DATA PROCESSING AGREEMENT

GENERAL DATA PROCESSING TERMS:

1. DEFINITIONS:

   1. Agreement: means the Agreement between 42Gears and the Customer whether in any written or electronic form to provide Service to the Customers.
   2. Data Controller: means the natural or legal person, entity, public authority, agency, or other body which, alone or jointly with others, determine the purposes and means for processing of personal data.
   3. Data Processor: means any natural or legal entity who processes the Personal Data on behalf of the Data Controller.
   4. Security Breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data transmitted, stored, or otherwise processed in connection with the provision of services by 42Gears. A Security Incident shall exclude any unsuccessful attempt or activity that does not pose a threat to the security of customer data. This includes, but is not limited to, actions such as pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not lead to access beyond header information), and similar occurrences.
   5. Personal Data: means any information, including personal information, relating to an identified or identifiable natural person (“Data Subject”) or as defined in and subject to applicable data protection legislation.
   6. Customer Data: means any data including Personal Data that 42Gears access or receive or that Customer send or upload for storage or processing in order for 42Gears to perform Services.
   7. Services: any cloud services or Customer support provided by 42Gears to the Customers pursuant to this Agreement.
   8. Sub-Processor: means any third-party service provider that 42Gears or its Affiliates engaged or may engage to process Personal Data of its Customers pursuant to this Agreement. Sub-processors may include third parties or 42Gears Affiliates but shall exclude 42Gears employees, contractors or consultants.
   9. ISO 27001 Certification: means ISO/IEC 27001:2019 certification or a comparable certification for the Processor Services.
   10. Security Incident: means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by 42Gears.
   11. Sensitive Data: means (a) social security number, tax file number, passport number, driver's license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of "special categories of data" under applicable data protection laws.
   12. California Privacy Rights Act, 2023 Or “CPRA”: means Assembly Bill 375 of California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018.
   13. Standard Contractual Clauses: means ANNEXURE 1, attached to and forming part of this DPA pursuant to 2021 SCCs issued under GDPR (Regulation (EU) 2016/679) Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2. OBJECTIVES OF DATA PROCESSING:

   1. 42Gears undertakes to process Personal Data on behalf of the Customer in accordance with the conditions laid down in this DPA. The processing will be executed exclusively within the framework of the Agreement, and for all such purposes as may be agreed to subsequently.
      
   2. 42Gears shall refrain from making use of the Personal Data for any purpose other than as specified by the Customer. The Customer will inform 42Gears of any such purposes which are not contemplated in this DPA.
   3. All Personal Data processed on behalf of the Customer shall remain the property of the Customer and/or the relevant Data subjects.
   4. 42Gears shall not, on its behalf, make any unilateral decisions regarding the processing of the Personal Data other than the purpose as set out in the Agreement.
   5. The Parties shall at all times comply with the applicable data protection legislation and privacy laws, including without limitation the EU Privacy Directive and the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act/California Privacy Rights Act, 2023 (“CCPA/CPRA”), DPDP Act (Digital Personal Data Protection Act 2023). The Parties acknowledge and agree that with regard to the processing of Personal Data, Customer is the Data Controller (or Business under CCPA/CPRA) and 42Gears is the Data Processor (or Service Provider under CCPA/CPRA).
   6. Processor and Controller will timely provide each other with all necessary information regarding the processing of Personal Data to enable compliance with the relevant Data Protection Laws and Regulations.
   7. 42Gears will not be held responsible for any Data Protection Losses that occur as a result of or in association with processing carried out in compliance with the Controller's instructions.
   8. Regardless of the foregoing prohibitions, the Parties agree that 42Gears may, and Controller instructs 42Gears to, process personal data for the following activities that are necessary to support the Services: detect data security incidents; protect against fraudulent or illegal activity; effectuate repairs; and provide, maintain, or improve the quality of the services.

3. OBLIGATIONS:

   1. Customer Obligations:
      1. Customer shall comply with the Agreement, applicable Privacy Laws, and its obligations under this DPA. Prior to any Processing of Customer Personal Data by 42Gears and its Software, and in accordance with applicable Privacy Laws, Customer is responsible for providing appropriate information and obtaining any required consent from all Data Subjects whose Personal Information is Processed by 42Gears under the Agreement.
      2. Under applicable Privacy Laws, individuals may have certain rights in relation to their personal data. These rights may include the right to access, correct, update, disclose, delete, and/or port personal data, and/or to withdraw consent to processing, opt-out of communications, restrict processing of Personal Data, and/or make claims/complaints in relation to the exercise of such rights. As Controller and responsible entity under applicable Privacy Laws, Customer (or Rockwell Automation where applicable), is responsible for responding to any request by an individual to exercise such rights (“Data Subject Request”).
      3. In the event Customer is subject to additional industry or data specific legal or regulatory restrictions (including jurisdictional requirements as set forth in section 1.11 below) based on its area of business, jurisdiction, and/or categories of data it collects and maintains, including Customer Personal Data beyond those covered in this DPA, such as data localization or record specific retention requirements, Customer is responsible for notifying 42Gears of all such restrictions that may impact 42Gears’s processing activities and will be responsible for any additional costs incurred by 42Gears to meet this additional restriction.
      4. Customer represents and warrants that it has express consent and/or a legal basis to process the relevant Personal Data. Furthermore, the Customer represents and warrants that the contents are not unlawful and do not infringe. This document is proprietary and confidential. No part of this document may be disclosed in any manner to a third-party without the prior written consent of 42Gears. In this context, the Customer indemnifies 42Gears of all claims and actions of third parties related to the processing of personal data without express consent and/or legal basis under this DPA.
      5. The Customer will not provide (or cause to be provided) any Sensitive Data to 42Gears for processing under this Agreement, and 42Gears will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
   2. 42Gears Obligations:
      

      In accordance with this Agreement and subject to applicable Privacy Laws, 42Gears will:

      1. process the Customer Personal Data only on and in accordance with the Customer’s documented written instructions, or as set out in this DPA and the Agreement (“Processing Instructions”);
      2. notify the Customer of any such requirement before processing the Customer Personal Data (unless applicable law prohibits such information on important grounds of public interest); and
      3. shall inform the Customer if 42Gears becomes aware of a Processing Instruction that, in 42Gears reasonable opinion, infringes Applicable Data Privacy Law, provided that, to the maximum extent permitted by mandatory law, 42Gears shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Privacy Losses) arising from or in connection with any processing in accordance with the Customer's Processing Instructions.

4. SUB-PROCESSORS:

   1. 42Gears is authorized within the framework of the Agreement to engage Sub- processors mentioned in the Annex 4 (which may be updated from time to time) to provide certain services on its behalf.
   2. 42Gears shall in any event ensure that the Sub-processor will be obliged to agree in writing to the similar substantial duties that are agreed between the Customer and 42Gears as set out in this DPA.
   3. 42Gears agrees (i) to provide at least 10 days prior notice to Customer of any new appointment or a replacement of an existing Sub- Processor to process personal data and (ii) if Customer objects to a new Sub-processor on reasonable data protection grounds within thirty (30) days of receiving the notice, to discuss the Customer those concerns in good faith with a view to achieve a resolution. In the event that the Parties are unable to find such a solution, Customer may terminate the Agreement at no additional cost.
   4. Processor shall not subcontract any of its processing operations regarding Controller’s Personal Data without the express prior written consent of Controller whose consent shall not be withheld in case of a reasonable request.
   5. Processor shall only subcontract its processing operations regarding the personal data by way of a written agreement signed between the Processor and the Sub-processor which is in accordance with the obligations and restrictions imposed on the Processor by the applicable Data Protection Laws and Regulations and the principles set forth in this Data Processing Agreement.

5. DUTY TO REPORT SECURITY INCIDENT:

   1. If the Processor becomes aware of any incident involving the accidental, unlawful or unauthorized destruction, loss, alteration, disclosure of or access to Controller’s Personal Data, the Processor shall notify the Controller without undue delay within and, where feasible, not later than 72 hours after becoming aware, about the Data Security Breach or Security incident related to the processing of Personal Data under this Data Processing Agreement and the 42Gears Terms. Further, 42Gears shall investigate and provide the Controller with sufficient information related to the Data Security Breach in order to meet any legal obligation to report or inform Data Subjects or the Supervisory Authority of the Data Security Breach under the applicable Data Protection Laws and Regulations. 42Gears will endeavor that the furnished information is complete, correct, and accurate.
   2. In case of a Security incident Processor will promptly take adequate measures to mitigate the consequences of the incident and to prevent future incidents. Processor will ensure reasonable cooperation in order to enable the Controller to comply with its legal obligation to notify of Data Security Breaches and to inform Data Subjects and the Supervisory Authority within the time frame provided in the applicable Data Protection Laws and Regulations.
   3. Under the GDPR or under any applicable law and/or regulation, 42Gears shall cooperate in notifying the relevant authorities and/or Data subjects. However, 42Gears obligation to notify or respond is not an acknowledgment by 42Gears of any fault or liability with respect to the Security incident.
   4. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means 42Gears selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on 42Gears SureMDM console and secure transmission at all times.
   5. The obligations contained in Section 6 should not apply to security incidents that are caused by Customer or Customer’s users. However, 42Gears may notify Customers promptly upon becoming aware of any such Security incident.

6. SECURITY:

   1. 42Gears will endeavor to take adequate technical and organizational measures against loss or any form of unlawful processing (such as unauthorized disclosure, deterioration, alteration or disclosure of Personal Data) in connection with the processing of personal data mentioned under Annex 2 of this DPA and our Trust Center Page available https://www.42gears.com/trust-center/.
   2. 42Gears will endeavor to ensure that the security measures are of a reasonable level, having regard to the sensitivity of the Personal Data and the costs related to the security measures.
   3. The Customer will solely assure its own security measures for secure transfer of Personal Data to 42Gears. 42Gears will adopt appropriate security measures to ensure data security while transferring the Personal Data back to the Customer including (a) the security measures mentioned in ANNEX 2, (b) securing the account authentication credentials, systems and devices Customer uses to access the Service; and (c) backing up Customer Data.
   4. To evaluate and ensure the continued effectiveness of the security measures, 42Gears will maintain the ISO-27001 Certification and restricts its personnel from processing personal data without authorization (unless required to so by applicable law) and will ensure that any person authorized by 42Gears to Process personal data is subject to an obligation of confidentiality.
   5. Customer acknowledges that the security measures are subject to technical progress and development and that 42Gears may update or modify the security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.

7. RESPONSE TO DATA SUBJECTS:

   Where a Data Subject submits a request to 42Gears to exercise any of its rights under the GDPR or any applicable law/regulation, 42Gears, taking into account the nature of processing, will use commercially reasonable efforts to forward such request to the Customer and the request will then be dealt with by the Customer, 42Gears will not respond directly to such request without obtaining the prior approval of the Customer. If 42Gears is required to respond to the Data Subject Request directly, it will promptly notify the Customer of such request, unless 42Gears is prohibited to do so under any applicable law/regulation. To the extent legally permitted, Customer shall be responsible for any costs arising from 42Gears provision of such assistance.

8. DATA CENTER AND INTERNATIONAL TRANSFER:

   1. 42Gears uses reputed cloud service providers such as AWS, GCP etc. to host the services. Information about the locations of the datacenter is available at our privacy policy: https://www.42gears.com/trust-center/privacy/privacy-policy/.
   2. Subject to Section 9.3, Customer acknowledges that 42Gears may transfer and process Customer Data to and in the United States and anywhere else in the world where 42Gears, its Affiliates or its Sub-processors maintain data processing operations. 42Gears shall at all times ensure that such transfers are made in compliance with the requirements of applicable data protection laws and this DPA.
   3. European Data transfers. To the extent that 42Gears is a recipient of Customer Data protected by EU Data Protection Laws ("EU Data") in a country outside of Europe that is not recognized as providing an adequate level of protection for Personal Data (as described in applicable EU Data Protection Law), the Parties agree to the following:
      1. SCCs: 42Gears agrees to abide by and process EU Data in compliance with the SCCs in the form set out in this Agreement. For the purposes of the descriptions in the SCCs, 42Gears agrees that it is the "data importer" and Customer is the "data exporter" (notwithstanding that Customer may itself be an entity located outside Europe).
   4. Alternative transfer mechanism. To the extent 42Gears adopts an alternative data export mechanism (including any new version of or successor to the SCCs ) for the transfer of EU Data not described in this DPA ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of the transfer mechanisms described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with applicable EU Data Protection Law and extends to the countries to which EU Data is transferred). In addition, if and to the extent that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer EU Data (within the meaning of applicable EU Data Protection Law), 42Gears may implement any additional measures or safeguards that may be reasonably required to enable the lawful transfer of EU Data.
   5. Jurisdiction-Specific Transfers. Where required by local data protection laws (such as the Australian Privacy Law, South Africa’s POPIA, or others), 42Gears will ensure that transfers are conducted using appropriate safeguards in accordance with applicable Privacy Laws and as further set forth in the obligations set out in the Jurisdiction-Specific Terms (Schedules).
   6. If however, at any time during the execution of this Data Processing Agreement and the 42Gears Terms, Processor establishes that Controller’s instructions appear in any way to be unlawful or non-compliant with the applicable legislation, Processor shall without undue delay notify this to Controller and wait for further instructions.
   7. Processor shall not perform cross-border Transfers outside the EEA, disclose or otherwise permit access to the personal data to any third-party for any purpose, without Controller’s prior written consent, unless the Transfer, the disclosure or the access permission are strictly necessary in order to comply with a legal obligation or for the performance of the Services and Processor’s compliance with the terms of this Data Processing Agreement and the 42Gears Terms. Notwithstanding the above, for the processing of Personal Data outside the EEA, Processor will provide Controller with an overview of the countries in which the Personal Data is Processed or transferred to. Upon signing this Data Processing Agreement, Controller gives its consent for the processing of Personal Data by the Processor or its Sub-processors in the countries as per this Agreement.

9. AUDIT:

   Customer agrees its right to audit 42Gears may be satisfied by 42Gears presenting the valid certifications, reports or extracts from independent bodies, including external or internal auditors, IT security department, data protection or quality auditors or others mutually agreed to third parties or certification by way of an IT security or data protection audit.

   1. To the extent it is not possible to satisfy an audit obligation mandated by applicable Data Protection Laws and Regulations through such attestations, reports or extracts, the Customer may conduct an audit by assigning an independent third-party who shall be obliged to observe confidentiality in this regard. Any such audit will follow 42Gears reasonable security requirements and will not interfere unreasonably with 42Gears business activities.
   2. Customers shall bear all the audit cost and not audit 42Gears process more than once annually.
   3. 42Gears may object to any third-party audit, if the auditor is, in 42Gears's reasonable opinion, not suitably qualified or independent, a competitor of 42Gears or otherwise manifestly unsuitable. Any such objection by 42Gears will require the Customer to appoint another auditor or conduct the audit itself. Nothing in this Data Protection Agreement will require 42Gears either to disclose Customer or its third-party auditor or to allow Customer or its third-party auditor to access:
      1. any data of any other Customer of 42Gears and its any entity
      2. 42Gears internal accounting or financial information.
      3. any trade secret of 42Gears
      4. Any information that, in 42Gears reasonable opinion, could (A) compromise the security of any 42Gears systems or premises or (B) cause 42Gears to breach any of its obligations under the Data Protection Legislation or its security and/or privacy obligations to Customer or any third-party; or
      5. Any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer's obligations under the Data Protection Legislation.
   4. Processor undertakes to cooperate with Controller in its dealings with national data protection authorities and with any audit requests received from national data protection authorities. The Controller shall be entitled to disclose this Data Processing Agreement or any other documents (including contracts with subcontractors) that relate to the performance of its obligations under this Data Processing Agreement (commercial information may be removed).
   5. Customers acknowledge that 42Gears operates a shared cloud environment. Accordingly, 42Gears shall have the right to reasonably adapt the scope of any On-Site Audit to avoid or mitigate risks with respect to, and including, service levels, availability, and confidentiality of other 42Gears Customers’ and users' information. You shall promptly provide 42Gears with the full report and complete results of any On-Site Audit.

10. DURATION AND TERMINATION:

    1. This DPA may only be amended by the Parties subject to mutual consent.
    2. This DPA shall remain in force for the duration of the Service Agreement between the Customer and 42Gears. Upon termination or expiry of the Service Agreement, 42Gears shall, at the choice of the Customer, delete or return all Customer Personal Data in its possession, unless retention is required by applicable law.
    3. 42Gears shall ensure the secure deletion of Customer Personal Data in accordance with its internal data retention and deletion policies, unless otherwise agreed in writing or required under applicable law.

11. LIMITATION OF LIABILITY:

    1. Each Party’s and all of its Affiliate’s liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and 42Gears, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
    2. Any claims made against 42Gears or its Affiliates under or in connection with this DPA (including, where applicable, the SCC’s) shall be brought solely by the Customer entity that is party to the Agreement.
    3. Controller shall indemnify and hold Processor harmless from any liability, losses, claims, penalties, damages, costs and expenses of whatever nature, imposed by the Supervisory Authority on Processor and arising out of any claims, actions, proceedings or settlements, resulting from the breach or non-compliance of Controller with the terms and conditions of this Data Processing Agreement and/or with the applicable Data Protection Laws and Regulations.
       Processor shall:
       1. promptly notify Controller of any claim, investigation or other circumstances that come to its attention and that may lead to such liability, losses, claims, penalties, damages, costs and expenses to be imposed by the authorities
       2. act and communicate with the authority and cooperate as may be reasonably required by the Controller at Controller’s cost in settling the claim.
       3. Except as specifically provided in the EU Standard Contractual Clauses, 42Gears and all of its Affiliates and subsidiaries' liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability or any indemnification provision, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
    4. For the avoidance of doubt, 42Gears and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.

12. CUSTOMER REQUESTS:

    42Gears shall comply with the applicable data protection laws and regulations. For the avoidance of doubt, we will:

    1. Provide support to Customer at their request to assess the impact of our services on their privacy (for example, through assisting Customer with a Data Protection Impact Assessment at Customer’s cost);
    2. Provide support to Customers in responding to requests from data subjects to exercise their rights under the EU GDPR.
    3. Processor shall promptly notify Controller if it receives a request from a Data Subject to exercise its rights of access to, rectification, amendment, restriction of processing or deletion (“right to be forgotten”), data portability, objection to the processing of that person’s personal data or any other Data Subject Request, under any of the applicable Data Protection Laws and Regulations. Processor will not respond to any such Data Subject Request without Controller’s prior written consent and in accordance with Controller’s instructions, except to confirm that the request relates to Controller.
    4. Processor shall provide Controller with all reasonable cooperation and assistance in order to enable Controller to comply with its legal obligations in relation to the handling of Data Subject Requests, within the statutory time limits, to the extent that the Processor is legally permitted to do so and provided that such Data Subject Requests are exercised in accordance with the applicable Data Protection Laws and Regulations.

13. RETURN OR DELETION OF DATA:

    1. Processor will retain the personal data for a duration as instructed by the Controller, and consistent with the retention periods as applicable by law. Processor warrants to return or, to the extent allowed by the applicable laws and in accordance with Controller’s instructions and the terms of this Data Processing Agreement, delete and destroy all personal data and any copies of such data after the retention period has lapsed.
    2. Upon Controller’s request, expiration or earlier termination of this Data Processing Agreement, Processor shall promptly and in any event within thirty (30) days of the date of cessation of any Services involving the Processing of Controller’s Personal Data, return to Controller or delete and procure a certification of destruction of all copies of Controller’s Personal Data that might be in their possession. The return of Controller’s Personal Data and all its copies in Processor’s possession shall be completed by secure file transfer in such format as is reasonably requested by Controller to Processor. The Parties agree that the Controller will bear all reasonable costs involved in the return or the deletion of the personal data.
    3. The Processor may retain Controller’s Personal Data to the extent required by the applicable laws and for such period as required by the applicable laws. Notwithstanding the above, when retaining Controller’s Personal Data Processor shall ensure the confidentiality of all such personal data and shall ensure that such Personal Data is Processed only as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.

14. UPDATES TO DPA:

    42Gears reserves the right to amend this DPA by posting an updated DPA on its website.

15. MISCELLANEOUS:

    1. If any provision of this Data Processing Agreement is found by any court or administrative body of competent jurisdiction to be void, invalid, illegal, or otherwise unenforceable, all other terms and provisions of this Data Processing Agreement shall nevertheless remain in full force and effect, and the invalidity or unenforceability of such provision will not adversely affect the enforceability of any other provision of this Data Processing Agreement.
    2. Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.
    3. Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR or UK-GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR or UK-GDPR.