Data Processing Agreement for Providers
DATA PROCESSING AGREEMENT – DPA
Last updated: May 16, 2026
Version 1.0 · Effective date: May 16, 2026
1. SUBJECT MATTER AND PURPOSE
This Data Processing Agreement (the "DPA") governs the terms under which Trivity Tech, S.L. ("Trivity") processes personal data on behalf of the Provider, as data processor, in accordance with Regulation (EU) 2016/679 of 27 April, the General Data Protection Regulation (GDPR), and other applicable regulations.
This DPA forms an integral part of Trivity's Terms and Conditions for Providers (the "Legal Terms") and is incorporated into them by reference. In the event of any contradiction between this DPA and the Legal Terms, the provisions of this DPA shall prevail exclusively in matters of personal data protection.
2. IDENTIFICATION OF THE PARTIES AND ROLES
For the purposes of the GDPR:
- The Provider acts as data controller with respect to the personal data of end users or clients who book or participate in its activities.
- Trivity acts as data processor when it processes such personal data on behalf of the Provider in the context of the Services.
- Trivity acts as data controller with respect to personal data processed for its own purposes (Platform users, such as identifying data of activity Providers or Agents and prescribers, billing, support, compliance, security, etc.), which are outside the scope of this DPA. In such cases, Trivity autonomously determines the purposes and means of processing, acting as an independent controller.
3. TRIVITY STATEMENT
Trivity, as data processor, represents and warrants that it provides sufficient guarantees to implement appropriate technical and organizational measures so that processing complies with the requirements of the GDPR, as well as Directive (EU) 2016/943 of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure, and its Spanish transposition, Law 1/2019 of 20 February on Trade Secrets. These measures are intended to protect the rights of data subjects and any business or confidential information of the client company accessed during the provision of the main service, all generically referred to as data or information.
Specifically, the data Processor represents and warrants that it substantially complies, and undertakes to continue substantially complying throughout the term of the Main Agreement, with all applicable laws and regulations relating to data protection, privacy and information security.
The data Processor also represents and warrants that it has, and will continue to maintain, a complete written security program that meets applicable information protection requirements.
4. DESCRIPTION OF PROCESSING
Nature of processing
Processing of personal data necessary for the provision of technology services for the management, marketing and distribution of activities, including, among others:
- booking management;
- customer management;
- operational communications;
- data management and export tools;
- technical support linked to the Services.
Purpose
Exclusively the provision of the Services in accordance with the General and Specific Terms and the Provider's documented instructions.
Categories of data subjects
End users or clients of the Provider of the activity published on the Trivity Platform.
Categories of data
These may include, among others:
- identification data (name, surname);
- contact details (email address, telephone number);
- booking data (date, activity, participants);
- operational data necessary for activity management.
Custom questions configured by the Provider
The Provider may configure, under its sole responsibility, custom fields or additional questions addressed to end users during the booking process, in order to collect information necessary for the proper provision of the activity.
Trivity does not define, decide or control the content, purpose, proportionality, mandatory nature or legal basis of such questions, acting exclusively as the provider of a technology infrastructure that enables their configuration and technical processing.
With respect to personal data collected through such custom fields, the Provider acts as data controller and Trivity acts as data processor, processing such data solely on behalf of the Provider and in accordance with its documented instructions.
The Provider is solely responsible for ensuring that the configured questions comply with applicable data protection regulations, that there is a valid legal basis for processing and, where required, that the explicit consent of the end user is obtained.
Processing of Special Categories of Data
The Provider acknowledges that the Platform is made available as a neutral technology infrastructure tool. If the Provider decides, under its sole responsibility, to capture or process special categories of data (such as allergies, health conditions, disabilities or biometric data) through custom fields or any other functionality, the Provider guarantees that it has an additional enabling legal basis under Article 9 of the GDPR (such as the explicit consent of the data subject or compliance with health and safety obligations).
Trivity does not supervise or validate the lawfulness of such data collection, acting only as the provider of technical support for its storage on behalf of the Provider.
Business information
Relevant and/or confidential business information, as well as information relating to trade secrets, refers to information provided in confidence or under a duty of confidentiality between the Parties, as well as trade secrets relating to the Provider's business in its capacity as data controller. This includes, without limitation, information and secrets relating to:
- Corporate and marketing strategy, business plans and development, sales reports and research results.
- Business methods and procedures, technical information and know-how relating to the respective businesses that is not available to the general public, including inventions, designs, programs, techniques, database systems, formulas and ideas, whether or not registered as trademarks, patents, drawings, models or industrial designs.
- Business contacts, customer, user and supplier lists or details of contracts entered into with them.
- Sales levels, expenditure levels and purchasing and pricing policies.
- Budgets, management accounts, commercial reports and other financial reports, as well as, where applicable, unpublished pricing information relating to shares or funds listed on any official securities market.
- Any document considered by the Parties to be "confidential", as well as attached Material.
Duration
This agreement has the same duration as the main contract or agreement into which it is integrated, taking into account the Processor's obligations regarding deletion or return of data, as well as the prohibition on subsequent use.
With respect to the duty of confidentiality over trade secrets, it shall extend for as long as the information retains its confidential or trade secret nature and, in any event, for a minimum period of five (5) years after termination of the contractual relationship between the Parties, unless applicable law requires a longer period.
5. PROVIDER INSTRUCTIONS
Trivity will process personal data only in accordance with the Provider's documented instructions, including those arising from the normal use of the Platform and the Services.
If Trivity considers that an instruction infringes the GDPR or other applicable regulations, it will notify the Provider without undue delay.
6. TRIVITY'S OBLIGATIONS AS PROCESSOR
For the processing of data, Trivity, as data processor, must:
- Process the data only following documented instructions from the data Controller, including with respect to transfers of data to third countries or international organizations, unless required to do so by law. In such case, the data Processor shall inform the data Controller of that legal requirement before processing, unless the law prohibits such communication for important reasons of public interest.
- Ensure that persons authorized to process data have committed themselves to confidentiality or are subject to a statutory confidentiality obligation.
- Take all necessary measures pursuant to section 8 on Security Measures.
- Assist the data Controller, taking into account the nature of the processing, through appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests to exercise data subject rights.
- Help the data Controller ensure compliance with obligations related to data security, taking into account the nature of the processing and the information available to the data processor.
- At the choice of the data Controller, delete or return all data to the data Controller after the end of the provision of services relating to processing, and delete existing copies unless data retention is required by law.
- Make available to the data Controller all information necessary to demonstrate compliance with the obligations established in the GDPR and allow and contribute to audits, including inspections, carried out by the data Controller or another auditor authorized by the data Controller. In this regard, the data Processor must promptly inform the data Controller if, in its opinion, an instruction infringes the GDPR or other data protection provisions.
- Provide assistance to the data Controller during any privacy impact assessment ("PIA") that the data Controller needs to carry out, in accordance with Article 35 of the GDPR.
- Provide assistance to the data Controller during any prior consultation with the supervisory authority that the data Controller wishes to carry out, in accordance with Article 36 of the GDPR.
- Refrain from determining the purpose and means of processing. If the data Processor infringes the GDPR by determining the purpose and means of processing, it shall be considered data controller with respect to such processing.
7. PROCESSOR PERSONNEL
The data Processor must take the necessary measures to ensure the reliability of employees or authorized third parties who may access the data. In particular, it must ensure that access to the data is strictly limited to individuals who genuinely need it and that all such individuals are subject to legal or professional confidentiality obligations.
8. SECURITY MEASURES
Trivity will implement appropriate technical and organizational measures to protect personal data against destruction, loss, alteration, disclosure or unauthorized access, taking into account the state of the art, implementation costs and the nature of the processing.
Such measures will include, among others:
- access control;
- encryption in transit where appropriate;
- backup copies;
- logical and organizational security measures consistent with a professional SaaS service.
Trivity does not guarantee the absolute invulnerability of systems. In this regard, Trivity undertakes to apply measures consistent with the state of the art and the nature of the service; however, given the nature of the digital environment and the evolution of threat vectors, it cannot guarantee the absolute invulnerability of its systems or the absence of harmful elements introduced by third parties outside its control. Trivity declines any liability for damages arising from denial-of-service attacks (DoS/DDoS), malicious code injection or any other form of cyberattack that exceeds the standard of professional due diligence.
9. SUB-PROCESSORS
The Provider expressly authorizes Trivity to use sub-processors for the proper provision of the Services, including cloud infrastructure providers, email, communications, payments and technical support providers.
Trivity will ensure that such sub-processors are subject to contractual data protection obligations equivalent to those established in this DPA by means of a contract, especially with regard to providing sufficient guarantees for the implementation of appropriate technical and organizational measures so that processing complies with the requirements of the GDPR.
Information about the sub-processors used by Trivity may be made available to the Provider in updated form through the Platform or enabled information channels.
If such sub-processor fails to comply with its data protection obligations, the data Processor shall remain solely liable to the data Controller for the performance of that sub-processor's obligations.
The Provider may object, on reasoned grounds, to the incorporation of a new sub-processor where there are justified reasons related to the protection of personal data. In such case, the Parties shall seek a reasonable solution in good faith. The objection must be communicated within a reasonable period from notification of the new sub-processor.
10. INTERNATIONAL TRANSFERS
As a general rule, the data Processor will not process or transfer personal data outside the EEA ("International Transfer") unless (i) it is absolutely necessary for the provision of services under the Main Agreement, (ii) the data Controller is duly informed and (iii) such International Transfer is managed in accordance with this clause.
Where it is absolutely necessary to carry out an International Transfer of data for the provision of services under the Main Agreement:
- If the International Transfer is carried out to a territory that ensures an adequate level of protection, no specific authorization is required, but the data Controller must be informed without delay.
- If the International Transfer is carried out to a territory that does not ensure an adequate level of protection, the data Processor shall provide appropriate safeguards, provided that enforceable data subject rights and effective legal remedies are available. Such safeguards shall be provided by accepting the standard data protection clauses adopted by the European Commission.
11. OBLIGATIONS OF THE DATA CONTROLLER
The data controller is responsible for:
- a) Providing the processor with the data referred to in this document that are necessary for the performance of the main agreement.
- b) Carrying out a data protection impact assessment of the processing operations to be performed by the processor.
- c) Carrying out any prior consultations that may be required.
- d) Ensuring, before and throughout the processing, the Processor's compliance with the GDPR.
- e) Supervising the processing, including inspections and audits under the terms set out in this DPA.
Audits or inspections must be carried out with reasonable prior notice, during working hours and in a manner that does not unjustifiably interfere with Trivity's activity, limited to the information strictly necessary to verify compliance with this DPA. Under no circumstances shall they involve direct access to systems, source code, databases of other clients or confidential information of Trivity or third parties, unless required by mandatory law or expressly agreed in writing between the Parties.
12. RIGHTS OF DATA SUBJECTS
When Trivity directly receives a request to exercise rights from a data subject whose data it processes on behalf of the Provider, it will act as data processor and cooperate with the Provider, in its capacity as data controller, to the extent necessary to ensure that the rights of data subjects are respected and duly exercised. Such request will be brought to the attention of the Provider or its Data Protection Officer ("DPO") without undue delay and within a reasonable period from receipt, together with the relevant information and documentation available.
Under no circumstances will Trivity respond directly to the data subject unless expressly instructed by the Provider or required by law.
13. PERSONAL DATA BREACH
Trivity will notify the data Controller without undue delay of any personal data breach of which it becomes aware, together with all relevant information and documentation, at:
- Email address: admin@trivityapp.com
- Telephone number: +34 681278113
Such notification must include at least:
- A description of the nature of the personal data breach, the categories and numbers of data subjects affected and the categories and numbers of data records affected;
- The name and contact details of the Processor's DPO or other competent contact person who can provide additional information;
- A description of the possible consequences of the personal data breach;
- A description of the measures taken or proposed to remedy the personal data breach, including, where appropriate, measures taken to mitigate possible adverse effects.
Trivity will collaborate and cooperate with the data Controller to the extent necessary to investigate, mitigate and remedy such personal data breach.
14. RETENTION, RETURN AND DELETION OF DATA
Once provision of the Services has ended:
- the Provider may, for a reasonable period of not less than 30 days, export the available data through the enabled functionalities;
- Trivity will delete or anonymize personal data processed as processor, except for data that must be retained due to legal obligations;
- backup copies may be retained for the necessary technical periods, subject to applicable security measures.
Once the data has been exported, the Provider will be solely responsible for its subsequent processing.
15. LIABILITY
Each Party shall be liable for sanctions, damages or losses arising from direct breaches attributable to its own area of responsibility under the GDPR and the Legal Terms.
Nothing in this DPA extends Trivity's liability beyond what is provided in the Legal Terms and the GDPR.
16. APPLICABLE LAW AND JURISDICTION
This DPA and all obligations arising from or relating to the processing of data shall be governed by Spanish law.
With respect to disputes or claims that may arise under this DPA, the parties hereby submit to the jurisdiction of the courts of Barcelona (Spain).
This DPA is incorporated into the Legal Terms and will be binding from its electronic acceptance by the Provider, without the need for handwritten signature, to the extent permitted by applicable law.
17. ENTRY INTO FORCE
This DPA will enter into force on the date of acceptance of the Legal Terms by the Provider and will remain in force while Trivity processes personal data on behalf of the Provider.