Terms not defined herein have the meanings set forth in the Agreement. The following words in this Schedule have the following meanings:

“Agreement” means the Reseller Program Terms.

“Controller” means a legal entity that, alone or jointly with others, determines the purposes and means of the Processing of the Personal Data.

“GDPR” means the General Data Protection Regulation (EU) 2016/679.

“Model Clauses” means EU-approved standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as they may be amended or replaced from time to time.

“Personal Data” means any information relating to an identified or identifiable natural person which is processed by the Vendor in the performance of the Agreement.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data transmitted, stored or otherwise processed under this Schedule.

“Privacy Laws” means any data protection and privacy laws to which a party to this Agreement is subject and which are applicable to the performance of the Agreement, including, where applicable, GDPR.

“Processing” means any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means a legal entity that processes the Personal Data on behalf of the Controller.

“Subprocessor” means any Processor engaged by the Vendor for the performance of the Agreement.

Roles of the Parties. The Vendor may process the Personal Data under the Agreement as the Processor acting on behalf of the Reseller who acts as the Controller.

Instructions. The Vendor will process the Personal Data in accordance with the Reseller’s documented instructions. The Reseller agrees that this Schedule and the Agreement comprise the Reseller’s complete instructions to the Vendor regarding the Processing of the Personal Data. Any additional or alternate instructions must be agreed between the parties in writing, including the costs (if any) associated with complying with such instructions. The Vendor is not responsible for determining if the Reseller’s instructions are compliant with applicable law. However, if the Vendor is of the opinion that a Reseller instruction infringes applicable Privacy Laws, the Vendor shall notify the Reseller as soon as reasonably practicable and shall not be required to comply with such infringing instruction.

Details of the Processing. Details of the subject matter of the Processing, its duration, nature, and purpose, and the type of the Personal Data and data subjects are set out in Annex 1 to this Schedule.

Compliance. The Reseller and the Vendor agree to comply with their respective obligations under Privacy Laws applicable to the Personal Data that is processed in connection with the Agreement. The Reseller has sole responsibility for complying with Privacy Laws regarding the lawfulness of the Processing of the Personal Data prior to disclosing, transferring, or otherwise making available, any Personal Data to the Vendor.

Use of Subprocessors. The Reseller agrees that the Vendor may appoint and use Subprocessors to process the Personal Data in connection with the Agreement provided that the Vendor makes sure that at least equivalent data protection obligations, as set out in this Schedule, are imposed on all Subprocessors, by way of a contract or another legal act, in particular providing sufficient guarantees to implement appropriate technical and organizational measures. The Subprocessors may include third parties or any of Vendor affiliates. Where a Subprocessor fails to fulfil its data protection obligations as specified above, the Vendor shall be liable to the Reseller for the performance of the Subprocessor’s obligations.

List of Subprocessors. The Vendor will provide a list of Subprocessors that it engages to support the performance of the Reseller Program upon written request by the Reseller. The Vendor shall notify the Reseller of any changes to its list of Subprocessors. If the Reseller legitimately objects to the addition or removal of a Subprocessor on data protection grounds and the Vendor cannot reasonably accommodate the Reseller’s objection, the parties will discuss the Reseller’s concerns in good faith with a view to resolving the matter.

Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Vendor shall, in relation to the Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

The Vendor will notify the Reseller without undue delay after becoming aware of a Personal Data Breach in relation to the products or services provided by the Vendor under the Agreement and will use reasonable efforts to assist the Reseller in mitigating, where possible, the adverse effects of any Personal Data Breach.

The Vendor is authorized, in connection with the performance of the Reseller Program or in the normal course of business, to make worldwide transfers of the Personal Data to its affiliates and/or Subprocessors. If the Vendor transfers the Personal Data from a country within the European Economic Area to a country outside the European Economic Area, such transfers shall be subject to (i) the terms of the Model Clauses or (ii) other appropriate transfer mechanisms that provide an adequate level of protection in compliance with the Privacy Laws.

Upon termination of the Agreement (for any reason) or upon fulfillment of the purpose whereby no further Processing is required and if requested by the Reseller in writing, the Vendor shall, as soon as reasonably practicable, return or delete the Personal Data on Vendor systems unless applicable law requires storage of the Personal Data. The Vendor may defer the deletion of the Personal Data to the extent and for the duration that any Personal Data or copies thereof cannot reasonably and practically be expunged from the Vendor’s systems. For such retention, the provisions of this Schedule shall continue to apply to such Personal Data. The Vendor reserves the right to charge the Reseller for any reasonable costs and expenses incurred by the Vendor in deleting the Personal Data pursuant to this clause.

Data subject requests. The Vendor shall promptly inform the Reseller of any requests from natural persons exercising their data subject rights under Privacy Laws. The Reseller is responsible for responding to such requests. The Vendor will reasonably assist the Reseller to respond to data subject requests to the extent that the Reseller is unable to access the relevant Personal Data in the use of the Vendor products or services. To the extent permitted by applicable law, the Vendor reserves the right to charge the Reseller for such assistance if the cost of assisting exceeds a nominal amount.

Third-party requests. If the Vendor receives any requests from third parties or an order of any court, tribunal, regulator, or government agency with competent jurisdiction to which the Vendor is subject relating to the Processing of the Personal Data under the Agreement, the Vendor will promptly redirect the request to the Reseller. The Vendor will not respond to such requests without the Reseller’s prior authorization unless legally compelled to do so. The Vendor will, unless legally prohibited from doing so, inform the Reseller in advance of making any disclosure of the Personal Data and will reasonably cooperate with the Reseller to limit the scope of such disclosure to what is legally required.

Privacy impact assessment and prior consultation. To the extent required by Privacy Laws, the Vendor shall provide reasonable assistance to the Reseller to carry out a data protection impact assessment in relation to the Processing of the Personal Data undertaken by the Vendor and/or any required prior consultation(s) with supervisory authorities. To the extent permitted by applicable law, the Vendor reserves the right to charge the Reseller a reasonable fee for the provision of such assistance.

The Vendor shall, upon reasonable prior written request from the Reseller and subject to the confidentiality obligations set forth in the Agreement, provide to the Reseller such information as may be reasonably necessary to demonstrate compliance with the Vendor’s obligations under this Schedule and allow for and contribute to audits, including inspections, conducted by the Reseller or another auditor mandated by the Reseller.

This Schedule will be effective for as long as the Reseller participates in the Reseller Program and will automatically terminate upon the termination or expiration of the Agreement except as otherwise stated herein.

The Vendor’s liability under or in connection with this Schedule (including under the Model Clauses) is subject to the limitations on liability contained in the Agreement.

This Schedule and any dispute or claim arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the laws applicable to the Agreement of which this Schedule forms a part.

1. Subject matter and duration of the Processing

   The subject matter of the Processing shall be according to the Agreement. The Vendor will process the Personal Data for the duration of the Agreement or upon fulfillment of the purpose whereby no further Processing is required, unless otherwise agreed upon in writing or required/allowed by applicable law.

2. Nature and purpose of the Processing

   The Vendor will process the Personal Data for the purposes of providing the Vendor products or services to the Reseller in accordance with the Agreement.

3. Categories of data subjects

   Data relating to natural persons provided to the Vendor via the Reseller Program, by (or at the direction of) the Reseller. Such data may include, without limitation, the following categories of data subjects: End Users and the Reseller’s employees, agents, advisors, or representatives.

4. Types/categories of the Personal Data

   The types/categories of the Personal Data that may be submitted by the Reseller are:

   • Contact details: which may include a name, address, email address, job title, phone numbers, other contact details, and associated local time zone information.
   • Information about the End User’s purchases and activations of products: preference categories and other types of product preference-related information.
   • Information about browsers and devices: this information may include the IP address and other geolocation data, browser type and version, operating system and system language, referring website, time of access, and other data.
   • Other: any other Personal Data submitted by the Reseller to the Vendor as the Reseller’s Processor.
5. Contact details of the Vendor

   Movavi Software Limited

   Registered address: Office 201, 3 Krinou Street, Agios Athanasios Municipality, 4103 Limassol, Cyprus

   For data protection queries, you can contact us at partners@movavi.com.