This European Union General Data Protection Regulation Policy (the “GDPR Policy”) is incorporated into the End User Subscription Agreement between the parties (the “Agreement”), and details the additional terms and conditions that apply to Blueshift Technology, Inc. (“Blueshift”) processing of Personal Data as required by Article 28 of the General Data Protection Regulation. All capitalized terms not defined in this GDPR Policy will have the meanings set forth in the Agreement. This GDPR Policy is effective as of the effective date of the Agreement (“Effective Date”).

 1. Definitions:

• • “General Data Protection Regulation” or “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
• • “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
• • “Subprocessor” means other processors used by Blueshift to process data.
• • The terms “data subject”, “processing”, “processor”, and “supervisory authority” as used herein have the meanings given in the GDPR.

 2. Processing of Personal Data.

• • For purposes of this GDPR Policy, Customer and Blueshift agree that Customer is the controller of Personal Data and Blueshift is the processor of such data, except when Customer acts as a processor of Personal Data, in which case Blueshift is a subprocessor to Customer. This GDPR Policy applies to the processing of Personal Data, within the scope of the GDPR, by Blueshift on behalf of Customer. The GDPR Policy does not limit or reduce any data protection commitments Blueshift makes to Customer in the Agreement between Blueshift and Customer. The GDPR Policy does not apply where Blueshift is a controller of Personal Data.

 3. Relevant GDPR Obligations: Articles 28, 32, and 33.

• • • Blueshift may engage Subprocessors to provide certain services on its behalf. As applicable, Blueshift will provide advanced notice of the name and location of such Subprocessor. If Customer continues on to utilize such services after receipt of such notice, or does not object to such Subprocessor within 30 days of the notice, Customer will be deemed to approve of the sub-processing by the Subprocessor. By executing the Agreement, Customer consents to (i) Blueshift’s use of the Subprocessors detailed in the current (as of the Effective Date of this GDPR Addendum) Third Party Subprocessors’ List , and (ii) Blueshift engaging its controlled subsidiaries as Subprocessors (list available upon request) at its discretion (together, referred to as “Approved Subprocessors”).
  • • Processing by Blueshift shall be governed by this GDPR Policy under European Union (hereafter “Union”) or Member State laws binding on Blueshift with regard to Customer. The Personal Data processing details are:
      • The subject-matter of the processing is limited to Personal Data within the scope of the GDPR;
      • The duration of the processing shall be for the duration of the Customer’s right to use the Products and until all Personal Data is deleted or returned in accordance with Customer instructions or the terms of the Agreement;
      • The nature and purpose of the processing shall be to provide the applicable Product(s) pursuant to the Agreement;
      • The types of Personal Data processed may include elements listed in the Documentation; and
      • The categories of data subjects are Customer’s representatives and end users, such as employees, contractors, collaborators, and customers.
  • •  Blueshift Shall:
      • process the Personal Data only on documented instructions from Customer (which includes those instructions specified in the Agreement), unless required to do so by Union or Member State law to which Blueshift is subject; in such a case, Blueshift shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
      • ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
      • take all measures required pursuant to Article 32 of the GDPR;
      • taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR. If Blueshift receives a request from Customer’s data subject to exercise their rights under the GDPR, Blueshift will redirect the data subject to make such request directly to Customer;
      • assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Blueshift;
      • delete or, upon Customer’s request, return all the Personal Data to Customer after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data. Blueshift may retain contact details, being names, e-mail addresses, mail addresses, and telephone numbers, exchanged by the parties and other administrative information related to the provision of the Services for the purposes of administering the terminated business relationship as per Blueshift’s records retention schedule.
      • make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
  • •  Blueshift shall immediately inform Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
  • • Where Blueshift engages a Subprocessor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in the GDPR Policy shall be imposed on that Subprocessor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfill its data protection obligations, Blueshift shall remain fully liable to the Customer for the performance of that other processor’s obligations.
  • • Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Blueshift shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
      • the pseudonymization and encryption of Personal Data;
      • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      • the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
      • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
  • •  In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
  • • Customer and Blueshift shall take steps to ensure that any natural person acting under the authority of Customer or Blueshift who has access to Personal Data does not process them except on instructions from Customer, unless he or she is required to do so by Union or Member State law.
  • • Blueshift shall notify Customer without undue delay after becoming aware of a personal data breach. Such notification will include that information a processor must provide to a controller under GDPR Article 33(3) to the extent such information is available to Blueshift.
  • • Blueshift may transfer and process Personal Data in the United States or any other country where Blueshift or its controlled subsidiaries or Subprocessors operate. Customer appoints Blueshift to perform any such transfer of Personal Data in compliance with GDPR. Blueshift represents that it is EU-U.S. and Swiss-U.S. Privacy Shield Framework certified (Certification available at https://www.privacyshield.gov/participant?id=a2zt0000000TRgHAAW&status=Active) and complies with onward transfer provisions. In case the EU-U.S. and/or Swiss-U.S. Privacy Shield framework ceases to exist or Blueshift is no longer certified, Blueshift shall execute other available data transfer mechanism, such as the EU Standard Contractual Clauses.