Data Processing Addendum

This Data Processing Addendum ("DPA") is entered into between OB2.AI Inc., a Delaware corporation with offices at 1401 Pennsylvania Ave, STE 105 Wilmington, DE 19806 on behalf and as agent for its Affiliates (as defined below) ("OB2.AI") and the Customer identified in the relevant Order Form ("Customer") (each a "Party" and together the "Parties"). This DPA is supplemental to, and forms part of, the Customer Terms of Service or other written agreement between OB2.AI and Customer (in either case, the "Agreement"). This DPA has been pre-signed on behalf of OB2.AI and becomes legally binding upon receipt by OB2.AI of the validly completed DPA (the "DPA Effective Date").

1. Definitions

In this Agreement, the following terms have the following meanings:

  • Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control," for the purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

  • Applicable EU Law means any law of the European Union (or the law of one or more of the Member States of the European Union) (the "EU") and, for the avoidance of doubt, includes Data Protection Laws.

  • Authorised User has the meaning given to that term in the Agreement.

  • Controller means the entity which determines the purposes and means of the Processing of Personal Data.

  • Controller Affiliate means any of the Customer's Affiliate(s) (as that term is defined in the Agreement) that (a) (i) are subject to Data Protection Laws and (ii) permitted to use the Services pursuant to the Agreement between the Customer and OB2.AI, but have not signed their own Order Form and are not a "Customer" as defined under the Agreement, (b) if and to the extent OB2.AI processes Relevant Personal Data for which such Customer Affiliate(s) qualify as the Controller.

  • Controller to Processor Clauses means the module of the Standard Contractual Clauses that applies to transfers from a controller to a third country processor, which shall be applied as follows:

    • for Restricted Transfers subject to European Data Protection Laws, the Controller to Processor Clauses in the EEA SCCs shall apply;
    • for Restricted Transfers subject to Swiss Data Protection Laws, the Controller to Processor Clauses in the Swiss SCCs shall apply; and
    • for Restricted Transfers subject to UK Data Protection Laws, the Controller to Processor Clauses in the UK SCCs shall apply.
  • Custom App has the meaning given to that term in the Agreement.

  • Customer Data has the meaning given to that term in the Agreement.

  • Data Protection Laws means all data protection and privacy laws applicable to the respective Party in its role in the Processing of Relevant Personal Data under the Agreement, which may include, without limitation, European Data Protection Laws, Swiss Data Protection Laws, US Data Protection Laws, and UK Data Protection Laws.

  • Data Subject means the identified or identifiable person to whom Personal Data relates.

  • Data Subject Request means any request from a Data Subject to exercise the rights afforded to the Data Subject under Data Protection Laws in respect of Relevant Personal Data, including, as applicable, the following rights: access, rectification, restriction of Processing, erasure ("right to be forgotten"), data portability, objection to the Processing, or the right to not be subject to an automated individual decision making.

  • Database means the European Economic Area.

  • EEA means the European Economic Area.

  • EEA SCCs means the clauses adopted pursuant to the European Commission's decision (2021/914) of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to Processors established in third countries which do not ensure an adequate level of data protection pursuant to Regulation (EU) 2016/679.

  • European Data Protection Laws means all data protection, privacy, and security laws in the EU that are applicable to either Party in its role in the Processing of Relevant Personal Data under the Agreement: (a) the GDPR; (b) the European Union e-Privacy Directive 2002/58/EC as implemented by countries within the EEA; and/or (c) other laws that are similar, equivalent to, successors to, or that are intended to or implement the laws that are identified in (a) and (b) above.

  • GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

  • Instructions means any reasonable instructions provided by Customer (e.g., via email or support tickets) under this DPA that are consistent with the terms of the Agreement.

  • Order Form has the meaning given to that term in the Agreement.

  • Personal Data means any data that relates to an identified or identifiable natural person, to the extent that such information is protected as personal data under Data Protection Laws.

  • Process or Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  • Processor means the entity that Processes Personal Data on behalf of the Controller.

  • Processor to Processor Clauses means the module of the Standard Contractual Clauses that applies to transfers from a processor to a third country processor, which shall be applied as follows:

    • for Restricted Transfers subject to European Data Protection Laws, the Processor to Processor Clauses in the EEA SCCs shall apply;
    • for Restricted Transfers subject to Swiss Data Protection Laws, the Processor to Processor Clauses in the Swiss SCCs shall apply; and
    • for Restricted Transfers subject to UK Data Protection Laws, the Processor to Processor Clauses in the UK SCCs shall apply.
  • Non-OB2.AI Products has the meaning given to that term in the Agreement.

  • Relevant Personal Data means any Personal Data that is comprised in Customer Data.

  • Regulator Correspondence means any correspondence or communication received from a Supervisory Authority or other regulatory authority relating to Relevant Personal Data.

  • Restricted Transfer means: (a) any transfer of Relevant Personal Data Processed under this DPA; (b) from the EU, the EEA, the United Kingdom, or Switzerland; (c) to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws; and (d) subject to Data Protection Laws.

  • OB2.AI Group means OB2.AI and its Affiliates engaged in the Processing of Relevant Personal Data.

  • Security Practices Page means OB2.AI’s Security Practices Page, as updated from time to time, and currently accessible at https://docs.ob2.ai/docs/security.

  • Security Incident means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Relevant Personal Data.

  • Services has the meaning given to that term in the Agreement.

  • Standard Contractual Clauses means the EEA SCCs, Swiss SCCs, and UK SCCs.

  • Sub-processor means any entity engaged by OB2.AI or a member of the OB2.AI Group to Process Relevant Personal Data in connection with the Services.

  • Sub-processor List has the meaning set out at clause 3.2 of this DPA.

  • Supervisory Authority means an independent public authority tasked with the regulation and enforcement of Data Protection Laws, including (but not limited to) supervisory authorities established by an EU Member State pursuant to the GDPR, the UK’s Information Commissioner’s Office (the “ICO”), and the Swiss Federal Data Protection and Information Commissioner (the “FDPIC”).

  • Swiss Data Protection Laws means data protection, privacy, and security laws in Switzerland that are applicable to either Party in its role in the Processing of Relevant Personal Data under the Agreement, which may include, without limitation, the Swiss Civil Code, the Federal Act on Data Protection 1992, and applicable sector-specific data protection and security requirements.

  • Swiss SCCs means the EEA SCCs, amended as follows:

    • General and specific references in the EEA SCCs to Regulation (EU) 2016/679 or “that Regulation” or EU or Member State law have the same meaning as the equivalent reference in Swiss Data Protection Laws;
    • The term “Member State” will not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EEA SCCs;
    • The details of the transfer as those specified in Schedule 1 where Swiss Data Protection Laws apply to the transfer;
    • The EEA SCCs also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as “Personal Data” under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity; and
    • The FDPIC is the competent supervisory authority for the purposes of Clause 13 of the EEA SCCs.
  • Third Party Request means a written request from any third party for the disclosure of Relevant Personal Data, where compliance with such a request is required or purported to be required by applicable law or regulation.

  • UK Data Protection Laws means all data protection, privacy, and security laws in the United Kingdom that are applicable to either Party in its role in the Processing of Relevant Personal Data under the Agreement, including, but not limited to:

    • The General Data Protection Regulation ((EU) 2016/679) as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)) (“UK GDPR”);
    • The UK Data Protection Act 2018 (as amended);
    • The Privacy and Electronic Communications (EC Directive) Regulations 2003.
  • UK SCCs means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the ICO in accordance with s119A of the UK Data Protection Act 2018 which came into force on 21 March 2021, on the basis that:

    • Table 1 and Table 3 of the UK SCCs are deemed to have been completed with the corresponding details set out in Schedule 1 to this DPA and, for the purposes of Table 1 of the UK SCCs, the "Start Date" is the DPA Effective Date; and the official company registration numbers (where applicable) of the Parties are set out in the Agreement;
    • For the purposes of Table 2 of the UK SCCs: (1) the version of the "Approved EU SCCs" is the EEA SCCs; (2) the choices regarding Clause 7 (docking clauses), Clause 11 (option), Clause 9(a) (prior authorisation or general authorisation), and Clause 9(a) (time period) of the EEA SCCs are as set out in Schedule 2 or Schedule 3 to this DPA, as applicable; and
    • "Importer" is deemed to have been chosen for the purposes of Table 4 of the UK SCCs.
  • US Data Protection Laws means all legislation and regulations in the United States relating to the protection of Personal Information, including (but not limited to) the Federal Trade Commission Act, Cal. Civ. Code §§ 1798.99.80 (“2019 CA Data Broker Law”), the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), and the Virginia Consumer Data Protection Act (“VCDPA”).

  • Capitalized terms, or any other terms, used in this DPA that are not defined in this clause 1 (Definitions) shall have the meaning ascribed to them elsewhere in this DPA and/or the Agreement or in Data Protection Laws unless otherwise specified.

2. Processing of relevant personal data

2.1 Customer Obligations

The Customer shall, in its utilization of the Services and issuance of Instructions, handle Relevant Personal Data in compliance with the stipulations of Data Protection Laws. The Customer shall bear sole responsibility for the accuracy, quality, and legality of Relevant Personal Data, as well as the methods through which it acquired such Relevant Personal Data.

2.2 OB2.AI's Processing of Relevant Personal Data

As the Customer's Processor, OB2.AI shall exclusively Process Relevant Personal Data for the following purposes:

  • Processing in accordance with the Agreement and relevant Order Form(s);
  • Processing initiated by Authorized Users during their utilization of the Services; and
  • Processing to adhere to the Instructions. OB2.AI shall promptly notify the Customer if, in OB2.AI’s assessment, the Customer’s Instructions breach Applicable EU Law.

OB2.AI shall ensure that all OB2.AI personnel (inclusive of employees, agents, contractors, and subcontractors) authorized by OB2.AI to Process any Relevant Personal Data have entered into suitable contractually-binding confidentiality obligations.

2.3 Details of the Processing

The Parties acknowledge and agree that Schedule 1 (Description of Processing Activities) to this DPA is an accurate description of the Processing carried out under this DPA.

3. Sub-processors

3.1 Appointment of Sub-processors

The Customer acknowledges and agrees that: OB2.AI's Affiliates may be engaged as Sub-processors through written agreement with OB2.AI; and OB2.AI and its Affiliates may enlist third-party Sub-processors in connection with the provision of the Services. As a prerequisite to allowing a third-party Sub-processor to Process Relevant Personal Data, OB2.AI or an OB2.AI Affiliate will execute a written agreement with each Sub-processor containing data protection obligations that afford at least the same level of protection for Relevant Personal Data as those outlined in this DPA, to the extent applicable to the nature of the Services provided by such Sub-processor. The Customer agrees that OB2.AI may designate Sub-processors in accordance with clause 3.2 below.

3.2 List of Current Sub-processors and Notification of New Sub-processors

A current roster of Sub-processors for the Services, detailing the identities of those Sub-processors and their country of location, is accessible via https://docs.ob2.ai/subprocessors (the “Data subprocessors”). The Customer hereby grants consent to these Sub-processors, their locations, and Processing activities concerning Relevant Personal Data. The Data subprocessors features a mechanism for subscribing to notifications of new Sub-processors, and if the Customer subscribes, it shall receive notification of new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Relevant Personal Data in connection with the provision of the applicable Services.

3.3 Objection Right for New Sub-processors

The Customer may reasonably object to OB2.AI’s engagement of a new Sub-processor (e.g., if making Relevant Personal Data available to the Sub-processor may contravene Data Protection Laws or weaken the protections for such Relevant Personal Data) by notifying OB2.AI promptly in writing within ten (10) business days after receiving OB2.AI’s notice in accordance with the mechanism outlined in clause 3.2. Such notice shall elucidate the reasonable grounds for the objection. In the event the Customer objects to a new Sub-processor, as allowed in the preceding sentence, OB2.AI will exert commercially reasonable efforts to offer the Customer a change in the Services or propose a commercially reasonable alteration to the Customer’s configuration or use of the Services to prevent Processing of Relevant Personal Data by the objected-to new Sub-processor without unduly burdening the Customer. If OB2.AI is unable to effect such change within a reasonable timeframe, not exceeding thirty (30) days, either party may terminate without penalty the relevant Order Form(s) concerning only those Services which cannot be provided by OB2.AI without the use of the objected-to new Sub-processor by issuing written notice to OB2.AI. OB2.AI will reimburse the Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination concerning such terminated Services, without imposing a penalty for such termination on the Customer.

3.4 Liability

OB2.AI shall be accountable for the actions and omissions of its Sub-processors to the same extent OB2.AI would be liable if performing the Services of each Sub-processor directly under the terms of this DPA.

4. Sub-processors

4.1 Data Subject Requests

OB2.AI shall, to the extent legally permitted, promptly notify the Customer if OB2.AI receives a Data Subject Request. Considering the nature of the Processing, OB2.AI shall assist the Customer by employing appropriate technical and organizational measures, to the extent feasible, for fulfilling the Customer’s obligation to respond to a Data Subject Request as mandated by Data Protection Laws. Moreover, if the Customer, in its utilization of the Services, lacks the capability to address a Data Subject Request, OB2.AI shall, upon the Customer’s request, exert commercially reasonable efforts to aid the Customer in responding to such Data Subject Request, to the extent OB2.AI is legally permitted and the response to such Data Subject Request is necessitated under Data Protection Laws. The Customer shall be responsible for any costs arising from OB2.AI’s provision of such assistance, including any fees associated with providing additional functionality, to the extent legally permitted.

4.2 Regulator Correspondence

OB2.AI shall promptly notify the Customer upon receipt of any Regulator Correspondence or Third Party Request, unless prohibited by applicable law. OB2.AI will refrain from disclosing any Relevant Personal Data in response to such Regulator Correspondence or Third Party Request without first consulting with, and obtaining, the Customer’s prior written authorization, unless legally compelled to do so.

5. Security

5.1 Security Measures

OB2.AI shall maintain suitable technical and organizational measures to safeguard the security, confidentiality, and integrity of Relevant Personal Data, as detailed in the Security Practices Page. OB2.AI continuously monitors compliance with these measures and pledges not to materially decrease the overall security of the Services during a subscription term.

5.2 Security Incidents

OB2.AI shall promptly inform the Customer of any Security Incident without undue delay. Such notification shall include pertinent information regarding the nature of the Security Incident, contact details for obtaining further information, and the likely consequences along with measures taken or proposed to address the Security Incident. OB2.AI shall extend commercially reasonable cooperation and assistance in identifying the cause of such Security Incident and shall take commercially reasonable steps to rectify the cause within OB2.AI’s control. The obligations herein shall not apply to incidents caused by the Customer, Authorized Users, and/or any Non-OB2.AI Products, except as required by Data Protection Laws.

6. Record Keeping

6.1 Third-Party Certifications and Audits

OB2.AI has obtained the third-party certifications and audits specified in the Security Practices Page. Upon request, and subject to the confidentiality obligations outlined in the Agreement, OB2.AI shall furnish the Customer (or Customer’s independent, third-party auditor) with information regarding OB2.AI’s compliance with the obligations delineated in this DPA in the form of the third-party certifications and audits mentioned in the Security Practices Page. Additionally, OB2.AI shall allow and contribute to audits of the processing activities covered by this DPA, under reasonable circumstances or as required by a Supervisory Authority or upon indications of noncompliance, as determined by the Customer's reasonable opinion. Before commencing any onsite audit, mutual agreement on the scope, timing, duration, and reimbursement rates shall be reached between the Customer and OB2.AI.

6.2 Data Protection Impact Assessment

Upon the Customer’s request and where applicable, OB2.AI shall provide reasonable cooperation and assistance to facilitate the Customer’s obligation under the GDPR to conduct a data protection impact assessment related to the Customer’s use of the Services, to the extent that the Customer lacks access to relevant information otherwise available to OB2.AI. OB2.AI shall also furnish reasonable assistance to the Customer in cooperation or prior consultation with the Supervisory Authority, as required under the GDPR.

7. Transfers of Relevant Personal Data

7.1 Restricted

To the extent that the Customer initiates a Restricted Transfer, the following transfer mechanisms shall apply and shall be directly enforceable by the Parties:

7.1.1 Controller to Processor Clauses

In cases where the Customer acts as a Controller and a data exporter of Relevant Personal Data, and OB2.AI serves as a Processor and data importer for that Relevant Personal Data, the Parties shall adhere to the Controller to Processor Clauses, subject to the additional terms outlined in Schedule 2 (Additional Transfer Terms).

7.1.2 Processor to Processor Clauses

When the Customer operates as a Processor and a data exporter of Relevant Personal Data, and OB2.AI functions as a Processor and data importer concerning that Relevant Personal Data, the Parties shall comply with the Processor to Processor Clauses, subject to the additional terms specified in Schedule 2 (Additional Transfer Terms).

7.2 Incorporation of Standard Contractual Clauses

In instances where clause 7.1 applies, the Parties agree to be bound by, adhere to, comply with, and execute the Standard Contractual Clauses as if they were expressly set forth in and integrated into this DPA. By entering into and signing this DPA, OB2.AI and the Customer are deemed to have executed and ratified the Appendix to the Standard Contractual Clauses. The Standard Contractual Clauses shall take precedence over this DPA and the Agreement in the event of any conflict or inconsistency.

8. General

8.1 Relationship with the Agreement

Except as provided in clause 7.2, if any conflict arises between this DPA and the Agreement, this DPA shall prevail to the extent that such conflict pertains to the Processing of Personal Data. Notwithstanding any contrary provision in the Agreement or this DPA, the liability of each Party and its Affiliates under this DPA shall be subject to the exclusions and limitations of liability set forth in the Agreement. OB2.AI’s and its Affiliates’ total liability for all claims from the Customer arising out of or related to the Agreement and this DPA shall apply cumulatively for all claims under both the Agreement and all DPAs established under the Agreement.

8.2 Return and Deletion of Relevant Personal Data

Upon termination of the Services involving the Processing of Relevant Personal Data by OB2.AI, OB2.AI shall, at the Customer’s request and subject to the limitations delineated in the Agreement and the Security Practices Page, either return all Relevant Personal Data in its possession to the Customer or securely destroy such Relevant Personal Data and demonstrate to the Customer’s satisfaction that it has taken such measures, unless applicable law prevents the return or destruction of all or part of such Relevant Personal Data.

8.3 Liability

The liability of each Party and all of its Affiliates, collectively, arising from or related to this DPA, and all DPAs between Controller Affiliates and OB2.AI, whether in contract, tort, or under any other legal theory, is subject to the limitations and exclusions set forth in the Agreement. Any reference to a Party's liability encompasses the aggregate liability of that Party and all of its Affiliates under the Agreement and all DPAs together. OB2.AI’s and its Affiliates’ total liability for all claims from the Customer and all of its Controller Affiliates arising out of or related to the Agreement and each DPA shall apply cumulatively for all claims under both the Agreement and all DPAs established under the Agreement, including by the Customer and all Controller Affiliates, and shall not be construed to apply individually and severally to the Customer and/or to any Controller Affiliate that is a contractual party to any such DPA.

8.4 Updates to DPA

In the event of changes to Data Protection Laws, including but not limited to amendments, revisions, or introductions of new laws, regulations, or other legally binding requirements applicable to either Party, the Parties agree to review the terms of this DPA and negotiate any necessary updates in good faith, including the addition, amendment, or replacement of any schedules.

8.5 Governing Law

This DPA and any dispute or claim arising from it or its subject matter or formation (including noncontractual disputes or claims) shall be exclusively governed by the internal laws of the State of California, without regard to its conflict of laws principles or the United Nations Convention on the International Sale of Goods. The state and federal courts located in San Francisco County, California shall have exclusive jurisdiction to adjudicate any dispute arising from or related to this DPA. Each Party hereby consents to the exclusive jurisdiction of such courts. Furthermore, each Party waives any right to a jury trial in connection with any action or litigation arising from or related to this Agreement. In any action or proceeding to enforce rights under this Agreement, the prevailing Party shall be entitled to recover its reasonable costs and attorneys’ fees.

Signatures

On behalf of the Customer:

  • Name: [Customer Full Legal Name]
  • Signatory Name
  • Position
  • Address
  • Signature

On behalf of OB2.AI:

  • Name
  • Position
  • Address
  • Signature

Schedule 1: Description of Processing Activities

Data Subjects

OB2.AI may process Personal Data submitted to the Services, the scope of which is determined and controlled by the Customer. This Personal Data may relate to various categories of data subjects, including but not limited to:

  • Authorised Users;
  • Employees of the Customer;
  • Consultants engaged by the Customer;
  • Contractors working with the Customer;
  • Agents acting on behalf of the Customer; and/or
  • Third parties engaged in business transactions with the Customer.

Categories of Data

The Personal Data transferred may encompass the following categories of data: Any Personal Data contained within Customer Data, as defined in the Agreement. This could comprise, for instance:

  • CRM objects extracted from a Database;
  • Order Forms containing billing contact details;
  • SEO data regarding website visitors; or
  • HRIS data concerning employees.

Special Categories of Data

Customer may submit Personal Data to OB2.AI through the Services, the extent of which is determined and controlled by the Customer in compliance with Data Protection Laws. Such data may pertain to special categories, if any, including:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Membership in trade unions;
  • Genetic or biometric data;
  • Health information; and
  • Details regarding sex life.

Processing Operations

The Personal Data transferred will be processed in alignment with the Agreement and any relevant Order Form. It may undergo the following processing operations:

  • Storage and other necessary processing to deliver, maintain, and update the Services provided to the Customer;
  • Provision of customer and technical support to the Customer; and
  • Disclosures as outlined in the Agreement or as required by law.

Schedule 2: Additional Transfer Terms

Section 1: Operative Provisions

For the purposes of the Controller to Processor Clauses and the Processor to Processor Clauses, the Customer acts as the data exporter, and OB2.AI acts as the data importer. The Parties agree to the following terms, which apply to both sets of clauses unless explicitly mentioned otherwise.

1.1 Instructions

The DPA and the Agreement constitute the Customer’s complete and final instructions regarding the Processing of Relevant Personal Data at the time of execution of the DPA. Any additional or alternative instructions must align with the terms of the DPA and the Agreement. The instructions for processing Personal Data are outlined in clause 2.2 of the DPA.

1.2 Docking Clause

The option under Clause 7 of the Standard Contractual Clauses does not apply.

1.3 Security of Processing

Customer is responsible for independently determining whether the technical and organizational measures outlined in the Security Practices Page meet its requirements. Customer agrees that OB2.AI's security measures and policies provide an appropriate level of security for the Relevant Personal Data.

1.4 Notification of New Sub-processors and Objection Right for New Sub-processors

Option 2 under Clause 9 of the Standard Contractual Clauses applies. OB2.AI may engage new Sub-processors as described in clause 3.1 of the DPA. OB2.AI will inform Customer of any changes to Sub-processors following the procedure outlined in clause 3.2 of the DPA.

1.5 Copies of Sub-processor Agreements

OB2.AI may provide copies of Sub-processor agreements with commercial information or clauses unrelated to the Standard Contractual Clauses removed, at its discretion and upon Customer's request.

1.6 Audits of the Standard Contractual Clauses

Audits described in Clause 8.9 of the Standard Contractual Clauses will be conducted in accordance with clause 6.1 of the DPA.

1.7 Requests for Relevant Personal Data

OB2.AI shall inform Customer promptly upon receiving any Data Subject Request, Regulator Correspondence, or Third Party Request regarding Relevant Personal Data, and shall communicate the request to Customer without delay.

1.8 Liability

OB2.AI's liability under Clause 12(b) of the Standard Contractual Clauses is limited to damages caused by its Processing in cases where it has not complied with GDPR obligations specifically directed to Processors or where it has acted contrary to Customer's lawful instructions.

1.9 Certification of Deletion

Certification of deletion of Relevant Personal Data, as described in Clauses 8.5 and 16(d) of the Standard Contractual Clauses, will be provided by OB2.AI to Customer upon Customer's written request.

1.10 Supervision

Clause 13 of the Standard Contractual Clauses applies based on the location and establishment of Customer or its appointed representative.

1.11 Notification of Government Access Requests

Notification of government access requests shall be carried out in accordance with clause 4.2 of the DPA, with Customer responsible for promptly notifying Data Subjects as necessary.

1.12 Governing Law

The governing law for the Standard Contractual Clauses is the laws of Ireland.

1.13 Choice of Forum and Jurisdiction

Disputes arising from the Standard Contractual Clauses shall be resolved by the Irish courts.

1.14 Appendix

The Appendix shall be completed as specified, with Customer acting as the Controller or Processor, and OB2.AI as the Processor and data importer. Schedule 1 and the Security Practices Page form part of the Appendix.

1.15 Third Party Beneficiary Rights

OB2.AI's third-party liability to Data Subjects is limited to its own processing operations under the DPA.

1.16 Alternative Transfer Mechanisms

The data export solution identified in clause 7 of the DPA will not apply if Customer adopts an alternative data export solution for Restricted Transfers. OB2.AI will take necessary actions to give effect to the chosen alternative transfer mechanism.

Section 2: Additional Terms for the Processor to Processor Clauses

2.1 Instructions and Notifications

OB2.AI informs the relevant Controller that it acts as a Processor under the Controller's instructions regarding Relevant Personal Data. OB2.AI ensures that its processing instructions, including authorizations for sub-processor appointments, have been authorized by the Controller. OB2.AI is responsible for forwarding any notifications from OB2.AI to the relevant Controller.

2.2 Security of Processing

OB2.AI will promptly notify Customer of any personal data breaches related to Relevant Personal Data processed by OB2.AI.

2.3 Documentation and Compliance

Customer is responsible for providing all inquiries from the relevant Controller to OB2.AI. If OB2.AI receives an inquiry directly from a Controller, it will forward it to Customer, who is solely responsible for responding to such inquiries.

2.4 Data Subject Rights

OB2.AI will notify Customer of any Data Subject Requests without the obligation to handle them, unless otherwise agreed. OB2.AI will not notify the relevant Controller directly. Customer is solely responsible for cooperating with the relevant Controller to fulfill obligations related to Data Subject Requests.
