Data Protection Addendum

Effective: 17th December, 2020

This Data Protection Addendum (“Addendum”) supplements the agreement between Customer and tru.ID into which it is incorporated by reference (“Agreement”).

1. DATA PROTECTION AND INFORMATION SECURITY

1.1. The parties acknowledge that they may be required to share certain End User Data for the Services to function, and to enable the delivery of the Services. The nature of End User Data shared by Customer will ordinarily (but without limitation) be MSISDNs. The nature of End User Data shared by tru.ID will be the Services as outlined in Schedule A, Exhibit 1 (or data connected thereto) which may include the verification of the accuracy of the information as provided to it by Customer.

1.2. All End User Data shared with tru.ID by Customer is Confidential Information and is the exclusive property of Customer. tru.ID will not store, copy, disclose, or otherwise use any End User Data except as permitted under this Agreement.

1.3. All End User Data shared with Customer by tru.ID is Confidential Information and is the exclusive property of tru.ID. Customer will not store, copy, disclose, or otherwise use any End User Data except as permitted under this Agreement.

1.4. It is agreed the parties may process and use End User Data strictly for the following purposes:

     1.4.1. to provide the Services (including improvements thereto);

     1.4.2. to create derivative works;

     1.4.3. for preventing fraud and abuse; and

     1.4.4. as required by Applicable Laws.

1.5. The parties agree:

     1.5.1. to employ administrative, physical and technical safeguards that are designed to prevent the unauthorized collection, access, disclosure, and use of any End User Data shared with them;

     1.5.2. not to disclose any End User Data received from the other party to any third party except as permitted in this Agreement;

     1.5.3. each party’s obligation of confidentiality with respect to End User Data shall last in perpetuity, regardless of termination or expiration of this Agreement;

     1.5.4. they have in place internal controls such as access controls restricting access to End User Data by Employees and Contractors on a “need to access” basis; and

     1.5.5. they have agreements in place with all Employees and Contractors with confidentiality provisions at least as stringent as those contained in this Agreement.

1.6. Each party shall be liable for any proven damage caused to the other party or to any End User arising as a result of: i) the unlawful processing of End User Data by it; and/or ii) where it has not complied with its obligations under this Agreement or Applicable Laws, regulations and international accords or treaties pertaining to End User Data.

1.7. In addition to the Data Protection and Information Security obligations contained in this Section 1, where Services pertain to End User Data from End Users in the European Economic Area, the parties agree to the European Economic Area Data Protection Provisions outlined in Schedule A. In the event of a contradiction between this Section 1 and the European Economic Area Data Protection Provisions, the European Economic Area Data Protection Provisions shall prevail in respect of the End User Data of End Users from within the European Economic Area.

SCHEDULE A

EUROPEAN ECONOMIC AREA DATA PROTECTION PROVISIONS

1. Definitions

1.1. In this Schedule A “European Economic Area Data Protection Provisions”, the terms below shall have the following meanings:

     1.1.1. “Data Protection Legislation” shall mean the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), the European Directives 95/46 and 2002/59/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, supplements, replaces, re-enacts or consolidates any of them (including but not limited to the Privacy and Electronic Communication (EC Directive) Regulations 2003), and all other applicable laws relating to the Processing of Personal Data and privacy that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by the relevant supervisory authorities; and

     1.1.2. “Binding Corporate Rules”, “Controller”, “Consent”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Third Party” shall have the meanings given in GDPR.

2. Data Protection

2.1. Both parties will comply with all applicable requirements of the Data Protection Legislation. This Section 2.1 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.

2.2. The parties acknowledge that for the purposes of the Data Protection Legislation: i) Customer is the Controller for Personal Data it shares with tru.ID, and tru.ID is the Processor; and ii) to the extent that tru.ID shares Personal Data with Customer in providing the Services, tru.ID is a Processor of the Mobile Network Operator, and Customer is a Third Party Processor. Exhibit 1 to this Schedule A sets out the scope, nature and purpose of Processing by the parties, the duration of the Processing and the types of Personal Data and categories of Data Subject.

2.3. Without prejudice to the generality of Section 2.1., each Party shall ensure it has all necessary appropriate Consent and notices in place to enable the lawful transfer of Personal Data to the other party for the duration and purposes of this Agreement.

2.4. Without prejudice to the generality of Section 2.1., each party shall, in relation to any Personal Data processed or shared in connection with the performance by it of its obligations under this Agreement:

     2.4.1. process that Personal Data only on the written instructions of the Controller unless required by Applicable Laws to otherwise process that Personal Data;

     2.4.2. ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful Processing of Personal Data and to guard against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful Processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encryption of Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);

     2.4.3. assist a Controller, at its own cost, in responding to any request from a Data Subject (including access requests, and requests for erasure, rectification or to cease Processing activities) and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

     2.4.4. notify the Controller without undue delay on becoming aware of a Personal Data Breach;

     2.4.5. maintain complete and accurate records and information to demonstrate its compliance with this Schedule A;

     2.4.6. ensure that all personnel who have access to and / or process Personal Data are obliged to keep the Personal Data confidential; and

     2.4.7. not transfer or export Personal Data shared with it under this Agreement by Controller to:

           2.4.7.1. any country or territory outside of the European Economic Area;

           2.4.7.2. any country not on the European Union’s approved list of countries and territories identified as providing an adequate protection for the rights and freedoms of Data Subjects (as updated from time to time); and

           2.4.7.3. the United States except in accordance with the Swiss / EU-US Privacy Shield Framework or any update or successor to this framework.

2.5. Notwithstanding Section 2.4.7., a party may transfer or export Personal Data shared with it under this Agreement to a person if it is done so in accordance with the Data Protection Legislation, for example because the data is subject to the standard (model) contractual clauses adopted by the European Commission from time to time, or the party is satisfied that the entity to which it is exporting the Personal Data has in place Binding Corporate Rules.

2.6. The Parties consent to the appointment of Third Party Processors of Personal Data under this Agreement strictly in the nature of: i) infrastructure as service providers, such as cloud storage providers; and ii) Contractors that have contractual obligations related to the protection of Personal Data of End Users substantially similar (and no less stringent) than those set out in this Agreement. Each Party shall remain fully liable for all acts or omissions of any Third-Party Processor appointed by it pursuant to this Section 2.6.

SCHEDULE A — EXHIBIT 1

EUROPEAN ECONOMIC AREA DATA PROTECTION PROVISIONS

A. Scope

tru.ID is to provide the Services to Customer.

B. Nature

Subject to the selection of the Services made in the Order Form, the nature of the End User Personal Data to be Processed by tru.ID to provide the Services shall be the following:

     a. MSISDN

Subject to the selection of the Services made in the Order Form, the nature of the End User Personal Data to be Processed by Customer to receive the Services shall be the following:

     a. Verification of association of MSISDN to SIM / IMSI;

     b. Date of last IMSI change or time since last IMSI change.

C. Purpose of the Processing

The purposes of any Personal Data Processing (“Purposes”) shall be:

     a. to provide the Services (including improvements thereto);

     b. for preventing fraud and abuse; and

     c. as required by Applicable Laws.

D. Duration of the Processing

The duration of the Processing shall be as long as necessary or required to achieve the Purposes or as required by Applicable Laws.

E. Categories of Data Subject

The categories of Data Subject shall be the End Users.