Waymark Tech GDPR Annex

1. DATA PRIVACY

1.1. Data Protection Legislation. Each party will at all times comply with the Data Protection Legislation in respect of its processing of Personally Identifiable Information.

1.2. Role of Waymark Tech. The parties acknowledge that, in relation to any Service, Waymark Tech may process Personally Identifiable Information as Processor and/or Controller or (where Waymark Tech does not process Personally Identifiable Information in the context of that Service) as neither Controller nor Processor. Further information on Waymark Tech’s role in relation to a specific Service may be set out in product information made available by Waymark Tech from time to time at www.waymark.tech/privacy-information.

1.3. Use of PII. Waymark Tech may process Personally Identifiable Information for the purpose of or in connection with: (i) carrying out relevant diligence and administrative tasks prior to the provision of the Services; (ii) providing the Services; (iii) as permitted or in accordance with law (the "Purposes").

1.4. Waymark Tech as Processor. To the extent that Waymark Tech processes Client Personal Data as Processor of Client pursuant to this Agreement, the following provisions of this paragraph 1.4 shall apply:

1.4.1. Scope of processing. The subject matter, nature, purpose and duration of Waymark Tech’s processing of Client Personal Data as Processor of Client is set out, in respect of a Service (where applicable) in product information made available by Waymark Tech from time to time at www.waymark.tech/privacy-information. Information on the types of Client Personal Data processed and the categories of data subjects is also available at such web address.

1.4.2. Documented instructions for processing. Waymark Tech, as Processor, will only process Client Personal Data on the documented instructions of Client unless required to process that Client Personal Data for other purposes by EU Law. Where such a requirement is placed on Waymark Tech, it shall provide prior notice to Client unless the relevant law prohibits the giving of notice.

1.4.3. Processor obligations. Notwithstanding anything to the contrary in this Agreement, with effect from 25 May 2018, Waymark Tech shall comply with the express obligations of a Processor as set out in Articles 28(3)(b) to 28(3)(h) inclusive of the GDPR, provided that: (a) Client may not instruct Waymark Tech to delete copies of data that it holds on its own behalf as Controller; and (b) the requirements of Article 28(3)(b) of the GDPR shall not apply to persons that Waymark Tech is required by applicable laws or regulatory requirements to grant access to Client Personal Data.

1.4.4. General Authorisation for Sub-processing. Client provides a general authorisation to Waymark Tech to engage further Processors to process Client Personal Data. A list of those further Processors is available via publication on www.waymark.tech/privacy-information and Waymark Tech shall give Client notice of any intended addition to or replacement of those further Processors by updating that list from time to time. If Client reasonably objects to a change to the list, at Waymark Tech’s option Waymark Tech will either: (i) give Client an opportunity to pay for a version of the relevant part of the Service without use of the Processor to which Client objects; or (ii) terminate the provision of the affected part of the Service to Client immediately upon notice.

1.4.5. Client’s Responsibilities. Client acknowledges that it has the primary responsibility for the processing of Client Personal Data and shall notify Waymark Tech of any assistance it requires pursuant to Articles 28(3)(a) to 28(3)(h) of the GDPR inclusive. The parties acknowledge that such assistance will be provided following agreement between the parties on the scope and timing of such assistance, and the fees chargeable by Waymark Tech for such assistance.

1.4.6. Verification. From 25 May 2018, and following a written request from Client, Waymark Tech shall, in fulfilment of its obligation to demonstrate compliance with this paragraph 1.4 (and any other relevant parts of paragraph 1), make available to Client information on its processing of Client Personal Data. At Waymark Tech's discretion, such information may take the form of certificates, third party audit reports or other relevant information.

1.5. Waymark Tech as Controller. The parties acknowledge that Waymark Tech may process Personally Identifiable Information as Controller, and that in such circumstances the provisions of this paragraph 1.5 shall apply:

1.5.1. Waymark Tech Privacy Notice. The Client acknowledges that Waymark Tech has made a privacy notice for each Service available to the Client (each a “Privacy Notice”). The Client shall take reasonable steps to bring this Privacy Notice to the attention of any individuals that Client makes the Service available to (or requests Waymark Tech to deal with or carry out research on in the context of the Services).

1.5.2. Client as Separate Controller. The parties acknowledge that where Waymark Tech acts as Controller in the provision of the Services, Client acts as a Controller in respect of any Personally Identifiable Information it chooses to record as a result of its receipt and use of the Services and that, in such circumstances, Client will be responsible for the use and receipt of the Services in accordance with Data Protection Legislation.

1.6. Joint Responsibility. The parties acknowledge and agree that they may be jointly responsible for the processing of Personally Identifiable Information to the extent specified in any applicable Schedule or product information and that in such circumstances their respective responsibilities in relation to that processing are as stated in the Schedule or product information.

1.7. Transfers outside of the EEA. The parties acknowledge and agree that Waymark Tech may transfer Client Personal Data outside of the EEA where permitted for that transfer under Articles 44 to 49 of the GDPR.

1.8. Client-Provided Data. Client shall ensure that any Client Personal Data has been collected and disclosed in accordance with Data Protection Legislation. When using the Services or accessing Waymark Tech's systems or any other information held by Waymark Tech, Client shall ensure that it does not input, upload or disclose to Waymark Tech, or allow any other third party to disclose on its behalf, any irrelevant or excessive information about individuals.

1.9. Cooperation. The parties shall use reasonable efforts to assist one another in relation to the investigation and remedy of any claim, allegation, action, suit, proceeding or litigation with respect to alleged unauthorised access, use, processing or disclosure of Personally Identifiable Information.

1.10. Protective Measures. Each party will maintain, and will require all Processors each such party engages to maintain, appropriate physical, technical and organisational measures to protect Personally Identifiable Information against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access (“Security Breach”). Client shall, without undue delay, notify Waymark Tech within a reasonable time period of any actual or suspected non-trivial Security Breach relating to Personally Identifiable Information and shall take adequate remedial measures as soon as possible. Where Waymark Tech acts as Processor of Client, Waymark Tech will notify Client without undue delay of any non-trivial Security Breach that may adversely affect Client Personal Data.

2. DEFINITIONS

Capitalised terms which are used but not defined in this Schedule shall have the meaning given to them in the Master Terms.

Client Personal Data – means PII made available or uploaded into the Services by, or on behalf of, Client, and processed by Waymark Tech in connection with this Agreement.

Controller - means a data controller or controller (as such term is defined in Data Protection Legislation).

Data Protection Legislation – the following legislation to the extent applicable from time to time: (a) national laws implementing the Data Protection Directive (95/46/EC); (b) the GDPR; and (c) any other similar national privacy law.

EEA - European Economic Area.

EU Law - European Union Law and the law of any current Member State of the European Union from time to time.

GDPR - the General Data Protection Regulation (2016/679).

Personally Identifiable Information or PII - personal data (as such term is defined in Data Protection Legislation) processed as part of the Services or in connection with this Agreement.

Processor - means a data processor or processor (as such term is defined in Data Protection Legislation) that processes Client Personal Data.

Sensitive Personal Data – sensitive personal data (as such term is defined in Data Protection Legislation).