DATA PROCESSING AGREEMENT

This Data Processing Agreement (“Agreement”) is entered into on the date set out below by and between WEEKEND FREEDOM, LDA. (dba as LEGAU), a company with the Portuguese taxpayer number 516 547 143, with registered office at Rua Dona Maria do Rosário Patacão, no. 24, ground floor left, 1885-059 Moscavide, Lisbon, Portugal (hereinafter referred to as the “Subcontractor” or “Legau”), and the undersigned (hereinafter referred to as the “Data Controller“). The Subcontractor and the Data Controller shall be jointly referred to as the “Parties” and individually as a “Party”.

WHEREAS:

(A) That, by virtue of a SaaS contract entered into between the parties (“Contract”), the Subcontractor has undertaken to provide the Data Controller with SaaS services as described in the Contract and its Annexes (“Services“).

(B) That the Subcontractor processes personal data on behalf of the Data Controller for the performance of said Services.

(C) That, in order to regulate said processing, both Parties agree to enter into this Agreement, which shall be governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR“), by Law no. 58/2019 of 8 August (ensures the implementation of the GDPR in the Portuguese legal order) and other applicable legislation on data protection and, in particular, by clauses of this Agreement.

The Subcontractor and the Data Controller agreed as follows:

1. DEFINITIONS

1.1. For the purposes of interpreting this Agreement, the definitions set out in the GDPR shall apply.

1.2. Without prejudice, these terms and expressions shall have the following meanings:

(A) “Legislation” or “applicable legislation” shall mean the legislation of the European Union or of a Member State relating to Privacy and Protection of Personal Data that is applicable to the Parties, namely Law no. 58/2019, of 8 August;

(B) “Instructions” shall mean any written communication addressed by the Data Controller to the Subcontractor ordering the Subcontractor to act in a certain way in relation to personal data. These instructions may be rectified, withdrawn, amplified or replaced at any time by written notice from the Data Controller;

(C) “Sub-Subcontractor” shall mean a subcontractor who, within the scope of the services contracted and provided to the Data Controller under the Contract, carries out specific personal data processing operations on behalf of Legau, in accordance with the instructions of the latter, the conditions laid down in the contractual documents and the conditions established in this Agreement.

2. OBJECT

2.1. The purpose of this Agreement is to authorize and regulate the processing of personal data by Legau in its capacity as Subcontractor, in relation to the personal data for which the Data Controller is responsible for processing.

2.2. The aforementioned processing of personal data on behalf of the Data Controller is aimed at the fulfillment by Subcontractor of the obligations arising from the Contract for the performance of the Services.

2.3. By this Agreement, the Data Controller shall determine the scope, purposes and manner in which the Subcontractor may process personal data within the scope of the Contract and this Agreement.

2.4. The Subcontractor shall process personal data solely and exclusively in accordance with the Contract, this Agreement and the written instructions of the Data Controller.

3. DATA SUBJECTS AND CATEGORIES OF PERSONAL DATA

3.1. The processing activities will concern the personal data whose respective data subjects are identified in Section 1 of Appendix 1 (“Description of the Processing of Personal Data“) to this Agreement.

3.2. The Subcontractor shall carry out the processing operations identified in Clause 5 in relation to the categories of personal data identified in Section 2 of Appendix 1 to this Agreement.

3.3. The Data Controller expressly acknowledges and warrants that it will instruct its users not to use, make available or insert into the Subcontractor’s systems and platforms, under the Contract and this Agreement, any personal data other than those provided for in this Agreement.

3.4. The Data Controller also undertakes to inform and ensure that its employees, sub-subcontractors and other service providers who have access to the Subcontractor’s systems and platforms are duly informed of the provisions of Clause 3.3, and shall be liable to the Subcontractor for damages arising from non-compliance with the same.

4. PURPOSES

4.1. The categories of personal data identified in Section 2, of Appendix 1 will be processed by the Subcontractor on behalf of the Data Controller solely and exclusively for the purpose of carrying out operations within the scope of the Services contracted by the Data Controller.

4.2. In particular, the Subcontractor will carry out the processing operations identified in Section 3 of Appendix 1.

4.3. The processing operations identified in Appendix 1 are without prejudice to others that may be indicated in accordance with the performance of the Services and the terms of this Agreement.

4.4. Processing operations must be carried out in accordance with the provisions of this Agreement, the Contract, current legislation and best practices, as well as in accordance with the instructions of the Data Controller.

4.5. Without prejudice to the instructions of the Data Controller, the Subcontractor, within the scope of the execution of the Contract and the practices of its industry, is authorized to exercise its own discretion in the selection and use of the means it deems necessary to pursue the object of the Contract, in accordance with this Agreement.

5. OBLIGATIONS OF THE DATA CONTROLLER

5.1. The Data Controller undertakes to:

(a) Allow access to and/or make personal data available to the Subcontractor, whenever necessary for the fulfillment and performance of the Contract;

(b) Transmit their instructions regarding the processing operations to be carried out through written communication;

(c) To maintain the conditions of lawfulness on which the processing of personal data is based;

(d) Complying with the obligation to be transparent with data subjects;

(e) Keep personal data up to date;

(f) Comply with its legal obligations, in accordance with the law;

(g) Where applicable, keep a record of all processing activities for which they are responsible, containing the information required by law;

(h) Inform the Subcontractor of the existence of any request to exercise rights and/or complaints regarding personal data processed by the Subcontractor on behalf of the Data Controller.

5.2. The Data Controller has the right to request reasonable documentation and information in order to audit the processing of personal data by the Subcontractor, solely and strictly for the purpose of verifying that personal data:

(a) They are being treated according to your instructions;

(b) They are being treated in accordance with the law;

(c) Appropriate technical and organizational measures are in place to protect personal data.

6. OBLIGATIONS OF THE SUBCONTRACTOR

6.1. The Subcontractor undertakes to:

(a) To process only the personal data identified, as well as those it collects during and for the performance of the Services, solely and exclusively in accordance with the purposes of the Contract;

(b) Process personal data in accordance with the instructions of the Data Controller, as well as in compliance with its legal obligations as a Subcontractor;

(c) Keeping a record of the operations it carries out in accordance with the instructions of the Data Controller by recording all categories of processing activities carried out on behalf of the Data Controller;

(d) Ensure that access to personal data is limited only to those of its employees who need to have access to personal data and as necessary, who the Subcontractor will seek to have expressly committed in writing to guaranteeing confidentiality and complying with the security measures implemented;

(e) Maintain confidentiality and the duty of secrecy in relation to the personal data to which you have access through this Agreement, even after its termination;

(f) Not to use the personal data entrusted to it for purposes other than those explicitly identified in the Contract and/or in this Agreement, namely for its own purposes except as provided for in the Contract;

(g) Not to communicate the data to third parties, except when necessary for the fulfillment and execution of its legal obligations derived from the Contract;

(h) Inform the Data Controller of the existence of any request for the exercise of rights and/or complaint regarding the personal data processed on its behalf by the Subcontractor, collaborating with the Data Controller in responding to requests for the exercise of rights by data subjects;

(i) Collaborate with the supervisory authorities whenever notified to do so, but must inform the Data Controller of this obligation as soon as they become aware of it, unless the law expressly prevents and/or prohibits them from providing this information.

6.2. If the Subcontractor considers that any of the Data Controller’s instructions violate data protection legislation or any other legal provision, the Subcontractor shall inform the Data Controller in writing and may refuse to comply with said instruction, without such refusal constituting a breach of the Contract and/or Agreement.

7. RECORDS OF TREATMENT ACTIVITIES

7.1. Legau, in its capacity as Subcontractor of the Data Controller, shall keep and maintain a record in electronic format of the processing activities carried out on behalf of the Data Controller, containing the information provided for in Article 32(2) of the GDPR.

7.2. The Subcontractor, whenever notified to do so, shall make the register available to the supervisory authority, without prejudice to the duty to inform the Data Controller of such notification as soon as it becomes aware of it.

8. RETENTION OF PERSONAL DATA

8.1. The Subcontractor may store personal data on behalf of the Data Controller only for the duration of the Contract.

8.2. At the end of the aforementioned period, the Subcontractor shall act in accordance with the provisions of Clause 20 of this Agreement.

9. IMPACT ASSESSMENTS

9.1. The Subcontractor undertakes to carry out a data protection impact assessment whenever this is required by law and under the terms defined therein.

9.2. The Subcontractor undertakes to provide the result of the aforementioned data protection impact assessments and the guidance received from the supervisory authority whenever requested by the Data Controller within a maximum of forty-eight (48) hours of receiving the written request from the Data Controller.

10. SAFETY

10.1. The appropriate technical and organizational measures to protect personal data must provide a level of security appropriate to the risks presented by the processing, taking into account the state of the art and the nature of the data to be protected, which must enable personal data to be protected against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of processing.

10.2. Without prejudice, the Subcontractor shall ensure that appropriate technical and organizational measures are in place to ensure a level of security appropriate to the risk, including, as appropriate:

(a) The confidentiality, integrity and constant availability of processing systems and services;

(b) The resilience of the systems and services that process personal data;

(c) The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the safety of treatment;

(e) The possibility of pseudonymization and/or encryption of personal data.

10.3. The Data Controller may, at its reasonable discretion, request from the Subcontractor elements demonstrating compliance with the obligations of this Clause.

11. SECURITY INCIDENTS

11.1. The Subcontractor shall inform the Data Controller within twenty-four (24) hours of becoming aware of any security incident, whether attempted or not, affecting personal data or the contracted processing operations.

11.2. The Subcontractor must keep a documented record of all security incidents that may affect personal data and/or processing operations.

11.3. In the event of a personal data breach, the Subcontractor undertakes to assist and collaborate with the Data Controller with regard to:

(a) Notification to be made to the control authority;

(b) Communication to affected data subjects;

(c) Report to the judicial authority;

11.4. The Subcontractor may contact the local police authorities in the event of a breach of its premises or theft of equipment or documents.

11.5. The obligations of this Clause are without prejudice to those arising from legislation, particularly in the field of information security and cybercrime.

12. COMMUNICATION TO THIRD PARTIES

12.1. The Subcontractor is prohibited from communicating any data to third parties, with the exception of:

(a) Communications instructed by the Data Controller;

(b) In compliance with its legal obligations;

(c) For sub-subcontractors of the Subcontractor, provided that under the terms of Clause 14;

(d) In the cases provided for by law.

13. INTERNATIONAL TRANSFERS

13.1. The Subcontractor may not carry out any operations with regard to personal data that coincide with their transfer to countries outside the European Economic Area, including personal data in transit, or the storage of personal data on servers located in third countries.

13.2. Without prejudice to Clause 13.1, the Subcontractor shall immediately notify the Data Controller in writing of any transfers of personal data, whether permanent or temporary, to one or more countries outside the European Union, and shall provide all the information necessary to determine whether all the conditions laid down in the GDPR are met, in particular:

(a) The suitability of the destination country; or

(b) Adequate safeguards; or

(c) The existence of binding rules applicable to approved companies; or

(d) Regarding the existence of derogations for specific situations.

13.3. The Subcontractor shall only proceed with any transfers, whether permanent or temporary, after obtaining the express written consent of the Data Controller, who may refuse such consent at his/her sole discretion, as described in Appendix I and II of this Agreement.

13.4. Where the Data Controller authorizes the transfer to a third country subject to adequate safeguards, the Data Controller shall adopt measures necessary to remedy the inadequacy of data protection in the third country and such measures shall ensure compliance with data protection requirements and respect for the rights of data subjects.

13.5. Any transfer based on the derogations for specific situations provided for in Article 49 of the GDPR must be substantiated in writing and accompanied by the necessary documentation to substantiate it.

14. SUBSEQUENT SUBCONTRACTORS

14.1. The Subcontractor is authorized to subcontract its obligations without prior authorization from the Data Controller, however, the Subcontractor must make a communication to the Data Controller containing the information described in Section 5 of Appendix 1.

14.2. The sub-subcontractor shall be subject to the same data protection obligations as those laid down in this Agreement and the aforementioned legislation, namely the obligation to provide guarantees for the implementation of appropriate technical and organizational measures for the security of the processing, in such a way that the processing complies with the requirements of the Regulation.

14.3. The Subcontractor acknowledges that failure to comply with its obligations and those of the sub-subcontractor shall be the responsibility of the Subcontractor, without prejudice to any rights that the Subcontractor may have vis-à-vis the sub-subcontractor, either under the respective contract or under the law.

14.4. Without prejudice to the provisions of Clause 14.1, any company belonging to the Subcontractor’s corporate group and providing services to the Subcontractor within the scope of the execution of the Contract shall not, however, be considered a sub-subcontractor of the Subcontractor:

(a) The Subcontractor undertakes to cooperate with the Data Controller in fulfilling its obligations under this Agreement;

(b) The Subcontractor assumes full responsibility for the services provided by any company that belongs to its corporate group and that provides services to it within the scope of the execution of the Contract, remaining the only entity fully responsible to the Data Controller for the activities carried out and the quality thereof, as well as for any damage and/or loss that they may cause in their execution.

14.5. The Data Controller is hereby informed of the identities identified in Section 5 of Appendix 1 (“Description of the Processing of Personal Data“) in order to carry out the operations identified in Subsection 5.1 of said Appendix 1.

15. AUDIT

15.1. The Subcontractor shall make available to the Data Controller, upon request, all reasonable information necessary to demonstrate compliance of the data processing activities carried out on behalf of the Data Controller with this Agreement and with applicable law, in particular with regard to compliance with the required security measures, and shall provide, where necessary and to the extent reasonable, any reasonable information and documentation directly related to the processing of the data so that the Data Controller can verify such compliance.

15.2. These audits may be carried out directly by the Data Controller or by a third party mandated by the Data Controller, provided that it is not an entity that competes directly or indirectly with the Subcontractor.

15.3. The Subcontractor shall guarantee access to the necessary documentation and information, and, if and when necessary and reasonable, and to the extent strictly necessary, during working hours and without creating disruption to the normal functioning of the Subcontractor, access to its premises where the processing operations take place, to the extent reasonable, for the purpose of carrying out the audit and review of the personal data processing procedures, as well as to any and all employees of the Subcontractor involved in the processing operations.

15.4. The Subcontractor is responsible for ensuring compliance with the obligation of this Clause with its sub-subcontractors, guaranteeing that all necessary and reasonable steps are taken to this end.

16. EXERCISE OF RIGHTS

The Subcontractor is not authorized to respond to requests from data subjects in the exercise of rights under the GDPR, and must inform the Data Controller of any request it receives within twenty-four (24) hours of receipt, always indicating the date and time of receipt of the request to exercise rights.

17. DURATION AND RESOLUTION

17.1. This Agreement shall enter into force on the date on which it is signed by both Parties and shall have a duration identical to that set out in the Contract.

17.2. With regard to the termination of this Agreement, the provisions of the Contract shall apply.

17.3. Failure to comply with any obligations arising from the Agreement and/or legislation that may affect and/or call into question the processing of personal data may be grounds for termination of the Agreement by the Data Controller.

17.4. In the cases provided for in the preceding paragraph, the Data Controller undertakes to stipulate a period within which the Subcontractor may remedy the breach of obligations, at the end of which it may terminate the Agreement.

17.5. Upon termination or expiry of the Contract, the Subcontractor shall return or destroy the personal data in accordance with Clause 20 of this Agreement.

18. EFFECTS OF TERMINATION AND/OR RESCISSION OF THE CONTRACT

If necessary, upon expiry or termination of this Agreement, the Subcontractor undertakes to take all necessary measures to ensure an orderly transfer of data processing operations to the Data Controller or to a third party appointed by it.

19. RESPONSIBILITY

19.1. The Subcontractor is liable for direct damage caused by intent or gross negligence, demonstrably caused to the Data Controller, when:

(a) It has not complied with the obligations arising from the legislation directly applicable to it;

(b) It has not followed the provisions of this agreement;

(c) It has not followed the good practices in force in the sector;

(d) You have not followed the instructions, provided they are lawful and reasonable, of the Data Controller.

20. DESTRUCTION

20.1. Upon expiry and/or termination of the Contract, the Subcontractor shall destroy all personal data in its possession, which obligation includes the deletion of personal data from all media on which the data is stored.

20.2. When personal data is destroyed, the Data Controller must present a document stating that the data has been destroyed and/or deleted from the media on which the data is stored.

20.3. The Subcontractor is responsible for ensuring compliance with the obligation of this Clause with its sub-subcontractors, ensuring that all necessary steps are taken to this end.

20.4. This Clause is without prejudice to the keeping of the documentation necessary to comply with legal and/or judicial and/or administrative obligations to which the Subcontractor is bound.

21. ANNOUNCEMENTS

For the purposes of communications between the Parties, all communications, notices, authorizations, requests and/or claims to be made in execution of this Agreement shall be made by registered letter with acknowledgement of receipt or by email, to the contacts defined in the Agreement, and the rules set out therein shall apply.

22. FORCE MAJEURE

22.1. In the event of any event that may be considered force majeure, the Parties shall be excused from fulfilling the obligations arising from this Agreement that are affected by force majeure, and the Party affected shall inform the other in writing within five (5) days of the occurrence of the event, specifying its causes and its possible duration and consequences on the performance of the Contract.

22.2. If the circumstances continue for thirty (30) days after said communication and affect the ability of one of the Parties to fulfill all of its obligations under this Agreement, either Party may terminate the Agreement with immediate effect by giving written notice to the other Party.

23. GENERAL PROVISIONS

23.1. In situations where Legau acts as Subcontractor and the undersigned as Data Controller, this Agreement shall prevail over any contradictory provision of the Contract. In situations where Legau acts as Data Controller, the provisions of Clause 9 of the Contract shall prevail.

23.2. Without prejudice to the provisions of the Agreement for situations in which Legau acts as data controller, in the event that Legau, as Data Subcontractor, uses the data for purposes other than those indicated in this Agreement, it shall be considered for all purposes as data controller, guaranteeing the Data Controller against any and all claims of the data subjects.

23.3. Without prejudice to the provisions of the Contract for situations in which Legau acts as controller, the situation provided for in the previous paragraph shall not affect the civil and criminal liability of the Subcontractor, either towards the undersigned as Data Controller, or towards the holders of the personal data.

23.4. An integral part of this Agreement is Appendix 1, which constitutes the entire agreement between the Parties and no alteration, modification or addition thereto shall take effect unless made in writing and signed by both Parties.

24. LAW AND JURISDICTION

24.1. This Agreement shall be construed in accordance with the Contract.

24.2. The failure of the parties to exercise a right granted to them cannot and must not be understood as a waiver of that right.

24.3. This Agreement shall be governed by the legislation in force in Portugal.

24.4. The Parties agree that, in order to settle any dispute arising from this Agreement that cannot be settled amicably, the Lisbon District Court shall have exclusive jurisdiction, expressly waiving any other jurisdiction.

The Parties executed this Agreement in counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.

Date: ______________________

For and on behalf of Weekend Freedom, Lda. (dba as Legau)

______________________

Name: Luís Alves Dias

Capacity: Director

For and on behalf of the Data Controller:

Company’s legal name: ______________________

Company’s registered office address: ______________________

Company’s registration number: ______________________

Company’s contact email: ______________________

APPENDIX I

Description of the Processing of Personal Data

APPENDIX II

List of Subcontractors

Infrastructure sub-Subcontractors

Service specific sub-Subcontractors