Creatie Data Processing Addendum

Effective Date: February 6, 2024

This Data Processing Addendum (“DPA”) supplements and forms an integral part of the Creatie Service Agreement (“Agreement”) as concluded between You (“User” or “Controller”) and INTERACTIVE LINK PTE. LTD (“ILP” or “Processor”), and shall continue in full force and effect for the duration of the Agreement. You and ILP are hereinafter collectively also referred to as “Parties” and separately as a “Party”.

By accepting the Agreement of this DPA, You represent that You have the authority to bind Controller to this DPA.

Whereas

  • The Parties have agreed that ILP is a Processor for the processing of personal data on behalf of Controller as part of the provision of the Services specified in the Agreement; and

  • The Parties seek to implement a DPA that complies with the Applicable Privacy Law, and wish to set out their rights and obligations in respect of such processing of personal data in this DPA.

Hereby agree as follows:

1   Definitions

1.1  All capitalized terms used but not otherwise defined in this DPA shall have the meaning ascribed to such terms in the Agreement. The following terms, whether single or plural, shall have the meaning assigned to them in this Paragraph:

  • “Applicable Privacy Law” — any national, federal, European Union, state, provincial or other privacy, data security, or data protection law or regulation, as they apply to the processing of Personal Data under this DPA, and as amended, modified, extended, re-enacted, consolidated or replaced from time to time.

  • “Controller Personal Data” — any information related to identified or identifiable natural persons, which is either supplied by Controller to Processor, or which is collected or generated by Processor under instruction from Controller as part of the Services, in both cases in order for Processor to provide its services under the Agreement, and as further described in Appendix 1.

  • “Security Incident” — the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller Personal Data attributable to ILP.

  • “EEA” — the European Economic Area.

  • “EU GDPR” — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.

  • “UK GDPR” — the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronics Communications (Amendments etc.) (EU Exit) Regulations 2019) (if applicable).

  • “GDPR” — the UK GDPR and/or EU GDPR (as applicable), together with any applicable implementing or supplementary legislation in any member state of the EEA or the UK (including the UK Data Protection Act 2018).

  • “Restricted Transfer” — Controller Personal Data (i) where the EU GDPR applies, a transfer of personal data to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the Swiss Federal Act on Data Protection (FADP) applies, a transfer of personal data from Switzerland to any other country which has not been determined to have a legislation that guarantees an adequate level of data protection, and (iii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

  • “SCCs” — (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); (ii) where the FADP applies, the EU SCCs with the Swiss amendments as required by the Federal Data Protection and Information Commissioner (FDPIC), and (iii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR as amended or replaced from time to time.

  • “UK Addendum” — International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner’s Office (ICO) under s.119A(1) of the Data Protection Act 2018 (as may be amended, updated or superseded from time to time by the UK Government or the ICO).

  • “Subprocessor(s)” — an authorized third party engaged by Processor to process Controller Personal Data in order to provide parts of the Services and/or related technical support.

1.2  The terms “personal data”, “special categories of personal data”, “data subject”, “processing” or “process”, “controller”, and “processor” as used in this DPA have the meanings given by Applicable Privacy Law or, absent any such meaning or law, by the EU GDPR.

2   Processing Instructions

2.1   This DPA relates to the processing of Controller Personal Data by Processor on behalf of Controller in the course of performing Processor’s obligations under the Agreement. Further details of such processing are set out in Appendix 1.

2.2   Controller warrants, on an ongoing basis, that it has complied and will continue to comply with all Applicable Privacy Law during its use of the Services and provision of instructions. Controller shall have sole responsibility for the accuracy, quality, and legality of personal data and the means by which Controller acquires personal data.

2.3   In the course of performing its obligations under the Agreement, Processor shall process Controller Personal Data solely on the instruction of Controller and not use or otherwise process Controller Personal Data for any other purpose, unless required to do so by Applicable Privacy Law.

2.4   By entering into this DPA, Controller hereby authorizes and instructs Processor to process Controller Personal Data for the following purposes: (i) processing in accordance with the Agreement, this DPA, any applicable document between the parties relating to the Services, and any instruction agreed upon by the parties; (ii) as otherwise permitted or required by Controller’s use of the Services and/or its requests; (iii) as otherwise initiated or required by the Controller’s end-users; and (iv) as further documented in any other written instructions that Controller reasonably gives to Processor.

2.5   Processor will, unless legally prohibited from doing so, inform Controller in writing if it reasonably believes that there is a conflict between Controller’s instructions and applicable law or otherwise seeks to Process Controller Personal Data in a manner that is inconsistent with Controller’s instruction.

2.6   Controller will not share any special category of personal data with Processor. Controller further acknowledges that Processor does not request or require any special category of personal data to provide the Services and does not wish to receive or store any special category of personal data.

3   Confidentiality of Controller Personal Data

3.1    Processor shall ensure that all of its employees, contractors and other personnel are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in respect of Controller Personal Data.

4   Security

4.1   Processor shall, taking into account the nature of Controller Personal Data and the risks involved in the processing of Controller Personal Data, implement appropriate technical and organizational measures to protect Controller Personal Data against any accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access (“Security Measures”).

4.2   In assessing the appropriate level of the Security Measures, Processor shall have regard to the state of the art, the cost of implementation, and the nature, scope, context and purposes of the processing, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.3   The Security Measures adopted by Processor will include, but not be limited to: i) using pseudonymisation and encryption technology; ii) employing trusted protection mechanisms to prevent malicious attacks; iii) deploying access control mechanisms to ensure that only authorized personnel can access Controller Personal Data; and iv) organizing security and privacy protection training courses to enhance employees' awareness of the importance of protecting personal data.

4.4   Controller agrees that it is solely responsible for its use of the Services, including: (i) making appropriate use of the Services to ensure a level of security appropriate to the risk in relation to Controller Personal Data; (ii) securing any account authentication credentials, systems, and devices it uses to access the Services; and (iii) backing up all Controller Personal Data. Controller understands and agrees that Processor has no obligation to protect Controller Personal Data that Controller elects to store or transfer outside of Processor’s or any Subprocessors’ systems (e.g. offline or on-premise storage). Controller is solely responsible for evaluating whether the Services and Processor’s commitments under this DPA meet its needs, including with respect to Controller’s compliance with any of its security obligations under the GDPR and/or Applicable Privacy Law.

4.5   Processor agrees to provide information reasonably necessary to demonstrate compliance with this DPA upon Controller’s reasonable request in accordance with Applicable Privacy Law.

5   Subprocessors

5.1   Controller provides a general authorization for Processor to appoint Subprocessors in accordance with this Section.

5.2   Controller agrees that Processor may continue to use those Subprocessors already engaged by Processor as at the date of this DPA.

5.3   With respect to each Subprocessor, Processor shall ensure that the arrangement between Processor and the Subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for Controller Personal Data as those set out in this DPA, as well as the SCCs (where applicable).

5.4   Processor shall remain liable to Controller for the acts and omissions of each Subprocessor in respect of Controller Personal Data.

6   Data Subject Rights

6.1   Where required by Applicable Privacy Law, Processor shall provide Controller with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Controller in fulfilling its obligation to respond to requests from data subjects exercising their rights in Controller Personal Data granted to them under Applicable Privacy Law in cases where Controller cannot reasonably fulfill such requests independently by using the self-service functionality of the Services.

6.2   Processor shall:

a.   Promptly notify Controller if Processor receives a Data Subject Request; and

b.   Not respond to any Data Subject Request except on the written instructions of Controller (and in such circumstances, at Controller’s cost) or as required by Applicable Privacy Law.

7   Security Incidents

7.1   Upon becoming aware of a Security Incident, ILP agrees to provide written notice without undue delay and within the time frame required under Applicable Privacy Law to Controller. A delay in giving such notice requested by law enforcement and/or in light of ILP’s legitimate needs to investigate or remediate the matter before providing notice shall not constitute an undue delay. Where possible, such notice will include all available details required under Applicable Privacy Law for Controller to comply with its own notification obligations to supervisory authorities or individuals affected by the Security Incident.

7.2   Controller is solely responsible for complying with any Security Incident notification requirements that may apply to Controller. ILP’s notification of or response to a Security Incident will not be construed as an acknowledgement by ILP of any fault or liability with respect to the Security Incident.

7.3   ILP shall provide commercially reasonable cooperation and assistance in identifying the cause of such Security Incident and take commercially reasonable steps to remediate the cause to the extent the remediation is within ILP’s control. Controller shall have sole discretion to control the timing, content and manner of any notices provided under such remediation plan.

8   Data Protection Impact Assessments, Prior consultation and Audits

8.1   Where required by GDPR and/or Applicable Privacy Law, this section will apply.

8.2   Processor shall provide reasonable assistance to Controller, at Controller’s cost, with any data protection impact assessment and prior consultations with supervisory authorities, which Controller reasonably considers to be required of it by Article 35 or Article 36 of the GDPR, in each case solely in relation to the processing of Controller Personal Data by, and taking into account the nature of the processing by and information available to, Processor.

8.3   Processor shall make available to Controller on request such information as Processor (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA. Subject to Article 8.4 and 8.5 of this DPA, in the event that Controller (acting reasonably) is able to provide documentary evidence that the information made available by Processor pursuant to this Paragraph is not sufficient in the circumstances to demonstrate Processor’s compliance with this DPA, Processor shall allow for and contribute to audits, including on premise inspections, by Controller or an auditor mandated by Controller in relation to the processing of Controller Personal Data by Processor.

8.4   Controller shall give Processor reasonable notice of any audit or inspection to be conducted (which shall in no event be less than thirty (30) days’ notice) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing any damage, injury or disruption to Processor’s premises, equipment, personnel, data and business (including any interference with the confidentiality or security of the data of Processor’s other customers, or the availability of Processor’s services to such other customers).

8.5   Any audit shall be limited to once per year, unless an audit is carried out at the direction of a supervisory authority having proper jurisdiction.

8.6   Controller shall bear any third party costs in connection with any inspection or audit and reimburse Processor for all costs incurred by Processor in connection with any such inspection or audit.

9   Cross-Border Transfers of Personal Data (EEA, UK & SWITZERLAND Specific Provisions)

9.1   Controller authorizes Processor and its Subprocessors to transfer Controller Personal Data across international borders. Controller agrees that the Processor and its Subprocessors may make Restricted Transfers of Controller Personal Data for the purpose of providing the Services to the Controller in accordance with the Agreement. Processor confirms that such Subprocessors: (i) are located in a third country or territory recognised by the EU Commission or a Supervisory Authority, as applicable, to have an adequate level of protection; or (ii) have entered into the applicable SCCs with the Processor; or (iii) have other legally recognised appropriate safeguards in place.

9.2   To the extent that the transfer of Controller Personal Data from Controller to Processor or from Processor to Subprocessor constitutes a Restricted Transfer, Parties agree that such transfers shall be subject to the appropriate SCCs as follows:

a.   Where the EU GDPR applies, the EU SCCs shall be deemed entered into and completed as follows:

(i)   Module 2 shall apply for Controller to Processor transfers;

(ii)   Module 3 shall apply for Processor to Subprocessor transfers;

(iii)   Annex I of the EU SCCs shall be deemed completed with the information set out in Appendix I of this DPA;

(iv)   Annex II of the EU SCCs shall be deemed completed with the information provided in the Agreement and DPA, and will be supplemented upon Controller’s request.

b.   Where the FADP applies, the EU SCCs completed above shall be adjusted as set out below:

(i)   References to “Regulation (EU) 2016/679” or “that Regulation” are to be interpreted as references to the FADP to the extent applicable;

(ii)   References to "Regulation (EU) 2018/1725" are removed;

(iii)   References to “Union”, “EU”, and “EU Member State” shall be interpreted to mean Switzerland;

(iv)   The FDPIC shall be the competent supervisory authority insofar as the transfers are governed by the FADP;

(v)   Clause 17 is replaced to state: “These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by the FADP”;

(vi)   Clause 18 is replaced to state: “Any dispute arising from these Clauses relating to the FADP shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which they have their habitual residence. The parties agree to submit themselves to the jurisdiction of such courts”.

c.   Where the UK GDPR applies, the EU SCCs completed above shall apply, and shall be modified by the UK Addendum, which shall be completed as follows:

(i)   Tables 1 to 3 of the UK Addendum shall be deemed completed with the relevant information from the EU SCCs, completed as set out above;

(ii)   In Table 4 of the UK Addendum, both the importer and the exporter may end the UK Addendum in accordance with the terms of the UK Addendum;

(iii)   The start date of the UK Addendum (as set out in table 1) shall be the date of this DPA.

9.3   In the event that any provision of this DPA contradicts, directly or indirectly, the SCCs, the SCCs shall prevail.

10   Deletion of Controller Personal Data

10.1   Upon the date of cessation of any Services involving the processing of Controller Personal Data, Processor shall immediately cease all processing of Controller Personal Data for any purpose other than for storage.

10.2   Controller hereby acknowledges and agrees that, due to the nature of the Services and Controller Personal Data processed by Processor, return (as opposed to deletion) of Controller Personal Data is not a reasonably practicable option in the circumstances. Considering this, Controller agrees that it is hereby deemed to have irrevocably selected deletion, in preference of return, of Controller Personal Data. Controller Personal Data stored in backup and disaster recovery repositories may be retained for a longer duration provided that it remains subject to this DPA until deleted.

10.3   Processor and any Subprocessor may retain Controller Personal Data where required by applicable law, for such period as may be required by such applicable law, provided that Processor and any such Subprocessor shall ensure:

a.   The confidentiality of such Controller Personal Data; and

b.   That such Controller Personal Data is only processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.

11   Notifications

11.1   All notices given by Processor to Controller under or in connection with this DPA shall be sent to Controller’s email address associated with their Creatie account or in other written form, and any notice given by Controller to Processor shall be sent to support@Creatie.ai or to Privacy Protection Center, INTERACTIVE LINK PTE. LTD, 6 Shenton Way #37-03 Oue Downtown Singapore 068809.

12   Term and Termination

12.1   This DPA will terminate automatically upon termination of the Agreement, or as earlier terminated pursuant to the terms of the DPA.

13   Miscellaneous

13.1   In the event of any inconsistency relating to the processing of Controller Personal Data between a provision of this DPA and the Agreement, the provision of this DPA will prevail. Notwithstanding the foregoing, this DPA shall be subject to the limitations of liability and indemnity terms set forth in the Agreement, except to the extent prohibited by applicable laws, and any reference to the liability of a Party means that Party and its affiliates in the aggregate.

13.2   Processor may update the provisions of this DPA where the changes (i) are required to comply with Applicable Privacy Law, applicable regulation, a court order, or guidance issued by a regulator or agency; or (ii) do not have a material adverse impact on Controller’s rights under the DPA. Processor shall provide thirty (30) days’ notice prior to making any material change to the provisions of this DPA. If the Controller objects, the Controller has the right to terminate the affected Services within thirty (30) days of receiving written notice of the changes.

13.3   If Applicable Privacy Law requires that this DPA be amended, either Party may propose an amendment and the Parties will enter into negotiations in good faith to reach an agreement ensuring the continued compliance of the DPA with Applicable Privacy Law.

13.4   If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.

Appendix 1   Data Processing Description

This Appendix 1 forms part of the Agreement and describes the processing that the Processor will perform on behalf of the Controller.

A. LIST OF PARTIES

Controller(s) / Data exporter(s):

Processor(s) / Data importer(s):

B. DESCRIPTION OF TRANSFER

C. COMPETENT SUPERVISORY AUTHORITY
