such Processing is based on legitimate interest.
16.4 Cooperation and Compliance Support
ShareCRM shall provide Customer with information reasonably necessary to support Customer’s compliance obligations under the LGPD, including in connection with audits, regulatory inquiries, or data subject requests, to the extent applicable to ShareCRM as a processor.
17. Mexico
17.1 Additional Definitions
For this Appendix III-17, the following definitions apply:
“FDPL” means the Ley Federal de Protección de Datos Personales en Posesión de los Particulares, together with its implementing Regulations, as amended from time to time.
“Data Controller” means an individual or private legal entity that carries out the Processing of Personal Data and determines the purposes and means of such Processing.
“Personal Data” means any information concerning an identified or identifiable person. A person is considered identifiable when their identity can be determined, directly or indirectly, through any information.
“Processor” means a natural or legal person who alone or jointly with others processes Personal Data on behalf of the Data Controller.
17.2 Processing Instructions and Purpose Limitation
ShareCRM shall Process Personal Data solely in accordance with Customer’s documented instructions and only for the purposes determined by Customer, as required under the FDPL.
ShareCRM shall not Process Personal Data for any purpose other than those instructed by Customer, unless otherwise required by applicable law.
17.3 Confidentiality
ShareCRM shall maintain the confidentiality of all Personal Data Processed on behalf of Customer and shall ensure that personnel authorized to Process such Personal Data are subject to appropriate confidentiality obligations.
17.4 Retention and Deletion
Upon termination of the legal relationship with Customer, or upon Customer’s documented instructions, ShareCRM shall delete Personal Data Processed on behalf of Customer, unless retention of such Personal Data is required under applicable law.
17.5 Data Transfers and Sub-processing
ShareCRM shall not transfer or otherwise communicate Personal Data to third parties unless:
(a) such transfer is expressly instructed or authorized by Customer, including where the communication arises from approved subcontracting arrangements; or
(b) such transfer is required by a competent authority under applicable law.
Any approved sub-processing shall be subject to contractual obligations that provide a level of protection consistent with this DPA.
17.6 Compliance Support
To the extent applicable to ShareCRM as a Processor, ShareCRM shall provide Customer with information reasonably necessary to demonstrate compliance with its obligations under the FDPL.
18. Australia
18.1 Additional Definitions
For this Appendix III-18, the following definitions apply:
“Australian Privacy Law” means the Privacy Act 1988 (Cth), including the Australian Privacy Principles (“APPs”), and any binding codes, guidelines, or determinations issued by the Office of the Australian Information Commissioner (“OAIC”).
“APP Entity” has the meaning given under the Privacy Act 1988 (Cth).
“Overseas Recipient” means a recipient of Personal Information located outside Australia.
18.2 Processing on Instructions
ShareCRM shall Process Personal Information solely for the purpose of providing the Services and strictly in accordance with Customer’s documented instructions, unless otherwise required or authorized under Australian Privacy Law.
Where ShareCRM becomes aware that an instruction would require Processing in violation of Australian Privacy Law, ShareCRM shall notify Customer to the extent permitted by law.
18.3 Security of Personal Information
ShareCRM shall take reasonable steps to protect Personal Information under its control from misuse, interference, loss, and from unauthorized access, modification, or disclosure, having regard to the nature of the information and the risks associated with the Processing.
The specific technical and organizational measures implemented by ShareCRM are further described in Appendix II (Technical and Organizational Measures) and may evolve over time, provided that the overall level of protection is not materially reduced.
18.4 Overseas Disclosure and Cross-Border Transfers
To the extent ShareCRM discloses or transfers Personal Information outside Australia in connection with the Services, such disclosure shall be made only in accordance with Customer’s instructions and subject to appropriate safeguards required under Australian Privacy Law.
18.5 Sub-processing
ShareCRM may engage Sub-processors to Process Personal Information on behalf of Customer, provided that such engagement is subject to written arrangements requiring the Sub-processor to implement security measures and Processing restrictions no less protective than those set out in this DPA.
19. Russia
19.1 Additional Definitions
For this Appendix III-19, the following definitions apply:
“Russian Personal Data Law” means Federal Law No. 152-FZ “On Personal Data” dated 27 July 2006, as amended, and applicable regulations and guidance issued by Roskomnadzor.
“Operator” means a state authority, municipal authority, legal entity, or individual that organizes and/or carries out the Processing of Personal Data, and determines the purposes and scope of such Processing.
“Processor” means a person Processing Personal Data on behalf of and pursuant to the instructions of the Operator.
19.2 Processing on Instructions
ShareCRM shall Process Personal Data solely on behalf of Customer and strictly in accordance with Customer’s documented instructions and for the purposes of providing the Services, unless otherwise required by applicable Russian law.
Where ShareCRM becomes aware that an instruction would result in Processing in violation of Russian Personal Data Law, ShareCRM shall notify Customer without undue delay to the extent permitted by law.
19.3 Cross-Border Transfers
Where Personal Data is transferred outside the territory of the Russian Federation in connection with the provision of the Services, such transfer shall be carried out in accordance with Customer’s instructions and applicable Russian Personal Data Law, including requirements relating to the adequacy of protection in the recipient jurisdiction or other lawful bases for transfer.
Customer remains responsible for determining the legal basis for such cross-border transfers as the Operator.
19.4 Personal Data Breach Assistance
Where ShareCRM becomes aware of an incident involving unauthorized access to or disclosure of Personal Data, ShareCRM shall notify Customer without undue delay and provide reasonable assistance to enable Customer to comply with its notification and remediation obligations under Russian Personal Data Law.
19.5 Sub-processing
ShareCRM may engage Sub-processors to Process Personal Data on behalf of Customer, provided that such Sub-processors are bound by written obligations ensuring confidentiality, security measures, and Processing restrictions consistent with this DPA.
19.6 Compliance Support
Upon reasonable request, ShareCRM shall make available information reasonably necessary to demonstrate its compliance with this DPA, subject to reasonable confidentiality, security, and trade secret limitations.