BrainPayroll DATA PROCESSING ADDENDUM

EULA

Last Updated at 2022-April-04

Definitions and key terms

1. Scope, Order of Precedence and Parties

This Data Processing Addendum (“DPA”) applies to the Processing of Personal Data by BrainPayroll on Your behalf when providing BrainPayroll Payroll software services, technical support services or consulting services (“Services”). The Services are described in the relevant BrainPayroll payroll software license and/or services agreement and the applicable order for Services (collectively, the “Agreement”). In the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA shall control. In the event of a conflict between the terms of this DPA and the EU Standard Contractual Clauses and/or the UK SCC Addendum (if applicable), the terms of the EU Standard Contractual Clauses and/or the UK SCC Addendum (if applicable) shall control.

This DPA is between the end-user customer (“You”) and BrainPayroll UK Limited and is incorporated by reference into the Agreement. Your location determines the BrainPayroll entity as identified at: https://www.brainpayroll.co.uk/end-user-license-agreement

2. Definitions

“You” means the end-user/customer specified under this DPA and refers to a person or entity that uses Brain Payroll Software.

“Affiliate” means any subsidiary, contractor, or vendor of BrainPayroll UK Limited that may assist BrainPayroll in the processing of Your Personal Data under this DPA.

“Aggregate” means information that relates to a group or category of individuals, from which identities have been removed such that the information is not linked or reasonably linkable to any individual subject to Applicable Data Protection Laws.

“Applicable Data Protection Laws” means (i) the EU General Data Protection Regulation 2016/679 (“GDPR”) and laws or regulations implementing or supplementing the GDPR; and (ii) any other international, federal, state, provincial and local privacy or data protection laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective that apply to the Processing of Personal Data under this Agreement.

“Customer Content” means any data uploaded to Your account for storage or data in Your computing environment to which BrainPayroll is provided access in order to perform Services.

“European Economic Zone” means the European Economic Area, Switzerland and the United Kingdom for the purpose of this DPA.

“2021 EU Standard Contractual Clauses” or “2021 EU SCCs” means the contractual clauses annexed to the EU Commission Decision 2021/914/EU or any successor clauses approved by the EU Commission.

“Personal Data” means any Customer Content Processed in connection with the performance of Services that can identify a unique individual, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of individuals or as such information may be otherwise defined under Applicable Data Protection Laws.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed in order to perform the Services that compromises the security of the Personal Data.

“Sub-Processor” means any third party engaged to assist with the Processing of Personal Data for the performance of Services under the Agreement.

“UK SCC Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (vB1.0 or any subsequent version) issued by the UK Information Commissioner’s Office.

Terms used but not defined in this DPA (e.g., “Business Purpose, Consumer, Controller, Data Subject, Process/Processing, Processor”) shall have the same meaning as set forth in the Agreement or Applicable Data Protection Laws.

3. Roles as Data Controller and Data Processor

For purposes of this DPA, You are the Data Controller of the Personal Data Processed by BrainPayroll in its performance of the Services under the terms of the Agreement. You are responsible for complying with your obligations as a Controller under Applicable Data Protection Laws governing your provision of Personal Data to BrainPayroll for the performance of the Services, including without limitation obtaining any consents, providing any notices, or otherwise establishing the required legal basis. Unless specified in the Agreement, You will not provide BrainPayroll with access to any Personal Data that imposes specific data protection requirements greater than those agreed to in the Agreement and this DPA, and you will limit BrainPayroll’s access to Personal Data as necessary to perform the Services.

BrainPayroll is the Data Processor and service provider with respect to such Personal Data, except when You act as a Processor of Personal Data, in which case BrainPayroll is a Sub-Processor. BrainPayroll is responsible for complying with its obligations under Applicable Data Protection Laws that apply to its Processing of Personal Data under the Agreement and this DPA.

4. BrainPayroll’s Purpose of Processing

BrainPayroll and any persons acting under its authority under this DPA, including Sub-Processors and Affiliates as described in Section 6, will Process Personal Data only for the purposes of performing the Services in accordance with Your written instructions as specified in the Agreement, this DPA and in accordance with Applicable Data Protection Laws. BrainPayroll will not disclose Personal Data in response to a subpoena, judicial or administrative order, or other binding instrument (a “Demand”) unless required by law. BrainPayroll will promptly notify You of any Demand unless prohibited by law and provide You reasonable assistance to facilitate Your timely response to the Demand. BrainPayroll may also Aggregate Personal Data as part of the Services in order to provide, secure, and enhance BrainPayroll products and Services.

5. Data Subjects and Categories of Personal Data

You determine the Personal Data to which You provide BrainPayroll access in order to perform the Services. This may involve the Processing of Personal Data of the following categories of Your Data Subjects:

  • Employees
  • Customers and end users

The Processing of Your Personal Data may also include the following categories of Personal Data:

  • Payroll employee personal data (NINO, address, DOB, email, phone, Tax Code etc.)
  • Employee Bank Information
  • Company Data (Name, HMRC Office details, UTR, Bank Account etc.)
  • Company Pension Data (name, pension scheme, etc.)
  • Employee Pension data (Pension status, Pension dates, pension schemes etc.)
  • Communications data such as home telephone number, cell telephone number, email address, postal mail address, and fax number
  • Family and other personal circumstance information, such as age, date of birth, marital status, spouse or partner
  • Other Personal Data to which You provide BrainPayroll access in connection with payroll processing

6. Sub-Processing

Subject to the terms of this DPA, You authorize BrainPayroll to engage Sub-Processors and Affiliates for the Processing of Personal Data. These Sub-Processors and Affiliates are bound by written agreements that require them to provide at least the level of data protection required of BrainPayroll by the Agreement and this DPA. You may request BrainPayroll to perform an audit on a Sub-Processor or to obtain an existing third-party audit report related to the Sub-Processor’s operations to verify compliance with these requirements. You may also request copies of the data protection terms BrainPayroll has in place with any Sub-Processor or Affiliate involved in providing the Services. BrainPayroll remains responsible at all times for such Sub-Processors’ and Affiliates’ compliance with the requirements of the Agreement, this DPA and Applicable Data Protection Laws.

7. International Transfer of Personal Data

Depending upon the Services, You and BrainPayroll may agree upon the location for storage of Personal Data. Notwithstanding the foregoing, BrainPayroll may transfer Personal Data to India and/or to other third countries as necessary to perform the Services, and you appoint BrainPayroll to perform any such transfer in order to process Personal Data as necessary to provide the Services. BrainPayroll will follow the requirements of this DPA regardless of where such Personal Data is stored or Processed.

Where the Processing involves the international transfer of Personal Data under other Applicable Data Protection Laws to BrainPayroll, Affiliates or Sub-Processors, such transfers are subject to the data protection terms specified in this DPA and Applicable Data Protection Laws.

We consider pseudonymisation to be a valid safeguard for international transfers but only to the extent the following conditions are met:

  • A data exporter transfers personal data processed in such a manner that the personal data can no longer be attributed to a specific data subject, nor be used to single out the data subject in a larger group without the use of additional information,
  • That additional information is held exclusively by the data exporter and kept separately in a Member State or in a third country, by an entity trusted by the exporter in the EEA or under a jurisdiction offering an essentially equivalent level of protection to that guaranteed within the EEA,
  • Disclosure or unauthorised use of that additional information is prevented by appropriate technical and organisational safeguards, and it is ensured that the data exporter retains sole control of the algorithm or repository that enables re-identification using the additional information, and
  • The controller has established by means of a thorough analysis of the data in question - taking into account any information that the public authorities of the recipient country may be expected to possess and use - that the pseudonymised personal data cannot be attributed to an identified or identifiable natural person even if cross-referenced with such information.

8. Requests from Data Subjects

BrainPayroll will make available to You the Personal Data of Your Data Subjects and the ability to fulfill requests by Data Subjects to exercise one or more of their rights under Applicable Data Protection Laws in a manner consistent with BrainPayroll’s role as a Data Processor. BrainPayroll will provide reasonable assistance with Your response.

If BrainPayroll receives a request directly from Your Data Subject to exercise one or more of their rights under Applicable Data Protection Laws, BrainPayroll will direct the Data Subject to You unless prohibited by law.

9. Security

BrainPayroll shall implement and maintain appropriate administrative, technical, and organizational practices designed to protect Personal Data against any misuse or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. BrainPayroll seeks to continually strengthen and improve its security practices, and so reserves the right to modify the controls described herein. Any modifications will not diminish the level of security during the relevant term of Services.

BrainPayroll employees are bound by appropriate confidentiality agreements and required to take regular data protection trainings as well as comply with BrainPayroll corporate privacy and security policies and procedures.

10. Personal Data Breach

BrainPayroll shall notify You without undue delay after becoming aware of a Personal Data Breach involving Personal Data in BrainPayroll’s possession, custody or control. Such notification shall at least: (i) describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Your Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) provide the name and contact details of the data protection officer or other contact where more information can be obtained; and (iii) describe the measures taken or proposed to be taken to address the Personal Data Breach including, where appropriate, measures to mitigate its possible adverse effects. You will coordinate with BrainPayroll on the content of any public statements or required notices to individuals and/or Supervisory Authorities.

11. Your Instructions and Providing Information & Assistance

You may provide additional instructions to BrainPayroll related to the Processing of Personal Data that are necessary for You and BrainPayroll to comply with our respective obligations under Applicable Data Protection Laws as a Data Controller and Data Processor. BrainPayroll will comply with Your instructions at no additional charge, provided that in the event that Your instructions impose costs on BrainPayroll beyond those included in the scope of Services under the Agreement, the parties agree to negotiate in good faith to determine the additional costs. BrainPayroll will promptly inform You if it believes that Your instructions are not consistent with Applicable Data Protection Laws, provided that BrainPayroll shall not be obligated to independently inspect or verify Your Processing of Personal Data.

BrainPayroll will provide You with information reasonably necessary to assist You in enabling Your compliance with Your obligations under Applicable Data Protection Laws, including without limitation BrainPayroll’s obligations under the EU General Data Protection Regulation to implement appropriate data security measures, carry out a data protection impact assessment and consult the competent Supervisory Authority (taking into account the nature of Processing and the information available to BrainPayroll), and as further specified in this DPA.

12. Return and Deletion of Personal Data

BrainPayroll will provide an opportunity for You to retrieve all Personal Data after the end of the provision of Services and delete existing copies. With respect to cloud services, you shall have thirty (30) calendar days to download Your Personal Data after termination of the Agreement. In the event You do not contact BrainPayroll technical support for this purpose within 30 calendar days after the end of the provision of Services, BrainPayroll shall delete Your Personal Data promptly once that Personal Data is no longer accessible by You, except for (i) back-ups deleted in the ordinary course, and (ii) retention as required by applicable law. In the event of either (i) or (ii), BrainPayroll will continue to comply with the relevant provisions of this DPA until such data has been deleted.

13. Audit

In the event the information you request of BrainPayroll under Section 11 above does not satisfy your obligations under Applicable Data Protection Laws, You may carry out an audit of BrainPayroll’s Processing of Your Personal Data up to one time per year or as otherwise required by Applicable Data Protection Laws. To request an audit, you must provide BrainPayroll with a proposed detailed audit plan three weeks in advance, and BrainPayroll will work with you in good faith to agree on a final written plan. Any such audit shall be conducted at Your own expense, during normal business hours, without disruption to BrainPayroll’s business, and in accordance with BrainPayroll’s security rules and requirements. Prior to any audit, BrainPayroll undertakes to provide You reasonably requested information and associated evidence to satisfy Your audit obligations, and You undertake to review this information prior to undertaking any independent audit. If any of the requested scope of the audit is covered by an audit report issued to BrainPayroll by a qualified third-party auditor within the prior twelve months, then the parties agree that the scope of Your audit will be reduced accordingly.

You may use a third-party auditor with BrainPayroll’s agreement, which will not be unreasonably withheld. Prior to any third-party audit, such auditor shall be required to execute an appropriate confidentiality agreement with BrainPayroll. If the third party is Your Supervisory Authority and applicable law enables it to audit BrainPayroll directly, BrainPayroll will cooperate with and provide reasonable assistance to the Supervisory Authority in accordance with Applicable Data Protection Laws.

You will provide BrainPayroll with a copy of any final report unless prohibited by Applicable Data Protection Laws, will treat the findings as Confidential Information in accordance with the terms of the Agreement (or Confidentiality agreement entered into between You and BrainPayroll), and use it solely for the purpose of assessing BrainPayroll’s compliance with the terms of the Agreement, this DPA, and Applicable Data Protection Laws.

14. Data Protection Officer

You may contact the BrainPayroll global Data Protection Officer at dataofficer@brainpayroll.co.uk. If you have appointed a Data Protection Officer, you may include their contact information in your order for Services.

15. Term

This Agreement becomes effective upon your purchase of the Services.

© Brain Payroll UK Limited 2022. All Rights Reserved.