This DPA applies where, and to the extent that, KTern.AI processes Personal Data on behalf of Customer when providing Services under the Agreement. The parties agree that this DPA shall replace any existing DPA or other data protection provisions the parties may have previously entered into in connection with the Services (as defined in the Agreement). Any capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

Customer and KTern.AI each act as an independent Controller of Participant Data. Each party represents and warrants that it has provided any necessary notices and if required, obtained any necessary consents related to the collection of such personal data and, as applicable, it has the right to share such personal data with the other party. In all other circumstances, the Customer is the Controller of Customer Data and KTern.AI is the Processor.

The parties have entered into an agreement for KTern.AI and, where applicable, its Affiliates to provide certain services to the Customer (the “Main Agreement”). This data processing agreement (the “DPA”) sets forth the terms on which the parties will collect and process personal data in connection with the Service and is hereby incorporated into the Main Agreement by reference.

This DPA describes the commitments of KTern.AI and Customer concerning the processing of personal data in connection with the provision of the Services contemplated by the Main Agreement.

This DPA will always apply to the processing of personal data under the Main Agreement and takes effect from the date of the Main Agreement.

The below sets out the subject matter, nature, and purpose, duration of the processing, the type(s) of personal data being processed, and the categories of data subjects that may be processed depending on the nature of the Services and role of each of KTern.AI and Customer:

Data Processing Details

Subject-matter

Processing of data related to the Services as described in the Main Agreement.

Nature and purpose

Processing data for the purpose of managing access to KTern.AI's platform and associated web-based live streaming by Customers and end-users to provide the Services contemplated by the Main Agreement.

Duration and Frequency

Term of the Main Agreement or for as long as KTern.AI is permitted or required to retain the personal data. Data will be transferred continuously where necessary to provide the Services to the Customer.

Types of personal data

“User Data” is data provided by end-users when they create a KTern.AI account to attend an event on the KTern.AI Service including (a) image; (b) contact details and address; (c) first and last name; (d) alias; on the KTern.AI Service.

“System Data” is data provided by end-users when they create an SAP system information in Landscape Management to connect the respective system with the KTern.AI Service including (a) SAP System ID; (b) Application Server; (c) Instance ID; (d) Client ID; on the KTern.AI Service.

“Affiliates” means any entity which directly or indirectly controls, is controlled by or is under common control with the subject entity.

“Applicable Laws” means all applicable data protection and privacy legislation in force from time to time which apply to a Party relating to the use of personal data, including the Data Protection Legislation and the California Consumer Privacy Act of 2018 (AB 375) (CCPA).

“Customer Data” means User Data and System Data.

“KTern.AI Service” means the KTern.AI DXaaS technology platform and services.

1. Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Customer Data to KTern.AI and/or lawful collection or processing of Customer Data by KTern.AI on behalf of Customer for the duration and purposes of this DPA. The customer will not instruct KTern.AI to process any personal data, including Customer Data, in violation of Data Protection Legislation.

2. Customer is responsible for the lawfulness of the processing of Customer Data. If a data subject, regulator, or other third party asserts a claim or brings regulatory action against KTern.AI based on the unlawfulness of processing Customer Data, Customer shall indemnify KTern.AI, its directors, agents, and officers, against any and all costs, expenses, and damages that KTern.AI suffers as a result.

KTern.AI shall, in relation to any personal data processed in connection with the performance by KTern.AI of its obligations under this DPA:

1. process Customer Data only on the documented written instructions of Customer, which include this DPA and the Main Agreement, unless KTern.AI is required by Applicable Laws to otherwise process Customer Data. Without limiting the foregoing, where KTern.AI is relying on Applicable Laws as the basis for processing Customer Data, KTern.AI shall promptly notify Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit KTern.AI from so notifying Customer;

2. ensure that it has in place appropriate technical and organizational measures provided in https://ktern.com/trust-center/security (the “Security Measures”), to protect against unauthorized or unlawful processing of Customer Data and against accidental loss or destruction of, or damage to, Customer Data, appropriate to: the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage of the data; and the nature of the data to be protected, in all cases having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymizing and encrypting Customer Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it);

3. ensure that all personnel who have access to and/or process Customer Data are obliged to keep Customer Data confidential;

4. assist Customer, at the Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators;

5. notify the Customer without undue delay, and where practicable, within 48 hours, on becoming aware of a personal data breach of Customer Data;

6. at the written direction of the Customer, delete or return Customer Data and copies thereof to the Data Controller on termination of the DPA unless required by Applicable Law to store the Customer Data;

7. maintain complete and accurate records and information to demonstrate its compliance with this DPA and provide the Customer with appropriate evidence at the latter’s reasonable request;

8. allow for audits by the Customer’s designated auditor to be agreed with KTern.AI in advance, only so far as is necessary in order to demonstrate compliance, provided that: the Customer provides KTern.AI with no less than 30 days’ notice of such audit or inspection; is conducted at Customer’s sole expense; and the parties agree to the scope, duration, and purpose of such audit or inspection in advance, including reasonable reimbursement of KTern.AI for time expended by KTern.AI or its sub-processors. The customer’s designated auditor shall conduct its audit in a manner that will result in minimal disruption to KTern.AI's business operations and shall not be entitled to receive or obtain access to any system that also stores the data or information of other clients or customers of KTern.AI or any other confidential information of KTern.AI that is not directly relevant for the authorized purposes of the audit. If the Customer becomes privy to any confidential information of KTern.AI as a result of this Section.

9. the Customer shall hold such confidential information in confidence and, unless required by law, not make the confidential information available to any third party, or use it for any other purpose. The Customer acknowledges that KTern.AI shall only be required to use reasonable endeavors to assist the Customer in procuring access to any third-party assets, records, or information as part of any audit; and

10. inform the Customer immediately if, in KTern.AI’s opinion, an instruction from the Customer infringes (or, if acted upon, might cause an infringement of) Data Protection Legislation.