To execute the Subscription, PARANOIHACK (hereinafter referred to as "the Subprocessor") will process personal data based on the purposes and means determined by the Client (hereinafter referred to as "the Data Controller") and therefore acts as a personal data subprocessor.
This Annex defines the conditions under which the Subprocessor will carry out the Personal Data Processing operations on behalf of the Data Controller as part of providing the Solution.
For the purposes of interpreting this Annex, it is specified that all terms used with a capital letter have the meaning assigned to them in this Annex, or if not defined herein, as per the definitions contained in the GTC to which this Annex is attached.
Personal Data: refers to any information relating to an identified or identifiable individual processed by the Subprocessor on behalf of the Data Controller as part of the obligations under the Subscription.
Processing: refers to any operation or set of operations defined as processing under the applicable Regulation, carried out by the Subprocessor on the Personal Data.
Regulation: refers to data protection regulations applicable to the concerned Party. It is specified that the Subprocessor is an entity subject to Swiss law, and therefore governed by Swiss Regulation, including the Federal Data Protection Act (nLPD) of September 25, 2020, and its implementing Ordinance (OLPD/DPO), to the exclusion of any other legal regimes, except as otherwise imperatively stipulated.
As part of the Subscription, the Subprocessor must process Personal Data on behalf of the Data Controller necessary for executing the Subscription and providing the Services.
The Processing modalities are defined as follows:
| Processing element | Description |
|---|---|
| Nature of Processing Operations on Personal Data | Consultation, recording, organization, structuring, storage, adaptation or modification, extraction, use, making available, transformation, enrichment, analysis, import, transfer, display, interconnection, deletion |
| Purpose of Processing | Providing Services related to making the Solution available |
| Type of Personal Data Processed | Any type of Personal Data necessary for making the Solution available and providing Associated Services, including user identification data and log data |
| Category of Data Subjects | Solution users |
| Processing Duration | Duration of the Subscription |
3.1 The Subprocessor commits to:
Process Personal Data strictly in accordance with the documented instructions of the Data Controller, unless required to do so under the Regulation applicable to the Subprocessor;
Execute the instructions of the Data Controller, provided these do not exceed the scope of the Subscription, do not create obligations beyond those specified in the Subscription, and are lawful.
If the Subprocessor considers that an instruction from the Data Controller constitutes a violation of the Regulation applicable to the Subprocessor or any other data protection-related provision, (i) the Subprocessor will immediately notify the Data Controller, and (ii) may refuse to follow such instructions without incurring liability. The same applies if the Data Controller's instructions exceed the scope of the Subscription and would extend the Subprocessor's obligations under the Subscription.
If the Subprocessor is compelled to process Personal Data under a mandatory provision of the Regulation to which it is subject, the Subprocessor shall inform the Data Controller of this legal obligation before processing the Personal Data, unless the applicable law prohibits such notification. The Data Controller may not object to this Personal Data processing.
3.2 The Subprocessor also commits to ensuring that individuals authorized to process Personal Data under the Subscription and this Annex are bound to confidentiality, either by legal or contractual obligation.
3.3 The Subprocessor will assist, when applicable, the Data Controller in conducting data protection impact assessments the Data Controller decides to carry out, as well as with any prior consultation with the data protection authority following the completion of such an impact assessment. Assistance from the Subprocessor must be requested by the Data Controller sufficiently in advance and will incur additional charges.
3.4 Additional Subprocessing
The Data Controller grants a general authorization to the Subprocessor to use additional subprocessors. The list of subprocessors as of the Subscription start date is accessible at the following link: https://cxtunemaster.com/subprocessors.html.
The Subprocessor commits to keeping this list updated and notifying the Data Controller of any planned changes concerning the addition or replacement of subprocessors, thereby allowing the Data Controller to be informed of such changes and to object if necessary.
The Data Controller agrees to consult the said list regularly.
The Data Controller has a one-month period from the date of the update to submit written objections to the Subprocessor.
The Data Controller acknowledges and agrees that failure to object within this period constitutes acceptance of the additional subprocessor. In case of objection, the Subprocessor may provide any necessary response to the Data Controller. If the Data Controller maintains objections that are reasonable and justified, the Parties commit to meeting and negotiating in good faith to determine how to continue their relationship.
When the Subprocessor uses an additional subprocessor to carry out specific processing activities (on behalf of the Data Controller), it does so under a contract or other legal act that imposes similar data protection obligations on the additional subprocessor as those imposed on the Subprocessor under this Annex.
The Subprocessor remains fully liable to the Data Controller for the performance of the additional subprocessor's obligations in terms of personal data protection, under the contract or other legal act to which the additional subprocessor is subject.
3.5 Transfer of Personal Data
The Subprocessor is located in Switzerland. It is noted that Switzerland is recognized by the European Commission as a country ensuring an adequate level of protection under Article 45 of Regulation (EU) 2016/679 (GDPR).
The Subprocessor commits to ensuring that, throughout the Subscription duration, Personal Data is preferably hosted and processed in Switzerland, the European Union, in the European Economic Area (hereinafter referred to as "EEA"), or in any country providing an adequate level of protection for the rights and freedoms of data subjects concerning the Processing of Personal Data, as determined by the FDPIC.
The Data Controller authorizes the Subprocessor to transfer Personal Data outside the European Union to a country that does not provide an adequate level of protection according to the GDPR or the FADP, provided that the Subprocessor implements the appropriate safeguards specified by the FADP, such as the EU Standard Contractual Clauses (SCC) adapted to Swiss law or any other instrument approved by the FDPIC.
3.6 Right to Information of Data Subjects
The Data Controller is responsible for providing the information required by the Regulation to data subjects regarding the Processing operations.
3.7 Data Subjects' Rights
As the Data Controller, the Client remains responsible for responding to requests from data subjects exercising their rights, and the Subprocessor commits not to respond to such requests.
If data subjects submit requests to the Subprocessor to exercise their rights, the Subprocessor must forward these requests to the Data Controller after acknowledging them.
Unless expressly instructed otherwise by the Data Controller and subject to additional charges, the Subprocessor will neither respond to nor process the data subjects’ requests directly.
3.8 Notification of Personal Data Breaches
A Personal Data Breach is defined as a breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
The Subprocessor shall notify the Data Controller of any Personal Data Breach as soon as it becomes aware of it.
The Data Controller may request the Subprocessor to include any useful documentation in its possession with this notification, to enable the Data Controller, if necessary, to report the breach to the competent supervisory authority as required under the Regulation. The Data Controller must be as precise as possible in formulating its requests. This communication may take place in stages.
Only the Data Controller may notify the competent supervisory authority of the Personal Data Breach and communicate information about this breach to the data subjects.
Any assistance requested by the Data Controller from the Subprocessor in this context will be subject to additional charges.
3.9 Security Measures
The Subprocessor implements the technical and organizational measures required under Article 8 of the FADP and described in the Subscription, noting that these measures may be updated during the execution of the Subscription.
In the event of changes to the means ensuring the security of Personal Data Processing, the Subprocessor will endeavor to replace them with means achieving performance standards at least in line with recommendations of the Swiss Federal Council.
The Data Controller is reminded that it is the Data Controller's responsibility to take all necessary precautions to safeguard against the risk of losing Personal Data transmitted and processed by the Data Controller. The Data Controller must create backups before transmitting or processing data through the Subprocessor. The Subprocessor provides no guarantee regarding the retention of Personal Data.
In all circumstances, the Subprocessor's obligations under this clause are obligations of means.
3.10 Disposal of Personal Data
Upon the termination of the Subscription, the Subprocessor commits, at the choice of the Data Controller, to delete all Personal Data or to return it to the Data Controller at the end of the service relating to the Processing operations.
In any case, the Subprocessor will destroy existing copies of the Personal Data unless the Regulation applicable to it requires the retention of the Personal Data.
At the Data Controller's request, the Subprocessor shall send by email any document strictly necessary to demonstrate compliance with its obligations as a subprocessor under the Subscription. Any other method of transmitting these documents will be at the Data Controller's expense. The Data Controller may request additional explanations from the Subprocessor if the documents provided are insufficient to verify the Subprocessor’s compliance. The Subprocessor commits to responding to the Data Controller as promptly as possible.
Unless the audit is required by the supervisory authority, no on-site audit shall take place.
The Data Controller must submit its audit plan to the Subprocessor in advance for validation while observing the notice period stipulated below.
A notice period of at least forty-five (45) days must be observed for any document-based or on-site audit request, and all costs of the audit will be borne by the Data Controller. The audit must not disrupt the activities of the Subprocessor or its subsequent subprocessors. The Data Controller must appoint an independent auditor who will conduct the on-site audit under a confidentiality agreement to be negotiated upon the start of the notice period. This agreement shall cover all information collected during the audit, regardless of the mode of acquisition. The external auditor must be approved in advance by the Subprocessor and must under no circumstances be a direct or indirect competitor of the Subprocessor.
The audit scope will be agreed upon in advance by the Parties. Furthermore, as the Subprocessor’s system security relies on restricted access, the audit scope must strictly limit itself to elements necessary to verify compliance of the Solution and Associated Services with the Regulation. The Subprocessor reserves the right to withhold access to any data it deems confidential.
The audit report will be communicated to the Subprocessor before finalization, and the Subprocessor may provide comments that must be taken into account in the final report.
The Data Controller commits to:
Documenting any written instruction relating to the Processing of Personal Data by the Subprocessor;
Ensuring, before and during the Processing, compliance with the obligations under the Regulation applicable to its role as the Data Controller;
Not issuing any instruction that exceeds the scope of the Subscription;
Supervising the Processing(s).
The Data Controller guarantees to the Subprocessor that it will use the Solution or request Services only within the limits of the Processing it is authorized to perform itself and that no legal or contractual obligation of confidentiality prevents it from doing so.
In the event of an inspection by a competent authority, the Parties agree to cooperate with each other and with the supervisory authority.
If a competent authority inspects the Data Controller or Subprocessor concerning the Processing carried out under the Subscription, they shall mutually cooperate and provide all useful or necessary information to respond to the demands of the supervisory authority.
Any support, assistance, or cooperative actions by the Subprocessor in response to Regulation requirements (e.g., impact assessments) must be requested in writing by the Data Controller and may incur additional charges.
The Subprocessor commits to complying with the FADP.
In the event of changes to the Regulation, other applicable legal or regulatory provisions, case law, or positions of supervisory authorities, the Subprocessor may amend the Annex by simple notification to the Client before such changes enter into effect. Any other changes to the Annex during the Subscription term shall be subject to written notification to the Client (including by email). If no objections are raised by the Client within 30 days, the proposed changes will take effect at the end of this period.
The Subprocessor is expressly not required to comply with foreign data protection regulations, including Regulation (EU) 2016/679 (GDPR), unless imperatively provided otherwise or directed explicitly in writing by the Data Controller and accepted by the Subprocessor.
The Data Controller remains solely responsible for ensuring its compliance with the applicable regulation, including the GDPR, where applicable.
In cases of conflict between the requirements of the GDPR and the FADP, the obligations of the Subprocessor shall be interpreted and executed exclusively under Swiss law, notwithstanding the contractual agreements between the Parties in this Annex.