This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other written agreement between General Translation and Customer for the provision of the Services (“Agreement”). Unless otherwise defined in this DPA, capitalized terms used in this DPA will have the meaning given to them in the Agreement. In the event of a conflict between the terms of this DPA and the Agreement, the terms of this DPA will control to the extent of such conflict.

1. Scope

1.1. Roles of Parties

Customer is the “controller” and “business” (as such terms are defined under applicable privacy and data protection law (“Data Protection Law”) and General Translation is the “processor” and “service provider” (as such terms are defined under applicable Data Protection Law) for any Processing of Customer Personal Data. Each Party will comply with its respective obligations under applicable Data Protection Law in connection with the Services and Customer Personal Data.

1.2. Scope of Processing

The subject matter, nature and purpose of General Translation’s Processing of Customer Personal Data, the types of Customer Personal Data Processed by General Translation, and categories of applicable data subjects are set out in Schedule I to DPA.

2. Customer Personal Data

2.1. Customer Personal Data Processing

General Translation will only Process Customer Personal Data to provide the Services and in accordance with Customer’s documented instructions, which are set forth in this DPA, the Agreement, or otherwise provided by Customer to General Translation in writing (“Documented Instructions”). Unless prohibited by applicable Law, General Translation will inform Customer if General Translation is subject to a legal obligation that requires General Translation to Process Customer Personal Data in contravention of Customer’s Documented Instructions.

2.2. General Translation Responsibilities

General Translation will not (a) “sell” or “share” (as such terms are defined in the California Consumer Privacy Act (“CCPA”)) Customer Personal Data, (b) retain, use, or disclose Customer Personal Data for any purpose other than in accordance with the Documented Instructions, (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and General Translation, nor (d) except as otherwise permitted under applicable Data Protection Law, combine Customer Personal Data with personal data that General Translation receives from or on behalf of any third party.

3. Subprocessors

3.1. Authorization

Customer provides general authorization for General Translation to engage the following subprocessors: Amazon Web Services (AWS), Stripe, Cloudflare, Vercel, Sentry, Render, Neon, Temporal, Google Cloud, OpenAI, Anthropic, and xAI (“Subprocessors”). General Translation will (a) enter into a contractual agreement with each Subprocessor that imposes data protection obligations that are substantially as protective as General Translation’s obligations under this DPA to the extent applicable to the nature of the services provided by such Subprocessor and (b) remain responsible for the acts and omissions of the Subprocessors’ Processing of Customer Personal Data under this DPA.

3.2. Notice of New Subprocessors

General Translation will provide Customer reasonable advance notice prior to appointing any new Subprocessor. Customer may object to the appointment of such new Subprocessor within 15 days of the date of such notice on reasonable privacy or security grounds by providing General Translation written notice of its objection. In the event that Customer objects to General Translation’s appointment of a new Subprocessor, Customer and General Translation will work together in good faith to address any such objection.

4. Assistance

4.1. Data Subject Rights

General Translation will (a) promptly forward to Customer any request it receives from “data subjects” or “consumers” (as such terms are defined under applicable Data Protection Law) to exercise their rights under applicable Data Protection Law relating to Customer Personal Data, (b) advise such data subjects and consumers to submit such requests directly to Customer, and (c) provide Customer with reasonable assistance as necessary for Customer to fulfil its obligations under applicable Data Protection Laws to respond to such requests.

4.2. Cooperation

Taking into account the nature of the Processing, General Translation will provide Customer with reasonable assistance as necessary for Customer to fulfil its obligations under applicable Data Protection Laws, including to conduct data protection impact assessments and consultations with regulatory authorities. General Translation may charge Customer a reasonable fee for such assistance under this Section 4.2.

5. Security

5.1. Security Measures

General Translation has implemented and will maintain the Security Measures described on General Translation’s Trust Center at https://trust.generaltranslation.com/. The Parties acknowledge that the Security Measures provide an appropriate level of security for the risks of the Processing of Customer Personal Data under the Agreement. General Translation may update or modify the Security Measures provided that such updates and modifications do not materially decrease the overall security of the Services.

5.2. Security Incident

General Translation will notify Customer without undue delay and in any case within 72 hours after becoming aware of any breach of the Security Measures that results in unauthorized access to, or disclosure or use of, Customer Personal Data (“Security Incident”). General Translation will assist Customer in complying with Customer’s obligations under applicable Data Protection Law by making reasonable efforts to provide Customer with information relating to the Security Incident. General Translation will also use reasonable efforts to investigate the Security Incident and mitigate the effects and remediate the causes of the Security Incident.

5.3. Audit Reports and Certifications

General Translation is audited against established industry standards such as SOC 2 Type II and ISO 27001. Upon Customer’s written request, General Translation will provide to Customer with General Translation’s audit reports or certifications, or other information reasonably necessary to demonstrate compliance with this DPA.

5.4. Audits

Upon Customer’s written request, no more than once every 12 months, General Translation will permit Customer to audit General Translation’s controls applicable to its Processing of Customer Personal Data and compliance with this DPA (“Audit”), provided that such Audit is conducted at Customer’s sole cost, during normal business hours, in a manner that causes minimal disruption, and in accordance with mutually agreed upon scope and terms.

6. International Data Transfers

6.1. Data Transfers

Customer authorizes General Translation to conduct transfers of Customer Personal Data to countries deemed to have an adequate level of data protection by the European Commission or the applicable competent regulatory authority on the basis of adequate safeguards in accordance with Data Protection Law or pursuant to (a) the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, superseded, or replaced from time to time (“EU SCCs”) or (b) the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, as amended, superseded or replaced from time to time (“UK Addendum”).

6.2. EU Data Transfers

For transfers of Customer Personal Data from the European Union, General Translation and Customer conclude Module 2 (controller-to-processor) of the EU SCCs and, if Customer is a processor on behalf of a third-party controller, Module 3 (Processor-to-Subprocessor) of the EU SCCs, which are incorporated herein and completed as follows: (a) the “data exporter” is Customer; (b) the “data importer” is General Translation; (c) the optional docking clause in Clause 7 is implemented; (d) option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 3.2; (e) the optional redress clause in Clause 11(a) is struck; (f) option 1 in Clause 17 is implemented; (g) the governing law is the law of Ireland and the courts in Clause 18(b) are the Courts of Dublin, Ireland; and (h) Annex I and Annex II to Module 2 and 3 of the EU SCCs are Schedule I to DPA and the Security Measures, respectively. For transfers of Customer Personal Data from Switzerland, any dispute arising from these EU SCCs relating to Swiss Data Protection Laws will be resolved by the courts of Switzerland and data subjects who have their habitual residence in Switzerland may bring claims under the EU SCCs before the courts of Switzerland.

6.3. UK Data Transfers

For transfers of Customer Personal Data from the United Kingdom, General Translation and Customer conclude the UK Addendum, which is incorporated herein and completed as follows: (a) in Table 1, the “Exporter” is Customer and the “Importer” is General Translation, their details are set forth in this DPA and the Agreement; (b) in Table 2, the first option is selected and the “Approved EU SCCs” are the EU SCCs referred to in Section 6.2; (c) in Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” are Schedule I to DPA and the Security Measures, respectively; and (d) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.

7. Misc

7.1. Limitation of Liability

General Translation’s aggregate liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, shall be subject to the “Limitations of Liability” section of the Agreement.

7.2. Term

The term of this DPA coincides with the term of the Agreement and terminates upon expiration or earlier termination of the Agreement.

Schedule I to DPA

Description of Processing

1. List of Parties

Data exporter

Name: Customer.

Activities relevant to the data transferred under these Clauses: Customer receives the Services as described in the Agreement and General Translation provides Customer Personal Data to General Translation in that context.

Role (controller/processor): Controller.

Data importer

Name: General Translation.

Activities relevant to the data transferred under these Clauses: General Translation provides the Services to Customer as described in the Agreement and Processes Customer Personal Data on behalf of Customer in that context.

Role (controller/processor): Processor on behalf of Customer.

2. Categories of Data Subjects

Customer and Customer’s users.

3. Categories of Personal Data Transferred

Customer Personal Data, the content of which is determined and controlled by Customer.

4. Sensitive Data Transferred (If Applicable)

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: N/A

5. Frequency of the Transfer

The frequency of the International Data Transfer (e.g., whether the Personal Data is transferred on a one-off or continuous basis): On a continuous basis.

6. Nature of the Processing

The Customer Personal Data will be processed and transferred as described in the Agreement and DPA.

7. Purposes of the International Data Transfer and Further Processing

The Customer Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement and DPA.

8. Duration of Processing

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Customer Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.

9. Sub-Processor Transfers

For International Data Transfer to (Sub)Processors, also specify subject matter, nature, and duration of the Processing: For the subject matter and nature of the Processing, reference is made to the Agreement and DPA. The Processing will take place for the duration of the Agreement.

10. Competent Supervisory Authority

The competent authority for the Processing of Customer Personal Data relating to data subjects located in the EEA is the Supervisory Authority of Ireland.

The competent authority for the Processing of Customer Personal Data relating to data subjects located in the UK is the UK Information Commissioner.

The competent authority for the Processing of Customer Personal Data relating to data subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.

11. Technical and Organizational Measures

General Translation will implement security safeguards designed to protect the security, confidentiality and integrity of Personal Data as described on General Translation’s Trust Center at https://trust.generaltranslation.com/.