Data Processing Agreement

1.0 Preamble

This Data Processing Agreement ("DPA") forms part of the Terms of Service between SOVRINT ("Processor") and the Customer ("Controller") regarding the processing of personal data on behalf of the Controller. This DPA allows the Controller to ensure compliance with Data Protection Laws, including the GDPR and CCPA.

2.0 Definitions

• "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
• "Processor" means the entity which processes Personal Data on behalf of the Controller.
• "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data and privacy.

3.0 Processor Obligations

SOVRINT shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. We agree to:

• Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
• Assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights.

4.0 Sub-processing

The Controller provides general authorization for the Processor to engage sub-processors to assist in providing the Services. SOVRINT shall maintain a list of current sub-processors and provide notice of any intended changes concerning the addition or replacement of other sub-processors.

5.0 Data Deletion & Return

Upon termination of the Services, at the choice of the Controller, SOVRINT shall delete or return all the Personal Data to the Controller and delete existing copies unless applicable law requires storage of the Personal Data.