Effective Date: March 1, 2025

SCALIBIT - DATA PROCESSING ADDENDUM

This Data Processing Addendum (the “Addendum”) is executed by and between you (“Customer”) and the SCALIBIT entity that is a party to the General Terms of Service, and any other agreements between you and SCALIBIT (collectively, the "Agreement"). SCALIBIT and Customer are referred to herein, individually, as a "Party", and collectively as the "Parties". This DPA is effective as of the effective date of the Agreement ("Effective Date") and governs all Processing of Customer Personal Data under the Agreement.

1. SCOPE, ORDER OF PRECEDENCE, AND TERM

  • 1.1 This Data Processing Agreement (“DPA”) is an addendum to the Terms of Service (“Agreement”) between SCALIBIT.COM (“SCALIBIT”) and the Customer. SCALIBIT and Customer are individually a “party” and, collectively, the “parties.”

    - 1.1.1 This Agreement does not apply to Virtual Machines (VPS Hosting, VDS Hosting, Dedicated Cloud Servers), Cloud Services (Cloud Hosting, Cloud Servers, Cloud Backup), Cloud Compute (Standard Performance, High Performance, High Frequency), Optimized Cloud Compute (General Purpose, CPU Optimized, Memory Optimized, Storage Optimized), and Dedicated Server services, where SCALIBIT acts solely as an infrastructure provider. The Customer retains full administrative control over the servers and is solely responsible for the management and processing of any hosted data.

    • SCALIBIT solely acts as an infrastructure provider for Virtual Machines (VPS Hosting, VDS Hosting, Dedicated Cloud Servers), Cloud Services (Cloud Hosting, Cloud Servers, Cloud Backup), Cloud Compute (Standard Performance, High Performance, High Frequency), Optimized Cloud Compute (General Purpose, CPU Optimized, Memory Optimized, Storage Optimized), and Dedicated Server services. SCALIBIT does not process or have access to customer data stored on these servers. Customers have full administrative control and are responsible for data management, processing, and compliance with applicable regulations.

  • 1.2 This DPA applies where and only to the extent that SCALIBIT processes Personal Data on behalf of the Customer in the course of providing the Services and such Personal Data is subject to Data Protection Laws of the appropriate jurisdiction, including the State of California, the European Union, the European Economic Area and/or its member states, Switzerland and/or the United Kingdom. The parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.

  • 1.3 The duration of the Processing covered by this DPA shall be in accordance with the duration of the Agreement.

2. DEFINITIONS

Unless otherwise defined in the Agreement (as defined herein), all capitalized terms used in this DPA will have the meanings given to them below:

  • 2.1 “Affiliate” means any entity that controls or is under common control with a Party. “Control” means direct or indirect ownership or control of fifty percent (50%) or more of the voting interests of an entity.

  • 2.2 “Agreement” means the ToS and all other written or electronic agreement(s) between SCALIBIT and Customer, which govern use of the Website, Products, or Order (as applicable), as such terms or agreement may be updated from time to time. For the avoidance of doubt, all references to the “Agreement” shall also include the Standard Contractual Clauses (where applicable, as defined herein).

  • 2.3 “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing Customer Personal Data under the Agreement.

  • 2.4 "Customer” means the purchaser of the services from SCALIBIT, a Website visitor, user and/or the party set forth in the related Order.

  • 2.5 "Database Software is a software program or utility used for creating, editing and maintaining database files or records, such as (but not limited to) MySQL and MariaDB.

  • 2.6 "Logical Security the protection of computer software ("Operating System") of SCALIBIT’s platform, including user identification and password access, authentication, access rights. These measures are to ensure that only authorised users are able to perform actions or access information on our platform.

  • 2.7 "Parties are SCALIBIT ("SCALIBIT") together with the Customer.

  • 2.8 "Physical Security the protection of hardware, software, network and data from physical action and events that could cause serious loss or damage to SCALIBIT’s platform. This includes protection from fire, flood, natural disasters, theft and vandalism.

  • 2.9 "Software is defined as (but not limited to) WordPress, Magento, Spreadsheets, Documents, customers code.

  • 2.10 “CCPA” means the California Civil Code Sec. 1798.100 et seq. (also known as the “California Consumer Privacy Act”).

  • 2.11 “Consumer,” “Business,” “Sell,“ and/or “Service Provider” shall have the meanings given to them in the CCPA or CPRA (as applicable).

  • 2.12 “SCALIBIT Network” means SCALIBIT’s data center facilities, servers, networking equipment, and software systems that are within SCALIBIT’s control and are used to serve and/or provide the Websites and Products.

  • 2.13 “De-Identified Data” means data that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a specific Data Subject.

  • 2.14 “SCALIBIT Data” means (a) all information relating to SCALIBIT’s business and delivery of the Services, including but not limited to Personal Data concerning Customer and its employees or representatives, (b) other data concerning or relating to Customer’s account, transaction history, use of the Services and identity verification, and (c) subject to any restrictions under any applicable Data Protection Laws, De-Identified Data.

  • 2.15 “SCALIBIT Security Standards” means the security standards attached to this DPA as Annex 3.

  • 2.16 “CPRA” means the amendments to the CCPA, California Civil Code Sec. 1798.100 et seq. (also known as the California Privacy Rights Act of 2020).

  • 2.17 “Customer Data” means the personal data SCALIBIT processes on behalf of Customer via the Website or Products, as more particularly described in this DPA. Customer Personal Data does not include SCALIBIT Data.

  • 2.18 “Data Protection Laws” means all applicable worldwide laws, regulations, and legislation relating to data protection and privacy related to processing of Customer Data under the Agreement, including without limitation, where applicable, European Data Protection Laws and Non-European Data Laws, in each case as amended, repealed, consolidated or replaced from time to time.

  • 2.19 “Data Subject” means an identified or identifiable natural person to whom specific Personal Data relates.

  • 2.20 “Europe” means the European Economic Area and its member states (“EEA”), Switzerland and the United Kingdom (“UK”).

  • 2.21 “European Data Protection Laws” means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the GDPR as it forms part of UK law by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (together, “UK Data Protection Laws”); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”).

  • 2.22 “Non-European Data Protection Laws” means the CCPA, the Türkiye The Personal Data Protection Law (KVKK), the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Brazilian General Data Protection Law (“LGPD”), Federal Law no. 13,709/2018,the Privacy Act 1988 (Cth) of Australia, as amended (“Australian Privacy Law”), the CCPA, the CPRA, the Virginia Consumer Data Privacy Act (“VDCPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Protection Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), and all other data protection laws and regulations pertaining to the personal data of its citizens and residents .

  • 2.23 “Personal Data” means information that relates to an identified or identifiable natural person, including any information defined as Personal Data, Personal Information, or Personally Identifiable Information (“PII”) in any applicable Data Protection Laws. Personal Data does not include De-Identified Data.

  • 2.24 “Processing” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, securing, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction. “Processes” and “Process” shall be construed accordingly.

  • 2.25 "Processor” means a natural or legal person, public authority, agency, or body that processes Customer Personal Data on behalf of a Controller under the Agreement.

  • 2.26 "Services” means the products or services that SCALIBIT has agreed to provide pursuant to the Agreement that involve processing of Customer Personal Data.

  • 2.27 “Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by SCALIBIT.

  • 2.28 “Sensitive Data” means (i) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (ii) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (iii) employment, financial, credit, genetic, biometric or health information; (iv) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (v) account passwords; or (vi) other information that falls within the definition of “special categories of data” under applicable Data Protection Laws.

  • 2.29 “Sub-processor” means any processor engaged by SCALIBIT or its Affiliates to assist in fulfilling its obligations with respect to serving or providing the Website or Products pursuant to the Agreement or this DPA. Sub-processors may include third parties or Affiliates of SCALIBIT but shall exclude SCALIBIT’s employees, contractors, or consultants.

  • 2.30 “Transfer” means

    - (a) transfer of Customer Personal Data from Controller to Processor, whether by physical transfer or by granting access to Customer Personal Data held or otherwise controlled by Controller or

    - (b) an onward transfer of Customer Personal Data from a Processor to a Subprocessor (and any subsequent onward transfer by a Subprocessor to another Subprocessor).

  • 2.31 “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under S.119(A) of the UK Data Protection Act 2018, as updated or amended from time to time.

  • 2.32 Unless otherwise defined herein, the terms “personal data,” “controller,” “data subject,” “processor” and “processing” shall have the meaning given to them under applicable Data Protection Laws or if not defined thereunder, the GDPR, and “process,” “processes,” and “processed,” with respect to any Customer Data, shall be interpreted accordingly.

3. DATA PROCESSING

  • 3.1 Scope and Roles. If European Data Protection Laws or the KVKK, the CCPA apply to either Party’s processing of Customer Data, the Parties acknowledge and agree that with regard to the processing of Customer Data, this DPA applies when Customer Data is processed by SCALIBIT. In this context, SCALIBIT will act as “processor” to Customer who may act either as “controller” or “processor” with respect to Customer Data (as each term is defined in the GDPR).

    - 3.1.1 In the case of Virtual Servers (VPS), Virtual Machines (VM), Cloud Servers, and Dedicated Servers, SCALIBIT acts solely as an infrastructure provider. SCALIBIT does not have access to or control over the data hosted on the servers and does not assume the role of a Data Processor under GDPR for such services. The Customer retains full administrative control and responsibility over the hosted data.

  • 3.2 Purpose Limitation and Customer Controls. SCALIBIT shall process Customer Data, as further described in Annex A (Details of Data Processing) of this DPA, only in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, or as otherwise agreed in writing (“Permitted Purposes”). The Website and Products provide Customer with a number of controls, including security features and functionalities, that Customer may use to retrieve, correct, delete or restrict Customer Data. Without prejudice to Section 5/Veri İşleme Güvenliği, Customer may use these controls as technical and organizational measures to assist it in connection with its obligations under the GDPR, CCPA, CPRA, KVKK, and all other applicable Data Protection Laws, including its obligations relating to responding to requests from Data Subjects.

  • 3.3. SCALIBIT shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions and shall treat Personal Data as Confidential Information. Customer instructs SCALIBIT to Process Personal Data for the following purposes:

    (i) Processing in accordance with the Agreement and applicable orders;

    (ii) Processing to comply with other reasonable instructions provided by Customer (e.g., via a support ticket) where such instructions are consistent with the terms of the Agreement, and

    (iii) Processing of Personal Data that is required under applicable law to which SCALIBIT or SCALIBIT Affiliate is subject, including but not limited to applicable Data Protection Laws, in which case SCALIBIT or the relevant SCALIBIT Affiliate shall to the extent permitted by applicable law, inform the Customer of such legally required Processing of Personal Data.

    Customer shall, in its use or receipt of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Customer will ensure that its instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data

  • 3.4 Prohibited Data. Customer will not provide (or cause to be provided) any Sensitive Data to SCALIBIT for processing under the Agreement, and SCALIBIT will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.

  • 3.5 Compliance with Laws.

    3.5.1 Customer represents and warrants that

    - it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Customer Data and any processing instructions it issues to SCALIBIT; and

    - it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for SCALIBIT to process Customer Data for the purposes described in the Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to any other content created, sent, or managed through the Website or Products, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices.

  • 3.6 SCALIBIT will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA.

  • 3.7 SCALIBIT will inform Customer of any instruction that it deems to be in violation of GDPR and will not execute the instructions until they have been confirmed or modified.

  • 3.8 When Customer Data is processed by SCALIBIT both parties acknowledge and agree that:

    - SCALIBIT is a Data Processor of Customer Data under the GDPR

    - Customer is a Data Controller of Customer Data under GDPR.

  • 3.9 Customer Instructions.

    The parties agree that the Agreement and this DPA, including the provision of instructions via configuration tools such as any SCALIBIT management console and APIs made available by SCALIBIT for the Website and Products, constitute Customer’s documented instructions regarding SCALIBIT’s processing of Customer Data (“Documented Instructions”). SCALIBIT will process Customer Data only in accordance with Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Customer and SCALIBIT, including agreement on any additional fees payable by Customer to SCALIBIT for carrying out such instructions. Customer is entitled to terminate this DPA and the Agreement if SCALIBIT declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA.

  • 3.10 Confidentiality of Customer Data.

    SCALIBIT shall treat all Customer Data as strictly confidential information. Customer Data may not be copied, transferred or otherwise processed in conflict with the Instruction from Customer unless required by law.

    SCALIBIT employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all Customer Data under this DPA with strict confidentiality and only process Customer Data in accordance with the Instruction.

    SCALIBIT will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Website or Products, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a preservation request, warrant, subpoena or court order). To the extent applicable by law, if a governmental body sends a demand for Customer Data, SCALIBIT will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, SCALIBIT may provide Customer’s basic contact information to the government body. If compelled to disclose Customer Data to a government body, then SCALIBIT will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless SCALIBIT is legally prohibited from doing so.

4. SCALIBIT'S RESPONSIBILITIES

  • 4.1 SCALIBIT’s responsibilities with regard to the processing of personal data provided by the Customer in its use of the Services is limited to providing adequate security measures to store the data uploaded by the Customer onto the hosting platform. SCALIBIT is responsible for the Physical Security of its platform, and the Logical Security of the Operating System and the Database Software which serves the Customer’s database. SCALIBIT is not responsible for the security of the data however populated within such databases and/or hosting space by the Customer, or Software managed by the Customer and the access to the data that this has. This is the sole responsibility of the Customer.

  • 4.2 SCALIBIT shall, in relation to any personal data processed in connection with the performance by SCALIBIT of its obligations under this agreement:

    - 4.2.1 process that personal data only on the written instructions of the Customer, unless SCALIBIT is otherwise required to do so by the laws of any member of the European Union or by the laws of the European Union that apply to SCALIBIT (“Applicable Laws”). Where SCALIBIT is required by Applicable Laws to process personal data, SCALIBIT shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prevent SCALIBIT from notifying the Customer;

    - 4.2.2 pursuant to article 32 of the GDPR, ensure that it has appropriate technical and organisational measures in place in order to protect against any unauthorised or unlawful processing of personal data, accidental loss or destruction of personal data, and damage being caused to personal data. Such measures are set out in Annex 2 of this agreement.

    - 4.2.3 ensure only personnel required for the purposes of carrying out this agreement have access to, and that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential;

    - 4.2.4 if the Customer is unable to access the relevant information, to assist the Customer, and in any event, at the Customer’s cost, provide reasonable assistance in responding to any request from a supervising authority or a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

    - 4.2.5 notify the Customer on becoming aware of a personal data breach

    - 4.2.6 in accordance with SCALIBIT’s standard policies, delete, or return (at the Customer’s cost) in a format determined by SCALIBIT, personal data and copies thereof, on termination of the agreement, unless required by any Applicable Laws to continue to store the personal data; and

    - 4.2.7 maintain complete and accurate records and information to demonstrate its compliance with this clause and allow for audits to be carried out by the Customer, only so far as is necessary in order to demonstrate compliance, provided that the Customer (a) provides SCALIBIT with no less than 30 days’ notice of such audit or inspection; (b) refunds SCALIBIT for all reasonable costs and expenses that it incurs as a result of any such audit or inspection (c) both parties agree the scope, duration and purpose of such audit or inspection. If the Customer becomes privy to any Confidential Information of SCALIBIT as a result of this clause, the Customer shall hold such Confidential Information in confidence and, unless required by law, not make the Confidential Information available to any third party, or use the Confidential Information for any other purpose. The Customer acknowledges that SCALIBIT shall only be required to use reasonable endeavours to assist the Customer in procuring access to any third party assets, records or information as part of any audit;

5. THE CUSTOMER'S RESPONSIBILITIES

  • 5.1 The Customer acknowledges that SCALIBIT has no knowledge of the type/content of any personal data received, stored, or transmitted to SCALIBIT’s platform, by using the Services.

  • 5.2 If SCALIBIT believes or becomes aware that its processing of Customer personal data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall inform Customer and provide reasonable cooperation to Customer (at the Customer's expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.

  • 5.3. In respect of personal data which the Customer receives, stores, or transmits using the Services, the Customer:

    - 5.3.1 will ensure, and warrants that, it has all necessary and appropriate consents and notices in place to ensure that it can lawfully transfer the personal data to SCALIBIT, for the duration and purposes of this agreement;

    - 5.3.2 undertakes that its use of the Services for processing personal data will each (i) comply with privacy laws or regulations applicable to its Processing of Customer Personal Data, (ii) not cause SCALIBIT to infringe Applicable Data Protection Law. The Customer will ensure that it has all necessary consents, notices and other requirements in place to enable lawful processing of the customer personal data by SCALIBIT for the duration and purposes of this agreement;

    - 5.3.3 shall, unless otherwise provided for in the agreement, be solely responsible for the legality, confidentiality, integrity, availability, accuracy and quality of all data it processes;

    - 5.3.4 shall be solely responsible for ensuring the safety and security of all the data it controls and processes. The Customer warrants it has relevant and appropriate security measures in place to adequately protect the personal data it collects/processes. The Customer must verify the adequacy of SCALIBIT’s security measures as appropriate for the type of personal data the Customer collects/processes and stores on SCALIBIT’s platform. The Customer should refer to the Acceptable Use Policy to ensure it is not in breach of SCALIBIT’s terms and conditions.

    - 5.3.5 is solely responsible for responding to any request from a data subject and in ensuring its own compliance with its obligations under Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

    - 5.3.6 For Virtual Servers (VPS), Virtual Machines (VM), Cloud Servers, and Dedicated Servers, the Customer assumes full responsibility for the management, processing, and security of any data hosted on the servers. SCALIBIT does not have root access or administrative privileges over these servers and, therefore, is not responsible for ensuring compliance with GDPR or any other data protection regulations related to the hosted data.

    - 5.3.7 shall indemnify SCALIBIT against any claims, actions, liabilities, proceedings, direct losses, damages, expenses, fines and costs (including without limitation court costs and reasonable legal fees) incurred by SCALIBIT as a direct result of any negligence, wilful misconduct, or breach of the Data Protection Legislation of the Customer.

6. LEGAL PROCESS AND OTHER THIRD PARTY REQUESTS FOR CUSTOMER PERSONAL DATA

  • 6.1 SCALIBIT will not respond to any informal request for any Customer Personal Data from a government body, law enforcement agency, or other person except in response to a subpoena, search warrant, court order, or other similar legal process (collectively, “Legal Process”), unless such disclosure is determined by SCALIBIT in its reasonable discretion to be

    - (a) Required by law,

    - (b) Necessary to protect SCALIBIT's systems or data from harm or misuse, or

    - (c) Necessary to protect SCALIBIT or any other person from damage or physical harm.

  • 6.2 Unless prohibited by law, SCALIBIT will notify Customer promptly if it receives any Legal Process that requires SCALIBIT to provide access to or disclose Customer Personal Data.

7. SECURITY OF DATA PROCESSING

  • 7.1 SCALIBIT shall implement and maintain appropriate technical and organizational security measures that are designed to protect Customer Data from Security Incidents and designed to preserve the security and confidentiality of Customer Data in accordance with SCALIBIT’s security standards described in Annex B (“Security Measures”) of this DPA.

  • 7.2 Customer expressly acknowledges that SCALIBIT provides security features and functionality that Customer can use to protect Customer Personal Data. Customer is solely responsible for taking appropriate risk-based steps to protect the security of Customer’s account and Customer Personal Data within Customer’s control, including by using security features and functionality provided by SCALIBIT. Customer also is solely responsible for ensuring that all content that Customer places or causes to be placed within the Services is free of vulnerabilities that could result in the compromise of Customer Personal Data and SCALIBIT’s systems, including but not limited to malicious software.

  • 7.3 SCALIBIT is not responsible for backing up Customer Personal Data.

  • 7.4 Customer is required to comply with all Payment Card Industry Data Security Standard Requirements (“PCI-DSS”). Customer Personal Data, including credit, debit or other payment card holder information (“PCI-DSS Data”) may only be provided through Services specifically designed to Process such PCI-DSS Data. SCALIBIT does not offer PCI-DSS compliant Services. and If Customer uses SCALIBIT Services to process or store PCI-DSS Data, Customer is solely responsible for any violations of PCI-DSS requirements.

  • 7.5 SCALIBIT shall ensure that any person who is authorized by SCALIBIT to process Customer Data (including its employees, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

  • 7.6 SCALIBIT restricts its personnel from processing Customer Data without authorization by SCALIBIT as described in the SCALIBIT Security Standards. SCALIBIT imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

  • 7.7 Customer is responsible for reviewing the information made available by SCALIBIT relating to data security and making an independent determination as to whether such meets Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that SCALIBIT may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Website or Products provided to Customer.

  • 7.8 Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Website and Products, including securing Customer Account authentication credentials, protecting the security of Customer Data when in transit to and from the Website or Product, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Website or Products.

SCALIBIT strongly recommends that customers enable Multi-Factor Authentication (MFA) for their accounts to enhance security. Additionally, customers should use strong passwords, restrict access controls, and regularly monitor account activity to prevent unauthorized access.

8. DATA SECURITY INCIDENTS

  • 8.1 SCALIBIT offers Customer extensive opportunities to access and control Customer Personal Data Processed on Customer’s behalf. SCALIBIT is not responsible for any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data that does not result from a compromise of SCALIBIT’s systems. Examples of Security Incidents for which SCALIBIT is not responsible include Customer’s failure to maintain the secrecy of its passwords, downloading of malicious content, or any other security vulnerability caused by or introduced into the Services and Customer’s hosted environment by Customer.

  • 8.2 SCALIBIT will use commercially reasonable efforts to notify Customer of a breach of security of SCALIBIT’s systems leading to the accidental or unlawful, destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (“Security Incident”) within the time period required under applicable law. Notifications of such incidents will be sent to the account email address as set by Customer. It is Customer’s sole responsibility to ensure this information is correct and kept up to date inside the control panel.

  • 8.3 Upon becoming aware of a Security Incident, SCALIBIT shall use commercially reasonable efforts to:

    - notify Customer without undue delay, and where feasible, within forty-eight (48) hours of awareness;

    - provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and

    - promptly take reasonable steps to contain and investigate any Security Incident. SCALIBIT’s notification of or response to a Security Incident under this Section shall not be construed as an acknowledgment by SCALIBIT of any fault or liability with respect to the Security Incident.

  • 8.4 SCALIBIT will take appropriate, risk-based steps that are reasonably necessary to contain, mitigate, and remediate a Security Incident without unreasonable delay.

  • 8.5 SCALIBIT will provide information reasonably requested by Customer to assess the impact of a Security Incident on Customer Personal Data and for Customer to provide notice of the Security Incident to governmental authorities, affected Data Subjects, or any other person.

  • 8.6 Customer agrees that Data Breach Notifications will not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

  • 8.7 SCALIBIT’s acknowledgement of a Security Incident or decision to notify Customer of a Security Incident is not an admission of fault or liability.

9. SUB-PROCESSING

  • 9.1 Customer acknowledges, understands and agrees that Company may use sub-processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf, such as providing tracking or support services. The Sub Processors list currently engaged by Company to carry out processing activities on Customer Data on behalf of Customer is, as amended by Company, available online. Company shall notify Customer if it adds or removes Subprocessors prior to any such changes. Company may update the Subprocessor list and may provide Customer with a mechanism to obtain notice of that update. Customer consents to Company’s use of Subprocessors as described in this Section. Except as set forth in this Section, or as Customer may otherwise authorize, Company will not permit any Subprocessor to carry out processing activities on Customer Data on behalf of Customer.

  • 9.2 Before transferring Customer Personal Data to a Subprocessor, SCALIBIT will:

    - 9.2.1 Shall complete a written agreement with any Sub-Processors. Such an agreement shall at minimum provide the same data protection obligations as the ones applicable under this DPA. It remains accountable for any Sub-Processor in the same way as for its own actions and omissions. SCALIBIT will restrict Sub-Processor access to Customer Data to what is necessary to provide the Services.

    - 9.2.2 Customer acknowledges and agrees that, where applicable, SCALIBIT fulfills its obligations under Clause 9 of the Controller-to-Processor Clauses and Processor-to-Processor Clauses (as applicable) by complying with this Section and that SCALIBIT may be prevented from disclosing Subprocessor agreements to Customer due to confidentiality restrictions but SCALIBIT shall, upon request, use reasonable efforts to provide Customer with all relevant information it reasonably can in connection with Sub-processor agreements.

  • 9.3 New Subprocessors; Right to Object.

    - 9.3.1 SCALIBIT will exercise reasonable efforts to notify Customer in writing at least thirty (30) days in advance if SCALIBIT intends to appoint new a Subprocessor; provided, however, that thirty (30) days’ advance notice is not required and SCALIBIT will notify Customer without undue delay after the appointment of a new Subprocessor if immediate appointment is required to maintain the security of Customer Personal Data or to comply with applicable law. Notifications of such engagements will be delivered to the account email address and/or through the control panel interface. It is Customer’s sole responsibility to ensure account information is correct and kept up to date.

    - 9.3.2 If Customer reasonably objects to a new Subprocessor, Customer must notify SCALIBIT in writing within thirty (30) days after the Subprocessor’s appointment. In SCALIBIT's sole discretion, SCALIBIT may use commercially reasonable efforts to address Customer’s objection. If the Parties are unable to resolve Customer’s objection within thirty (30) days, Customer may terminate this DPA and any portion of the Agreement relating to the processing of Customer Personal Data.

    - 9.3.3 If Customer does not object to a new Subprocessor within thirty (30) days of notice of Subprocessor’s appointment, Customer will be deemed to have accepted the new Subprocessor.

  • 9.4 A list of SCALIBIT’s Sub-processors can be disclosed upon request, according to Annex C.

10. DATA SUBJECT RIGHTS

  • 10.1 Customer is solely responsible for responding to any request to exercise a Data Subject’s rights under the Data Protection Laws, Customer’s privacy policies, or Customer’s terms of service, including but not limited to requests to know, access, correct, or delete Customer Personal Data (“Data Subject Requests”).

  • 10.2 SCALIBIT will not respond to a Data Subject Request except on documented instructions from Customer or as otherwise required under applicable law.

  • 10.3 SCALIBIT will notify Customer of any Data Subject Request. Customer is solely responsible for responding to any Data Subject request. If Customer has exhausted all means available to respond to a Data Subject Request – subject to Customer’s agreement to pay SCALIBIT’s reasonable expenses in advance – SCALIBIT will provide Customer with assistance reasonably necessary to allow Customer to respond to a Data Subject Request.

11. DATA PROTECTION IMPACT ASSESSMENTS, PRIOR CONSULTATION, AND COMPLIANCE INQUIRIES

  • 11.1 Data Protection Impact Assessments; Prior Consultation. At Customer’s expense, SCALIBIT will provide reasonable assistance to Customer in conducting any data protection impact assessments and consultations with government authorities or regulators concerning processing of Customer Personal Data.

  • 11.2 Compliance Inquiries. Customer may periodically request information reasonably necessary to confirm SCALIBIT’s compliance with its obligations under applicable Data Protection Laws. If SCALIBIT fails to respond to Customer’s request within forty-five (45) days, Customer may terminate the Agreement. For the avoidance of doubt, nothing in this DPA gives Customer the right to conduct an audit of SCALIBIT’s business, systems, or services. SCALIBIT’s obligation under this section is limited to providing Customer with information reasonably necessary to confirm that SCALIBIT is in compliance with its obligations under applicable Data Protection Laws.

  • 11.3 If a Data Subject brings a claim directly against SCALIBIT for a violation of their Data Subject rights, Customer will indemnify SCALIBIT for any cost, charge, damages, expenses or loss arising from such a claim, to the extent that SCALIBIT has notified Customer about the claim and given Customer the opportunity to cooperate with SCALIBIT in the defense and settlement of the claim.

12. TRANSFERS OF PERSONAL DATA

  • 12.1 Customer acknowledges that Company may transfer and process Customer Data to and in the United States and anywhere else in the world where Company, its Affiliates or its Sub-processors maintain data processing operations. Company shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.

  • 12.2 Türkiye Data. To the extent that SCALIBIT is a recipient of Customer Data protected by the Türkiye The Personal Data Protection Law, the Parties acknowledge and agree that SCALIBIT may transfer such Customer Data outside of Türkiye as permitted by the terms agreed upon by the Parties and subject to SCALIBIT complying with this DPA and the Türkiye The Personal Data Protection Law.

    SCALIBIT ensures that data transfers from Türkiye comply with the Personal Data Protection Law (KVKK). SCALIBIT applies appropriate legal safeguards, including Standard Contractual Clauses (SCCs) or other legally recognized mechanisms, to maintain compliance with KVKK and other applicable data protection laws.

  • 12.3 Australian Data. To the extent that Company is a recipient of Customer Data protected by the Australian Privacy Law, the Parties acknowledge and agree that Company may transfer such Customer Data outside of Australia as permitted by the terms agreed upon by the Parties and subject to Company complying with this DPA and the Australian Privacy Law.

  • 12.4 EEA Data Transfers. To the extent that Company is a recipient of Customer Data protected by GDPR in a country outside of EEA that is not recognized as providing an adequate level of protection for personal data (as described in applicable European Data Protection Laws), the Parties agree to abide by and process such Customer Data in compliance with the SCCs, which shall be incorporated into and form an integral part of this DPA.

  • 12.5 UK Data Transfers. With respect to transfers to which the UK Data Protection Laws apply, the SCCs shall apply and shall be deemed amended as specified by the UK Addendum. The UK Addendum shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. In addition: Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out in Annexes I and II of the relevant SCCs; and Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party.”

  • 12.6 Swiss Data Transfers. With respect to transfers to which the Swiss DPA apply, the SCCs shall apply in accordance with Section 11.3 with the following modifications:

    - 12.6.1 references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;

    - 12.6.2 references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss DPA;

    - 12.6.3 references to “EU,” “Union” and “Member State law” shall be replaced with “Switzerland”;

    - 12.6.4 Clause 13(a) and Part C of Annex Il shall be deleted; (v) references to the “competent supervisory authority” and “competent courts” shall be replaced with “the Swiss Federal Data Protection and Information Commissioner” and “relevant courts in Switzerland”;

    - 12.6.5 Clause 17 shall be replaced to state “The Clauses are governed by the laws of Switzerland”; and

    - 12.6.6 Clause 18 shall be replaced to state “Any dispute arising from these Clauses shall be resolved by the applicable courts of Switzerland. The parties agree to submit themselves to the jurisdiction of such courts.”

  • 12.7 Compliance with the SCCs. The Parties agree that if Company cannot ensure compliance with the SCCs, it shall promptly inform Customer of its inability to comply. If Customer intends to suspend the transfer of European Data and/or terminate the affected parts of the Website or Products, it shall first provide notice to Company and provide Company with a reasonable period of time to cure such non-compliance, during which time Company and Customer shall reasonably cooperate to agree what additional safeguards or measures, if any, may be reasonably required. Customer shall only be entitled to suspend the transfer of data and/or terminate the affected parts of the Website or Products for non-compliance with the SCCs if Company has not or cannot cure the non-compliance within a reasonable period.

  • 12.8 Alternative Transfer Mechanism. To the extent Company adopts an alternative lawful data transfer mechanism for the transfer of European Data not described in this DPA (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of the transfer mechanisms described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with applicable European Data Protection Laws and extends to the countries to which European Data is transferred). In addition, if and to the extent that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer European Data (within the meaning of applicable European Data Protection Laws), Company may implement any additional measures or safeguards that may be reasonably required to enable the lawful transfer of European Data.

13. JURISDICTION SPECIFIC REQUIREMENTS AND INTERNATIONAL DATA TRANSFERS OF PERSONAL DATA

  • 13.1 Processing of Customer Personal Data under this DPA may involve Processing regulated by one or more Data Protection Laws and/or may involve the international transfer of Customer

  • 13.2 SCALIBIT stores and processes EU Data in data centers located inside and outside the European Union. All other Customer Data may be transferred and processed in the United States and anywhere in the world where Customer, its Affiliates and/or its Sub-processors maintain data processing operations. SCALIBIT shall implement appropriate safeguards to protect the Personal Data, wherever it is processed, in accordance with the requirements of Data Protection Laws.

  • 13.3 Notwithstanding Section 7.1, to the extent SCALIBIT processes or transfers (directly or via onward transfer) Personal Data under this DPA from the European Union, the European Economic Area and/or their member states and Switzerland (“EU Data”) in or to countries which do not ensure an adequate level of data protection within the meaning of applicable Data Protection Laws of the foregoing territories, Customer hereby authorizes any transfer of EU Data to, or access to EU Data from, such destinations outside the EU.

  • 13.4 If Customer Personal Data originates from the United States, the terms relating to the U.S. Data Protection Laws specified in Annex B (California: Section 2, All U.S. States: Section 3 ) to this DPA apply.

  • 13.5 If Customer Personal Data originates from the European Union/European Economic Area (“EU/EEA”), the United Kingdom (“UK”), or Switzerland, or if Customer is established in one or more of those jurisdictions, the terms relating to applicable EU/EEA, UK and/or Swiss Data Protection Laws specified in Annex B (Europe: Section 1, Switzerland: Section 4, United Kingdom: Section 5 ) to this DPA apply.

  • 13.6 Türkiye Data. To the extent that SCALIBIT is a recipient of Customer Data protected by the Türkiye The Personal Data Protection Law, the Parties acknowledge and agree that SCALIBIT may transfer such Customer Data outside of Türkiye as permitted by the terms agreed upon by the Parties and subject to SCALIBIT complying with this DPA and the Türkiye The Personal Data Protection Law.

  • 13.7 Australian Data. To the extent that SCALIBIT is a recipient of Customer Data protected by the Australian Privacy Law, the Parties acknowledge and agree that SCALIBIT may transfer such Customer Data outside of Australia as permitted by the terms agreed upon by the Parties and subject to SCALIBIT complying with this DPA and the Australian Privacy Law.

  • 13.8 If a valid international data transfer mechanism (“Mandatory Transfer Mechanism”) is required to lawfully Transfer Customer Personal Data, the terms specified in Schedule 4 to this DPA apply.

14. RETURN OR DELETION OF PERSONAL DATA

Upon termination or expiration of the Services, all Personal Data shall be deleted, save that this requirement shall not apply to the extent SCALIBIT is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which such Personal Data SCALIBIT shall securely isolate and protect from any further processing, except to the extent required by applicable law.

15. TERMINATION OF THE DPA

This DPA shall remain in effect for as long as SCALIBIT carries out Customer Data processing operations on behalf of Customer or until termination of the Agreement.

If any provision of this DPA is found to be unenforceable, then that provision shall be modified to the extent necessary to make it enforceable and the remainder of this DPA shall remain in effect as written. However, if modifying any unenforceable provision would result the failure of the essential purpose of this DPA, the entire DPA shall be considered null and void unless amended pursuant to Section 16.2.

16. GENERAL

  • 16.1 Complete Agreement; Interpretation. This DPA constitutes the entire agreement between the Parties concerning the subject matter of this DPA and supersedes all prior or contemporaneous representations, understandings, agreements, and communications between the Parties, whether written or verbal, regarding the subject matter of this DPA. In the event of a conflict between this DPA and the Agreement (or any other agreement between the Parties), this DPA will govern and control with respect to the subject matter of this DPA.

  • 16.2 Amendment. This DPA may be modified or amended by SCALIBIT in its sole discretion pursuant to the procedures set forth in the Agreement. If Customer disagrees with such amendment, Customer’s sole remedy is to terminate that portion of the Agreement relating to the Processing of Customer Personal Data on thirty (30) days’ notice. Unless expressly agreed by the Parties in writing, any amendment of this Agreement is effective only with respect to Processing that occurs after the date of such amendment.

  • 16.3 Waiver. The waiver of any breach of this DPA is effective only if in writing by an authorized representative of the Party waiving such breach and no such waiver will be construed as a waiver of any subsequent breach.

  • 16.4 Notices. Except as expressly stated herein, notices required under this DPA will be provided in accordance with the Notice requirements set forth in the Agreement.

    For data protection inquiries, customers can contact SCALIBIT’s Data Protection Officer (DPO) at dpo@scalibit.com. The DPO is responsible for ensuring compliance with GDPR, CCPA, KVKK, and other applicable data protection laws.

  • 16.5 Liability. This DPA does not provide any basis for either Party or any other person to recover damages of any type other than those set forth in the Agreement and subject to all limitations set forth therein.

  • 16.6 Enforcement. The terms of this DPA may only be enforced by the Parties on behalf of themselves and their respective Affiliates in accordance with the dispute resolution provisions set forth in the Agreement. This restriction on enforcement has no effect, however, on an individual Data Subject’s ability to enforce their rights under the Data Protection Laws.

  • 16.7 Termination. Unless terminated earlier pursuant to the Agreement or any other applicable provision of this DPA or any applicable Data Protection Laws, this DPA shall terminate upon the completion of Processing or termination of the Agreement, whichever is later. Following termination of this DPA, SCALIBIT will return, delete, or de-identify Customer Personal Data pursuant to the terms of the Agreement and this DPA, unless SCALIBIT is required to maintain Customer Personal Data pursuant to applicable law. If SCALIBIT is required to retain Customer Personal Data following termination of the Agreement, SCALIBIT will continue to comply with its obligations relating to the Processing of Customer Personal Data under this DPA and will promptly return or delete any such Customer Personal Data after retention is no longer legally required.

17. US PRIVACY LAW & CALIFORNIA PRIVACY LAWS

For the purposes California Privacy Laws and other applicable US privacy laws: (i) we are a “Service Provider”; (ii) you are disclosing Personal Data to us solely for a valid business purpose in providing the Services to you; (iii) we may not sell Personal Data or retain, use, or disclose Personal Data except as required to provide the Services in accordance with the Agreement or as otherwise permitted by California Privacy Law and other applicable US privacy law; and (iv) we will not combine your Personal Data with personal information that we collect or receive from another source (other than information we receive from another source in connection with our obligations to you under the Agreement). We certify that we understand and will comply with these obligations and that we will treat Personal Data with the same level of privacy protection as required by California Privacy Law and applicable US privacy law. You may take reasonable and appropriate steps to help ensure that we use Personal Data in a manner consistent with California Privacy Law and applicable US privacy law obligations. Upon notice, you may take reasonable and appropriate steps to stop and remediate unauthorized use of your Personal Data. Further, we will notify you if we determine that we can no longer meet our obligations under this DPA.

18. LAW AND JURISDICTION

This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the laws of the jurisdiction specified in the Terms of Service.

19. LIMITATION OF LIABILITY AND INDEMNIFICATION

The total liability of each part under this addendum shall be subject to the limitation of liability as set out in SCALIBIT Terms of Service. For the avoidance of doubt, in no instance will SCALIBIT be liable for any losses or damages suffered by Customer where Customer is using Services in violation of its Terms of Service, regardless of whether it terminates or suspend an account due to such violation.

Indemnification. You will indemnify, defend and hold us, our Affiliates and our Subprocessors harmless from and against all claims, damages, losses, liabilities, costs and expenses (including reasonable attorney fees and legal costs) in connection with disputes, controversies, claims or actions made or brought by a third party arising from: (i) you and your End Users' breach of this Agreement or violation of any applicable law; (ii) you and your End Users' authorized or unauthorized use of the SCALIBIT Services; (iii) you and your End Users' authorized or unauthorized access, maintenance or transmission of content or data by or through SCALIBIT Resources; (iv) you and your End Users' wrongful or negligent acts or omission in connection with its performance of any SCALIBIT Service; (v) you and your End Users' infringement or misappropriation of any Proprietary Right(s); (vi) Customer's disclosure of any information that is confidential or protected by law and (vii) as between you and your End Users.

ANNEX 1

Details of Processing of Customer Personal Data

This Annex 1 includes details of Processing Customer Personal Data Required under the Data Protection Laws.

Subject matter and duration of Processing of Customer Personal Data:

The subject matter and duration of Processing of Customer Personal Data are described in the Agreement.

The nature and purpose of Processing of Customer Personal Data:

Processing of Customer Personal Data by SCALIBIT is reasonably required to provide the Services as described in the Agreement.

Type of Personal Data and Categories of Data Subjects:

The types of Customer Personal Data and categories of Data Subjects are controlled by Customer and/or the Controller who provided Customer Personal Data to Customer in its/their sole discretion.

Sensitive Data or Special Categories of Data:

Sensitive Data may, from time-to-time, be Processed pursuant to the Agreement. The types of Sensitive Data Processed under the Agreement are determined by Customer and/or the Controller who provided Sensitive Data to Customer in its/their sole discretion.

Obligations and Rights of the Controller:

The obligations and rights of Customer are described in the Agreement and this DPA.

Data Exporter:

The data exporter is the entity identified as Customer in the DPA.

Data Importer:

The data importer is Company, a provider of web services.

Data Subjects:

Data Subject is defined in Section 2.19 of the DPA.

Security:

The Security Measures implemented by the data importer are as described in Annex 3 to the DPA (Company Security Standards).

ANNEX 2

Technical and Organisational Measures in Accordance with Article 32 GDPR

1. Applicability

  • 1.1 The requirements of this Annex 2 apply to SCALIBIT and any Subprocessor (including but not limited to any cloud service provider) used by SCALIBIT to provide the Services and/or Process Customer Personal Data.

  • 1.2 If SCALIBIT uses any Subprocessor to provide the Services and/or Process Customer Personal Data, SCALIBIT shall ensure that such Subprocessor complies with each of the requirements of this Annex.

2. Information Privacy and Data Security Management

  • 2.1 Risk Management Process. SCALIBIT shall maintain an appropriate risk management process to frame, assess, respond to and monitor risk to Customer Personal Data, consistent with SCALIBIT’s obligations under the Agreement, the DPA, and applicable law.

  • 2.2 Information Security Program Scope. At a minimum, SCALIBIT’s information security program, including all applicable privacy and data protection policies, shall be designed to:

    - 2.2.1 Protect the confidentiality, integrity and availability of Customer Personal Data in SCALIBIT’s possession or control or to which SCALIBIT has access; and

    - 2.2.2 Protect against reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of Customer Personal Data.

  • 2.3 Information Security Program Updates. SCALIBIT will regularly review and update its information security program in accordance with industry standard practices and frameworks appropriate to the type, volume, and sensitivity of Customer Personal Data processed by SCALIBIT.

  • 2.4 Risk Assessments and Testing. SCALIBIT will regularly conduct risk assessments for all systems processing Customer Personal Data and will periodically conduct third-party penetration testing on applications and infrastructure used to provide the Services as reasonably deemed necessary by SCALIBIT.

  • 2.5 Continuity and Resiliency. SCALIBIT will implement appropriate measures to protection the integrity and availability of its systems that Process Customer Personal Data, including measures such as performance and availability monitoring, design of redundant and resilient systems, use of uninterruptable power supplies, DDoS protections, load and stress testing, and other similar measures.

3. Organizational Security

  • 3.1 Accountability. SCALIBIT will develop and implement written information security policies and procedures that clearly define responsibility for protection of Customer Personal Data within SCALIBIT, including designation of one or more specific individuals to be responsible for the administration of SCALIBIT’s information security program and protection of Customer Personal Data.

  • 3.2 Asset Management and Controls. SCALIBIT will maintain an asset management policy and asset controls, including asset classification and an inventory of devices and systems that are used to provide the Services and/or process Customer Personal Data.

  • 3.3 Physical Security. SCALIBIT also shall implement risk-based controls to maintain the physical security of its facilities, including implementing reasonable measures to ensure that only authorized users have access to SCALIBIT’s electronic devices, network, critical systems, applications, server room, communication rooms, and work environments. Measures that SCALIBIT may employ, where appropriate, include but are not limited to alarms, CCTV monitoring, visitor access management, and destruction of Personal Data on physical devices before disposal/recycling.

4. Security Operations

  • 4.1 Secure System Configuration. SCALIBIT will establish controls to ensure that systems used to provide the Services and/or Process Customer Personal Data are securely configured.

  • 4.2 Vulnerability and Patch Management. SCALIBIT will establish and maintain a vulnerability and patch management system that ensures all systems used to provide the Services and/or Process Customer Personal Data are patched against known security vulnerabilities in a reasonable time period based on the criticality of the patch and sensitivity of the Customer Personal Data.

  • 4.3 Malware Prevention. SCALIBIT will implement detection, prevention, and remediation controls to protect against malicious software (including appropriate user awareness programs).

  • 4.4 Logging and Auditing. SCALIBIT will employ a log management program that defines the scope, creation, storage, analysis, and disposal of logs using risk-based industry standards.

  • 4.5 Security Incident Detection and Response. SCALIBIT will maintain risk-based systems for detecting Security Incidents as required by Section 8 of the Agreement, including use of intrusion detection and intrusion prevention systems.

5. Training

SCALIBIT will ensure that its personnel receive regular training regarding their confidentiality and data protection obligations as they relate to Customer Personal Data.

6. Access Controls

  • 6.1 For self-managed dedicated / VPS / Cloud servers, colocation servers and customer solution servers:

    - 6.1.1 Server root passwords are only known to SCALIBIT, either at initial deployment of the server or when the Customer has provided SCALIBIT with the details in order to assist with troubleshooting. SCALIBIT only hold the root password of the server that was current when it was deployed. It is the Customer’s responsibility to ensure passwords are secure and changed when required. SCALIBIT does store the modified root passwords.

  • 6.2 For SCALIBIT Control Panel:

    - 6.2.1 Control Panel passwords are only known to SCALIBIT. Passwords are restricted to authorised staff and controlled using various authentication systems such as Two Factor Authentication, LDAP, Radius and cryptographic key. Note: this does not apply to third party control panels eg. cPanel, Plesk, Centos Web Panel, etc. installed on Customer servers.

    - 6.2.2 SCALIBIT only store Customer’s passwords in an encrypted format.

7. Internal Access Control

  • 7.1 For self-managed dedicated / VPS / Cloud servers, colocation servers and customer solution servers:

    - 7.1.1 The responsibility of access control is with the Customer.

8. Transfer Control

  • 8.1 For Control Panel / Web Hosting / Website / mailboxes:

    - 8.1.1 When a Customer’s service is not renewed and/or is cancelled with SCALIBIT, the Customer’s hosting and data stored on the hosting account is deleted including but not limited to any databases Customers have created for use with the Service. It is the Customer’s responsibility to delete any data from their hosting space, databases or servers before expiry of their Service term.

  • 8.2 For self-managed dedicated / VPS / Cloud servers, and managed services:

    - 8.2.1 When a Customer ends their rental agreements with SCALIBIT, we ensure that the server is delegated into our cancellation delegation where we securely wipe the data on the disks.

  • 8.3 For Colocation servers:

    - 8.3.1 The servers will be returned to the Customer

9. Isolation Control

  • 9.1 For self-managed dedicated / VPS / Cloud servers, colocation servers and customer solution servers:

    - 9.1.1 The Customer is responsible for Isolation control.

10. Pseudonymisation

  • 10.1 For dedicated / VPS / Cloud servers, colocation servers and customer solution servers the Customer is responsible for pseudonymisation.

11. Integrity

  • 11.1 Data Transfer Control:

    - 11.1.1 SCALIBIT employees are trained to ensure that personal data is handled in accordance with appropriate data protection regulations.

    - 11.1.2 The Customer is responsible for ensuring that the data transmitted is encrypted.

12. Data Entry Control

  • 12.1 For SCALIBIT's internal system managing data collection:

    - 12.1.1 Data is entered or collected by the Customer.

    - 12.1.2 Changes in data are logged in the appropriate SCALIBIT system.

  • 12.2 For self-managed dedicated / VPS / Cloud servers, and colocation servers:

    - 12.2.1 The Customer is responsible for input control. Data is entered or collected by the Customer.

  • 12.3 For Managed dedicated / VPS / Cloud servers:

    - 12.3.1 The Customer is responsible for input control. Data is entered or collected by the Customer.

13. Availability and Resilience (Article. 32 Para.1 Clause b GDPR)

  • 13.1 For SCALIBIT’s internal system:

    - 13.1.1 Daily backups of all relevant data realigned for fulfilment of the Services

    - 13.1.2 Employment of security measure (virus scanning, firewalls, encryption of data only where appropriate, spam filters).

    - 13.1.3 Employment of Raid protection on all relevant servers.

    - 13.1.4 Monitoring of all relevant servers.

  • 13.2 For self-managed dedicated / VPS / Cloud servers, colocation servers and customer solution servers:

    - 13.2.1 The Customer is responsible for their own Data backups. This service cannot be backed up and SCALIBIT is not responsible for any backups related to this service.

    - 13.2.2 The Customer should employ software firewalls and restrict ports.

  • 13.3 For unmanaged dedicated / VPS / Cloud servers:

    - 13.3.1 The Customer is responsible for their own Data backups. This service cannot be backed up and SCALIBIT is not responsible for any backups related to this service.

    - 13.3.2 The Customer should employ software firewalls and restrict ports.

  • 13.4. For rapid recovery measures (Article 32 Para. 1 Clause c GDPR):

    - 13.4.1 SCALIBIT has a defined escalation chain which is followed in the event of known issues in order to address the issues promptly.

  • 13.5 Procedure for regular testing, assessments and evaluation (Article. 25 Para.1 GDPR)

    - 13.5.1 SCALIBIT has Incident response policies.

    - 13.5.2 As per Article. 25 Para. 2 GDPR, data protection default settings are taken into account for SCALIBIT software development.

ANNEX 3

Company Security Standards

Capitalized terms not otherwise defined in this document have the meanings assigned to them in the Agreement or DPA.

  • 1. Information Security Program. Company will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Company secure Customer Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the Company Network, and (c) minimize security risks, including through risk assessment and regular testing. Company will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following measures: The Company Network will be electronically accessible to employees, contractors and any other person as necessary to provide the Website and Products. Company will maintain access controls and policies to manage what access is allowed to the Company Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. Company will maintain corrective action and incident response plans to respond to potential security threats.

  • 2. Continued Evaluation. Company will conduct periodic reviews of the security of Company’s Network and adequacy of Data Processor’s information security program as measured against industry security standards and its policies and procedures. Company will continually evaluate the security of Company’s Network to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.

ANNEX 4

International Mandatory Cross Border Transfer Mechanisms

1. Definitions

  • 1.1 The “Data Privacy Framework (‘DPF’)” means the EU-US, Swiss-US, or UK-US Data Privacy Framework certification programs operated by the U.S. Department of Commerce [www.dataprivacyframework.gov].

  • 1.2 The “UK-US Data Bridge” means the UK Extension to the EU-US Data Privacy Framework.

  • 1.3 The “EU Standard Contractual Causes” mean the standard contractual clauses approved by the European Commission and attached in the annex to decision 2021/914 of June 2021.

  • 1.4 The UK International Data Transfer Agreement (“UK IDTA”) issued by the UK Information Commissioner, Version B1.0, is deemed to be executed by the Parties as of the Effective Date of the Agreement, and the EU Standard Contractual Clauses are deemed amended as specified by the UK IDTA in relation to data transfers from the UK.

2. Order of Precedence

  • 2.1 No Mandatory Transfer Mechanism is used if a transfer is made to a country that has been deemed to offer an adequate level of data protection by the Data Protection Laws of the country from which such Customer Personal Data is transferred.

  • 2.2 If a Transfer is required and such Transfer is covered by more than one Mandatory Transfer Mechanism, the Transfer will be subject to a single Mandatory Transfer Mechanism in accordance with the following order of precedence: (a) the applicable EU or Swiss DPF; (b) the UK-US Data Bridge; (c) the EU Standard Contractual Clauses; (d) the UK IDTA; or (e) any other applicable Mandatory Transfer Mechanism permitted under the applicable Data Protection Law.

  • 2.3 If a Mandatory Transfer Mechanism is deemed invalid after execution of this Agreement, all future Transfers will be deemed made by the next applicable valid Mandatory Transfer Mechanism.

DATA PROCESSING ADDENDUM - ANNEX A

Details of Data Processing

1. Categories of Data Subjects: The categories of Data Subjects whose Personal Data is Processed include (a) a user or visitor to the Website; (b) Customer (i.e., an individual with access to a Customer Account); and (c) a Customer user, visitor, customer, subscribe, end-user and other individual about whom Customer has given Company information or has otherwise interacted with Customer via the Website or Products (collectively, a “Customer End-User”).

2. Categories of Personal Data: Customer or Customer End-Users may upload, submit, or otherwise provide certain Personal Data via the Website or Products, the extent of which is typically determined and controlled by Customer in its sole discretion, and may include the following types of Personal data:

  • 2.1 Identification and contact data (name, address, title, contact details, username); financial information (credit card details, account details, payment information); employment details (employer, job title, geographic location, area of responsibility).

  • 2.2 Identification and contact data (name, date of birth, gender, general, occupation or other demographic information, address, title, contact details, including email address); personal interests or preferences (including purchase history, marketing preferences and publicly available social media profile information); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data); financial information (credit card details, account details, payment information).

3. Sensitive Data Processed (if applicable): Company does not want to, nor does it intentionally, collect or process any Sensitive Data in connection with the Website or Products.

4. Frequency of Processing: Continuous and as determined by Customer.

5. Subject Matter and Nature of the Processing: Company provides hosted private cloud services, as more particularly described on the Agreement, Website, Products or Order. The subject matter of the data processing under this DPA is the Customer Data. Customer Data will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities: Storage and other processing necessary to provide, maintain and improve the Website and Products provided to Customer pursuant to the Agreement.

6. Purpose of the Processing: Company shall only process Customer Data for the Permitted Purposes, which shall include: (a) processing as necessary to provide the Website and Products in accordance with the Agreement; (b) processing initiated by Customer in its use of the Website and Products; and (c) processing to comply with any other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement.

7. Duration of Processing and Period for which Personal Data will be Retained: Company will process Customer Data as outlined in Section 14 (Return or Deletion of Personal Data) of this DPA.

DATA PROCESSING ADDENDUM - ANNEX B

Security Measures

The Security Measures implemented by the data importer are as described in Annex 3 to the DPA (Company Security Standards).

Jurisdiction - Specific Terms

1. Europe:

  • 1.1. Objection to Sub-processors. Customer may object in writing to the appointment of a new Sub-processor within thirty (30) days of receiving notice in accordance with Section 9.1 of the DPA, provided that such objection is based on reasonable grounds relating to data protection. In such event, the Parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Company will, at its sole discretion, either not appoint such Sub-processor, or permit Customer to suspend or terminate the affected Product in accordance with the termination provisions in the Agreement without liability to either Party (but without prejudice to any fees incurred by Customer prior to suspension or termination).

  • 1.2. Government Data Access Requests. As a matter of general practice, Company does not voluntarily provide government agencies or authorities (including law enforcement) with access to or information about Company accounts (including Customer Data). If Company receives a compulsory request (whether through a preservation request, subpoena, court order, search warrant, or other valid legal process) from any government agency or authority (including law enforcement) for access to or information about a Company account (including Customer Data) belonging to a Customer whose primary contact information indicates the Customer is located in Europe, Company shall: (a) review the legality of the request; (b) inform the government agency that Company is a processor of the data; (c) attempt to redirect the agency to request the data directly from Customer; (d) subject to the applicable law related to the request, notify Customer via email sent to Customer’s primary contact email address of the request to allow Customer to seek a protective order or other appropriate remedy; and (e) provide the minimum amount of information permissible when responding to the agency or authority based on a reasonable interpretation of the request. As part of this effort, Company may provide Customer’s primary and billing contact information to the government agencies or authorities. Company shall not be required to comply with this paragraph if it is legally prohibited from doing so, or it has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual, public safety, or Company’s property, the Website, or Products, but where Company is legally prohibited from notifying Customer of requests it shall use commercially reasonable efforts to obtain a waiver of the prohibition.

2. California:

  • 2.1. Except as described otherwise, the definitions of: “controller” includes “Business”; “processor” includes “Service Provider”; “data subject” includes “Consumer”; “personal data” includes “Personal Information”; in each case as defined under the CCPA.

  • 2.2. For this “California” section of Annex B only, “Permitted Purposes” shall include processing Customer Data only for the purposes described in this DPA and in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, as otherwise agreed in writing, including, without limitation, in the Agreement, or as otherwise may be permitted for “service providers” under the CCPA.

  • 2.3. Company’s obligations regarding Data Subject requests, as described in Section 10s (Data Subject Rights) of this DPA, extend to rights requests under the CCPA.

  • 2.4. Notwithstanding any use restriction contained elsewhere in this DPA, Company shall process Customer Data to serve or deliver the Website or Products, for the Permitted Purposes and/or in accordance with Customer’s documented lawful instructions, or as otherwise permitted or required by applicable law.

  • 2.5. Notwithstanding any use restriction contained elsewhere in this Annex B, Company may de-identify or aggregate Customer Data as part of serving or delivering the Website or Products specified in this DPA and the Agreement.

  • 2.6. Where Sub-processors process the Personal Information of Customer contacts, Company takes steps to ensure that such Sub-processors are Service Providers under the CCPA with whom Company has entered into a written contract that includes terms substantially similar to this “California” section of Annex B or are otherwise exempt from the CPA’s definition of “sale.” Company conducts appropriate due diligence on its Sub-processors.

3. All U.S. States (including California):

  • 3.1. SCALIBIT may not (a) sell or share Customer Personal Data, (b) retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement, or (c) retain, use, or disclose any Customer Personal Data outside of the direct business relationship between SCALIBIT and Company.

  • 3.2. SCALIBIT’s access to Customer Personal Data is not part of the consideration exchanged by the Parties under the Agreement.

  • 3.3. Customer shall have the right to take reasonable steps to: (a) verify SCALIBIT processes Customer Personal Data in a manner consistent with this DPA, including exercising the rights set forth in Section 11 of the DPA; (b) requiring stopping and remediation of SCALIBIT’s Processing activities conducted in violation of the DPA’s terms, and (c) taking any other reasonable steps (as determined in Customer’s sole discretion) to ensure SCALIBIT’s compliance with this DPA. If SCALIBIT is unable or unwilling to comply with Customer’s reasonable requests pursuant to this Section 3.3, Customer’s sole remedy is to terminate this DPA and that portion of the Agreement that relates to processing of Customer Personal Data.

  • 3.4. SCALIBIT certifies that it understands and will comply with the obligations under the Data Protection Laws and this DPA, including all restrictions on Processing Customer Personal Data.

4. Switzerland:

  • 4.1. When SCALIBIT engages a Subprocessor, it will:

    -4.1.1 Require the Subprocessor to comply with those Technical and Organizational Measures set forth in Sections 7, 8, and 11, and Schedule 2 of the DPA that are appropriate to the nature of processing by the Subprocessor, including but not limited to all Technical and Organizational Measures required by Article 28 of the GDPR; and

    - 4.1.2 Require the Subprocessor to agree in writing to only process Customer Personal Data (a) in Switzerland, (b) in the EU/EEA, (c) in another country that the European Commission has declared to have an “adequate” level of data protection, or (d) on terms set forth in Schedule 4 regarding international Transfers of Customer Personal Data.

  • 4.2. To the extent Customer Personal Data Transfers from Switzerland are made subject to the EU Standard Contractual Clauses (as defined in Schedule 4), the following amendments apply:

    - 4.2.1 References to “Member State” will be interpreted to include Switzerland; and

    - 4.2.2 To the extent Transfers are subject to the Federal Act on Data Protection (“FADP”) references to “Regulation (EU) 2016/679” will be deemed to be references to the FADP.

  • 4.3. To the extent required by the FADP, the EU Standard Contractual Clauses will be deemed to include data relating to legal entities as Customer Personal Data.

5. United Kingdom:

  • 5.1. References to “GDPR” will be deemed to be references to the corresponding laws and regulations of the United Kingdom, including, without limitation the UK GDPR and UK Data Protection Act of 2018.

  • 5.2. When Company engages a Subprocessor, it will:

    - 5.2.1 Require the Subprocessor to comply with those technical and organizational measures set forth in Sections 7, 8, and 11, and Schedule 2 of the DPA that are appropriate to the nature of processing by the Subprocessor, including but not limited to all technical and organizational measures required by Article 28 of the UK GDPR; and

    - 5.2.2Require the Subprocessor to agree in writing to only process Customer Personal Data in (a) the UK, (b) the EU/EEA, (c) another country that the United Kingdom has declared to have an “adequate” level of data protection, or (d) on terms set forth in Schedule 4 regarding international Transfers of Customer Personal Data.

6. Canada:

  • 6.1. Company takes steps to ensure that Company’s Sub-processors, as described in Section 9 (Sub-processing) of the DPA, are third parties under PIPEDA, with whom Company has entered into a written contract that includes terms substantially similar to this DPA. Company conducts appropriate due diligence on its Sub-processors.

  • 6.2. Company will implement technical and organizational measures as set forth in Section 7 (Security of Data Processing) of the DPA.

ANNEX C

List of SCALIBIT Sub-processors

Available upon request

SCALIBIT is a global technology company providing cloud solutions, advanced compute, dedicated server services, and infrastructure — from virtual machines to data center deployments, across the Americas, Europe, Asia-Pacific, Australia, and Africa.

We accept credit and debit cards, digital wallets, local payment methods, bank transfers, and Bitcoin.

Copyright © 2025 SCALIBIT technology. All Rights Reserved.