Data Processing Agreement

This Data Processing Agreement is incorporated in Prewave’s Terms of Service – Free Basic Account and forms an integral part of the Contract concluded with the User.

The DPA is concluded to govern the relation between the User and Prewave, when User acts as a Data Controller and Prewave acts as a Data Processor. The User wishes to contract certain Services according to the Terms of Service, which imply the Processing of Personal Data, to the Data Processor. The nature and purpose of the proposed Processing of Personal Data and the nature of the data and the categories of Data Subjects are set out in Appendix 1 to this Agreement.

This Data Processing Agreement is implemented in order to comply with the requirements of the current legal framework in relation to Data Processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

Definitions

Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

  • “Agreement” means this Data Processing Agreement and all its Appendices.
  • “User Personal Data” means any Personal Data processed by the Data Processor on behalf of the User pursuant to or in connection with the Contract.
  • “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
  • “EEA” means the European Economic Area.
  • “EU Data Protection Laws” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), including laws implementing or supplementing the GDPR.
  • “GDPR” means EU General Data Protection Regulation 2016/679.
  • “Data Transfer” means:
    • transfer of User Personal Data from the User to the Data Processor; or
    • an onward transfer of User Personal Data from the Data Processor to a Subprocessor, or between two establishments of the Data Processor.
  • “Services” means the Services the Data Processor provides or intends to provide to the User.
  • “Subprocessor” means any person appointed by or on behalf of the Data Processor to process Personal Data on behalf of the User in connection with the Agreement.

The terms, “Commission”, “Controller”, “Processor”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

Processing of User Personal Data

  1. The Data Processor shall comply with all applicable Data Protection Laws in the Processing of User Personal Data.
  2. The Data Processor shall not process User Personal Data other than on the User’s documented instructions. The Data Processor shall immediately inform the User if the Data Processor considers that an instruction issued by the User violates statutory provisions (Art. 28 (3) last sentence GDPR). The Data Processor is entitled to suspend the execution of the corresponding instruction until it is confirmed or changed by the User after inspection.
  3. The User instructs the Data Processor to process User Personal Data as per the Contract.

Data Processor Personnel

  1. The Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the User Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant User Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Data Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

  2. The Data Processor is not obliged to appoint a Data Protection Officer within the meaning of Art. 37 GDPR. The contact person for data protection at the Data Processor is:

a. Harald Nitschinger

b. Managing Director of Prewave

c. +436641337894

d. privacy@prewave.ai

Security

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall in relation to the User Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Art. 32 (1) of the GDPR.
  2. In assessing the appropriate level of security, the Data Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
  3. The Data Processor’s activity as a business has been TISAX certified on April 15th, 2022.

Subprocessing

  1. The User authorizes the listed Subprocessors in Appendix 2.
  2. The User shall give its consent to the authorization of a Subprocessor already within the framework of this Data Processing Agreement, provided that the below conditions of this paragraph are met, and the User does not raise any objection in writing to the Data Processor within fourteen (14) days from the notification of any intended change concerning the addition or replacement of a Subprocessor.
  3. Authorization can only be given if the Data Processor informs the User of the name and the intended activity of the Subprocessor(s). In addition, the Data Processor must ensure that the Subprocessor is carefully selected by assessing the suitability of its technical and organizational measures in the meaning of Art. 32 GDPR.
  4. The Data Processor may only order Subprocessors in third countries if the special requirements of Art. 44 et seq. GDPR apply (e.g. Commission adequacy decision, EU approved standard contractual clauses, approved codes of conduct).
  5. The Data Processor shall contractually ensure that the agreed regulations between the User and the Data Processor also apply to the Subprocessors. The contract with the Subprocessor shall specify the details in such a concrete manner that the responsibilities of the Data Processor and its Subprocessor are clearly defined. If several Subprocessors are used, this shall also apply to the responsibilities between them.
  6. The contract with the Subprocessor must be drawn up in writing, which can also be in an electronic format (Art. 28 (4) and (9) GDPR).

Data Subject Rights

  1. Taking into account the nature of the Processing, the Data Processor shall assist the User by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the User’s obligations, as reasonably understood by User, to respond to requests for exercising Data Subject’s rights under the Data Protection Laws.
  2. The Data Processor shall:

a. promptly notify the User if it receives a request from a Data Subject under any Data Protection Law in respect to User Personal Data; and

b. ensure that it does not respond to that request except on the documented instructions of the User or as required by Applicable Laws to which the Data Processor is subject, in which case the Data Processor shall to the extent permitted by Applicable Laws inform the User of that legal requirement before the Data Processor responds to the request.

Personal Data Breach

  1. The Data Processor shall notify the User without undue delay upon the Data Processor becoming aware of a Personal Data Breach affecting User Personal Data, providing the User with sufficient information to allow the User to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
  2. The Data Processor shall cooperate with the User and take reasonable commercial steps as directed by the User to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

Data Protection Impact Assessment and Prior Consultation

  1. The Data Processor shall provide reasonable assistance to the User with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the User reasonably considers to be required by Art. 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to the Processing of User Personal Data by, and taking into account the nature of the Processing and information available to, the Data Processor.

Support of the User

  1. The Data Processor shall support the User in fulfilling any statutory information and disclosure obligations arising in connection with the Processing on behalf of the User.

Deletion or Return of User Personal Data

  1. The nature of Processing is to fulfil the Contract agreed between the User and the Data Processor.
  2. Unless otherwise provided within this Agreement or the Contract, the Data Processor shall promptly and in any event within ten (10) business days of the date of cessation of the Services involving the Processing of User Personal Data, delete and procure the deletion of all copies of those User Personal Data or return all User Personal Data to the User, with the exception of back-up files which are automatically overwritten or deleted after ninety (90) days.
  3. In case of any right to retain certain information under the Contract, the Data Processor shall, instead of deletion, anonymize the User Personal Data as may be applicable.
  4. The above provisions shall not preclude any legally prescribed retention periods.

Audit Rights

  1. Subject to this section, the Data Processor shall make available to the User on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the User or an auditor mandated by the User in relation to the Processing of the User Personal Data by the Data Processor.
  2. Information and audit rights of the User only arise under Section Audit Rights (1) to the extent that the Agreement does not otherwise give the User information and audit rights meeting the relevant requirements of Data Protection Law.

Data Transfer

  1. The Data Processor may not transfer or authorize the transfer of data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the User. If Personal Data processed under this Agreement is transferred from a country within the EU or European Economic Area to a country outside the EU or European Economic Area, the Parties shall ensure that the Personal Data is adequately protected. To achieve this, the special legal requirements of Art. 44 et seq. GDPR have to be fulfilled (e.g. by EU approved standard contractual clauses for the transfer of Personal Data).

Supervisory Authorities

  1. The Data Processor is obliged to inform the User immediately of any controls or investigations by Supervisory Authorities or by auditors if these concern User Personal Data.

General Terms

  1. Notices: All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post, or sent by email.
  2. Amendments and Supplements: The Data Processor reserves the right to amend and/or supplement this Data Processing Agreement and all of its Appendices from time to time, make the then valid version available and inform the Data Controller thereof via email to the email address used for initiating the Free Basic Account or as otherwise indicated by User. The contractual relationship thereafter will be subject to the modified Data Processing Agreement, unless agreed otherwise. This provision shall not apply if legal regulations do not permit such action with regard to certain contents of this Agreement (such amendments shall therefore not affect such contents).
  3. Governing Law: This Agreement is governed by the laws of Austria, excluding its conflict of law provisions and the provisions of the UN Convention on Contracts for the International Sale of Goods (CISG).
  4. Jurisdiction: Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Vienna, Austria.

Data Processing Agreement – User

Prewave GmbH, April 2024 (V 1)

Appendix 1 - Description of the Data Transfer

Contracted Services:
  Software-as-a-Service solution for “Supply Chain Risk and Sustainability Monitoring” within the scope agreed with the Data Processor, in accordance with the Contract.
  • Registration of User’s employees on the Prewave Platform
  • User’s employees’ interaction on/usage of Prewave Platform (statement requests, Alert status updates, uploading/sending out questionnaires to User’s Sites, planning/initiating measures and actions, exporting reports from the Prewave Platform etc.)

Categories of Data Subjects whose Personal Data are processed:
  • User/User’s employees
  • User’s Sites and contact persons

Categories of Personal Data:
  User/User’s employees:
  • Personal master data (name, title, position, form of address, UID-number, password encrypted, etc.)
  • Role of the User's employee on Prewave Platform
  • Objects related to the User’s employee (follows, collections, labels, etc. on Prewave Platform)
  • Contact data (e-mail)
  • Activities of User’s employees in Prewave Network (usage, features, logins, etc.)
  • Communication data (IP address, etc.)
  • Personal data when entering content into the Prewave Platform, e.g. through Information Requests (name, User, e-mail, potentially content etc.)

  User’s Sites:
  • Personal master data (name, address, spend, internal Site ID, homepage (URL), DUNS Number, etc.)
  • Contact data (telephone/e-mail of User’s Site/of User’s contact person at User’s Site)

Extent, type, and purpose of the Processing of data:
  • Extent: As far as necessary to provide contracted Services; continuous processing during the contract term outlined in the Contract + 90 days back-up.
  • Type: Collection, storage, adaptation, use, destruction/erasure, disclosure, and other processing necessary to provide, maintain and improve the Services, all in accordance with the Contract.
  • Purpose: Allowing access to the Prewave Platform in order to provide contracted Services, including the purposes listed under Appendix 2.

Appendix 2 - List of Subprocessors

For each Subprocessor the following is listed: Purpose of Processing; Subprocessor/Contracting Entity; Categories of Personal Data; Location of Processing; Agreement/Mechanism for Transfer outside EU (Concluded SCCs, DPF certified).

Subprocessor 1
  • Purpose of Processing: Communication
  • Subprocessor/Contracting Entity: Mailgun Technologies, Inc.
  • Categories of Personal Data: User correspondence
  • Location of Processing: EU
  • Agreement/Mechanism for Transfer outside EU: //

Subprocessor 2
  • Purpose of Processing: Server hosting; Portal for usage of Prewave Services; Master data management
  • Subprocessor/Contracting Entity: Google Cloud Platform - Google Cloud EMEA Limited
  • Categories of Personal Data:
    User/User’s employees:
    • Personal master data (name, title, position, form of address, UID-number, password encrypted, etc.)
    • Role of User’s employee on Prewave Platform
    • Objects related to User’s employees (follows, collections, labels, etc. on Prewave Platform)
    • Contact data (e-mail)
    • Activities of User’s employees in Prewave Network (usage, features, logins, etc.)
    • Communication data (IP address, etc.)
    User’s Sites:
    • Personal master data (name, address, spend, internal Site ID, homepage (URL), DUNS Number, etc.)
    • Contact data (telephone/e-mail of User’s Site/of User’s contact person at User’s Site)
  • Location of Processing: EU
  • Agreement/Mechanism for Transfer outside EU: //

Prewave is hosting its Services and data on the Google Cloud Platform (Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland). We are using datacenters located within the EU.