Data Processing Addendum

The purpose of this Data Processing Addendum ("DPA") is to set out WIP Systems' obligations relating to the Personal Data processed by it in the provision of the Service to the Customer and is incorporated by reference into WIP Systems' Terms of Service or other agreement governing the use of WIP Systems' services ("Agreement") entered by and between the Customer and WIP Systems ("Processor"). Both parties shall be referred to as the "Parties" and each, a "Party".

By using the Services, Customer accepts this DPA and you represent and warrant that you have full authority to bind the Customer to this DPA. If you cannot, or do not agree to, comply with and be bound by this DPA, or do not have authority to bind the Customer or any other entity, please do not provide Personal Data to us.

In the event of any conflict between certain provisions of this DPA and the provisions of the Terms of Service, the provisions of this DPA shall prevail over the conflicting provisions of the Terms of Service, solely with respect to the Processing of Personal Data.

Table of Contents:
  • 01. Definitions
  • 02. Roles and Obligations
  • 03. Instructions
  • 04. Security and Audits
  • 05. Sub-processors and Personnel
  • 06. Data Subject Requests
  • 07. Overseas Transfers
  • 08. Data Incident Management and Notification
  • 09. Return and Deletion of Protected Data
  • 10. Liability
  • 11. Authorised Affiliates
  • Schedule 1. Data Processing Details
  • Schedule 2. Security Measures

01. Definitions

"Appropriate Safeguards" means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time including the EU SCCs and UK Addendums.

"Applicable Law" means as applicable and binding on Customer, WIP Systems and/or the Services:

  1. any law, statute, regulation, by-law or subordinate legislation in force from time to time to which a party is subject;
  2. any court order, judgment or decree; or
  3. any direction, policy, rule, or order that is made or given by any regulatory body having jurisdiction over a party.

"Authorised Affiliate" means any of Customer's Affiliate(s) which is explicitly permitted to use the Services pursuant to the Agreement between Customer and WIP Systems but has not signed its own agreement with WIP Systems and is not a "Customer" as defined under the Agreement.

"Controller" means the entity which determines the purposes and means of the Processing of Personal Data.

"Customer Content" means electronic files, logos, data and information uploaded under Customer's account to the Service, whether directly or through the application programming interface (API).

"Data Protection Laws" means

  1. the General Data Protection Regulation (EU) 2016/679 and any applicable national implementing laws as amended from time to time;
  2. the UK Data Protection Laws; and
  3. all laws about the processing of personal data and privacy applicable to the processing of Protected Data pursuant to this DPA.

"Data Subject" means the identified or identifiable person to whom Personal Data relates.

"Data Subject Request" means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws.

"EU SCCs" means Module 2 of the Controller to Processor Standard Contractual Clauses approved by the European Commission pursuant to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (as amended and updated from time to time).

"Personal Data" means any information relating to

  1. an identified or identifiable natural person; and
  2. an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws).

"Personal Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data.

"Processor" means the entity which Processes Personal Data on behalf of the Controller.

"Processing Instructions" has the meaning given to that term in clause 3.ii.

"Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (and related terms such as process have corresponding meanings).

"Protected Data" means Personal Data submitted to the Service (excluding any in Customer Content) or otherwise provided to WIP Systems by the Customer in pursuance of use of the Service by Customer.

"Standard Contractual Clauses" means (a) in respect of transfers of Personal Data subject to the GDPR, the Standard Contractual Clauses between controllers and processors, and between processors and processors as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including all Annexes I, II and V thereto, ("EU SCCs"); (b) in respect of transfers of Protected Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 (version B.1.0) ("IDTA"), as incorporated into the EU SCCs through Annex III thereto ("UK Addendum"); and (c) in respect of transfers subject to the Federal Act on Data Protection (as revised as of 25 September 2020), the terms set forth in Annex IV of the EU SCCs ("Switzerland Addendum").

"Sub-Processor" means another Processor engaged by WIP Systems for carrying out processing activities in respect of the Protected Data.

"UK Data Protection Laws" means the Data Protection Act 2018 and UK GDPR.

"UK GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

"UK Addendum" means the International Data Transfer Addendum issued by the Information Commissioner's Office under Section 119A of the Data Protection Act 2018, effective from 21 March 2022.

02. Roles and Obligations

The parties agree that, for the Protected Data, Customer shall be the Controller and WIP Systems shall be the Processor.

Processor shall process the Protected Data in compliance with:

  1. the obligations of Processors under Data Protection Laws; and
  2. the terms of this DPA.

Customer is required to ensure all Personal Data it provides to Processor for use in connection with the Service shall be collected and transferred to Processor or submitted to the Service in accordance with Data Protection Laws. For the avoidance of doubt, it shall be Customer's responsibility to:

  1. ensure the terms of use it supplies to the Data Subjects of the Protected Data comply with Data Protection Laws including in particular any fair processing information requirements relating to the processing of the Protected Data by Processor; and
  2. ensure it has a legal basis for the processing of the Protected Data by Processor.

03. Instructions

Customer as Controller is required, in its use of the Service, to Process Protected Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer's instructions for the Processing of Protected Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Protected Data and the means by which Customer acquired Personal Data.

Insofar as Processor processes Protected Data, Processor:

  1. shall (and shall ensure each person acting under its authority shall) process the Protected Data only on and in accordance with Customer's documented instructions from time to time and in accordance with Schedule 1 (Data Processing Particulars), as updated from time to time ("Processing Instructions"); and
  2. shall inform Customer if Processor is aware of a Processing Instruction that, in its opinion, infringes Data Protection Laws.

04. Security and Audits

4.1 Controls for the Protection of Protected Data.

Processor shall maintain appropriate industry-standard technical and organizational measures for protection of Personal Data Processed hereunder (including measures against unauthorised or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorised disclosure of, or access to, Protected Data, confidentiality and integrity of Personal Data). Upon Customer's reasonable request, Processor will reasonably assist Customer, at Customer's cost, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the Processing and the information available to Processor.

4.2 Audits and Inspections.

Upon Customer's 30 days prior written request at reasonable intervals (but no more than once every 12 months), and subject to strict confidentiality undertakings by Customer, Processor shall make available to Customer that is not a competitor of Processor (or Customer's independent, reputable, third-party auditor that is not a competitor of Processor and not in conflict with Processor, subject to their confidentiality and non-compete undertakings) information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by them. Processor may satisfy its obligations under this section by answering Customer's questionnaire-based audits and/or by providing Customer with attestations, certifications and summaries of audit reports conducted by accredited third party auditors solely related to Processor's compliance with this DPA. Any information relating to audits, inspections and the results therefrom, including the documents reflecting the outcome thereof, shall only be used by Customer to assess Processor's compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Processor's prior written approval. Upon Processor's first request, Customer shall transfer to Processor all records or documentation that was provided by Processor or collected and/or generated by Customer (or each of its mandated auditors) in the context of the audit and/or the inspection.

4.3 Audit Conduct.

In the event of an audit or inspections as set forth above, Customer shall ensure that it (and each of its mandated auditors) will not cause (or, if it cannot avoid, minimise) any damage, injury or disruption to Processor's operations, premises, equipment, personnel and business, as applicable, while conducting such audit or inspection.

4.4 Audit Rights.

The audit rights set forth in 4.2 above, shall only apply to the extent that the Agreement does not otherwise provide Customer with audit rights that meet the relevant requirements of Data Protection Laws (including, where applicable, article 28(3)(h) of the GDPR or the UK GDPR). If and to the extent that the Standard Contractual Clauses apply, nothing in this Section 4 varies or modifies the Standard Contractual Clauses nor affects any Supervisory Authority's or Data Subject's rights under the Standard Contractual Clauses.

05. Sub-processors and Personnel

5.1 Sub-processors.

Processor has appointed Sub-processor(s) under a written contract containing materially equivalent obligations to those in this Data Processing Addendum. A list of current Sub-processors can be found in our Privacy Policy.

5.2 Personnel.

Processor shall ensure that all of its personnel and contractors processing Protected Data are subject to a binding written contractual obligation with Processor or are under professional obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Processor shall, where practicable and not prohibited by Applicable Law, notify Customer of any such requirement before such disclosure). Processor is responsible for the acts, omissions, willful misconduct or negligence of sub-processors, staff and agents to include employees, contractors and temporary staff.

5.3 Notification and Objection to New Sub-processors.

Processor may change Sub-processor(s) from time to time. It is the responsibility of Customer to regularly check the list of Sub-processors published in our Privacy Policy for changes. The Customer has twenty days (from date of the change in Sub-processor) to object to the change in Sub-processor on reasonable and objectively justifiable grounds. If Customer objects to the change in Sub-processor, Processor will use reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable change to Customer's configuration or use of the Service to avoid Processing of the Protected Data by the objected to new Sub-processor. If Processor is unable to make available such change within a reasonable period of time, Customer may, by written notice, terminate the Service which cannot be provided by Processor without the use of the objected to new Sub-processor. Processor will provide a refund of any prepaid fees covering the remainder of the term of such Service following the effective date of termination with respect to such terminated Service.

06. Data Subject Requests

If Processor receives a request from a Data Subject or Consumer to exercise their rights (to the extent available to them under applicable Data Protection Laws), including of access, rectification, restriction of Processing, erasure, data portability, objection to the Processing, not to be subject to automated individual decision making, to opt-out of the sale of Personal Information, or not to be discriminated against ("Data Subject Request"), Processor shall notify Customer or refer Data Subject or Consumer to Customer. Taking into account the nature of the Processing, Processor shall assist Customer, insofar as this is possible and reasonable, to enable Customer to respond to a Data Subject Request. Processor may refer Data Subjects or Consumers to the Customer for the treatment of such request or advise them on using the self-exercising features available within the Service.

07. Overseas Transfers

To the extent required under Data Protection Laws, Processor shall ensure that any transfers (and any onward transfers) of Protected Data under this DPA from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws of the foregoing territories (Third Countries), are effected by way of Appropriate Safeguards.

Where Processor processes Protected Data in non-EEA/UK countries, Processor shall comply with the EU SCCs which shall be entered into and incorporated into this DPA by this reference and completed as follows:

  1. Module 2 (Controller to Processor) will apply where Customer is a controller of Protected Data and Processor is a processor of Protected Data; Module 3 (Processor to Processor) will apply where Customer is a processor of Protected Data and Processor is a processor of Protected Data. For each Module, where applicable:
  2. in Clause 7, the optional docking clause will apply;
  3. in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 5 of this DPA;
  4. in Clause 11, the optional language will not apply;
  5. in Clause 12, any claims brought under the EU SCCs shall be subject to the terms and conditions set forth in the Terms of Service. In no event shall any party limit its liability with respect to any data subject rights under the EU SCCs.
  6. in Clause 17, Option 1 will apply, will be governed by Australian law;
  7. in Clause 18(b), disputes shall be resolved before the courts of Melbourne, Victoria, Australia;
  8. Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule I to this DPA; and
  9. Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule II to this DPA.

Nothing in the interpretations in this Section 7 is intended to conflict with either Party's rights or responsibilities under the EU SCCs or UK Addendum and, in the event of any such conflict, the EU SCCs or the EU SCCs with UK Addendum (as applicable) shall prevail.

To the extent any export from or processing of Protected Data outside the United Kingdom is subject to UK Data Protection Laws, then Processor shall comply with the EU SCCs and the UK Addendum which shall be entered into and incorporated into this DPA by this reference. The EU SCCs shall be completed as set out above in Section 7b (i)-(ix) of this DPA and shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Protected Data. Tables 1-3 of Part One of the UK Addendum shall be deemed completed with the information set out in Schedule I and Schedule II to this DPA. For the purposes of Table 4 of Part One of the UK Addendum, Processor may end the UK Addendum when it changes. If neither the EU SCCs nor the UK Addendum with EU SCCs applies, then the Parties shall cooperate in good faith to implement appropriate safeguards for transfers of such Protected Data as required or permitted by the UK Data Protection Laws without undue delay.

08. Data Incident Management and Notification

In respect of any Personal Data Breach involving Protected Data, Processor shall without undue delay and in any event within 48 hours of becoming aware of the Personal Data Breach:

  1. notify Customer of the Personal Data Breach; and
  2. so far as possible without prejudicing the continued security of the Protected Data or any investigation into the Personal Data Breach, provide Customer with details of the Personal Data Breach.

09. Return and Deletion of Protected Data

Customer may extract the Protected Data via the Service prior to termination.

Upon termination Processor will destroy any Protected Data remaining on the Service.

If after termination continued storage by Processor of any Protected Data is required by Applicable Law, Processor shall inform Customer of any such requirement and the period during which it is required to be stored. Processor shall not process such Protected Data except to the extent required by Applicable Law. Such Protected Data shall remain subject to the terms of this DPA.

10. Liability

If a party receives a compensation claim from a person (including but not limited to a Data Subject) relating to processing of Protected Data processed by Processor under the Contract, it shall promptly provide the other party with notice and full details of such claim. Customer shall make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of Processor.

This clause 10 does not affect the liability of Processor to any Data Subject or Supervisory Authority pursuant to a claim made directly against Processor by either of them.

As between Processor and Customer liability for all loss, damage, claims, fines or penalties ("Losses") arising out of any breach of this DPA including for any Losses arising out of a Personal Data Breach, shall be governed by the limitations of liability and remedies for loss of data as set out in the Agreement.

11. Authorised Affiliates

The Parties acknowledge and agree that, by executing this DPA, Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorised Affiliates, in which case each Authorised Affiliate agrees to be bound by the Customer's obligations under this DPA, if and to the extent that Processor Processes Personal Data on the behalf of such Authorised Affiliates, thus qualifying them as the "Controller" with respect to the Personal Data Processed on their behalf. All access to and use of the Services by Authorised Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorised Affiliate shall be deemed a violation by Customer.

11.2 Communication.

Customer shall remain responsible for coordinating all communication with Processor under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorised Affiliates.

Schedule 1. Data Processing Details

Nature and Purpose of Processing

1. Providing the Services to Customer;

2. Performing the Agreement, this DPA and/or other contracts executed by and between the Parties;

3. Acting upon Customer's instructions, where such instructions are consistent with the terms of the Agreement;

4. Sharing Personal Data with third parties in accordance with Customer's instructions and/or pursuant to Customer's use of the Services (e.g., integrations between the Services and any services provided by third parties, as configured by or on behalf of Customer to facilitate the sharing of Personal Data between the Services and such third party services);

5. Rendering Personal Data to be Anonymous Information;

6. Complying with applicable laws and regulations;

7. All tasks related to any of the above.

Type of Personal Data

Customer may submit Personal Data to the Services, the type and extent of which is determined and controlled by Customer in its sole discretion.

Duration of Processing

Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Processor will Process Personal Data for the duration of the Agreement and provision of the Services thereunder, unless otherwise agreed upon in writing.

Categories of Data Subjects

The Categories of Data Subjects relating to the Personal Data that will be processed by Processor are dependent on the Customer, and may include, but are not limited to, any of the following categories:

1. Employees, agents, advisors, freelancers of Customer (who are natural persons)

2. Prospects, customers, business partners and vendors of Customer (who are natural persons)

3. Employees or contact persons of Customer's prospects, customers, business partners and vendors

4. Any other third party individual whose Personal Data is Processed by the Services.

Schedule 2. Security Measures

Details of the security measures can be found here: Security.