Global DPA
Last updated: May 2026
This Data Processing Addendum ("Addendum") between MASIN PROJECTS PRIVATE LIMITED ("MASIN AI" or the "Company") and the Customer (as defined in the Agreement) forms part of the MASIN AI Terms and Conditions, Privacy Policy and Cookie Policy set forth at masin.ai/terms-and-conditions, masin.ai/privacy, or such other written or electronic agreement incorporating this Addendum, governing Customer's access to and use of the Services (the "Agreement").
Customer enters into this Addendum on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with MASIN AI. The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.
1. Definitions
1.1 "Affiliate" means an entity that owns or controls, is owned or controlled by or is under common control or ownership with either Customer or MASIN AI, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity.
1.2 "Customer Personal Data" means any Personal Data provided by or made available by Customer to MASIN AI, or collected by MASIN AI on behalf of Customer, which is Processed by MASIN AI to perform the Services. Customer Personal Data does not include system-generated technical or usage data (such as device identifiers, IP addresses, event logs, cookies, or telemetry) unless such data forms part of the content uploaded or submitted by Customer.
1.3 "Controller to Processor SCCs" means the standard contractual clauses for cross-border transfers published by the European Commission on 4 June 2021 governing the transfer of Personal Data to Third Countries, including any successor clauses thereto.
1.4 "Data Protection Law" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) ("GDPR").
1.5 "Security Incident" means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data being Processed by MASIN AI.
1.6 "Services" means the services to be supplied by MASIN AI to Customer or Customer's Affiliates pursuant to the Agreement.
1.7 "Third Country" means countries that have not received an adequacy decision from the European Commission relating to cross-border transfers of Personal Data.
1.8 "Personal Data" means any information that identifies or can be used to identify a living individual, whether directly (such as a name) or indirectly (such as an identification number, location data, or online identifier). This includes system-generated technical or usage data where such data can be linked to an identifiable individual.
1.9 "Agreement" means the MASIN AI Terms and Conditions, as amended from time to time.
2. Scope of Addendum
This Addendum applies to MASIN AI's Processing of Customer Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws. This Addendum is governed by the governing law of the Agreement unless otherwise required by Data Protection Laws.
3. Roles of the Parties
3.1 The Parties acknowledge and agree that, with regard to the Processing of Customer Personal Data: (a) Customer acts as Controller; (b) MASIN AI acts as Processor; and (c) MASIN AI Processes Customer Personal Data solely on behalf of, and under the documented instructions of, Customer.
3.2 Nothing in this Addendum or the Agreement shall be construed to create a joint controllership arrangement between the Parties within the meaning of Article 26 of the GDPR.
3.3 MASIN AI shall not Process Customer Personal Data for any purpose other than as set out in this Addendum and the Agreement. MASIN AI shall have no rights to use Customer Personal Data for its own purposes.
3.4 Customer Responsibilities. Customer acknowledges and agrees that: (a) Customer is solely responsible for ensuring the lawfulness of the Processing of Customer Personal Data, including establishing a valid legal basis under Articles 6 and (where applicable) 9 of the GDPR; (b) Customer shall provide all required notices to, and obtain all required consents or authorisations from, Data Subjects; (c) Customer shall ensure that its instructions to MASIN AI are lawful and do not cause MASIN AI to violate applicable Data Protection Laws; (d) MASIN AI shall have no liability arising from Customer's failure to comply with its obligations under this Section 3.4; and (e) Customer shall indemnify and hold harmless MASIN AI against any claims, damages, losses, or expenses arising from Customer's breach of its obligations under this Section 3.4.
4. Description and Purpose of Personal Data Processing
The Parties have mutually set out their understanding of the subject matter and details of the Processing of Customer Personal Data in Annex 1 to this Addendum. The purpose of Processing under this Addendum is the provision of the Services pursuant to the Agreement.
5. Data Processing Terms
5.1 Processing Instructions. MASIN AI shall Process Customer Personal Data for the purposes of the Agreement and for the specific purposes set out in Annex 1, and otherwise solely on the documented instructions of Customer.
5.2 Confidentiality. MASIN AI shall implement and maintain measures designed to ensure that MASIN AI personnel authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3 Security Measures. MASIN AI shall implement and maintain reasonable technical and organisational measures designed to ensure a level of security appropriate to the risk of the Processing of Customer Personal Data, including pseudonymisation and encryption where appropriate.
5.4 Sub-processors. Customer hereby authorises MASIN AI to engage and appoint sub-processors, including those listed in Annex 2. MASIN AI shall use reasonable efforts to notify Customer of any material changes or additions to sub-processors. MASIN AI shall include data protection obligations in its contracts with sub-processors that are consistent with the requirements of Data Protection Laws.
5.5 Sub-processor Objections. Where MASIN AI notifies Customer of a proposed new sub-processor, Customer may raise any reasonable objection on data protection grounds within thirty (30) days. If MASIN AI determines that it requires the proposed sub-processor to provide the Services, and the Parties cannot agree on an alternative arrangement, MASIN AI may proceed with engagement of the sub-processor. Customer's continued use of the Services following such engagement shall constitute acceptance.
5.6 Government Access. MASIN AI shall not disclose Customer Personal Data to any governmental authority unless legally compelled by valid legal process, and then only to the minimum extent required. Upon receipt of any governmental request, MASIN AI shall (to the extent legally permitted): (i) promptly notify Customer; and (ii) limit any compelled disclosure to the greatest extent possible.
5.7 Data Subject Requests. MASIN AI shall notify Customer if it receives any request from a Data Subject to exercise rights under Chapter III of the EU GDPR in respect of Customer Personal Data. MASIN AI shall not respond to any Data Subject Request directly unless Customer provides prior written authorisation, or unless MASIN AI is required by applicable Data Protection Laws to respond.
5.8 Security Incident Notification. MASIN AI shall notify Customer without undue delay and in any event no later than seventy-two (72) hours after becoming aware of a Security Incident. Such notice shall include: (i) a description of the nature of the Security Incident; (ii) the categories and approximate number of Data Subjects affected; (iii) the likely consequences; and (iv) measures taken or proposed to address the Security Incident. Customer acknowledges that notification is not an acknowledgement by MASIN AI of fault or liability.
5.9 Assistance. To the extent required by Data Protection Laws, MASIN AI shall provide reasonable assistance to Customer with its obligations pursuant to Articles 32 to 36 of the GDPR. Customer agrees to pay MASIN AI for time and out-of-pocket expenses incurred in connection with any such assistance.
5.10 Data Retention and Deletion. Upon termination or expiry of the Agreement, MASIN AI shall, at Customer's choice, delete or return all Customer Personal Data within thirty (30) days of termination. Personal Data may remain in encrypted backup systems for a maximum period of one hundred and eighty (180) days. MASIN AI shall provide written certification of data deletion within thirty (30) days of completing the deletion process.
5.11 Records of Processing. MASIN AI shall maintain records in support of demonstrating compliance with its obligations for the processing of Customer Personal Data on behalf of Customer.
5.12 Audits. Upon Customer's written request no more than once in any twelve (12) month period, MASIN AI will make available summaries of third-party audit reports and certifications that MASIN AI generally makes available to its customers.
5.13 Prohibition on Use for AI Training. MASIN AI shall not use Customer Personal Data to train, develop, or improve any artificial intelligence models or machine learning algorithms without Customer's prior explicit written consent.
5.14 Cookies and Technical Data. MASIN AI's use of cookies and similar technologies is governed by the Cookie Policy and Terms and Conditions. Any Personal Data collected through such technologies is processed by MASIN AI as an independent controller, unless it forms part of Customer Personal Data.
6. Restricted Transfers
The Parties agree that when the transfer of Customer Personal Data from Customer and/or any of its Affiliates to MASIN AI is a Restricted Transfer and EU Area Law applies, the transfer shall be subject to the appropriate Controller to Processor SCCs, which shall be deemed incorporated into and form part of this Addendum.
6.1 Standard Contractual Clauses. For transfers of Customer Personal Data protected by the EU GDPR from Customer (located in the EU/EEA) to MASIN AI (located in India), the Parties agree to be bound by the European Commission's Standard Contractual Clauses adopted on 4 June 2021 (Commission Implementing Decision (EU) 2021/914).
6.1.1 Module Two (Controller to Processor) applies. Customer acts as Controller and MASIN AI acts as Processor. MASIN AI may only process the data as instructed by Customer and for the purposes set out in this Addendum. Customer remains responsible for ensuring there is a lawful basis for processing the data.
6.1.2 Docking Clause. The Parties have agreed to apply the docking clause. Customer's affiliated companies can join this Addendum later by completing and signing an accession document.
6.1.3 Sub-processors (General Authorisation). The Parties have selected Option 2 (General Authorisation). MASIN AI must give Customer at least 30 days' written notice before engaging any new sub-processor. During that period, Customer may object to the proposed sub-processor if Customer has reasonable data protection concerns.
6.4 Transfer Impact Assessment. Prior to any Restricted Transfer, MASIN AI shall conduct and document an assessment of the laws and practices of the destination country. For transfers to India, this assessment shall specifically consider the Information Technology Act 2000, the Digital Personal Data Protection Act 2023, and any regulations or orders issued thereunder.
6.5 Supplementary Measures. Where required to ensure compliance with applicable Data Protection Laws in respect of international transfers, MASIN AI may implement supplementary technical, contractual, or organisational measures as agreed between the Parties.
6.7 US-Based Sub-processors. Each US-based sub-processor has entered into appropriate Standard Contractual Clauses or other valid transfer mechanisms with MASIN AI in compliance with EU Area Law.
6.8 AWS India Hosting. Customer acknowledges that MASIN AI hosts Customer Personal Data using Amazon Web Services (AWS) data centers located in India. AWS has entered into appropriate Standard Contractual Clauses with MASIN AI and implements technical and organisational security measures that meet the requirements of Article 32 of the EU GDPR, including encryption at rest and in transit.
7. Indemnity
7.1 The Customer shall defend, indemnify, and hold harmless MASIN AI and its affiliates from any and all claims, damages, losses, liabilities, penalties, fines, costs, and expenses (including attorneys' fees) arising out of or relating to: (i) the Customer's Personal Data; (ii) any use of the Software in violation of this Addendum, law, or third-party rights; or (iii) any cyber-attack, security breach, malicious code, or unauthorized access to the Services or MASIN AI's systems caused or facilitated by the Customer.
7.2 These obligations apply regardless of any contributory negligence of MASIN AI and shall survive termination of this Addendum.
7.3 MASIN AI's total liability under this Addendum is limited to £1,000. MASIN AI will not be liable for any indirect or consequential losses. However, there shall be no limitation on the Customer's liability arising out of any breach under this Addendum by the Customer.
8. Severability
If any clause or sub-clause of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other clause of this Addendum.
9. Relationship with Terms and Conditions
This Addendum is incorporated into and forms part of the Agreement.
10. Governing Law; Dispute Resolution and Arbitration
10.1 This Addendum is governed by the laws of India or UAE as determined by the principal place of business of the MASIN AI entity with which Customer has entered into the agreement, without regard to conflict of law principles. Subject to the arbitration clause below, the courts at Delhi, India or Dubai, UAE shall have exclusive jurisdiction.
10.2 If a dispute arises, Customer agrees to first notify MASIN AI at support@masin.ai and engage in good-faith discussions to resolve the dispute within thirty (30) working days of MASIN AI's receipt of Customer's notice.
10.3 Any dispute not resolved within that period shall be finally resolved by arbitration in accordance with the Arbitration and Conciliation Act, 1996. The tribunal shall consist of a sole arbitrator. The seat and venue of arbitration shall be either Delhi, India or Dubai, UAE, as determined by the principal place of business of the MASIN AI entity. The language shall be English. The arbitral award shall be final and binding.
11. Data Protection Officer Contact
In the event a Data Subject wishes to exercise its data subject rights under applicable Data Protection Laws, the Data Subject can submit such request by contacting MASIN AI's Data Protection Officer:
Name: Himanshu Kashyap
Email: himanshu.k@masinproject.com
Annex 1 — Description of Processing Activities
List of Parties
Data Exporter (Controller)
Name: Customer (as defined in the Agreement)
Address: As set forth in the relevant Order Form
Role: Controller
Data Importer (Processor)
Name: MASIN PROJECTS PRIVATE LIMITED
Address: Plot 847, Phase V, Udyog Vihar, Sector-19, Gurugram, Haryana 122008, India
Contact: aishwary.dwivedi@masinproject.com
Role: Processor
Processing Information
Categories of data subjects: Customer's authorized users of the Services.
Categories of personal data transferred: Names, Email IDs; and where provided by Customer in connection with audit services: address, date of birth, past employment details.
Sensitive personal data transferred: None.
Frequency of transfer: Continuous.
Nature of processing: Provision of Services to Customer, including querying, cleansing, standardising, and storing information.
Purpose: To facilitate the performance of the Services as described in the Agreement.
Retention period: As described in the Agreement and this Addendum.
Technical and Organisational Security Measures
1. Pseudonymisation and Encryption: MASIN AI implements encryption technologies for data in transit (HTTPS/TLS) and at rest to ensure the security and confidentiality of Customer Personal Data.
2. Confidentiality, Integrity, Availability and Resilience: MASIN AI maintains access management processes limiting access to Customer Personal Data to properly authorised personnel on a need-to-know basis, following the principle of least privilege. Access is controlled using unique user IDs, strong passwords, and multi-factor authentication. Personnel are required to execute confidentiality agreements. MASIN AI uses AWS Security Groups for its production environment.
3. Restore Availability and Access: MASIN AI replicates data over multiple systems (Multi Availability Zones on AWS) and maintains disaster recovery programmes to restore availability and access to Customer Personal Data in a timely manner following a physical or technical incident.
4. Testing, Assessing and Evaluating Effectiveness: MASIN AI performs regular vulnerability scans on infrastructure components and maintains incident management policies and procedures, including security incident escalation procedures.
Annex 2 — Sub-processors
| Sub-processor | Description of Processing | Location |
|---|---|---|
| Amazon Web Services | Running the Production environment including the Application | India |
| Microsoft Corporation (Microsoft 365) | Email services | India |
| Microsoft Teams | Messaging | India |
| Supabase | Database services | India |
| Signoz | Monitoring and Error Alerting | India |