Data Processing Addendum

1. Purpose And Scope

This Data Processing Addendum ("DPA") forms part of and supplements the Terms of Service between VICOM SOLUTION LTD, a company incorporated under the laws of Cyprus ("Processor"), and the customer using the Services ("Controller").

This DPA applies where the Processor processes Personal Data on behalf of the Controller in connection with the provision of the Services.

The purpose of this DPA is to ensure compliance with Regulation (EU) 2016/679 (General Data Protection Regulation – "GDPR") and other applicable data protection laws.

In the event of any conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA shall prevail.

2. Definitions

For purposes of this DPA, the terms "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Supervisory Authority", "Personal Data Breach" and "Subprocessor" shall have the meanings assigned to them under GDPR.

Capitalized terms not defined herein shall have the meaning assigned to them in the Terms of Service.

3. Roles Of The Parties

The parties acknowledge and agree that the Controller determines the purposes and means of Processing Personal Data submitted to the Services.

The Processor processes Personal Data solely on behalf of the Controller and in accordance with the Controller's documented instructions, the Terms of Service and this DPA.

The Controller is responsible for ensuring that it has a lawful basis for Processing Personal Data and for providing all required notices to Data Subjects.

4. Processing Of Personal Data

The Processor shall Process Personal Data solely for the purpose of providing the Services and performing its obligations under the Terms of Service.

The Processor shall not sell, rent or otherwise disclose Personal Data except as permitted by this DPA, required by law or authorized by the Controller.

The Processor shall not Process Personal Data for its own independent marketing purposes.

5. Nature And Purpose Of Processing

Processing activities may include collection, storage, organization, structuring, hosting, analysis, retrieval, consultation, transmission, reporting, artificial intelligence-assisted processing, deletion and destruction of Personal Data.

Processing is performed solely to provide social media analytics, reporting, artificial intelligence functionality, team collaboration, account administration, subscription management and related Services.

6. Categories Of Personal Data

Depending on the Controller's use of the Services, Personal Data processed by the Processor may include names, email addresses, usernames, account identifiers, social media account information, profile information, analytics information, uploaded documents, reports, datasets, communication records, technical identifiers and other Personal Data submitted through the Services.

7. Categories Of Data Subjects

Data Subjects may include the Controller's employees, contractors, customers, prospects, social media followers, website visitors, marketing contacts, business partners and other individuals whose Personal Data is submitted to the Services by the Controller.

8. Confidentiality

The Processor shall ensure that personnel authorized to Process Personal Data are subject to appropriate confidentiality obligations and receive appropriate training regarding data protection and security.

The Processor shall ensure that access to Personal Data is limited to personnel who require such access for the performance of their duties.

9. Security Measures

The Processor shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access.

Such measures may include access controls, authentication mechanisms, encryption, network security controls, logging, monitoring, backup procedures, incident response procedures and vendor management controls.

The Processor may update security measures from time to time provided that such updates do not materially reduce the level of protection.

10. Subprocessors

The Controller authorizes the Processor to engage Subprocessors for the provision of the Services.

Current Subprocessors may include providers of cloud infrastructure, payment processing, artificial intelligence services, analytics services, communication services and customer support services.

Such Subprocessors may include Google Cloud, Stripe, OpenAI, Google Gemini and other service providers used in connection with the Services.

The Processor shall ensure that Subprocessors are subject to contractual obligations providing a level of protection substantially equivalent to that required under this DPA.

The Processor remains responsible for the performance of its Subprocessors to the extent required by applicable law.

11. International Transfers

The Controller acknowledges that Personal Data may be transferred to countries outside the European Economic Area.

Where such transfers occur, the Processor shall implement appropriate safeguards, including Standard Contractual Clauses, adequacy decisions or other lawful transfer mechanisms recognized under GDPR.

12. Assistance To The Controller

Taking into account the nature of Processing, the Processor shall provide reasonable assistance to the Controller in responding to requests from Data Subjects and complying with obligations relating to data protection impact assessments, consultations with supervisory authorities, security obligations and other requirements under GDPR.

13. Personal Data Breaches

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data Processed on behalf of the Controller.

Such notification shall include available information reasonably necessary for the Controller to meet its obligations under applicable data protection laws.

14. Audits

Upon reasonable written request and subject to appropriate confidentiality obligations, the Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.

Any audit shall be conducted in a manner that minimizes disruption to the Processor's business operations and protects the confidentiality and security of other customers.

15. Data Retention And Deletion

The Processor shall retain Personal Data only for as long as necessary to provide the Services, comply with legal obligations, resolve disputes and enforce contractual rights.

Upon termination of the Services or upon written request of the Controller, the Processor shall delete or return Personal Data unless retention is required by law.

Further information regarding deletion practices is available in the Data Deletion Policy.

16. Liability

The liability of each party arising under this DPA shall be subject to the limitations and exclusions of liability set forth in the Terms of Service, except where such limitations are prohibited by applicable law.

Nothing in this DPA shall exclude liability that cannot be excluded under GDPR or other applicable law.

17. Governing Law

This DPA shall be governed by and construed in accordance with the laws of Cyprus.

18. Contact Information

Questions regarding this DPA may be submitted through the contact details published on the SocialMetricHub website.

Email: support@socialmetrichub.com

This DPA is issued by VICOM SOLUTION LTD, a company incorporated under the laws of Cyprus under registration number HE 449671, with VAT number 60023179A and registered office at Arch. Makarios III House Proteas 155, 5th Floor, 3026 Limassol, Cyprus.