Data Processing Terms

These Data Processing Terms form part of the Terms between Sine and you and apply when we process Personal Data on your behalf in the course of providing the Services. These Data Processing Terms do not apply where we are the Controller. Defined and/or capitalized terms not defined here have the meanings given them in the Terms. If not defined in the Terms, capitalized terms have the meaning given them, or an equivalent term, in applicable data protection, privacy or security laws (“Privacy Laws”).These Data Processing Terms take precedence over any other terms of the Terms in relation to the Processing of Personal Data.

Processing. With respect to the Processing of Personal Data, you act as a Controller, “business”, or Processor and Sine is a Processor or “service provider”. We will only Process Personal Data as permitted under the Terms and applicable Privacy Laws. We will not “sell” Personal Data. You agree that the Terms represents your complete instructions to us and any additional changes you require must be mutually agreed. We will inform you if we believe that any of your instructions violate law, unless prohibited on important grounds of public interest. Details regarding the Processing of Personal Data are specified in Annex 1. You are solely responsible for complying with Privacy Laws regarding the Processing of Personal Data (including obtaining consents) and warrant that you comply with the same. You shall indemnify us, our Affiliates, subcontractors, and licensors from all third-party claims or losses arising from the Processing of Personal Data in accordance with the Terms.

Subprocessors. You authorize us to use other Processors, including Sine affiliates and service providers, (“Subprocesors”) in any jurisdiction to Process Personal Data, so long as they are required to abide by terms substantially similar to these Data Processing Terms. We will be liable to you for the performance of our Subprocessor’s obligations under the Terms. On written request, we will provide you with a list of Subprocessors and will notify you of any changes, giving you five business days to object after receipt of the notification. If you legitimately object to a Subprocessor on reasonable data protection grounds and we do not resolve the matter within one month following notification, we may terminate the Terms with respect to the Services impacted by the new Subprocessor, without penalty, upon written notice.

Security. We will implement appropriate technical and organizational measures to protect Personal Data, as described in Annex 2 (“Security Measures”). We may update or modify the Security Measures, so long as the overall security level of the Services is maintained. You are solely responsible for determining whether the Security Measures meet your requirements. You agree that the level of security provided by the Security Measures is appropriate to the risk inherent in the Services. You are responsible for configuring the Services in a manner which enables you to comply with applicable Privacy Laws. We will ensure that only authorized personnel who are under written obligations of confidentiality or are under an appropriate statutory obligation of confidentiality may access Personal Data. The Services is not designed to Process Special Categories of Data (except with respect to facial recognition in connection with Face Check and limited health data, where available), cardholder data subject to the Payment Card Industry Security Standard (“PCI DSS”), protected health information under HIPAA, children’s Personal Data, or other Personal Data inappropriate for the nature of the Services (collectively, “Prohibited Data”). You shall not submit Prohibited Data to us or to the Services, unless authorized to do so in writing by Sine.

Security Incident. We will notify you without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorized access, disclosure or use of Personal Data while processed by us (each a “Security Incident”) in relation to the Services under the Terms. We will investigate the Security Incident and provide you with relevant information about the Security Incident as required under Privacy Laws. We will use reasonable efforts to assist you in mitigating, where possible, the adverse effects of any Security Incident.

Compliance. On written request and subject to obligations of confidentiality, we will provide to you information reasonably necessary, including relevant certifications, to demonstrate our compliance with these Data Processing Terms. Where required by applicable Privacy Laws, you (or an independent auditor mandated by you) may audit our compliance with such obligations once per year at the applicable facility (“Audits“). Audits will only be performed following your written request at least ninety (90) days prior to the proposed start date and you providing a reasonably detailed audit plan describing the proposed scope, start date and duration. Before the Audit, the Parties will agree on a final Audit plan. Audits will be conducted during Sine’s regular business hours, subject to the published policies of the audited facility, and may not unreasonably interfere with business activities. The personnel conducting the Audit on your behalf or an independent auditor mandated by you must enter into an appropriate written confidentiality agreement acceptable to us prior to conducting the Audit and will be accompanied by at least one member of our staff at all times. To preserve the security of the Sine organization and our customers, we reserve the right to not share information that could expose or compromise its security, privacy, employment policies or obligations to other customers or third parties or share confidential information. Records may not be copied or removed from our facilities. You will generate and provide us with an audit report within three months after the Audit. All information obtained or generated in connection with an Audit, including audit reports, must be kept strictly confidential and may only be used for the purposes of confirming our compliance with its obligations under these Data Processing Terms. Customer will pay or reimburse our reasonable costs for allowing for and contributing to Audits. With respect to Subprocessors, we may fulfil our responsibilities under this Section 5 by providing you with audit reports or certifications provided by such Subprocessors.

Data Transfers. You authorize us and our Subprocessors to transfer Personal Data to locations outside of its country of origin for the performance of the Terms, provided that we implement appropriate transfer safeguards to comply with applicable Privacy Laws. If we transfer Personal Data from the European Economic Area (“EEA”), UK, Switzerland or from any other jurisdiction that restricts the cross-border transfer of Personal Data to locations outside that jurisdiction, you shall be bound by the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 including the provisions in Modules 2 and 3, as applicable, (“SCCs”) in the capacity of “data exporter”, and Sine in the capacity of “data importer” as those terms are defined therein. The SCCs will be deemed to have been signed by each Party and are hereby incorporated by reference into the Terms in their entirety as if set out in full as an annex to these Terms. The Parties acknowledge that the information required to be provided in the appendices to the SCCs is set out in Annex 1 below as a “Description of the Transfer” and “Security Measures” as a “Description of the Technical Organizational Measures” in Annex 2. Audits under Section 8.9 of the SCCs shall be carried out in accordance with the above Section 5. The SCCs will prevail over these Data Processing Terms or the Terms, in the event of conflict.

Cooperation. We will cooperate with you to respond to requests, complaints or inquiries from data subjects, supervisory authorities, or other third parties, conduct a privacy impact assessment and prior consultation with supervisory authorities, provided that you reimburse us for all reasonably incurred costs. If we receive a data subject request relating to Personal Data, we will provide it to you. We will not respond to the data subject request unless required by applicable law.

Termination. Upon termination of the Terms, we will return, delete or anonymize Personal Data except to the extent (i) we are required by applicable law to retain Personal Data or (ii) for compliance, audit or security purposes, in which case these Data Processing Terms will continue to apply to the retained Personal Data. Any certification of deletion will be provided to you only upon your written request.

Last Updated 4 November 2021; Version 1

ANNEX 1

DESCRIPTION OF THE PROCESSING AND TRANSFER

(MODULE 2: CONTROLLER TO PROCESSOR)

A. LIST OF THE PARTIES
Controller / Data Exporter	You and your Affiliates, as set forth in the Terms.
Processor / Data Importer	Name: Sine Group Pty Ltd A.C.N. 167 296 219. Address: 100 Pirie Street, Adelaide, South Australia 5000 Contact: Privacy Officer Email: [email protected]
B. DETAILS OF PROCESSING/TRANSFER
CATEGORIES OF DATA SUBJECTS	The Personal Data processed and transferred is determined and controlled by you in your sole discretion and may include, without limitation, the following categories of Data Subjects: (i) employees, contractors and temporary workers (current, former, prospective) of data exporter; (ii) channel partners, distributors, sales partners, and business partners (iii) advisors, trainers, consultants, service providers and other third parties; (iv) Users of the Services; (v) any other data subject as described in the Terms.
CATEGORIES OF PERSONAL DATA	The Personal Data processed and transferred is determined and controlled by you in your sole discretion and may include, without limitation, the following categories of data: name, email address, job title, country of residence, mobile phone number, username, password, security question, IP addresses, unique identification numbers and signatures, voice, video and data recordings, location data, and device identification (e.g., UUID, IMEI-number, SIM card number, MAC address).
SPECIAL CATEGORIES OF DATA	The Services is not intended for the Processing of Special Categories of Data or Prohibited Data, and you shall not transfer, directly or indirectly to us, except with respect to facial recognition in connection with Face Check and limited health data, where applicable.
1. FREQUENCY	The Personal Data transfers under the Terms will take place on a continuous basis.
2. NATURE OF THE PROCESSING	Sine and its Subprocessors are providing the Services or fulfilling contractual obligations to you, as described in the Terms. These Services may include the processing of Personal Data by Sine and/or its Subprocessors.
PURPOSE OF PROCESSING / TRANSFER	Your Personal Data is processed and transfer is made for the following purposes: (i) providing the Services and facilitating communication with customers, employees and Users; (ii) administration and management of channel partners, distributors and/or sales partners; (iii) identity management and security; (iv) managing product and service development, improving existing and developing new products and services, research and development; (v) research; (v) any other scope and purpose as described in the Terms.
RETENTION	Your Personal Data will be retained in accordance with the Terms unless applicable law requires storage of the Personal Data for a longer period.
TRANSFER TO SUBPROCESSORS	Sine may process and transfer Personal Data to Subprocessors in relation to the performance of the Terms and in accordance with the following scope: Subject Matter : The subject matter of the processing under the Terms is the Personal Data. Nature of the processing : Sine and its Subprocessors are providing services or fulfilling contractual obligations to you, as described in the Terms. These services may include the processing of Personal Data by Sine and/or its Subprocessors. Duration : The duration of the processing under the Terms is determined by you and as set forth in the Terms.
C. COMPETENT SUPERVISORY AUTHORITY
For the purposes of Clause 13 of the SCCs, the competent supervisory authority for the Customer shall be the supervisory authority applicable to the Customer in its EEA country of establishment or, where it is not established in the EEA, in the EEA country where its representative has been appointed pursuant to Article 27(1) of Regulation (EU) 2016/679.
D. GOVERNING LAW AND CHOICE OF FORUM
GOVERNING LAW	For the purposes of Clause 17 of the SCCs, the parties select the law of Ireland.
CHOICE OF FORUM	For the purposes of Clause 18 of the SCCs, the parties agree that the courts of Ireland will have jurisdiction.
E. OTHER
Where the SCCs identify optional provisions or provisions with multiple options the following will apply:	For Clause 7 (Docking Clause), the optional provision will apply.
	For Clause 9(a), option 2 will apply. The parties will follow the process agreed in Section 2 (Subprocessors).
	For Clause 11(a) (Redress), the optional provision will not apply.
	For Clause 12 (Liability), the limitation of liability in the Terms applies to these Data Processing Terms.

ANNEX 2

SECURITY MEASURES

This Annex 2 describes the Security Measures designed to protect and secure our SaaS Services when we Process Personal Data under the Terms. We may update or modify the Security Measures from time to time provided that such updates and modifications do not result in a material degradation of the overall security of the Services provided under the Terms. Beta Services may be subject to different practices.

Categories	Practices
Personnel Security	Sine personnel engaged in data processing are under a written obligation of confidentiality and may not collect, process or use personal data without authorization. Sine follows the Global Data Privacy Policy of Honeywell, which requires employees to comply with Data Protection Laws with respect to the processing of Personal Data. Background or verification checks are performed on personnel (employees and contractors) when appropriate and permitted by local laws. Sine’s annual compliance training includes a requirement for employees to complete an online course and pass an assessment covering information security and data privacy. The security awareness a program may also provide materials specific to certain job functions. Separation of duties between administrators and security personnel.
Physical Security	Sine and its cloud services providers (e.g., Amazon Web Services) take measures to prevent unauthorized physical access to premises and facilities holding Personal Data. This may be accomplished through: Protecting and restricting physical access to data processing equipment Physical security perimeters (fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) are implemented to safeguard sensitive information and information systems Physical access to facilities and data centers is restricted in order to protect hosted information, applications, systems, and infrastructure. Visitor access is subject to approval and is logged. Secure cabinets are leveraged within data centers to secure hosted information, applications, systems, and infrastructure. Identification badges are used, and key card access is required to enter facilities. Where necessary security cameras and security guards are utilized to observe and enforce access controls.
Access Control	Sine has robust Identity and Access Management controls in place with usage of unique user ID and complex password for authentication. Sine follows complex password policy. The protection measures include: Identity and access management systems and processes for authentication & authorization limiting access only to authorized users. Role based access (least privilege). Secure log-in with unique user-ID/password. Periodic access reviews.
Asset Management	Sine’s Asset Management comprises the following: o Information Asset Protection to protect information throughout its lifecycle including creation, use, processing, storage, transmission and destruction. o Continuous Monitoring Strategy with data loss prevention mechanism. o Asset Inventory to maintain inventories of its systems supporting customer information. o Asset Configuration and Control.
Incident Management	Incident response procedures exist for security and data protection incidents, which includes incident analysis, containment, response, remediation, reporting and the return to normal operations. Sine implements logging and analysis of system usage.
Network Security	Network perimeter security through intrusion detection and prevention systems, routers and state of the art firewalls. Usage of DMZ. VPN for remote access and Secure Shell/Layer access as applicable. Anti-malware and anti-virus mechanisms. Vulnerability scanning.