Data Processing Addendum


Last updated on March 2nd, 2025


This Data Protection Addendum (“Addendum”) forms part of the agreement(s) between Customer ("Company") and Sowl Labs Private Limited d/b/a Score, covering Customer’s use of the Services (as defined below) (“Agreement”) and governs the use of Customer Data (as defined below), and the related processing of Customer Personal Data (as defined below), by Sowl Labs Private Limited.

WHEREAS

(A) The Company acts as a Data Controller.

(B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.

(C) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

  1. Definitions and Interpretation
    1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

    2. “Agreement” means this Data Processing Agreement and all Schedules;

    3. “Company Personal Data” and “Personal Data” mean any information relating to an identified or identifiable natural person that the Data Processor collects or Processes on behalf of Customers as part of providing the Services.

    4. “Contracted Processor” means a Sub-processor;

    5. “Data Protection Laws” shall mean the data protection laws of the country in which the Company is established and any data protection laws applicable to the Company.

    6. “Data Transfer” means:

      1. a transfer of Company Personal Data from the Company to a Contracted Processor; or

      2. an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

    7. “Services” means the software-as-a-service solution provided by the Data Processor that allows the Company to analyze and manage all their customer interactions.

    8. “Sub-processor” means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Company in connection with the Agreement.

    9. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

    10. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;


  2. Processing of Company Personal Data
    1. To provide the Services in accordance with the Agreement, the Data Processor processes Company Personal Data as described in Appendix 1.

    2. Processor shall:

      1. comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and

      2. not Process Company Personal Data other than on the relevant Company’s documented instructions.

    3. The Company instructs the Processor to process Company Personal Data.


  3. Processor Personnel
    1. Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.


  4. Security
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Appendix 2.

    2. In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.


  5. Sub-processing
    1. The Company acknowledges and agrees that Data Processor may (i) engage its Affiliates and Sub-Processors listed in Appendix 3 to this Agreement to access and process Personal Data in connection with the Services and (ii) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data. By way of this Agreement, the Company provides general written authorization to the Data Processor to engage Sub-Processors as necessary to perform the Services.

    2. In the event that the Data Processor engages temporary, contract, or outsourced personnel to perform services related to the processing of Company Personal Data, the Data Processor shall:

      1. Ensure that such personnel are bound by the same confidentiality and data protection obligations as direct employees of the Data Processor;

      2. Conduct thorough background checks and implement appropriate screening processes for all outsourced personnel with potential access to Company Personal Data;

      3. Provide comprehensive data protection training to all outsourced personnel before granting any access to Company Personal Data;

      4. Immediately notify the Company of any incidents involving outsourced personnel that potentially compromise the security or confidentiality of Company Personal Data;

      5. Ensure that outsourced personnel are subject to the same access controls, monitoring, and security measures outlined in Appendix 2 of this Agreement;

    3. The Company reserves the right to:

      1. Request immediate removal of any outsourced personnel deemed a potential security

      2. Suspend Services if adequate safeguards are not maintained


  6. Data Subject Rights
    1. Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

    2. Processor shall:

      1. promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and

      2. ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request.


  7. Personal Data Breach
    1. Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

    2. Processor shall co-operate with the Company and take reasonable commercial steps as directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.


  8. Data Protection Impact Assessment and Prior Consultation
    1. Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with a supervisory data protection authority or other competent data privacy authorities, which Company reasonably considers to be required by the Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

    2. The Parties agree that the Processor will be entitled to charge the Company additional fees to reimburse the Processor for its staff time, costs and expenses in assisting the Company, when the Company requests the Processor to provide assistance pursuant to this Agreement. In such cases, the Processor will notify the Company of its fees for providing assistance, in advance.


  9. Deletion of Company Personal Data
    1. Subject to this section the Processor shall promptly and in any event within 7 business days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.

    2. Following permanent deletion from the live systems, partial data resides on the Processor’s archival systems for a period of up to 30 days. If requested by the Company, the Processor may be able to assist with the recovery of partial data from these archives during this period.


  10. Audit rights
    1. The Processor shall make available to the Company all information reasonably necessary to demonstrate compliance with its processing obligations and allow for and contribute to audits and inspections. Any audit conducted under this Agreement shall consist of an examination of the most recent reports, certificates and/or extracts prepared by an independent auditor bound by confidentiality provisions similar to those set out in the Agreement. In the event that provision of the same is not deemed sufficient in the reasonable opinion of the Company, the Company may at its own expense conduct a more extensive audit which will be: (i) limited in scope to matters specific to the Company and agreed in advance with the Processor; (ii) carried out during Indian business hours and upon reasonable notice which shall be not less than 4 weeks unless an identifiable material issue has arisen; and (iii) conducted in a way which does not interfere with the Processor’s day-to-day business. The Processor may charge a fee (based on its reasonable time and costs) for assisting with any audit. The Processor will provide the Company with further details of any applicable fee, and the basis of its calculation, in advance of any such audit.

    2. This clause shall not modify or limit the rights of audit of the Company; instead, it is intended to clarify the procedures in respect of any audit undertaken pursuant thereto.


  11. Data Transfer
    1. Company Personal Data may be transferred to, and maintained on, computers located outside of the Company’s state, province, country or other governmental jurisdiction where the data protection laws may differ from those of the Company’s jurisdiction.

    2. The Company’s consent to this Agreement followed by the submission of such information represents the Company’s agreement to that transfer.

    3. The Data Processor will take all steps reasonably necessary to ensure that the Company’s data is treated securely and in accordance with this Agreement and no transfer of the Company Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of the Company Personal Data.


  12. General Terms
    1. Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
      (a) disclosure is required by law;
      (b) the relevant information is already in the public domain.

    2. Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by email to at such other address as notified from time to time by the Parties changing address.


  13. Governing Law and Jurisdiction
    1. This Agreement is governed by the laws of India.

    2. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of India.


  14. Penalties and Remedies
    1. Breach Classification

      1. Minor Breaches: Violations related to administrative requirements, record-keeping, or technical compliance issues. 

      2. Significant Breaches: Violations involving unauthorized data processing, failure to protect personal data, or substantial infringements of data subject rights.

    2. Penalty Structure

      1. For Minor Breaches:

        1. First occurrence: Written warning and 30-day period to remedy

        2. Subsequent occurrences: Penalty of up to 2% of the Data Processor’s total global turnover of the preceding fiscal year

        3. Repeated minor breaches may be escalated to significant breach classification

      2. For Significant Breaches:

        1. Initial penalty of up to 4% of the Data Processor’s total global turnover of the preceding fiscal year

        2. Potential immediate suspension of services

        3. Right of the Company to terminate the Agreement without further obligation


  15. Penalty Assessment
    1. Penalties will be assessed based on:

      1. Nature, gravity, and duration of the infringement

      2. Intentional or negligent character of the infringement

      3. Actions taken to mitigate damage to data subjects

      4. Technical and organizational measures implemented


  16. Remediation
    1. The Data Processor shall have a reasonable opportunity to remedy any breach within a specified time-frame, except in cases of willful misconduct or repeated violations.


  17. Additional Remedies 
    1. The Company reserves the right to seek additional damages beyond the specified penalties if actual damages exceed the penalty amounts.

Appendix

Appendix 1: Types of Company Personal Data Processed

Categories of data subjects

  1. Representatives of the Company

  2. Customers & clients of the Company

Categories of personal data

The data processed concern the following categories of data:

  1. For representatives of the Company:

    1. Contact information: name, e-mail addresses, phone numbers and other ways in which the Data Processor can contact the data subject.

    2. Communications: any communication Company has with the Data Processor, like emails and phone calls.

    3. Information regarding the usage of the Services, like technical connection data (IP address, location, logs, etc.)

    4. Documents, operating procedures and evaluation forms uploaded to the platform for the purpose of improving the capabilities of the Service.

    5. Commercial information: Transaction history, purchase records, payment information, subscription status and preferences, and customer service interactions.

  2. For customers & clients of the Company:

    1. The Data Processor allows the Company to optionally integrate with third-party service, process and/or store Company Personal Data as described in the list of third party services on this link: Link.

Appendix 2: Technical and organizational security measures

The following technical and organizational measures have been taken to ensure the safety and security of the personal data.

  1. Admission control: Measures to prevent unauthorized persons from gaining access to the data processing equipment used to process personal data.

    1. Access to data is granted based on necessity, ensuring only authorized personnel have access.

  2. Access control: Measures and procedures to prevent unauthorized persons from using the data processing equipment.

    1. Password policy (secure passwords, regular changes, regular reviews).

    2. All personnel with access to services that process or store Personal Data do so with Multi-Factor Authentication (MFA).

    3. Upstream vendors are configured with Role-Based Access Control (RBAC), which denies all personnel access to production systems unless access is granted in case of emergencies such as incident investigations.

    4. Administrative controls are ONLY accessible by the CTO.

  3. Access monitoring: Measures to ensure that those authorized for data processing can only access the personal data subject to their access authorization.

    1. Continuous monitoring and alerting for unusual activities via our infrastructure provider, Amazon Web Services.

    2. Security Logs (ex: unsuccessful and successful authentication attempts).

  4. Transfer control: Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission, transport or storage on data carriers.

    1. Encryption during data transmission (network encryption, TLS)

    2. Logging during the transmission of data.

  5. Availability control: Measures to ensure that personal data is protected against accidental destruction or loss.

    1. Regular back-ups according to backup plan

    2. Redundant hardware

    3. Protection of systems against database failure, service level agreements with IT service providers

  6. Procedures for periodic review and evaluation: Procedures for regular review and evaluation of the effectiveness of technical and organizational measures.

  7. Incident response management

    1. The Incident Response Team (IRT) currently comprises the CTO and CEO. The roles of investigating technical aspects, containment, and ensuring compliance with legal requirements are that of the CTO, and internal and external communication are that of the CEO.

    2. Incidents will be acknowledged immediately to our customers via email or private communication channels, such as Slack.

    3. Once the incident has been contained, eradicated, and recovered from, a detailed post-mortem report will be shared on our website for all our customers.

Appendix 3: List of sub-processors

To support our business operations and the delivery of our services, we may engage and use third party companies to process personal data on behalf of the Company (hereafter "Sub-processor").

Here we provide important information about the identity, location and role of each Sub-processor: Link