Personal Data Processing Addendum

For Authorized Partners of RSTOR (Global)

This Data Processing Addendum (“DPA”) supplements any agreement (including but not limited to statements of work, attachments, schedules, exhibits) between R-Stor Inc. (“RSTOR”) and PARTNER (“PARTNER”) for the purchase of services, products or other technology solutions from RSTOR to the extent RSTOR Processes Personal Data on behalf of PARTNER (and/or its End-User(s), as the context below may require) (collectively the “Agreement”).

This DPA applies to all activities related to the Agreement and in which employees of RSTOR or third parties commissioned by RSTOR may Process Personal Data on behalf of PARTNER. It contains, in conjunction with the Agreement, the documented instructions for the Processing of Personal Data as well as the subject-matter, duration, nature, purpose of the Processing, and shall govern the rights and obligations of the parties in connection with the Processing of Personal Data.

  1. Definitions
    • 1.1. For the purpose of this DPA (i) “RSTOR” means the RSTOR entity executing the Agreement and/or the respective RSTOR Affiliates Processing Personal Data on behalf of PARTNER as per the Agreement; (ii) “PARTNER” means the PARTNER entity is, but not limited to, an authorized RSTOR Distributor or Reseller, executing the Agreement and/or the respective PARTNER Affiliates on whose behalf RSTOR is Processing Personal Data as per the Agreement; as the context requires, the reference to “PARTNER” in this DPA may include its “End-Users” (as defined in the Agreement); (iii) “Affiliate” means, with respect to either party, an entity that is directly or indirectly controlling, controlled by, or under common control with a signatory of this DPA. For purposes of this definition, “control” means the power to direct the management and policies of such party, directly or indirectly, whether through ownership of voting securities, by contract or otherwise; and the term “controlled” has the meaning correlative to the foregoing. Upon request, each party will provide any other party with a list of all respective Affiliates relevant for this DPA; (iv) “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; (v) “Data Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller; (vi) “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”)or household; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (vii) “Processing”, “Process”, “Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; (viii) “GDPR” means the European General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016); (ix) “Sell” means any sharing or disclosure of Personal Data to a third party in exchange for monetary or other valuable
  2. Processing Personal Data on behalf of PARTNER
    • 2.1 Any Processing of Personal Data by RSTOR under this DPA shall occur only:
      • 2.1.1 on behalf of PARTNER; and
      • 2.1.2 in accordance with the Agreement; and
      • 2.1.3 for the purpose of fulfilment of PARTNER’s instructions
    • 2.2 Without limiting the generality of Sections 2.1.1 through 2.1.3, RSTOR agrees that it shall not: (i) Sell the Personal Data; (ii) retain, use, or disclose the Personal Data for any purpose other than for the specific purpose of performing functions under the Agreement, including retaining, using, or disclosing the Personal Data for a commercial purpose other than performing functions under the Agreement; (iii) retain, use, or disclose the Personal Data outside of the direct business relationship between RSTOR and PARTNER. RSTOR hereby certifies that it understands the restrictions set forth in this Section 2.2 and will comply with
    • 2.3 PARTNER’s instructions for the Processing of Personal Data shall comply with applicable data protection laws and regulations. PARTNER shall have sole responsibility for the legitimacy, adequacy and accuracy of Personal Data and the means by which PARTNER acquired or collected Personal Data. If RSTOR considers that an instruction of PARTNER may violate applicable data protection regulations, it shall notify PARTNER accordingly without any undue This subsection 2.3 does not create an obligation of RSTOR to actively monitor PARTNER’s instructions for legal compliance.
    • 2.4 This DPA and the Agreement are PARTNER’s complete and final instructions at the time of signature of this DPA to RSTOR for the Processing of Personal Data. However, such instructions may be amended, supplemented or replaced by PARTNER in documented form at any time (new instruction). If such new instructions from PARTNER exceed the scope of the Agreement, they shall be considered as request to amend the Agreement and the parties shall commence good faith negotiations on this change
    • 2.5 If, for any reason, RSTOR is unable to comply with an agreed instruction, RSTOR will inform PARTNER of this fact without undue delay. PARTNER may then suspend the transfer of Personal Data to RSTOR, restrict the access to it, request all Personal Data to be returned to PARTNER and / or terminate the Agreement as per the terms of the
    • 2.6 RSTOR will Process Personal Data as necessary to perform the services and / or deliver products and / or other technology solutions pursuant to the Agreement and as further instructed by PARTNER in its use of the
    • 2.7 RSTOR will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing or required / allowed by applicable law.
    • 2.8 The categories of data subjects affected by the Processing of Personal Data on behalf of PARTNER within the scope of this DPA result from the Agreement and in particular from PARTNER’s individual usage of services / products / or other technology solutions provided by They typically include: employees, agents, advisors, freelancers of PARTNER (who are natural persons), etc.
    • 2.9 The types of Personal Data affected by the Processing on behalf of PARTNER within the scope of this DPA result from the Agreement and in particular from PARTNER’s individual usage of (and input into) the services / products / or other technology solutions provided by RSTOR. They typically include: name, contact information (company, title / position, email address, phone number, physical address), connection data, location data, video / call (recordings) data and metadata derived thereof,
  3. RSTOR’s personnel
    • 3.1 RSTOR shall:
      • 3.1.1 ensure all employees involved in Processing of Personal Data on behalf of PARTNER have committed themselves to confidentiality in writing or are under an appropriate statutory obligation of confidentiality, are prohibited from Processing Personal Data without authorization and have received appropriate training on their responsibilities;
      • 3.1.2 appoint in country / global data protection officer, to the extent required by the applicable law, and publish the contact
  4. Security of processing
    • 4.1 RSTOR has implemented and shall maintain technical and organizational security measures that are appropriate with respect to the Processing of Personal Data that is undertaken on behalf of PARTNER. RSTOR shall ensure a level of security appropriate to the risk of varying likelihood and severity for the rights and freedoms of natural persons and regularly check their
    • 4.2 RSTOR shall be entitled to modify its technical and organizational measures as long as an at least equivalent level of security appropriate to the risk of varying likelihood and severity for the rights and freedoms of natural persons is Current technical and organizational measures at RSTOR may be reviewed and accessed via https://www.RSTOR.com/en/privacy-toms-customers-24778. Additional technical and organizational measures and information concerning such measures may be specified in the Agreement.
  5. Sub-processors (sub-contractors) and international Personal Data transfers
    • 5.1 RSTOR may engage sub-processors (sub-contractors) to Process Personal data on behalf of PARTNER and shall comply with any applicable data privacy law regarding the engagement of sub-processors (sub-contractors). RSTOR shall make sure that at least equivalent data protection obligations, as set out in this DPA, are imposed on all sub-processors Processing Personal Data on behalf of European Economic Area or Switzerland (“EEA / CH”) based PARTNERs by way of a contract or other legal act, in particular providing sufficient guarantees to implement appropriate technical and organizational
    • 5.2 Only applicable for EEA / CH based PARTNERs: A list of sub-processors that may be engaged by RSTOR to Process Personal Data on behalf of EEA / CH based PARTNERs can be accessed by emailing legal@rstor.io. At least twenty (20) calendar days before RSTOR engages any new sub-processor, RSTOR will update the directory. PARTNER is entitled to object to the use of new sub- processor(s) for any Processing of Personal Data on its behalf within ten (10) business days after such new sub-processors are listed on the requested list. This objection shall be sent by e-mail to legal@rstor.io (i) referencing the full legal name (and other credentials) of PARTNER and the affected Agreement, (ii) including the copy of the respective purchase order, and (iii) providing the reason for the objection. If PARTNER exercises its right to objection, RSTOR shall at its choice and sole discretion:
      • 5.2.1 refrain from using the objected sub-processor to Process Personal Data on behalf of PARTNER and confirm this to PARTNER in writing, or
      • 5.2.2 contact PARTNER and seek for an agreement on mitigation of the reason for the If an agreement between the parties is reached, PARTNER shall revoke the objection, or
      • 5.2.3 have the right to terminate the Agreement entirely or only with respect to the Processing on behalf of PARTNER for which the objected new sub- processor shall be
    • 5.3 RSTOR shall comply with any applicable data privacy law regarding international transfers of Personal For any transfer of Personal Data from the EEA / CH to a country outside the EEA / CH the requirements of Chapter V GDPR must be fulfilled.
      • 5.3.1 The transfers of Personal Data between RSTOR Affiliates shall be governed by RSTOR’s Binding Corporate Rules. The RSTOR Binding Corporate Rules (Processor) Policy is available by emailing legal@rstor.io and is incorporated herein by reference.
      • 5.3.2 If RSTOR transfers Personal Data originating from the EEA / CH to third party sub-processors (i.e., RSTOR’s sub-contractors that are not RSTOR Affiliates) located in countries outside the EEA / CH that have not received a binding adequacy decision by the European Commission, such transfers shall be subject to (i) the terms of Standard Contractual Clauses (as per European Commission’s Decision 2010/87/EU); or (ii) other appropriate transfer mechanisms that provide an adequate level of protection in compliance with the
  6. Requests from Data Subjects
    • 6.1 RSTOR shall, in accordance with applicable laws, promptly notify PARTNER if RSTOR receives a request from Data Subject to exercise his rights, such as: right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or right not to be subject to an automated individual decision making, etc. Taking into account the nature of the Processing, RSTOR shall assist PARTNER by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of PARTNER’s obligation to respond to Data Subject request under applicable data protection laws and regulations, including complying with a Personal Data deletion request if required by law. In addition, to the extent PARTNER, in its use of the services and / or products and / or other technology solutions provided by RSTOR, does not have the ability to address Data Subject Request, RSTOR shall upon PARTNER’s request assist PARTNER in responding to such Data Subject request, to the extent RSTOR is legally permitted to do so and the response to such Data Subject request is required under applicable data protection laws and regulations. To the extent legally permitted, PARTNER shall be responsible for any costs arising from RSTOR’s provision of such assistance.
  7. Notification and incidents
    • 7.1 RSTOR shall:
      • 7.1.1 Notify PARTNER of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed (“Personal Data Breach“) without undue delay after becoming aware of it;
      • 7.1.2 Promptly provide PARTNER with full cooperation and assistance in respect of any Personal Data Breach and all information in RSTOR’s possession concerning the Personal Data Breach, including the following: (i) the possible cause and consequences of the breach; (ii) the categories of Personal Data involved; (iii) a summary of the possible consequences for the relevant Data Subjects; (iv) a summary of the unauthorised recipients of Personal Data; and (v) the measures taken by RSTOR to mitigate any related risk and / or loss or damage or (potential loss or damage);
      • 7.1.3 Not make any announcement or publish or otherwise authorise any broadcast of any notice or information about a Personal Data Breach (the “Breach Notice“) without the prior written consent from PARTNER; and prior written approval by PARTNER of the content, media and timing of the Breach Notice unless such Beach Notice is mandatory under the applicable
  8. Assistance to PARTNER
    • 8.1 Upon written request of PARTNER and subject to reasonable remuneration which shall be subject to a separate agreement, RSTOR shall assist PARTNER in ensuring compliance with any obligations applicable to PARTNER as per Articles 32 (Security of processing) 35 (Data protection impact assessment) and 36 (Prior consultation) GDPR, taking into account the nature of processing and the information available to To the extent any other applicable data privacy law requires RSTOR to assist PARTNER in ensuring compliance with such law, RSTOR shall provide the mandatory assistance to PARTNER, subject to a separate agreement.
  9. Return and deletion of PARTNER Personal Data
    • 9.1 Personal Data (including any copy of it) shall not be kept longer than is required for the Processing purposes, unless (i) a longer retention period is required by applicable law or (ii) PARTNER instructs RSTOR in writing (a) to keep certain Personal Data longer and RSTOR agrees to follow such instruction or (b) return or delete certain Personal Data
    • 9.2 The return of any data storage medium provided by PARTNER to RSTOR shall be conducted without undue delay (i) after termination / expiration of the Processing activity or (ii) earlier as instructed by
  10. Audits
    • 10.1 Upon prior written request by PARTNER RSTOR shall supply PARTNER with all information necessary to effectively perform an audit on RSTOR’s compliance with the terms of this DPA.
      • 10.2 Upon prior written notice and within a reasonable term RSTOR shall grant PARTNER access to its data Processing facilities, data files and documentation relevant for the Processing activities during its usual business hours without disturbances to the normal course of operations for the purpose of auditing RSTOR’s compliance with the terms of this DPA. For clarity purposes RSTOR is not under an obligation to provide PARTNER with an access to its systems which Process Personal Data of other RSTOR’s customers / partners (Data Controllers). The engagement of a third- party auditor to conduct the audit on behalf of PARTNER shall be subject to RSTOR’s prior written consent, which may only be refused on due cause, and to an executed written confidentiality agreement between the third-party auditor, PARTNER and RSTOR. PARTNER will provide RSTOR any audit report(s) generated in connection with any audit under this Section 10.2. PARTNER may use the audit report(s) only for the purposes of meeting its regulatory audit requirements and / or confirming compliance with the requirements of this DPA. The audit report(s) shall constitute confidential information of the parties under the terms of the Agreement. This right to audit may be exercised once a year, unless any specific cause requires exceptional further
  11. Miscellaneous
    • 11.1 The term of this DPA corresponds to the term of the The terms which by their nature are intended to survive termination or expiration of this DPA, will continue and survive any termination or expiration of this DPA.
    • 11.2 Notwithstanding anything to the contrary in the Agreement, in the event of a conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall