This DATA PROCESSING AGREEMENT (this "DPA") is entered into between:

1. The customer agreeing to these terms ("Customer"); and

2. ZERO TECHNOLOGIES OY (3451848-1), a private limited company incorporated under the laws of Finland with address at PO Box 1188, FI-00101 Helsinki, Finland ("Supplier").

(1) and (2) hereinafter referred to individually as a "Party" and collectively as the "Parties".

1. Background

1.1 The Parties have entered into an agreement regarding the Supplier's provision of the Service (as specified in the Terms of Service) (the "Main Agreement"). The Service will include processing of Customer's Data by the Supplier on behalf of the Customer.

1.2 This DPA governs the Customer's rights and obligations as a controller and the Supplier's rights and obligations as a processor when the Supplier processes personal data on behalf of the Customer.

1.3 This DPA shall be deemed to form part of the Main Agreement. In the event of inconsistencies between the provisions of the Main Agreement and this DPA, this DPA shall prevail with respect to data protection matters.

2. Definitions

2.1 Unless otherwise stated, terms and expressions in this DPA shall be interpreted in accordance with the EU General Data Protection Regulation (2016/679) ("GDPR").

2.2 Terms and expressions used in this DPA, but not defined herein, shall be defined in accordance with the Main Agreement.

3. Processing of Personal Data

3.1 The Supplier undertakes to process personal data only in accordance with documented instructions from the Customer and applicable data protection legislation. The Supplier's obligations regarding the processing activities are set out in Appendix 1.

3.2 The Supplier shall implement appropriate technical and organizational security measures as specified in www.zero.inc/security to protect personal data processed under this DPA.

3.3 The Supplier shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Sub-processors and International Transfers

4.1 The Customer authorizes the Supplier to engage sub-processors for the processing of personal data. The current list of sub-processors is available in Appendix 2 of this DPA.

4.2 The Supplier shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, giving the Customer the opportunity to object to such changes.

4.3 The Supplier shall ensure that its sub-processors are bound by written agreements that impose data protection obligations no less protective than those in this DPA.

4.4 For transfers of personal data outside the EU/EEA, the Supplier shall ensure appropriate safeguards in accordance with GDPR Chapter V, including where applicable:

• EU Standard Contractual Clauses

• Adequacy decisions by the European Commission

• Other legally recognized transfer mechanisms

5. Security and Data Breaches

5.1 The Supplier shall notify the Customer without undue delay after becoming aware of a personal data breach.

5.2 The Supplier shall provide reasonable assistance to the Customer in:

• Ensuring compliance with security obligations

• Documenting and notifying personal data breaches

• Conducting data protection impact assessments

• Prior consultations with supervisory authorities

6. Audit Rights

6.1 The Customer shall have the right to audit the Supplier's compliance with this DPA, including by conducting inspections, with reasonable notice.

6.2 The Supplier shall contribute to audits by providing available documentation and reasonable assistance, subject to confidentiality obligations.

7. Term and Termination

7.1 This DPA shall remain in effect as long as the Supplier processes personal data on behalf of the Customer.

7.2 Upon termination of processing services, the Supplier shall, at the Customer's choice, delete or return all personal data and delete existing copies unless legally required to retain such data.

8. Liability

8.1 Each Party's liability under this DPA shall be subject to the limitations set forth in the Main Agreement.

9. Governing Law and Jurisdiction

9.1 This DPA shall be governed by the laws of Finland.

9.2 Any disputes shall be resolved in accordance with the dispute resolution provisions of the Main Agreement.

Appendix 1: Details of Processing

Nature and Purpose of Processing

• Processing customer relationship management data as part of providing the Service

• Analytics and service improvement

• Technical support and problem resolution

• Service administration

Categories of Data Subjects

• Customer's employees

• Customer's clients and prospects

• Customer's business partners

Types of Personal Data

• Basic contact information (names, email addresses, phone numbers)

• Business relationship data

• Communication history

• Other data submitted by the Customer through the Service

Duration of Processing

• For the duration of the Main Agreement plus any additional period required by law or as needed to fulfill the purposes specified above

Appendix 2: Sub-processors

Zero Technologies uses the following sub-processors to provide the Service:

Changes to this sub-processor list will be notified to Customers in accordance with Section 4.2 of this DPA.