This Data Processing Agreement (the "DPA") sets out the terms and conditions for the processing of Personal Data related to the Services provided by the Dennemeyer entity identified in the Agreement referencing to this DPA to Customer identified in that Agreement.

The terms used in this DPA shall have the same meaning as in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (hereinafter “GDPR”).

1. Purpose of processing; Categories of data subjects; Type of personal data
   1. “Processing Activities” are those related to the provision of the Services including the implementation of the software, the Hosting Services, the maintenance and support services, and post termination support. Customer may provide Personal Data to Dennemeyer to be entered in DIAMS and processed by Dennemeyer for the purpose of providing the Services agreed in the Agreement. If Customer entrusted Dennemeyer with IP Support Services, Dennemeyer additionally enters intellectual property right information in Customer’s DIAMS via a remote connection.
   2. Pursuant to this DPA Dennemeyer processes Personal Data of Users, as defined in Section 2.1.1. of the Agreement, as well as of Data Subjects referenced in intellectual property rights data and matters related to such intellectual property rights managed with DIAMS. The type of Personal Data processed are defined by Customer, and might include name, email address, telephone number, business address, and inventor remuneration information
2. Customer’s obligations
   1. Customer shall be the solely responsible for the assessment of the lawfulness of its own processing activities and for ensuring the rights of the Data Subjects set forth in Sections 12 to 22 of the GDPR.
   2. Customer shall provide all necessary instructions in Writing.
3. Dennemeyer’s obligations
   1. Dennemeyer shall process Personal Data entered into DIAMS in accordance with applicable laws, Customer’s instructions, and other contractual obligations set forth in the Agreement.
   2. Dennemeyer shall inform Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State’s data protection provisions.
   3. Upon Written request and as far as reasonably possible, Dennemeyer shall provide Customer with the information necessary to demonstrate compliance with Section 28, as well as with Sections 32 to 36 of the GDPR.
   4. Dennemeyer shall assist Customer, insofar as this is possible, for the fulfilment of Customer’s obligations to respond to Data Subjects’ requests for exercising their rights. Dennemeyer shall promptly inform Customer of any such request directly received by the Data Subject.
   5. Dennemeyer shall contribute to Customer audits to check Dennemeyer’s compliance with Section 28 of the GDPR. Customer shall give Dennemeyer fifteen days’ Written notice of its intention to perform an audit. Any audit is performed at Customer’s costs and in compliance with Dennemeyer’s IT security policies. Dennemeyer shall cooperate to the extent possible in compliance with Dennemeyer’s confidentiality and IT security obligations to Third Parties. Customer may appoint Third Parties for the performance of the audit subject to the condition that it is bound by confidentiality obligations not less restrictive than those agreed herein.
   6. Dennemeyer shall limit access to the Personal Data only to authorised and properly trained personnel bound by confidentiality obligations in accordance with this DPA or that is subject to appropriate statutory obligations of confidentiality.
   7. If required by the applicable laws, Dennemeyer shall give notice to Customer of any Personal Data Breach pursuant to Section 33 of the GDPR affecting the Personal Data processed on behalf of Customer without undue delay after having become aware of it.
   8. Dennemeyer shall create and maintain record of processing activities performed in accordance with this Agreement and as required by Section 30 of the GDPR.
   9. Dennemeyer shall return or delete all the Personal Data after the end of the Processing Activities, except if Union or Member State’s law requires further storage of the Personal Data.
4. Appointment of sub processors

   Sub-processors are external processors that process Personal Data on behalf of Dennemeyer in order to carry out certain activities commissioned by Customer. This is done in accordance with Customer´s instructions and in accordance with the terms of a Written contract between Dennemeyer and the sub-processor. Customer acknowledges and herewith provides a general authorization of the use of sub processors. Dennemeyer shall use only sub processors providing sufficient guarantees to implement appropriate technical and organizational measures and ensures that sub processors are bound by the same obligations set out in this DPA. Dennemeyer may change the sub processors from time to time subject to the same conditions of this Section. Customer shall send an email to dataprivacy@dennemeyer.com with the subject “Subscription to Sub Processor Notification” to subscribe to notifications of new sub processors. If Customer subscribes, Dennemeyer will provide notifications of any new sub processor before authorizing such new sub processor to process personal data in connection with this DPA. If Customer has a reasonable basis to object to a new sub processor, Customer shall notify Dennemeyer promptly in Writing, but not later than within 30 days after receipt of Dennemeyer´s notification. In case of objection, the Parties will discuss in good faith v20240514 Dennemeyer — The IP Group • dennemeyer.com • Page 2 / 2 with a view to achieving a commercially reasonable solution. If no such solution can be agreed, Customer´s only remedy is a right to forthwith terminate the Agreement without liability of any kind to either Party.

   Dennemeyer maintains a current list of the names and locations of all sub-processors for the provision of Services. If Customer wants to receive the list of current sub-processors, a request can be sent to dataprivacy@dennemeyer.com at any time.

5. Technical and organizational measures

   Customer has opted for a storage of data on Microsoft Azure, which is a public cloud for which Dennemeyer cannot take responsibility. Microsoft’s security measures are detailed here (Microsoft´s DPIA for the use of Azure can be found here) and Customer hereby declares being satisfied with these measures and will not hold Dennemeyer responsible in case of security breaches affecting Microsoft Azure (unless solely caused by Dennemeyer).

6. Transfer of personal data

   Customer acknowledges and consents, that Dennemeyer transfers Personal Data to sub processors located outside of the European Economic Area. Dennemeyer ensures that such Processing Activities are performed with the same degree of safeguard of Personal Data provided in the European Union by conclusion of standard data protection clauses adopted by the European Commission. Dennemeyer shall ensure compliance with the GDPR and this DPA.

7. Duration of processing activities

   The Processing Activities shall terminate the later of the following events (i) when the termination of the Agreement becomes effective (ii) when Services that are exceptionally provided after the termination are completed, or (iii) when any obligation or any right set forth in the Agreement that require the use of Personal Data is completed or fulfilled.