DATA PROCESSOR AGREEMENT

(Revised June 3, 2024)

Standard contractual clauses pursuant to Article 28(3) of Regulation 2016/679 (the GDPR) for
the purposes of the processor's processing of personal data

between
[Your Company]
[Insert address]
[Insert postal code and city]
[Insert country]
- hereinafter "the controller" -


and
Meedio ApS
CVR.: 41 52 70 72
Europaplads 2, 7.
8000 Aarhus C
Denmark
- hereinafter "the data processor" -
- each of which is a "Party" and together constitute the "Parties" -

HAVE AGREED upon the following standard contractual clauses (the Clauses) in order to
comply with the GDPR and to ensure the protection of the privacy and fundamental rights and
freedoms of natural persons.

1. Preamble

1.1 These Rules set out the rights and obligations of the processor when it carries out
processing of personal data on behalf of the controller.


1.2 These Provisions are designed for the Parties' compliance with Article 28(3) of
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of individuals with regard to the processing of personal data and
on the free movement of such data and repealing Directive 95/46/EC (GDPR).


1.3 In the context of the provision of the MEEDIO application, the data processor processes
personal data on behalf of the controller in accordance with these Provisions.


1.4 The Provisions shall prevail over any corresponding provisions in other agreements
between the Parties.


1.5 There are four annexes to these Provisions and the annexes form an integral part of the
Provisions.


1.6 Annex A contains details of the processing of personal data, including the purposes and
nature of the processing, the type of personal data, the categories of data subjects and
the duration of the processing.


1.7 Annex B contains the controller's conditions for the processor's use of sub-processors
and a list of sub-processors whose use has been approved by the controller.


1.8 Annex C contains the controller's instructions as regards the processor's processing of
personal data, a description of the minimum security measures to be implemented by
the processor and how the processor and any sub-processors are supervised.


1.9 Annex D contains provisions relating to other activities not covered by the Provisions.


1.10 The Provisions and their Annexes shall be kept in writing, including electronically, by
both Parties.


1.11 These Rules do not relieve the processor of any obligations imposed on it by the GDPR
or any other legislation.

2. Rights and obligations of the controller

2.1 The controller is responsible for ensuring that the processing of personal data is carried
out in accordance with the GDPR (see Article 24 of the GDPR), data protection
provisions of other EU or Member States' national law and these Rules.


2.2 The controller has the right and the obligation to decide for which purpose(s) and by
which means personal data may be processed.


2.3 The controller is responsible for, inter alia, ensuring that there is a processing basis for
the processing of personal data that the processor is instructed to carry out.

3. The processor acts on instructions

3.1 The processor shall process personal data only on the basis of a documented instruction
from the controller, unless required to do so by EU or Member State law to which the
processor is subject. Such instructions shall be specified in Annexes A and C.
Subsequent instructions may also be given by the controller while personal data are
being processed, but the instructions shall always be documented and kept in writing,
including electronically, together with these Rules.


3.2 The processor shall inform the controller without delay if it considers that an instruction is
contrary to this Regulation or to data protection provisions of other Union or Member
State law.

4. Privacy

4.1 The processor shall provide access to personal data processed on behalf of the
controller only to persons who are subject to the processor's powers of instruction, who
have given an undertaking of confidentiality or who are subject to an appropriate legal
obligation of confidentiality, and only to the extent necessary. The list of persons to
whom access has been granted shall be kept under review. On the basis of this review,
access to personal data may be closed if access is no longer necessary and the
personal data shall then no longer be accessible to those persons.


4.2 The processor must be able to demonstrate, at the request of the controller, that the
persons concerned, who are subject to the processor's powers of instruction, are subject
to the aforementioned obligation of professional secrecy.

5. Treatment safety

5.1 Article 32 of the Data Protection Regulation states that the controller and the processor
shall implement appropriate technical and organisational measures to ensure a level of
protection appropriate to the risks represented, taking into account the state of the art,
the cost of implementation and the nature, scope, context and purposes of the
processing involved, as well as the risks of varying degrees of probability and severity to
the rights and freedoms of natural persons.
The controller shall assess the risks to the rights and freedoms of natural persons posed
by the processing and implement measures to address those risks. Depending on their
relevance, this may include:


(a) Pseudonymisation and encryption of personal data


(b) Ability to ensure the continued confidentiality, integrity, availability and
resilience of processing systems and services


(c) The ability to restore the availability of and access to personal data in a
timely manner in the event of a physical or technical incident


(d) A procedure for regular testing, assessment and evaluation of the
effectiveness of the technical and organisational measures to ensure the
security of processing.


5.2 Article 32 of the Regulation also requires the processor - independently of the controller -
to assess the risks to the rights of individuals posed by the processing and to implement
measures to address those risks. For the purposes of this assessment, the controller
must provide the necessary information to the processor to enable it to identify and
assess such risks.


5.3 In addition, the processor shall assist the controller in complying with the controller's
obligation under Article 32 of the Regulation by, inter alia, providing the controller with
the necessary information regarding the technical and organisational security measures
already implemented by the controller pursuant to Article 32 of the Regulation and any
other information necessary for the controller to comply with its obligation under Article
32 of the Regulation.
If, in the controller's assessment, addressing the identified risks requires the
implementation of additional measures to those already implemented by the
processor, the controller shall specify the additional measures to be implemented in
Annex C.

6. Use of sub-processors

6.1 The processor must meet the conditions set out in Article 28(2) and (4) of the Data
Protection Regulation in order to make use of another processor (a sub-processor).


6.2 Thus, the processor may not make use of a sub-processor for the purposes of these
Provisions without the prior general written consent of the controller.
The processor has the general approval of the controller for the use of sub-processors.
The processor shall notify the controller in writing of any planned changes regarding the
addition or replacement of sub-processors with at least 14 days' notice, thereby giving
the controller the opportunity to object to such changes prior to the use of the sub-
processor(s) in question. Longer notice periods for notification of specific processing
operations may be specified in Annex B. The list of sub-processors already authorised
by the controller is set out in Annex B.


6.3 Where the processor makes use of a sub-processor for the performance of specific
processing activities on behalf of the controller, the processor shall, by means of a
contract or other legal document under Union or Member State law, impose on the sub-
processor the same data protection obligations as those laid down in these Provisions,
in particular providing the necessary guarantees that the sub-processor will implement
the technical and organisational measures in such a way that the processing will comply
with the requirements of these Provisions and the GDPR.
The processor is therefore responsible for requiring that the sub-processor complies at
least with the processor's obligations under these Rules and the GDPR.


6.4 Copies of the sub-processor agreement(s) and any subsequent amendments thereto
shall, upon request by the controller, be sent to the controller, who shall thereby have
the opportunity to ensure that equivalent data protection obligations resulting from these
Provisions are imposed on the sub-processor. Provisions on commercial terms which do
not affect the data protection content of the sub-processor agreement shall not be sent
to the controller.


6.5 It is not possible to favour third parties, as the data are encrypted and anonymised and it
would therefore require additional information about the users to ensure the possibility of
accessing these data, which compromises the level of security of the solution. In case of
bankruptcy of the data processor, the data will be automatically deleted.


6.6 If the sub-processor does not fulfil its data protection obligations, the data processor
remains fully liable to the controller for the fulfilment of the sub-processor's obligations.
This is without prejudice to the rights of data subjects under the Data Protection
Regulation, in particular Articles 79 and 82 thereof, against the controller and the
processor, including the sub-processor.

7. Transfer to third countries or international organisations

7.1 Any transfer of personal data to third countries or international organisations may only
be made by the processor on the basis of a documented instruction to that effect from
the controller and must always be made in accordance with Chapter V of the Data
Protection Regulation.


7.2 Where the transfer of personal data to third countries or international organisations,
which the processor has not been instructed to carry out by the controller, is required by
Union or Member State law to which the processor is subject, the processor shall notify
the controller of this legal requirement prior to processing, unless such law prohibits
such notification on grounds of important public interests.


7.3 Thus, without a documented instruction from the controller, the processor cannot within
the framework of these Provisions:


(a) Transfer personal data to a controller or processor in a third country or an
international organisation


(b) Entrust the processing of personal data to a sub-processor in a third
country


(c) Process the personal data in a third country


7.4 The controller's instructions regarding the transfer of personal data to a third country,
including the transfer basis, if any, in Chapter V of the Data Protection Regulation on
which the transfer is based, shall be set out in Annex C.6.


7.5 These Provisions are not to be confused with standard contractual clauses within the
meaning of Article 46 (2) (c) and (d) of the Data Protection Regulation and these
Provisions cannot constitute a basis for the transfer of personal data within the meaning
of Chapter V of the Data Protection Regulation.

8. Assistance to the controller

8.1 The processor shall, as far as possible and having regard to the nature of the
processing, assist the controller by appropriate technical and organisational measures in
complying with the controller's obligation to respond to requests to exercise the rights of
data subjects as laid down in Chapter III of the Data Protection Regulation.
This implies that the processor shall, as far as possible, assist the controller in ensuring
compliance with:


(a) The obligation to provide information when collecting personal data from
the data subject


(b) The information obligation where personal data have not been collected
from the data subject


(c) The right of access


(d) The right of rectification


(e) The right to erasure ('right to be forgotten')


(f) The right to restriction of processing


(g) The obligation to provide information in relation to the rectification or
erasure of personal data or the restriction of processing


(h) The right to data portability


(i) The right to object


(j) The right not to be subject to a decision based solely on automated
processing, including profiling


8.2 In addition to the obligation of the processor to assist the controller pursuant to Clause
6.3, the processor shall, taking into account the nature of the processing and the
information available to the processor, further assist the controller with:


(a) The obligation of the controller to notify, without undue delay and where
possible within 72 hours of becoming aware of it, the personal data breach to
the competent supervisory authority, the Data Protection Supervisor, unless the
personal data breach is unlikely to pose a risk to the rights or freedoms of
natural persons


(b) The obligation for the controller to notify the data subject of a personal data
breach without undue delay where the breach is likely to result in a high risk to
the rights and freedoms of natural persons


(c) The obligation for the controller to carry out, prior to processing, an analysis of
the impact of the envisaged processing activities on the protection of
personal data (an impact assessment)


(d) The obligation for the controller to consult the competent supervisory authority,
the Data Protection Authority, prior to processing if a data protection impact
assessment shows that the processing would result in a high risk in the
absence of measures taken by the controller to mitigate the risk.


8.3 The parties shall specify in Annex C the necessary technical and organisational
measures by which the processor shall assist the controller and the extent and scope of
such assistance. This applies to the obligations arising from Clauses 9.1 and 9.2.

9. Personal data breach notification

9.1 The processor shall notify the controller without undue delay after becoming aware that
a personal data breach has occurred.


9.2 The processor shall notify the controller, where possible, within 24 hours of the controller
becoming aware of the breach, so as to enable the controller to comply with its
obligation to notify the competent supervisory authority of the personal data breach in
accordance with Article 33 of the GDPR.


9.3 In accordance with Provision 9.2.a, the processor shall assist the controller in notifying
the breach to the competent supervisory authority. This means that the processor must
assist in providing the following information, which Article 33(3) requires to be included in
the controller's notification of the breach to the competent supervisory authority:


(a) The nature of the personal data breach, including, where possible, the
categories and approximate number of data subjects concerned and the
categories and approximate number of records of personal data concerned


(b) The likely consequences of the personal data breach


(c) The measures taken or proposed to be taken by the controller to address the
personal data breach, including, where appropriate, measures to mitigate its
possible adverse effects.


9.4 The parties shall specify in Annex C the information to be provided by the processor in
assisting the controller in its obligation to notify the competent supervisory authority of a
personal data breach.

10. Erasure and return of data

10.1 Upon termination of the personal data processing services, the data processor shall be
obliged to delete all personal data that have been processed on behalf of the controller
and to confirm to the controller that the data have been deleted, unless EU or Member
State national law provides for the retention of the personal data.
The processor undertakes to process the personal data only for the purpose(s), for the
period and under the conditions set out in these rules.

11. Audit, including inspection

11.1 The Processor shall make available to the Controller all information necessary to
demonstrate compliance with Article 28 of the Data Protection Regulation and these
Rules and shall allow and contribute to audits, including inspections, carried out by the
Controller or another auditor authorised by the Controller.


11.2 The procedures for the Controller's audits, including inspections, with the Processor and
Sub-processors are detailed in Annexes C.7. and C.8.


11.3 The processor shall be obliged to allow supervisory authorities which have access to the
controller's or processor's facilities under applicable law, or representatives acting on
behalf of the supervisory authority, access to the processor's physical facilities upon
proper identification.

12. Agreement of the parties on other matters

12.1 The Parties may agree on other provisions relating to the service concerning the
processing of personal data, such as liability, as long as these other provisions
do not directly or indirectly conflict with the Provisions or impair the fundamental rights
and freedoms of the data subject as they result from the GDPR.

13. Entry into force and termination

13.1 The provisions shall enter into force on the date of signature thereof by both Parties.


13.2 Either party may require the Provisions to be renegotiated if changes in the law or
inappropriateness of the Provisions so require.


13.3 The Provisions shall remain in force for the duration of the service relating to the
processing of personal data. During this period, the Terms may not be terminated
unless other provisions governing the provision of the personal data processing service
are agreed between the parties.


13.4 If the provision of the Personal Data Processing Services is terminated and the Personal
Data has been deleted or returned to the Controller in accordance with Clause 11.1 and
Annex C.4, the Clauses may be terminated by either party upon written notice.

14. Signature

On behalf of the Controller:
Name: [Insert your name]
Position: [Insert your position]
Telephone: [Insert your phone number]
E-mail: [Insert your email]
Signature:


On behalf of the data processor:
Name: Runi Hammer
Position: CEO
Telephone: (+45) 42 80 81 00
E-mail: runi@meedio.me
Signature:

Contacts at the controller and processor
The parties may contact each other via the contact persons below.
The parties are obliged to keep each other informed of changes regarding contact persons.
Name: [Insert]
Position: [Insert]
Telephone: [Insert]
E-mail: [Insert]


Name: Runi Hammer
Position: CEO
Telephone: (+45) 42 80 81 00
E-mail: runi@meedio.me

ANNEX A:
INFORMATION ON PROCESSING

A.1 Purpose of processing of personal data by the processor on behalf of the
controller

(a) The purpose of the processing is to provide the service to the controller and its users in
accordance with the contract.


(b) Meedio is a video communication and messaging platform that can be used as a stand-
alone solution or integrated into third party software, allowing users of the third party
software (e.g. employees of an organisation) to have video meetings, consultations, or
messaging with other employees, citizens, patients, etc. directly in the third party
software or in Meedio’s applications (including web browsers).


(c) As a stand-alone solution, a Meedio user logs into his/her account on a website (or
mobile application, or desktop client). Here the user will be able to access different
Meedio services, for example Meetings, Messenger, Consultations, Rooms, Boards, and
Queues. Video meetings are generated by creating a link (dynamic or stationary) and
sending it to one or more participants. The participants can click on the link and join a
video meeting. The Meedio platform opens in the browser of users' computers and/or
mobile phones. Initially, users encounter a pre-meeting screen where they can turn
video and audio on/off, as well as enter their name and view their own video feed. After
users click on "join meeting" they are sent from the pre-meeting screen to the actual
video meeting.


(d) When integrated into third party software, Meedio works in the same way as the stand-
alone solution, but is embedded into the third party software. This can for example be
done via Meedio’s Public API.


(e) The video meetings are end-to-end encrypted and run on Meedio's own WebRTC cloud
infrastructure. In the video meeting, participants can access a variety of features,
such as messaging, inviting users, muting, turning off video, and more. It is
possible to turn several of these features on and off again according to the customisation
of the solution in question.


(f) The Messenger requires login from all users. It can be used as a stand-alone or
integrated. Through the Messenger, chats can be exchanged, groups created and files
shared. All messages are end-to-end encrypted.


(g) Meedio Consultations for medical physicians and the Telematic Infrastructure
Messenger for the German healthcare market are special use cases of Meedio’s
products.

A.2 The processing of personal data by the processor on behalf of the controller
mainly relates to (nature of processing)

(a) In the context of the provision of the service, user data is used:
To establish video meetings
To create accounts and provide login details
To provide and maintain our Service
To notify users about changes to our Service
To provide customer support
To gather analysis or valuable information so that we can improve our Service
To track activities and monitor the usage of our Service
To detect, prevent and address technical issues
To detect, prevent and address fraudulent usage and other illegal activities

A.3 The processing covers the following types of personal data of the data subjects

(a) These are general personal data covered by Article 6 of the Regulation:
Name
Email
IP-address
Cookies
Usage Data

A.4 The processing covers the following categories of data subjects

(a) Customer’s users

A.5 Processing of personal data by the processor on behalf of the controller may start
after the entry into force of these Rules. The duration of the processing shall be as
follows

(a) The processing shall continue until the cooperation is terminated or the user requests
erasure.

ANNEX B: SUB-PROCESSORS

B.1. Approved sub-processors

(a) Upon entry into force of the Rules, the controller has authorised the use of the following
sub-processors:
NAME: Hetzner
ADDRESS:
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen, Deutschland
Tel.: +49 (0)9831 505-0
E-Mail: info@hetzner.com
Data Center Park Nuremberg, Germany,
Data Center Park, Falkenstein, Germany
DESCRIPTION OF PROCESSING:
• Datacenter
• User-data
• Logs
• Establishment of call

NAME: SendInBlue
DESCRIPTION OF PROCESSING:
• Two-Factor Authentication


(b) Upon entry into force of the Rules, the controller has authorised the use of the above
mentioned sub-processors for the processing activity described.


(c) The processor may not - without the written consent of the controller - make use of a
sub-processor for a processing operation other than that described and agreed, or make
use of another sub-processor for that processing operation.

ANNEX C: INSTRUCTIONS ON THE
PROCESSING OF PERSONAL DATA

C.1 Subject of the processing/instruction

(a) The processing of personal data by the processor on behalf of the controller shall be
carried out by the processor as follows:


(b) Providing demo system for users to use for demo meetings and saving users who want
to set up.

C.2 Security of processing

(a) The level of security shall reflect the large amount of data covered by Article 6 of the
Regulation, which includes "general data", therefore a medium level of security should
be established.


(b) The data processor is then entitled and obliged to decide on the technical and
organisational security measures to be implemented in order to establish the
necessary (and agreed) level of security.


(c) However, the processor must - in any case and as a minimum - implement the following
measures agreed with the controller:
All data is secured by password with two-factor authorization. In addition, all information
is encrypted, including data sent over secured connections.
All applications are designed according to privacy by design principles and all
subcontractors are selected according to best-in-class privacy practices.

C.3 Assistance to the controller

(a) The Processor shall, to the extent possible - within the scope and extent set out below -
assist the Controller in accordance with Clauses 9.1 and 9.2 by implementing the
following technical and organisational measures:
The Controller may at any time contact the Processor, who shall assist in fulfilling the
Controller's obligations or indicate the possibility of performing the task himself in the
application. This shall be done free of charge.

C.4 Retention period/last routine

(a) The data are kept until the controller requests deletion and the system offers an
automatic deletion function.

C.5 Location of processing

(a) Processing of the personal data covered by the Provisions may not take place without
the prior written consent of the controller in locations other than the following:
Hetzner Data Center Park Nuremberg, Germany,
Hetzner Data Center Park, Falkenstein, Germany

C.6 Instruction regarding transfer of personal data to third countries

(a) The Controller authorises processing in third countries as described below:
No data processing will be carried out in third countries.

C.7 Procedures for controller audits, including inspections, of processing of personal
data entrusted to the processor

(a) The processor shall provide annually, at the request of the controller, a self-audit
statement regarding the processor's compliance with the GDPR, data protection
provisions of other EU law or Member States' national law and these Rules.


(b) Based on the results of the declarations, the controller is entitled to request the
implementation of additional measures to ensure compliance with the GDPR,
data protection provisions of other Union law or national law of the Member States and
these Rules. The processor shall be entitled to invoice for time and costs incurred.


(c) In addition, the controller or a representative of the controller shall have the right to carry
out inspections, including physical inspections, of the premises from which the processor
carries out the processing of personal data, including physical premises and systems
used for or in connection with the processing. Such inspections may be carried out
whenever the controller deems it necessary.


(d) Any costs incurred by the controller in carrying out a physical inspection shall be borne
by the controller. The processor shall be entitled to invoice for the time and costs
incurred in carrying out any inspection.

C.8 Procedures for audits, including inspections, of processing of personal data
entrusted to sub-processors

(a) The processor shall regularly check sub-processors by means of recognised
declarations and shall, at the request of the controller, provide declarations from the
current sub-processors regarding compliance with the GDPR, data protection provisions
of other EU law or Member States' national law and these Rules. This shall be done at
the processor's expense.


(b) Based on the results of the declarations, the data processor shall be entitled to request
the implementation of further measures to ensure compliance with the GDPR, data
protection provisions of other Union law or national law of the Member States and these
Rules.


(c) In addition, the processor or a representative of the processor shall have the right to
conduct inspections, including physical inspections, of the premises from which the sub-
processor carries out the processing of personal data, including physical premises and
systems used for or in connection with the processing. Such inspections may be carried
out whenever the processor (or controller) deems it necessary.


(d) Documentation of such inspections shall be provided to the controller for information
without undue delay. The controller may challenge the framework and/or methodology of
the inspection and may in such cases request a new inspection to be carried out under a
different framework and/or using a different methodology.


(e) The controller may - if deemed necessary - choose to initiate and participate in a
physical inspection of the sub-processor. This may be the case if the controller
considers that the processor's inspection of the sub-processor has not provided the
controller with sufficient assurances that the processing by the sub-processor is carried
out in accordance with the Data Protection Regulation, data protection provisions of
other EU or Member States' national law and these Rules.


(f) Any participation by the controller in an inspection of the sub-processor shall not affect
the fact that the processor shall remain fully responsible for the compliance of the sub-
processor with the GDPR, other EU or national data protection provisions and these
Rules.