Terms of Service for Issuers

Applicable as of 18 October 2023

We are Programmable Equity OÜ, an Estonian company with registry code 16320994 and registered address Kristjani road 4, 74015, Harju county, Estonia, hereinafter “we”, “us”, “our” or “KOOS”.

We are operating the website https://koos.io/, its subdomains (the “Website”) and the KOOS solution, including the software, databases, interfaces, mobile application, associated media, documentation, updates, new releases and other components or materials incorporated therein or integrated therewith (hereinafter collectively the “Platform”). Through the Platform, we provide software and solutions to help companies and other organisations (the “Issuer”, “you”, “your”) to motivate, thank or otherwise remember certain persons (the “Contributors”) by issuing them virtual shares (the “Virtual Shares”). The Virtual Shares may be attached with certain rights or benefits. Such rights and benefits will be recorded in the terms of Virtual Shares (the “Terms of Virtual Shares”) The Contributors that have accepted the Virtual Shares will be registered in the register of Virtual Shares as holders of Virtual Shares (the “Virtual Shareholders").

In addition to solutions and services made available via the Platform KOOS may provide you certain community coaching services to assist you in the preparation of your community engagement strategy and support you in its implementation. Such services are of advisory nature that are provided in reliance on information and input provided by you and with the understanding that the responsibility for the implementation of the strategy lies with you.

Any service made available by KOOS via the Platform or otherwise to the Issuers is hereinafter referred to as the “Issuer Service” or the “Issuer Services”. The specific content, scope and description of the Issuer Services may vary from time to time.

By accepting these Terms, you confirm that you have carefully read and understood these Terms of Service for Issuers (the “Terms”) and agree to be bound by them. We may add separate appendices to these Terms which form integral part of these Terms. These Terms, its appendices, and the documents referenced herein form together a legally binding agreement between you and us (the “Agreement”) that shall govern the provision of respective Issuer Services.

Issuers using the Platform have previously also issued and registered tokens which represent various rights as specified in respective terms and conditions of such instruments. Although in these Terms we only use the term ‘virtual share’, they continue to apply also to the Issuer Services in relation to such token programs. Therefore, references to ‘virtual shares’ in these Terms refer also to ‘tokens’ unless the context requires otherwise.

In case these Terms are published also in a language other than English and there is any discrepancy or conflict between the English version and the version in other language, then the English language version shall prevail.

1. OUR ISSUER SERVICES
   1. These Terms govern the provision of all Issuer Services which are made available by us to you through the Platform or otherwise as described herein, including any issuer services which are not defined in these Terms, but which are made available to you through the Platform.
   2. The Issuer Services include, above all, access to the Platform to help you to issue Virtual Shares, generate Terms of Virtual Shares based on our templates and keep record of the Virtual Shares, the Contributors, the Virtual Shareholders and Terms of Virtual Shares.
2. USE OF THE ISSUER SERVICES
   1. Subject to the Terms, we hereby grant to you a limited non-exclusive, non-sublicensable and non-transferable right/license to use the Issuer Services.
   2. The Issuer Services are provided to you on an “as is” and “as available” basis without any warranties of any kind either express or implied. We may update, improve, or change the Platform and/or the Issuer Services, including add and remove features at any time.
   3. To access the Platform and/or the Issuer Services, you must have an account. To create such account, you may need to complete certain procedures. If you generate a username and/or password or if we generate a private key to you in such process, you should keep them confidential and securely. You should change any password regularly. You should inform us immediately if you get information about any breach of security or unauthorized use of your account.
3. FEES AND PAYMENT
   1. The Issuer Services are subject to fee(s) (the “Fee” or “Fees”).
   2. The amounts of Fees will be made available to you on the Website, by e-mail (for example, through a link in the e-mail) or in any other manner accepted by you in the course of use of the Issuer Services.
   3. You acknowledge and agree that we may unilaterally change the Fees at any time and from time to time when there is an objective justification for that. Above all, we may unilaterally change the Fees in case (i) there is any change in our costs, expenses, risks and/or liabilities relating to the provision of the Issuer Services, including, without limitation, due to changes in laws and regulations and/or in the interpretation and application of the laws and regulations or (ii) there are other objective reasons of whatsoever nature. We shall notify you of changes in Fees by e-mail, on the Website or in any other manner accepted by you at least 14 days in advance. If you do notf agree with such amendments, you may terminate the Agreement by notice in writing to us.
   4. The amounts of Fees are exclusive of value added tax (VAT) which will be added in accordance with applicable laws.
   5. You shall pay the Fees in accordance with our invoices by a bank transfer to our bank account specified in the invoice or through a card payment.
   6. The Fees are non-cancellable and non-refundable.
4. LEGAL, FINANCIAL, TAX AND SIMILAR MATTERS
   1. As KOOS is a software company, we are not professional advisers in legal, tax, financial or accounting matters. However, we would like to draw your attention to certain legal, regulatory, tax and similar matters that may be relevant in connection with the Virtual Shares. For example:
      1. your offering and issuance of the Virtual Shares to Contributors and other actions that you may take in connection with the Virtual Shares and (all collectively “Virtual Share Actions”) may be regulated by different laws and regulations, including tax laws, advertising laws, consumer protection laws, data protection laws (including GDPR), anti-money laundering and terrorist financing laws and securities, investment and financial services laws; you should ensure that you comply with all such laws and regulations and, if necessary, consult with professional lawyers and other competent advisors;
      2. the Virtual Share Actions may also require certain approvals, shareholders’ resolutions, board resolutions or other similar actions under your articles of association and other corporate governance rules as well as agreements you have signed (for example, shareholders’ agreements and financing agreements); you should ensure that you comply with all such requirements;
      3. although we may have provided you some general guidance on some general tax aspects that may be relevant to the Virtual Share Actions based on currently effective laws and currently prevailing practices, you should consult with professional tax advisors to fully understand the tax consequences of any Virtual Share Action and make sure that all taxes are duly paid or withheld;
      4. you should make sure that the templates for Terms of Virtual Shares suit your needs and resources, as you will be the one responsible for the fulfilment of obligations arising from Virtual Shares and Terms of Virtual Shares;
      5. you should also ensure that all your communication with Contributors/Virtual Shareholders in relation to the Virtual Shares is not ambiguous, deceptive, misleading, or otherwise objectionable;
      6. you acknowledge that the community coaching services we may provide you are provided in good faith and on a best efforts basis and it should not be deemed as an advice on legal, tax or financial matters.
   2. We are providing our Issuer Services on the assumption and condition that you select all Contributors/Virtual Shareholders yourself and you will have a direct legal relationship with Contributors/Virtual Shareholders. We act as an operator of the Platform that helps you to record Virtual Shareholders and Terms of Virtual Shares. We are not the issuers of any Virtual Shares and neither do we act as a broker, agent or other intermediary in bringing the Contributors to your attention or in making any decisions regarding the reservation or recall of the Virtual Shares.
   3. You mandate us, through certain Platform functionalities, to collect information from the Contributors and Virtual Shareholders, to check and determine compliance with certain eligibility criteria under the Terms of Virtual Shares, to provide acceptance to the Terms of Virtual Shares by the Contributors/Virtual Shareholders and, if applicable, to facilitate payment processing in connection with the exercise of rights arising from the Virtual Shares. If the Terms of Virtual Shares allow Virtual Share transfers, the Platform may enable Virtual Shareholders to make such amendments to the register of Virtual Shareholders as is necessary for registering the transfers. All these functionalities of the Platform are operated, and the related Issuer Services are carried out, on your behalf.
   4. You acknowledge and agree that we are able to provide the Issuer Services only with respect to such Virtual Shareholders that identify themselves with us as set out in Terms of Virtual Shares and agree to the Terms of Virtual Shares.
   5. It is mandatory to use the template of the Terms of Virtual Shares that we have provided to you. You may adjust those provisions of the template that describe your Virtual Shares and specific rights represented by Virtual Shares, but the final version of the Terms of Virtual Shares must be approved by us. Any other changes in the template may be made only with good reason. All changes in the Terms of Virtual Shares must be submitted for our approval. Upon the implementation of any changes without our approval, we may suspend our Issuer Services or terminate the Agreement.
   6. You must ensure that the rights and obligations represented by Virtual Shares do not qualify as financial instruments, e-money, virtual currencies (Est. virtuaalvääring) or any other type of asset within the scope of financial sector regulations.
5. ADDITIONAL OBLIGATIONS
   1. You and us both must ensure that all information that we provide each other in connection with the Issuer Services, including information that you provide on your client account, is current, complete and accurate.
   2. You and us both must provide each other with all necessary cooperation in relation to this Agreement and all information and documents that may be required for the performance this Agreement. You and us both must comply with requests and orders of public authorities and regulatory bodies relating to the use of the Issuer Services.
   3. You must ensure that all devices, software and hardware used in connection with your use of the Issuer Services are fit for using the Issuer Services.
   4. You must use all reasonable endeavours to prevent any unauthorised access to, or use of, the Issuer Services.
   5. We also request your compliance with the following restrictions and obligations that we consider customary for any software services agreement: you should not use the Issuer Services or the Platform in a way that (a) is unlawful, unethical, deceptive, misleading or in conflict with industry practices, or (b) is harmful, threatening, defamatory, infringing, harassing or discriminatory, or (c) may infringe the intellectual property rights or other rights of any third party; you should also not (i) use the Issuer Services or the Platform in any manner that could negatively affect other users from fully enjoying the Issuer Services or the Platform; (ii) attempt to circumvent any content filtering techniques or security measures that we employ for the Issuer Services or the Platform, or attempt to access any service or area of the Issuer Services or the Platform that you are not authorized to access; (iii) use any robot, spider, crawler, scraper, or other automated means or interface not provided by us, to access the Issuer Services or the Platform or to extract data; (iv) use or attempt to use another client’s account or Virtual Shareholder’s account without authorization; (v) introduce any malware, virus or other harmful material into the Issuer Services or the Platform; (vi) use the Issuer Services or the Platform from a jurisdiction that we have determined to be a jurisdiction where the use of the Issuer Services or the Platform is prohibited; (vii) access any part of the Issuer Services or the Platform to build a product or service which competes with the Issuer Services or the Platform.
   6. When you communicate with the Contributors or Virtual Shareholders on the Platform, including share any updates or notices, you may only post content that you own, have created, or that you have clear permission to publish. You may not post false, inaccurate, misleading, unlawful, obscene, defamatory, or libellous content on the Platform. We have no obligation to pre-screen or endorse any of the content you post, but we have the right in our sole discretion to refuse, edit, move, or remove any your content, that is submitted on or through the Platform, without any prior notice.
   7. For the purpose of facilitating interaction among the communities of different Issuers on the Platform, we have the right to display the information related to you and the Virtual Shares to the Contributors and Virtual Shareholders of other Issuers, and vice versa, the information related to other Issuers and their Virtual Shares to your Contributors and Virtual Shareholders.
   8. As a precondition to provide (or continue to provide) the Issuer Services, we may require that Contributors/Virtual Shareholders provide us certain information or documents or take other actions (e.g., to comply with anti-money laundering, terrorist financing prevention laws and regulations, and applicable financial sanctions) from time to time. We ask you to cooperate with us to procure that such information and/or documents are provided and other actions taken in a timely manner.
6. INTELLECTUAL PROPERTY RIGHTS
   1. You acknowledge and agree that we and/or our licensors own all intellectual property rights in the Platform and the Issuer Services. Except as expressly stated herein, this Agreement does not grant you intellectual property rights or other rights in respect of the Platform and the Issuer Services.
   2. Except as may be allowed by mandatory provisions of applicable law, you shall not (i) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit or distribute all or any portion of the Platform by any means or (ii) attempt to de-compile, reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Platform.
   3. We confirm that we have all the rights in relation to the Issuer Services that are necessary to grant all the rights we purport to grant under this Agreement.
   4. You hereby warrant that the information, corporate visual images, or other works you upload while using Issuer Services does not infringe any rights of any third party, including the intellectual property rights of any third party. You hereby agree to fully indemnify and hold the us harmless from and against all damage, liabilities to third parties and all losses incurred in connection with claims by third parties resulting from breach of third-party rights related to such information, corporate visual images or other works, including intellectual property rights.
   5. We acknowledge and agree that the corporate visual images or other works uploaded to the Platform is your intellectual property. You hereby grant us the non-exclusive, non-transferable (expect to the extent necessary to perform the Issuer Services to you pursuant to Agreement), free of charge and worldwide right to display the corporate visual images or other works and information on the Platform generally, and to otherwise use the corporate visual images or other works and information for the provision of the Issuer Services to you during the term of the Agreement.
7. DATA PROTECTION
   1. In order to provide you the Issuer Services, we act as the data processor and process certain personal data about Contributors/Virtual Shareholders. Therefore, you must ensure that there exists a legal ground for processing the personal data of Contributors/Virtual Shareholders listed in Appendix 1 of the Appendix A.
   2. You and us both must comply with all data protection legislation, including GDPR that applies to the data processed under this Agreement.
   3. Your and our roles and responsibilities regarding data processing in the context of this Agreement are set out in Appendix A.
   4. You must ensure that the Contributors/Virtual Shareholders Holders have granted consent that gives us the right, or that a contract exists or will exist with them for the performance of which we are entitled, to contact them in connection with the Issuer Services and Virtual Share Actions and any changes in them as well as for the purposes of marketing our products and services.
8. LIMITATION OF LIABILITY
   1. We are not liable to you, under the Agreement or otherwise, for any damages other than direct proprietary damages. This limitation does not apply in case the damage is caused intentionally.
   2. You are not liable to us under the Agreement for any damages other than direct proprietary damages, unless set out otherwise in the Agreement. This limitation does not apply in case the damage is caused intentionally.
   3. You agree to compensate us, our employees and directors, contractors and entities belonging to the same group with us, all damages, including fees and costs related to the settlement of claims, protecting our rights or participating in proceedings of every kind and nature whatsoever, that are caused by you or by any of your employees, directors, contractors or entities belonging to the same group with you and that arise out of, or are related to, the alleged or actual breach of the Terms of Virtual Shares or otherwise related to your Virtual Shares.
   4. We are liable for breach of this Agreement if we have committed such breach intentionally or as a result of gross negligence. The liability for other breaches is excluded.
   5. We are not liable for, and you may not rely on, any breach, event or circumstance that has been caused by or is attributable to any action or omission of, or other circumstance depending on any third person, including, without limitation any vulnerability, failure, unavailability, inaccessibility, delay, no-response, abnormal behaviour, change of terms, of software or any other features of the Platform that are provided or are dependent on any third person.
   6. Our aggregate liability under this Agreement shall be limited to the total amount of fees that you have paid during six months preceding the date on which the claim arose. This limitation does not apply in case the damage is caused intentionally.
9. TERMINATION OF AGREEMENT; SUSPENSION OF SERVICES
   1. You may terminate this Agreement unilaterally (a) ordinarily by giving us at least 30 calendar days’ advance notice in writing, or (b) extraordinarily by notice in writing in case we commit a material breach of our obligations under this Agreement.
   2. We may terminate this Agreement unilaterally extraordinarily by notice in writing in case you commit a material breach of your obligations under this Agreement.
   3. We may suspend the provision of the Issuer Services and/or restrict your access to your account without prior notice if (a) you materially breach the Agreement or have not remedied any breach within a reasonable cure-period granted (b) we have a reasonable suspicion of your fraud or your inappropriate activity and/or (c) this is necessary to ensure the security of the Platform and/or other users of our services.
   4. We may terminate this Agreement unilaterally extraordinarily also in case any actions or omissions of any third party or other circumstances depending on any third party (including change in laws or regulations or actions by any public authority) materially impair our ability to provide the Issuer Services to you and such situation is not of temporary nature.
   5. Upon the termination of this Agreement for any reason, we may erase your data held with us, except in case we receive, within ten days after the effective date of termination, your written request to deliver the most recent back-up of such data to you. In such case, we use reasonable efforts to deliver the back-up to you in a mutually agreed form within 30 days of the receipt of such request, provided you take actions on your part to receive such data.
10. LINKED SITES AND THIRD-PARTY CONTENT
    1. The Platform and the Issuer Services may include links to other websites or services or to third party content.
    2. We do not endorse any such linked sites or third-party content or the information, material, products, or services contained on or accessible through linked sites. Access and use of linked sites, including the information, material, products, and services on linked sites or available through linked sites is solely at your own risk.
11. AMENDMENTS TO THE TERMS
    1. We may unilaterally amend these Terms in case (i) we improve, change, adapt or adjust any of the Issuer Services and/or the Platform, including add or remove any features or elements of the Issuer Services and/or the Platform (ii) there is any change in our costs, expenses, risks and/or liabilities relating to the provision of the Issuer Services, including, without limitation, due to changes in laws and regulations and/or in the interpretation and application of the laws and regulations and/or (iii) there are other objective reasons of whatsoever nature. If we make any such amendments, we shall notify you by providing an updated Terms by e-mail, through the Platform or in any other manner accepted by you in the course of the use of the Issuer Services.
    2. We may also unilaterally amend these Terms on grounds not specified in Section 11.1. If we make any such amendments, we shall notify you in the same manner as provided in Section 11.1 at least 14 days in advance. If you do not agree with such amendments, you may terminate the Agreement by notice in writing to us.
12. CONFIDENTIALITY
    1. The information about a party that the other party obtains in the course of preparation or performance of this Agreement which such party had not obtained without the entry into this Agreement shall be considered as confidential information. The party shall not disclose the other party’s confidential Information to any third party nor use such information for any purpose other than the performance of this Agreement, except (i) upon the prior consent of the other party or (ii) if the disclosure is required under applicable laws and regulations or (ii) the confidential Information is disclosed to the party’s banks, auditors or professional consultants and advisers who are bound by an obligation to hold such information confidential.
    2. However, a party may disclose the fact of entry into this Agreement and the name, trademark and logo of the other party in its press materials, on the Platform and their websites, and in other sales and marketing materials for the purposes of the promotion of its services.
    3. The obligations set forth in Section 12 of this Agreement shall survive the termination of the Agreement and shall apply, in respect of each item of Confidential Information, for a period of three years after the disclosure of the respective item of Confidential Information.
13. FINAL PROVISIONS
    1. If any provision of this Agreement is invalid or unenforceable you and us shall make best efforts to replace such provision to achieve the effect closest to the original provision.
    2. This Agreement constitutes the entire agreement between you and us with respect to the subject matter hereof and supersedes all other prior declarations of intent, agreements and other communication between you and us with respect to the subject matter hereof (merger clause).
    3. This Agreement shall be governed by Estonian laws. Any dispute or claim arising out of this Agreement shall be subject to jurisdiction of Harju County Court (Harju Maakohus) in Estonia as the court of first instance.
    4. Any notice or other communication to you under these Terms is deemed duly delivered if it is sent to your e-mail address registered with us. If you would like to change such e-mail address, please notify us in accordance with Section 13.5.
    5. Unless otherwise specified in the Terms any notice or other communication under these Terms must be in a form reproduceable in writing and, in case of notice to us, it must be sent to the e-mail address specified below:

       Name:	Programmable Equity OÜ
       Address	Kristjani road 4, 74015 Viimsi vald, Estonia
       E-mail	info@koos.io

APPENDIX – A

DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA“) between you and us (the “Parties”) forms an integral part of the Terms/ the Agreement.

WHEREAS:

1. You act as the Controller.
2. You have entered an agreement with us to purchase from us certain Services. In the course of provision of the Issuer Services, we need to process personal data for you.
3. By this DPA, the Parties enter into a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

IT IS AGREED AS FOLLOWS:

1. DEFINITIONS AND INTERPRETATION
   1. Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
      1. “DPA” means this Data Processing Agreement and all Schedules;
      2. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
      3. “Data Transfer” means:
         1. a transfer of Issuer Personal Data from you to us; or
         2. an onward transfer of Issuer Personal Data from us to a Subprocessor, or between two establishments of us;
      4. “EEA” means the European Economic Area;
      5. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
      6. “GDPR” means EU General Data Protection Regulation 2016/679;
      7. “Issuer Personal Data” means any Personal Data Processed by us on behalf of you pursuant to or in connection with the Agreement;
      8. “Services” means the Issuer Services provided by us to you;
      9. “Subprocessor” means any person appointed by or on behalf of us to process Issuer Personal Data on behalf of you in connection with the DPA.
   2. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processor”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. PROCESSING OF ISSUER PERSONAL DATA
   1. We shall:
      1. comply with all applicable Data Protection Laws in the Processing of Issuer Personal Data; and
      2. not process Issuer Personal Data other than to perform the obligations and exercise rights arising under the Agreement or pursuant to your relevant documented instructions.
   2. If the applicable law prohibits us from performing certain data processing operations requested by you, we shall act under the applicable law and notify you about the reason of the non-performance.
   3. You hereby instruct us to process Issuer Personal Data. You instruct us to receive or collect and process the Issuer Personal Data items as listed in Appendix 1 to this DPA.
      You may provide us additional instructions during the term of this DPA. Instructions shall be provided at least in a form that enables written reproduction (via email, for example).
   4. You shall ensure that you have a valid legal ground for making the Issuer Personal Data under the Agreement and this DPA available to us for Processing. Where appropriate and required under the applicable law, you shall obtain valid consents from the involved data subjects or have other valid legal basis under the GDPR.
      You shall also ensure and be responsible that you comply with all requirements applicable to the data controller under the GDPR and other applicable laws. This includes, but is not limited to, the requirement to provide data subjects transparent information concerning the Processing of their personal data, etc.
   5. You shall inform us immediately of withdrawal of the consent for data Processing by any Contributor/Virtual Shareholder or termination of any other legal ground for Processing the Issuer Personal Data.
3. OUR PERSONNEL
   We shall take reasonable steps to ensure the reliability of any employee, agent or contractor of us who may have access to the Issuer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Issuer Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual’s duties to us, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. SECURITY
   1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall in relation to the Issuer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
   2. We follow generally accepted industry standards to protect the information submitted to us, both during transmission and once we receive it. We maintain appropriate administrative, technical and physical safeguards to protect Personal Data against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of Processing of the Personal Data in our possession. This includes, for example, firewalls, password protection and other access and authentication controls. We use SSL technology to encrypt data during transmission through public internet, and we also employ application-layer security features to further anonymize Personal Data. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. We cannot ensure or warrant the security of any information you transmit to us or store on the Service, and you do so at your own risk. We also cannot guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.
   3. If we learn of a security systems breach, we will inform you and the authorities of the occurrence of the breach in accordance with applicable law.
   4. We shall review the applicable security measures from time to time and you have a right to give us recommendations concerning the applicable security measures.
5. SUBPROCESSING
   1. You hereby give us a general authorisation to engage Subprocessors. We shall ensure that the same data protection obligations as set out in this DPA and in the applicable law are imposed on each Subprocessor engaged by us by way of a contract concluded between us and the relevant Subprocessor. We shall remain fully liable to you for the performance of data processing related obligations by the Subprocessor.
   2. Please note that we may change or add Subprocessors from time to time. We do not have an obligation to notify you in advance if we want to change or add Subprocessors. You have the right to ask from us the list of current Subprocessors at any time and we shall provide you this information without undue delay, but in no longer than 30 days.
6. DATA SUBJECT RIGHTS
   1. Taking into account the nature of the Processing and information available to us, we shall assist you in ensuring the compliance with the obligations pursuant to GDPR Articles 32 to 36.
   2. Considering clause 6.1., inter alia, we shall assist you by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligations, as reasonably understood by you, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
   3. We shall:
      1. notify you if we receive a request from a Data Subject under any Data Protection Law in respect of Issuer Personal Data; and
      2. ensure that we do not respond to that request except pursuant to your documented instructions or as required by applicable laws to which we are subject, in which case we shall to the extent permitted by applicable laws inform you of that legal requirement before we respond to the request.
7. PERSONAL DATA BREACH
   1. We shall notify you without undue delay if we become aware of a Personal Data Breach affecting Issuer Personal Data, providing you with sufficient information to allow you to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
   2. We shall co-operate with you and take reasonable commercial steps as are directed by you to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
   We shall provide reasonable assistance to you with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which you reasonably consider to be required by articles 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Issuer Personal Data by, and taking into account the nature of the Processing and information available to us.
9. DELETION OR RETURN OF ISSUER PERSONAL DATA
   We shall, no later than within 30 calendar days of the date of cessation of any Services involving the Processing of Issuer Personal Data, delete and procure the deletion of all copies of those Issuer Personal Data unless we have a valid legal basis for retaining data for a longer period (such as our legitimate interest or legal obligation, for example).
10. AUDIT RIGHTS
    1. Subject to this Section 10, we shall make available to you on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by you or an auditor mandated by you in relation to the Processing of the Issuer Personal Data by us.
    2. Your information and audit rights only arise under Section 10.1 to the extent that the DPA does not otherwise give you information and audit rights meeting the relevant requirements of Data Protection Law. You shall notify us of the wish to perform the audit reasonably and not less than 30 days in advance. You or an auditor appointed by you shall carry out the audit during regular working hours and so that the audit interferes with our regular business activities as little as possible. All costs related to the audit shall be payable by you.
11. DATA TRANSFER
    We may not execute Data Transfer or authorize the Data Transfer to countries outside the EU and/or the European Economic Area (EEA) without your prior approval unless this is permitted under this clause. You allow us to transfer Issuer Personal Data outside the EEA, including involving Subprocessors located outside the EEA, if the transfer is made on the basis of the adequacy decision by the European Commission or we have adopted other appropriate safeguards as required by Chapter V of the GDPR (e.g., standard contractual clauses adopted by the European Commission). If we transfer Issuer Personal Data outside EEA, you may request from us information about the countries to which such data is transferred, and about the adopted safeguards. In the event that any of the implemented measures prove to be insufficient to meet the requirements arising from this applicable law (Chapter V of the GDPR in particular) for the transfer of Issuer Personal Data outside the EEA to be lawful, we will make reasonable efforts to implement a data transfer mechanism that meets the requirements of the applicable law (Chapter V of the GDPR in particular) or shall terminate such Data Transfer.
12. GOVERNING LAW AND JURISDICTION
    1. This DPA is governed by Estonian laws.
    2. Any dispute arising in connection with this DPA, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Harju County Court (Harju Maakohus) in Estonia.

Appendix 1 to DPA

Categories of Data Subjects and Types of Personal Data