This GDPR Data Processing Addendum ("DPA") is effective as of the Effective Date and forms part of the Agreement between Technology Optimisation Consultants, Ltd. and its affiliates ("Optimize") and the entity entering the Agreement as a customer of Optimize's Services ("Customer").

This DPA is supplemental to the Agreement and sets out the roles and obligations that apply when Optimize processes Personal Data falling within the scope of the GDPR on behalf of Customer in the course of providing the Optimize Services.

All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.


1. Definitions

1.1 For the purposes of this DPA:


2. Applicability of DPA

2.1 Applicability. This DPA will apply from the Effective Date onwards and to the extent that Optimize processes Personal Data falling within the scope of the GDPR on behalf of Customer in the course of providing the Optimize Services.


3. Roles and Responsibilities

3.1 Roles of the Parties. As between Optimize and Customer, Customer is the Data Controller of the Personal Data that is provided to Optimize for processing under the Agreement and as described in Annex A and Optimize shall process the Personal Data as a Data Processor on behalf of Customer.

3.2 Customer Processing of Personal Data. Customer shall be responsible for:

3.3 Optimize's processing of Personal Data. Optimize shall process the Personal Data only for the purposes described in the Agreement and in accordance with the lawful, documented instructions of Customer (including the instructions of any users accessing the Optimize Services on Customer's behalf) as set out in the Agreement, this DPA or otherwise in writing.


4. Security

4.1 Security. Optimize shall implement appropriate technical and organisational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (a "Security Incident").

4.2 Confidentiality obligations. Optimize shall ensure that any personnel that it authorizes to process the Personal Data shall be subject to a duty of confidentiality.

4.3 Security Incidents. Upon becoming aware of a Security Incident, Optimize shall notify Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfill any data breach reporting obligations it may have under the GDPR.


5. Sub-processing

5.1 Sub-processors. Customer agrees that Optimize may engage Optimize affiliates and third party sub-processors ("Sub-processors") to process Personal Data on Optimize's behalf provided that:

5.2 Objection to Sub-processors. Customer may object prior to Optimize's appointment or replacement of a Sub-processor provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall cooperate in good faith to reach a resolution and if such resolution cannot be reached, then Optimize, at its discretion, will either not appoint or replace the Sub-processor or will permit Customer to suspend or terminate the affected Optimize Service (without prejudice to any fees incurred by Customer prior to suspension or termination).


6. International Transfers

6.1 Privacy Shield. The parties acknowledge that Optimize is self-certified to the Privacy Shield framework. To the extent that Optimize processes (or causes to be processed) any Personal Data originating from the EEA in a country that has not been designated by the European Commission as providing an adequate level of data protection, such Personal Data shall be deemed to have appropriate safeguards (within the meaning of the GDPR) by virtue of Optimize having self-certified its compliance with the Privacy Shield. To the extent that Optimize processes such Personal Data outside of the EEA, it shall agree to adhere to the Privacy Shield Principles. Where the parties have previously entered into the standard contractual clauses to enable the transfer of Personal Data outside of the EEA, such clauses shall be null and void as of the date of the execution of this DPA.


7. Cooperation

7.1 Data subject rights. Optimize shall provide reasonable assistance to Customer, insofar as this is possible and at Customer's expense, to enable Customer to respond to requests from data subjects seeking to exercise their rights under the GDPR. In the event such request is made directly to Optimize, Optimize shall promptly inform Customer of the same.

7.2 Data protection impact assessments. Optimize shall, taking into account the nature of the processing and the information available to it, provide reasonable assistance needed to fulfil Customer's obligation under the GDPR to carry out data protection impact assessments and prior consultations with supervisory authorities.

7.3 Security reports and provision of information. Customer acknowledges that Optimize will be assessed against industry security frameworks or standards, including, but not limited to, ISO 27001 and SOC II standards. Upon request, Optimize shall provide a summary copy of its most recent certified audit report(s) to Customer, which reports shall be subject to Optimize's confidentiality terms.


8. Return/Deletion of Data

8.1 Return or deletion of Personal Data. Upon request by Customer at the termination of the Agreement, Optimize shall delete or return to Customer the Personal Data (including copies) in Optimize's possession. This requirement shall not apply to the extent that Optimize is required by applicable law to retain some or all of the Personal Data or to Personal Data archived on backup systems.


9. Miscellaneous

9.1 Except as amended by this DPA, the Agreement will remain in full force and effect.

9.2 Any claims brought under this DPA shall be subject to the Agreement, including but not limited to the exclusions and limitations of liability set forth in the Agreement.

9.3 If there is a conflict between this DPA and the Agreement, the DPA will control.

9.4 This DPA shall only become legally binding between Customer and Optimize when the steps set out in the section "How to Execute this DPA" above have been fully completed.

9.5 This DPA shall be governed by, and construed in accordance with, the laws of Ireland and the courts of Dublin, Ireland shall have exclusive jurisdiction to hear any dispute or other issue arising out of, or in connection with, this DPA, except where otherwise required by Applicable Data Protection Law.

By virtue of acceptance of the Terms of Service, the parties' authorized signatories have duly executed this DPA.


ANNEX A - DETAILS OF THE PROCESSING


Description of Customer

Customer is the legal entity that has executed the Agreement with Optimize for the provision of Optimize's Services.


Nature of Services provided by Optimize

Optimization Toolkit provides a knowledge-based set of integrated modules designed for users to optimize various aspects of organisation performance.


Type(s) of Personal Data processed

User name, email and phone contact information. Although this is intended to be business information and not Personal Data, it is recognised that some of this data is still sensitive.


Special categories of data (if applicable)

Customer does not intentionally collect or transfer any sensitive personal data in relation to these data subjects.


Categories of Data Subjects

The personal data processed concern Optimization Toolkit users (typically employees of Customer) who interact with the platform.


Nature of Processing Operations

The personal data will be subject to the following basic processing activities: