Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA"), hereinafter referred to as "the Agreement," aims to outline the arrangements between Guance Information Technology Co., Limited ("we" or "Guance") and the Customer regarding the processing of personal data. This Agreement is incorporated into the main subscription agreement ("Agreement") between Guance and the Customer, or any other electronically or jointly signed written agreement referencing this DPA, to ensure that we, as a data processor, comply with applicable data protection laws and regulations.

  1. Introduction

This DPA is intended to ensure that Guance, as a data processor, follows applicable data protection laws and regulations when processing the Customer's personal data, and to clearly outline the rights and obligations of both parties with regard to data processing.

  2. Definitions

The following definitions apply to this DPA:

“Customer Data” means data from Customer's Environment that are submitted for Processing by the Services. Through Customer's configuration and use of the Services, Customer has control over the types and amounts of Customer Data.

"Customer Personal Data" refers to customer data that includes personal data.

"Personal Data Breach" refers to a security breach that occurs during the transmission, storage, or other processing of customer personal data by Guance, resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to customer personal data.

"Account Data" refers to customer information provided by the customer to Guance that is related to the creation or management of their Guance account, such as the first and last names of authorized users or billing contacts, usernames, and email addresses.

"Data Subject": refers to the natural person to whom personal data belongs.

"Processing": refers to any operation performed on personal data, including but not limited to collection, recording, storage, use, transmission, and deletion.

"Data Processor": refers to the party processing personal data under this Agreement, namely Guance.

"Controller": refers to the party that determines the purposes and means of the processing of personal data, namely the Customer.

“Subprocessor” means any Processor engaged by Guance or a Guance Affiliate to Process Customer Personal Data on Guance's or its Affiliate's behalf while providing the Services.

"Guance" refers to Guance Information Technology Co., Limited, the contracting party of this DPA.

"Data Protection Laws" refer to the data protection or privacy laws and regulations directly applicable to the parties' processing of personal data, including European data protection laws.

“GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing of Directive 95/46/EC.

“SCCs” means the standard contractual clauses for international transfers annexed to the European Commission's commission implementing decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, published on June 4, 2021, including as incorporated into the UK Transfer Addendum, if applicable.

  3. Roles of the Parties

3.1 Both parties agree that Guance acts as a data processor when processing customer personal data in the course of providing services. Guance will process customer personal data solely in accordance with the Agreement, this DPA (including Appendix A), and Orders (as defined in the "Written Instructions").

3.2 As the data controller, the Customer is responsible for ensuring that it has the legal rights to provide personal data to Guance and that its instructions and requests provided comply with applicable laws.

  4. Data Security

4.1 Security Measures. Taking into account the existing state of technology, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying risks to the rights and freedoms of individuals, Guance has implemented and shall maintain appropriate technical and organizational measures to ensure a level of security that matches the risk level associated with processing personal data. The Customer agrees that the security measures implemented by Guance (listed in Appendix B) are sufficient to fulfill its obligations under this DPA. Notwithstanding the foregoing, the Customer acknowledges and agrees to be responsible for the secure use of the products on its part.

4.2 Personal Data Breach. In the event of a personal data breach, Guance shall promptly notify the Customer without undue delay upon becoming aware of such breach. The notification sent by Guance to the Customer shall include (a) the nature of the personal data breach, including categories and approximate numbers of data subjects and personal data records involved; (b) measures taken or planned by Guance to address and mitigate the personal data breach; (c) any suggestions provided by Guance to the Customer for mitigating the effects of the personal data breach. Guance's obligation to notify or respond to a personal data breach under this provision does not imply any acknowledgment or admission of fault or liability on the part of Guance concerning the personal data breach.

  5. Subprocessors

5.1 Customer Authorization for Subprocessors. The Customer authorizes Guance to engage subprocessors for the processing of personal data on behalf of Guance. The Customer agrees to the use of subprocessors listed in the subprocessor list. Guance shall update the subprocessor list with at least 30 days' notice prior to designating new subprocessors and shall provide the User with a mechanism to receive notifications of updates to the subprocessor list, which mechanism is currently available through the subprocessor list.

5.2 Contracts with Subprocessors. Guance shall enter into contracts with subprocessors that include data protection obligations equivalent to those set out in this DPA to ensure compliance with applicable data protection laws.

5.3 Liability of Subprocessors. Guance shall be liable for the acts and omissions of its subprocessors in connection with the performance of obligations under this DPA to the same extent Guance would be liable if performing the services directly. Guance shall take reasonable measures to ensure that these subprocessors provide adequate safeguards for the security of personal data.

  6. Rights Of Data Subject

6.1 Guance shall assist the Customer in fulfilling the rights of data subjects, including but not limited to access, rectification, erasure, and restriction of processing. If a data subject contacts Guance to exercise their rights and such request is applicable to the Customer, Guance will make reasonable efforts to forward the request to the Customer.

  7. Data Transfer and Deletion

7.1 Upon termination or expiration of the Agreement, personal data will be deleted within 30 days upon a written request from the Customer.

7.2 Unless required by applicable law, any Customer Personal Data archived in backups will be isolated and protected against further processing. Notwithstanding the above, within the scope of applicable legal requirements for retaining all or part of Customer Personal Data, Guance is not obligated to delete retained Customer Personal Data, and this DPA shall continue to apply to retained Customer Personal Data.

  8. Audit

8.1 Guance's Audit Reports. Upon Customer's request and subject to the confidentiality provisions of the Agreement, Guance will provide the Customer with copies or excerpts of Guance's audit reports related to service security, including, for example, its ISO 27001 certification and SOC 2 reports.

  9. Data Transfers

9.1 Customer authorizes Guance and its subprocessors to transfer Customer Data across borders, including, but not limited to, transfers from the European Economic Area and the United Kingdom. To protect the transfer of personal data from the European Economic Area and the United Kingdom, both parties agree to enter into Standard Contractual Clauses ("SCCs") and the UK Transfer Appendix. The signing of this DPA or the Agreement constitutes the signing of the SCCs and any associated appendices.

9.2 Specific application of the Standard Contractual Clauses:

(1) Module Two will apply;

(2) In Clause 7 (Docking), the optional docking clause will apply;

(3) In Clause 9(a) (Use by subprocessor), Option 2 for the subprocessor's "general written authorization" clause shall apply, and the prior notice period for subprocessor changes shall be as stated in Section 5.1 of this DPA;

(4) In Clause 11 (Redress), the optional language shall not apply;

(5) In Clause 13 (Supervision), the supervisory authority shall be the German supervisory authority;

(6) In Clause 17 (Governing Law), the SCCs shall be governed by German law;

(7) In Clause 18(b) (Choice of Forum and Jurisdiction), both parties agree that disputes shall be submitted to German courts;

(8) Annex I of the SCCs shall be supplemented with the information in Appendix A of this DPA;

(9) Annex II of the SCCs shall be supplemented with the information in Annex B of this DPA.

9.3 To the extent Guance's provision of the Products involves the transfer of Customer Personal Data from the United Kingdom to a third country that has not been designated as providing an adequate level of protection for Customer Personal Data, the Standard Contractual Clauses shall be used and completed as set forth in Section 9.2.

  10. Conflict

In case of any conflict or inconsistency among this DPA, the SCC, and the Agreement, the priority order shall be: (1) Standard Contractual Clauses (SCC); (2) this DPA; (3) the Agreement.

  11. Amendment of the Agreement

11.1 Guance may make changes to this DPA under the following circumstances: (a) when changes are required to comply with applicable laws; (b) changes that are commercially reasonable, do not substantially decrease the security of the services, do not alter the scope of Guance's processing of Customer Personal Data, and do not have a material adverse impact on Customer's rights under this DPA.

ANNEX A Details of Data Transfers

  1. LIST OF PARTIES

1.1 Data Exporter(s):

Name: Customer.

Address: 【 】

Contact person's name: 【 】, Position: 【 】, Contact details: 【 】

Activities relevant to the data transferred under these Clauses: Processing Customer Personal Data and Account Data for the purpose of providing, supporting, and improving the Services.

Signature and date: The parties agree that execution of the Agreement constitutes execution of this Appendix A by both parties.

Role (controller/processor): Processor or Controller with respect to Customer Personal Data; Controller with respect to Account Data.

1.2 Data importer(s):

Name: Guance Information Technology Co., Limited

Address: RM 1903, 19/F LEE GARDEN ONE 33 HYSAN AVENUE CAUSEWAY BAY, HONG KONG

Contact person's name: 【...】, Position: 【...】, Contact details: 【...】

Activities relevant to the data transferred under these Clauses: Processing Customer Personal Data and Account Data for the purpose of providing, supporting, and improving the Services.

Signature and date: The parties agree that execution of the Agreement constitutes execution of this Appendix A by both parties.

Role (controller/processor): Processor with respect to Customer Personal Data; Controller with respect to Account Data.

  2. DESCRIPTION OF TRANSFER

2.1 Categories of data subjects whose personal data is transferred

(1) Account Data: the data subjects may include Customer's employees.

(2) Customer Personal Data: the data subjects may comprise Customer's employees, patrons, suppliers, and end-users.

2.2 Categories of personal data transferred

(1) With respect to Account Data: the Personal Data that is sent to Guance by Customer for the purpose of using the Services.

(2) With respect to Customer Personal Data: the Personal Data that is sent to Guance by Customer for the purpose of using the Services.

2.3 Sensitive data

No sensitive data is transferred.

2.4 The frequency of the transfer (whether the data is transferred on a one-off or continuous basis).

The Personal Data is transferred on a continuous basis.

2.5 Nature of the processing

With respect to Account Data: general account management and other activities as outlined in Guance's public Privacy Policy.

With respect to Customer Personal Data: analysis, storage, and other Services as described in the Agreement, Order(s), DPA, and Documentation.

2.6 Purpose(s) of the data transfer and further processing

To enable Guance to provide the Products to Customer and exercise its rights and obligations under the Agreement.

2.7 The period for which the personal data will be retained

With respect to Account Data: Personal Data is retained to manage Customer's accounts in accordance with Guance's Privacy Policy.

With respect to Customer Personal Data: Personal Data is retained in accordance with either Customer's configuration of the Services or the retention schedules outlined in the Documentation.

ANNEX B Technical and Organizational Measures

Guance will implement, at least, the technical and organizational security measures described below in respect of the Customer Personal Data it Processes on behalf of the Customer.

  1. Encryption and Key Management

1.1 Guance maintains policies and procedures for the management of encryption mechanisms and cryptographic keys in Guance's cryptosystem.

1.2 Guance enlists encryption at rest and in transit between public networks, as applicable, according to industry-standard practice.

  2. Compliance Audit

2.1 Guance will maintain SSAE 18 SOC 2 certification, or comparable certification, for the term of the Agreement. This certification will be renewed on an annual basis. Upon Customer's request, Guance will provide a summary of its most recent SOC 2 report once every 12 months of the term of the Agreement.

2.2 Guance follows guidelines from ISO 27001 and other industry-standard practices.

  3. Access Control

3.1 Only Authorized Users shall have access to Data, including when stored on any electronic or portable media or when transmitted. Authorized Users shall have authorized access only to those data and resources necessary for them to perform their duties.

3.2 Guance maintains user access controls that address timely provisioning and de-provisioning of user accounts.

  4. Business Continuity

4.1 Guance maintains business continuity, backup, and disaster recovery plans (“BC/DR Plans”) in order to minimize the loss of service and comply with Applicable Laws.

4.2 The BC/DR Plans address threats to the Services and any dependencies, and have an established procedure for resuming access to, and use of, the Services. The BC/DR Plans are tested at regular intervals.

  5. Change Control

5.1 Guance maintains policies and procedures for applying changes to the Services, including underlying infrastructure and system components, to ensure quality standards are being met.

5.2 Guance undergoes a penetration test of its network and Services on an annual basis. Any vulnerabilities found during this testing will be remediated in accordance with Guance's Vulnerability Management Policies and Procedures, and will be assessed on the basis of Guance's Risk Management Framework.

5.3 Guance regularly performs vulnerability scans of its network and any vulnerabilities found will be addressed in accordance with Guance's Vulnerability Management Policies and Procedures, and will be assessed on the basis of Guance's Risk Management Framework.

5.4 Security patches are applied in accordance with Guance's patching schedule.

  6. Data Security

6.1 Guance maintains technical safeguards and other security measures to ensure the security and confidentiality of Customer Personal Data.

6.2 Guance logically segregates Customer Personal Data in the production environment.

  7. Governance and Risk Management

7.1 Guance maintains an information security program that is reviewed at least annually.

7.2 Guance maintains a risk management program, with risk assessments conducted at least annually.

  8. Administrative Controls

8.1 Guance uses a third party to conduct employee background verifications for all Guance personnel with access to Customer Personal Data.

8.2 Guance employees are required to complete initial (at-hire) and annual security awareness training.
