DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Use (“Terms”) by and between Krembo LLC. dba Growth-X (collectively “Growth-X” or “Company” or “we” or “us” or “our “) and the Customer (as defined under the Terms), and applies to the extent that the Company Processes Personal Data, or has access to Personal Data, in the course of its performance under the Terms.

This DPA forms an integral part of the Terms, and is incorporated therein by reference. Definitions used herein shall have the meaning assigned to them under the Terms.

1. Definitions
   1. “CCPA” means California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. Seq.
   2. “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (as may be amended or superseded from time to time), including without limitation, where applicable, EU Data Protection Law, the United Kingdom privacy laws and CCPA.
   3. The terms “Data Controller”, “Data Processor”, “Data Subject”, “Processing” (and “Process”), “Personal Data Breach” shall all have the same meanings as ascribed to them in EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer”, “Service Provider” and “Sell” shall have the same meaning as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer”, as such terms defined in the CCPA.
   4. “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iii)any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (iv) any legislation replacing or updating any of the foregoing.
   5. “Personal Data” or “Personal Information” means any information which (i) can be related, describes, is capable of being associated with, an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual or Data Subject; and; (ii) uploaded or otherwise generated and collected through Customers use of the Product and Services.
   6. “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Relationship of The PartiesThe parties acknowledge that in relation to Personal Data Processed under the Terms, as between the parties, Customer is the Controller, and Company, in providing the Services is acting as a Processor on behalf of the Customer. For the purpose of the CCPA (and to the extent applicable), Customer is the Business and Company is the Service Provider. Without derogating from the above, it is hereby clarified that in addition to the Company’s capacity as a Processor of the Personal Data, Company is also a Controller of certain Personal Data related to the Customer, such as Customer’s personnel contact details, etc., and such Personal Data shall be used in accordance with Company’s privacy policy available at: https://growth-x.com/.
3. Processing of Personal Data and Compliance With Data Protection Law
   1. The subject matter and duration of the Processing carried out by the Company on behalf of the Customer, the nature and purpose of the Processing, the type of Personal Data, categories of Data Subjects (as required under the GDPR) and categories of Personal Information (as required under the CCPA) are described in Schedule A attached hereto.
   2. Company represents and warrants that it shall Process Personal Data, as set forth under Article 28(3) of the GDPR, on behalf of the Customer, solely for the purpose of providing the Service, and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with the written instructions in the Terms and this DPA. Notwithstanding the above, in the event required under applicable laws, Comapny may Process Personal Data other than as instructed by Customer, in such event, Company shall make best efforts to inform the Customer of such requirement unless prohibited under applicable law.
   3. The Customer represents and warrants that: (a) its Processing instructions shall comply with applicable Data Protection Law, and the Customer acknowledges that, taking into account the nature of the Processing, Company is not in a position to determine whether the Customer’s instructions infringe applicable Data Protection Law; (b) it will comply with EU Data Protection Law, specifically with the lawful basis for Processing Personal Data, as well as the CCPA, specifically, where applicable, provide Data Subjects with the ability to opt out; (c) Special Categories of Personal Data shall not be Processed or shared in connection with the Services; (d) the Customer shall not share any Personal Data with the Company that contains Personal Data relating to children under 16 years old.
4. Disclosures & ConsentThe Customer acknowledges and agrees that the Company is solely a service provider, and has no contractual relationship or interaction with end users. Hence, in the event required under applicable laws, the Customer shall be responsible to obtain the end users’ consent to the collection and processing of Personal Data through the Services. The Customer will enable end users to opt-out of data collection, as required under applicable laws.
5. No Sale of Personal InformationIt is hereby agreed that any share of Personal Data between the Customer and Company is made solely for fulfilling a Business Purpose and the Company does not receive or process any Personal Data as consideration for the Services. Thus, such collection, processing and share of Personal Data shall not be considered as a Sale.
6. Rights of Data Subject and Parties Cooperation ObligationsIt is agreed that where Company receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed by the Company on behalf of Customer, where relevant, the Company will direct the Data Subject or the applicable authority to the Customer in order to enable the Customer to respond directly to the Data Subject’s or applicable authority’s request, unless otherwise required under applicable laws. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
7. Sub-ProcessorThe Customer acknowledges that the Company may transfer Personal Data to and otherwise interact with third party data processors for the purpose of providing the Services ( “Sub-Processor”). The list of the Company’s current Sub-Processors is available in Schedule B attached hereto. The Customer hereby, authorizes the Company to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Company shall, where it engages any Sub-Processor impose, through a legally binding contract between the Company and Sub-Processor, data protection obligations as required under Data Protection Law.
8. Technical and Organizational MeasuresThe Company shall use appropriate security measures to protect the availability, confidentiality, and integrity of any Personal Data collected, accessed, used, or transmitted in connection with this DPA and the Terms and to protect such Personal Data from Security Incidents taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
9. Security IncidentThe Company will notify the Customer upon becoming aware that an actual Security Incident involving the Personal Data Processed under the Terms in Company’s possession or control has occurred. Company’s notification of or response to a Security Incident under this Section 9 shall not be construed as an acknowledgment by the Company of any fault or liability with respect to the Security Incident. The Company will, in connection with any Security Incident affecting the Personal Data: (i) take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; and (iii) notify the Customer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority.
10. Audit RightsThe Company shall make available, solely upon prior written notice and no more than once per year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including
    inspections, by such reputable auditor solely in relation to the Processing of Personal Data on behalf of Customer (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and confidentiality obligations (including towards third parties). The Company may object to an auditor appointed by the Customer in the event the Company reasonably believes, the auditor is not suitably qualified or independent, a competitor of the Company or otherwise manifestly unsuitable. In such event, the Customer will appoint a different auditor. The Customer shall bear all expenses related to the Audit and shall avoid causing any damage, injury or disruption to Company’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Any and all conclusions of such Audit shall be confidential and reported back to the Company immediately.
11. Data TransferThe Personal Data Processed by the Company might be transfer and stored in different territories, including the US. Processor shall take such measures as are necessary to ensure the transfer is in compliance with Data Protection Law.
12. GeneralAny claims brought under this DPA will be subject to the terms and conditions of the Terms. In the event of a conflict between the Terms (and any document referred to therein) and this DPA, the provisions of this DPA shall prevail. This DPA supersedes any prior agreements or contracts (whether implied or explicit and whether written or not) between the parties in connection with Processing of Personal Data.

SCHEDULE A

DETAILS OF PROCESSING OF PERSONAL DATA

This Schedule A includes certain details of the Processing Personal Data as required by Data Protection Law.

Subject matter and duration of the Processing of Personal Data:

Processing shall be carried out in connection with the provision of the Services set forth under the Terms, and until otherwise instructed by the Controller.

The nature and purpose of the Processing of Personal Data:

To provide the Services pursuant to the Terms.

The types/categories of Personal Data Processed:

The types of Personal Data will vary depending on the type of Services and may include: email address, names, place of work and position.

Special categories of data (if appropriate)

NA

The categories of Data Subjects to whom the Personal Data relates:

Business leads on behalf of the Customer.

SCHEDULE B

Sub-Processors