
MindsetMaps™ Data Processing Addendum
I. Subject of the Agreement
In the course of the fulfillment of the contract between MindsetMaps International, Inc (the “Processor”) and the AUTHORIZED COACH (the “Controller”, together with the Processor the “Parties”) regarding the provision of the Processor’s webportal, materials and intellectual property to the Controller (the “Contract”), it is possible that the Processor deals with personal data, i.e. any information relating to an identified or identifiable natural person (e.g. names and email addresses of persons who are the Controller’s customers), with regard to which the AUTHORIZED COACH acts as a controller pursuant to data protection law (the “Customer Data”). This agreement (the “Agreement”) specifies the data protection obligations and rights of the Parties in connection with the Processor’s use of Customer Data to render the services under the Contract.
II. Applicable Law
“Applicable Law(s)” means all applicable laws, regulations, and other legal or regulatory requirements in any jurisdiction relating to privacy, data protection, security, or the processing of personal data, including without limitation (i) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”), (ii) the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), (iii) in respect of the United Kingdom, the Data Protection Act 2018 (“UK DPA 2018”) and the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”). For the avoidance of doubt, if the Processor’s processing activities involving personal data are not within the scope of an Applicable Law, such law is not applicable for purposes of this Agreement.
III. Scope of the Processing
1. The Processor shall process the Customer Data on behalf and in accordance with the instructions of the Controller within the meaning of Art. 28 GDPR.
2. The processing of Customer Data by the Processor occurs in the manner and scope and for the purpose determined in Annex 1 to this Agreement; the processing relates to the types of personal data and categories of data subjects specified therein. The duration of processing corresponds to the term of the Contract.
3. The Processor reserves the right to anonymize or aggregate the Customer Data in such a way that it is no longer possible to identify individual data subjects, and to use them in this form for the purpose of developing and optimizing as well as rendering of the services agreed as per the Contract. The Parties agree that anonymized and aggregated Customer Data are not considered Customer Data for the purposes of this Agreement.
4. The Processor may process and use the Customer Data for the Processor’s own purposes as controller to the extent legally permitted by data protection law. This Agreement does not apply to such data processing.
5. The Controller authorizes the Processor to make international transfers of Customer Data in accordance with this Agreement and Applicable Law.
IV. Right of the Controller to Issue Instructions
1. The Processor processes the Customer Data in accordance with the instructions of the Controller unless the Processor is legally required to do otherwise. In the latter case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
2. The instructions of the Controller are in principle conclusively stipulated and documented in the provisions of the Agreement. Individual instructions which deviate from the stipulations of this Agreement or which impose additional requirements shall require the Processor’s consent.
3. The Processor shall ensure that the Customer Data is processed in accordance with the instructions given by the Controller. If the Processor is of the opinion that an instruction given by the Controller infringes this Agreement or applicable data protection law, the Processor is entitled, after informing the Controller accordingly, to suspend the execution of the instruction until the Controller confirms the instruction. The Parties agree that the sole responsibility for the processing of the Customer Data in accordance with the instructions lies with the Controller.
V. Legal Responsibility of the Controller
1. The Controller is solely responsible for the permissibility of the processing of the Customer Data and for safeguarding the rights of data subjects in the relationship between the Parties. Should third parties assert claims against the Processor based on the processing of Customer Data in accordance with this Agreement, the Controller shall indemnify the Processor from all such claims upon first request.
2. The Controller is responsible for providing the Processor with the Customer Data in time for the rendering of services according to the Contract, and the Controller is responsible for the quality of the Customer Data. The Controller shall inform the Processor immediately and completely if, during the examination of the Processor’s results, the Controller finds errors or irregularities with regard to data protection provisions or instructions of the Controller.
3. Upon request, the Controller shall provide the Processor with the information specified in Art. 30 para. 2 GDPR, insofar as it is not already available to the Processor.
4. If the Processor is required to provide information to a governmental body or person on the processing of Customer Data or to cooperate with these bodies in any other way, the Controller is obliged to assist the Processor at first request in providing such information and in fulfilling other appropriate cooperation obligations.
VI. Requirements for Personnel and Systems
The Processor shall commit all persons engaged in processing Customer Data to confidentiality with respect to the processing of Customer Data.
VII. Security of Processing
The Processor takes the necessary and appropriate technical and organizational measures according to Art. 32 GDPR, taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of the processing of Customer Data, as well as the varying likelihood and severity of the risk to the rights and freedoms of the data subjects, in order to ensure a level of protection of Customer Data appropriate to the risk. The Controller is entitled to review the technical and organizational measures implemented according to Art. 32 GDPR.
VIII. Engagement of Further Processors
1. The Controller acknowledges and agrees that the Processor may retain third parties as further processors (“Subprocessors”) to process Customer Data on the Processor’s behalf in the fulfillment of the Contract. The Controller grants the Processor the general authorization to engage further processors with regard to the processing of Customer Data. Further processors engaged at the time of conclusion of this Agreement are listed in Annex 2.
2. The Processor will impose contractual obligations on any Subprocessor it appoints requiring it to protect Customer Data to standards which are no less protective than those set forth under this Agreement.
3. The Processor remains liable for its Subprocessors’ performance under this Agreement to the same extent it is liable for its own performance.
4. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Subprocessors at least 10 business days prior to the change taking place.
IX. Data Subjects’ Rights
1. The Processor shall support the Controller within reason by virtue of technical and organizational measures in fulfilling the Controller’s obligation to respond to requests for exercising data subjects’ rights.
2. As far as a data subject submits a request for the exercise of its rights directly to the Processor, the Processor will forward this request to the Controller in a timely manner.
3. The Processor shall provide the Controller with information relating to the stored Customer Data, about the recipients of Customer Data to which the Processor may disclose it in accordance with the instructions and about the purpose of storage, insofar as the Controller does not have this information at its disposal and is not able to collect it itself.
4. The Processor shall, within the bounds of what is reasonable and necessary, enable the Controller to correct, delete or restrict the further processing of Customer Data, or at the instruction of the Controller correct, block or restrict further processing itself, if and to the extent that this is impossible for the Controller.
5. Insofar as the data subject has a right of data portability vis-à-vis the Controller in respect of the Customer Data pursuant to Art. 20 GDPR, the Processor shall support the Controller within the bounds of what is reasonable and necessary in handing over the Customer Data in a structured, commonly used and machine-readable format, if the Controller is unable to obtain the data elsewhere. In this case, the Processor shall be reimbursed for the expenses and costs incurred by the Processor in this regard and substantiated vis-à-vis the Controller.
X. Notification and Support Obligations of the Processor
1. Insofar as the Controller is subject to a statutory notification obligation due to a breach of security regarding the Customer Data (in particular pursuant to Art. 33, 34 GDPR), the Processor shall inform the Controller in a timely manner of any reportable events in the Processor’s area of responsibility. The Processor shall assist the Controller in fulfilling the notification obligations at the Controller’s request to the extent reasonable and necessary. In this case, the Processor shall be reimbursed for the expenses and costs incurred by the Processor in this regard and substantiated vis-à-vis the Controller.
2. The Processor shall assist the Controller to the extent reasonable and necessary with data protection impact assessments to be carried out by the Controller and, if necessary, subsequent consultations with the supervisory authority pursuant to Art. 35, 36 GDPR. In this case, the Processor shall be reimbursed for the expenses and costs incurred by the Processor in this regard and substantiated vis-à-vis the Controller.
XI. International Transfers
The Controller acknowledges and agrees that, subject to compliance with Applicable Laws, the Processor processes Customer Data in locations outside of the EU where it maintains processing operations. The Parties agree that when the transfer of Customer Data from the Controller (as “data exporter”) to the Processor (as “data importer”) requires that certain appropriate safeguards (“Transfer Mechanism(s)”) are put in place, the Parties will be subject to the EU Standard Contractual Clauses (as adopted by Commission Implementing Decision (EU) 2021/914, the “EU SCCs”), which will be deemed incorporated into and form a part of this Agreement, as follows:
- The clauses as set forth in Module Two (controller to processor) will apply only to the extent AUTHORIZED COACH is a controller and MindsetMaps International, Inc is a processor;
- The “data exporter” is the Controller, and its contact information is set forth in the Contract;
- The “data importer” is the Processor, and its contact information is set forth in the Contract;
- In Clause 7, the optional docking clause will apply;
- In Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes will be as set out in Section VIII of this Agreement;
- In Clause 11, the optional language will not apply;
- In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Hungarian law;
- In Clause 18(b), disputes will be resolved before the courts of Hungary; and
- Annexes I and II of the Appendix are set forth in the Annexes below.
XII. Deletion and Return of Customer Data
1. Upon termination of this Agreement, the Processor shall, at the discretion of the Controller, either delete or return the Customer Data, and delete existing copies thereof unless the Processor is obligated by law to further store the Customer Data.
2. The Processor may keep documentation which serves as evidence of the orderly and accurate processing of Customer Data, also after the termination of this Agreement, but no longer than is necessary in accordance with Art. 5 GDPR.
XIII. Evidence and audits
1. The Processor will allow for and contribute to audits conducted by the Controller (or a third-party auditor mutually agreed by both Parties (“Auditor”)) of documentation, data, certifications, reports, and records relating to the Processor’s processing of Customer Data (“Records”) for the sole purpose of determining the Processor’s compliance with this Agreement, subject to the terms of this Section XIII, provided the Agreement remains in effect and such audit is at the Controller’s sole expense (an “Audit”).
2. The Controller may request an Audit upon fourteen (14) days’ prior written notice to the Processor, no more than once annually, except in the event of a security incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data processed by the Processor and/or its Subprocessors in connection with the fulfillment of the Contract and occurring on the Processor’s systems (“Security Incident”), in which case the Controller may request an Audit within a reasonable period of time following such incident.
3. To the extent that the provision of Records does not provide sufficient information to allow the Controller to determine the Processor’s compliance with the terms of this Agreement, the Controller may, as necessary: (i) request additional information from the Processor in writing, and the Processor will respond to such written requests within a reasonable period of time (“Written Requests”); and (ii) only where the Processor’s responses to such Written Requests do not provide the necessary level of information required by the Controller, request access to the Processor’s premises, systems and staff, upon twenty-one (21) days’ prior written notice to the Processor (an “Inspection”), subject to the Parties having mutually agreed upon (a) the scope, timing, and duration of the Inspection, (b) the use of an Auditor to conduct the Inspection, (c) the Inspection being carried out only during the Processor’s regular business hours, with minimal disruption to the Processor’s business operations, and (d) all costs associated with the Inspection being borne by the Controller (including the Processor’s time in connection with facilitating the Inspection, charged at the Processor’s then-current rates). Inspections will be permitted no more than once annually, except in the event of a Security Incident.
4. In connection with any Audit or Inspection conducted in accordance with this Section XIII, the Auditor must be bound by obligations of confidentiality no less protective than those contained in the Contract. Auditors will not be entitled to receive any data or information pertaining to other clients of the Processor or any other confidential information of the Processor that is not directly relevant for the authorized purposes of the Audit or Inspection.
5. If any material non-compliance is identified by an Audit or Inspection, the Processor will take prompt action to correct such non-compliance.
XIV. Contract term and termination
The term and termination of this Agreement shall be governed by the term and termination provisions of the Contract. A termination of the Contract automatically results in a termination of this Agreement. An isolated termination of this Agreement is excluded.
XV. Liability
1. The Processor’s liability under this Agreement shall be governed by the disclaimers and limitations of liability provided for in the Contract. As far as third parties assert claims against the Processor which are caused by the Controller’s culpable breach of this Agreement or of one of the Controller’s obligations under data protection law, the Controller shall upon first request indemnify and hold the Processor harmless from these claims.
2. The Controller undertakes to indemnify the Processor upon first request against all possible fines imposed on the Processor corresponding to the Controller’s part of responsibility for the infringement sanctioned by the fine.
XVI. Final provisions
1. In case individual provisions of this Agreement are ineffective or become ineffective or contain a gap, the remaining provisions shall remain unaffected. The Parties undertake to replace the ineffective provision by a legally permissible provision which comes closest to the purpose of the ineffective provision and that thereby satisfies the requirements of Art. 28 GDPR.
2. In case of conflicts between this Agreement and other arrangements of the Parties, in particular the Contract, the provisions of this Agreement shall prevail.
Annex 1
Further Information on the Processing of Customer Data
Purpose and extent of Data Processing
Administering the creation of reports as a service via the Processor’s webportal.
Types of personal data
Name and contact data (email address), contents of reports in so far as they constitute personal data
Categories of data subjects
Customers of AUTHORIZED COACH
Annex 2
Further Processors
Name of the further processor:
Amazon Web Services Inc.,
410 Terry Avenue North, Seattle, WA 98109-5210, USA
Description of processing via this further processor
Secure cloud service platform for database storage