Data Processing Addendum

Last updated: January 8th, 2026

This Data Processing Addendum (“DPA”), including its annexes, supplements and forms part of the Software-as-a-Service Terms of Use between Relolink, LLC, a Florida limited liability company (“Relolink”), and the undersigned entity or individual receiving services under the Agreement (“Customer”). This DPA governs the processing of Customer’s data in connection with Relolink’s provision of services (the “Agreement”). Relolink and Customer are referred to individually as a “Party” and collectively as the “Parties.” This DPA is effective as of the Effective Date of the Agreement and supersedes any prior data processing agreements between the Parties related to the subject matter herein.

In the event of any conflict or inconsistency between the provisions of this DPA and the Agreement, the terms of this DPA shall prevail solely with respect to data protection and processing obligations. This DPA is designed to ensure compliance with applicable data protection laws and regulations. Any ambiguity in interpretation of this DPA shall be resolved in favor of compliance while maintaining Relolink’s rights as defined in the Agreement, including but not limited to limitations on liability and indemnification provisions. For all other matters not related to data protection or processing, the terms of the Agreement shall govern unless explicitly amended herein.

1. Definitions

The following terms, as used in this DPA, shall have the meanings set forth below. Any undefined terms shall carry the meaning assigned to them in the Agreement.

  • CCPA: Refers to the California Consumer Privacy Act of 2018, including all subsequent amendments, such as the California Privacy Rights Act of 2020 (CPRA), along with any binding regulations adopted under these laws.
  • Controller: The entity or individual responsible for determining the purposes and means of processing Personal Data, either alone or in collaboration with others.
  • Customer Personal Data: Personal Data that forms part of the Customer Data provided to Relolink under the Agreement. Customer Personal Data excludes any data processed by Relolink as a Controller, such as Relolink’s internal business records or data used for marketing and account administration, which are subject to Relolink’s Privacy Policy.
  • Data Protection Laws: Encompasses all applicable privacy, data protection, and security laws, including but not limited to the CCPA, GDPR, FADP, and related regulations or amendments within relevant jurisdictions.
  • Data Subject: Any identifiable individual to whom Customer Personal Data pertains.
  • Data Subject Request: A formal request from a Data Subject to exercise their rights under applicable Data Protection Laws regarding Customer Personal Data held or processed by Relolink.
  • GDPR: Refers to:
    • The General Data Protection Regulation (EU Regulation 2016/679) within the European Union (EU GDPR), or
    • The equivalent regulation as applied under UK law through the UK Data Protection Act 2018 (UK GDPR).
  • Personal Data: Any information relating to an identified or identifiable individual, as defined under applicable Data Protection Laws.
  • Personal Data Breach: An incident leading to unauthorized access, disclosure, alteration, or destruction of Customer Personal Data within Relolink’s custody or control.
  • Processing: Any operation performed on Personal Data, whether automated or manual, including but not limited to its collection, use, storage, or deletion.
  • Processor: A party that processes Personal Data on behalf of the Controller, following their instructions.
  • Restricted Transfer: The movement of Customer Personal Data to a location outside:
    • The EEA, unless the destination has an adequacy decision under GDPR,
    • The UK, unless adequacy standards under UK GDPR are met, or
    • Switzerland, unless recognized as adequate under the FADP.
  • Standard Contractual Clauses (SCCs): Legal safeguards established by the European Commission for data transfers to non-EEA jurisdictions, as updated or replaced.
  • Subprocessor: Any third party engaged by Relolink to process Customer Personal Data on its behalf as part of the services provided under the Agreement.
  • Supervisory Authority: The regulatory body responsible for enforcing Data Protection Laws, such as the European Data Protection Board (EDPB), the UK Information Commissioner’s Office (ICO), or the Swiss Federal Data Protection and Information Commissioner (FDPIC).

 

2. Scope of This Data Processing Addendum

This DPA governs the Processing of Customer Personal Data as outlined in Annex 1 (Data Processing Details). Annex 2 (Europe Annex), Annex 3 (California Annex), and Annex 5 (APAC-Specific Provisions), as applicable, govern Relolink’s Processing of Customer Personal Data in compliance with regional data protection laws.

The provisions of this DPA apply exclusively to Relolink’s Processing of Customer Personal Data as required under applicable Data Protection Laws, including the GDPR, the CCPA, and other similar privacy laws mandating specific data protection terms in agreements between Customers and their Processors or Service Providers.

3. Processing of Customer Personal Data

Relolink agrees to process Customer Personal Data strictly in accordance with Customer’s documented instructions, as outlined in the Agreement or as required by applicable law. In cases where Customer Personal Data is governed by the GDPR, Relolink will comply with the laws of the EU or UK, as applicable.

Customer authorizes Relolink to process Customer Personal Data solely for the purpose of delivering the Services as defined in the Agreement. The Agreement, along with the Customer’s configuration and use of the Services’ features, constitutes the entirety of Customer’s instructions. Any additional instructions from Customer will only be binding if agreed to in writing and incorporated as an amendment to this DPA.

If Relolink determines, in good faith, that any Customer instruction violates applicable Data Protection Laws, it will promptly inform Customer and may suspend the execution of such instruction until the matter is resolved.

Relolink may process PII collected through the “Request Information” feature exclusively on behalf of the Customer and in accordance with documented instructions. Relolink does not determine the purpose or means of processing such data.

  • Customers are responsible for:
    • Ensuring that data collection via the “Request Information” feature complies with applicable data protection laws.
    • Providing external users with required notices, obtaining lawful, explicit, informed consents, and adhering to data subject rights obligations.
  • Relolink will implement appropriate safeguards to protect PII but is not liable for:
    • The content, purpose, or legality of data requests initiated by the Customer.
    • Any failure by the Customer to meet its obligations as a data controller.

Customers importing non-personal data (e.g., property or school information) via web scraping features and tools are responsible for ensuring compliance with applicable laws and third-party agreements. Relolink assumes no responsibility for the legality of scraped data uploaded to or processed within the platform. Scraped non-personal data will be processed only for purposes outlined in Relolink’s Terms of Use and within the limits of user-provided instructions.

4. Relolink Personnel

Relolink will ensure that all personnel authorized to access or process Customer Personal Data are bound by confidentiality obligations, whether contractual or legal, that remain in effect during and after their employment or engagement.

Relolink will limit access to Customer Personal Data to those personnel who require such access to fulfill Relolink’s obligations under the Agreement. Access will be granted based on the principle of least privilege and revoked promptly upon termination of employment or engagement.

5. Security

Relolink will implement and maintain technical, organizational, and physical measures designed to safeguard Customer Personal Data against unauthorized access, loss, alteration, or disclosure. These measures, detailed in Annex 4 (Security Measures), will align with applicable Data Protection Laws and industry standards.

Relolink reserves the right to update or modify its security measures as needed, provided that any such changes do not reduce the overall protection of Customer Personal Data. Relolink will provide prior notice to Customer of material changes that could affect the security or integrity of the data.

6. Data Subject Requests

Customer is responsible for responding to any Data Subject Requests related to the exercise of rights under applicable Data Protection Laws. Relolink will provide reasonable assistance, as requested in writing, to enable Customer to fulfill its obligations in this regard, taking into account the nature of the Processing and the information available to Relolink.

If Relolink receives a Data Subject Request directly, it will promptly notify Customer and, where feasible, direct the Data Subject to submit their request to Customer. Relolink will not independently respond to such requests unless required by applicable law.

Relolink may charge Customer for any additional assistance required beyond the standard features of the Services, provided that such charges are reasonable and disclosed in advance.

7. Personal Data Breaches

Relolink will notify Customer without undue delay upon becoming aware of any Personal Data Breach involving Customer Personal Data. Such notification will include sufficient details to enable Customer to assess the nature and impact of the breach and fulfill any legal or regulatory reporting obligations.

Relolink’s notification of a breach does not constitute an admission of fault or liability. If Customer determines that a notification to a Supervisory Authority, Data Subjects, or the public is required, Customer will consult with Relolink, where permitted by applicable law, to ensure any such communication accurately reflects the facts and includes necessary clarifications.

Relolink will take reasonable steps to investigate the breach, mitigate its effects, and prevent recurrence, keeping Customer informed of relevant developments.

Customer Responsibility for Breaches

Relolink shall not be responsible for any breaches, security incidents, or unauthorized access caused by the Customer, its employees, contractors, or any failure to comply with Customer’s security obligations under the Agreement. In such cases, the Customer is solely responsible for fulfilling any notification obligations and addressing any consequences resulting from the breach.


8. Subprocessing and Roles of the Parties


Roles of the Parties

Relolink acts as a Processor when processing Customer Personal Data in accordance with the Customer’s instructions under the Agreement. In certain cases, Relolink may act as a Controller, such as when processing data for its own account management, analytics, or marketing purposes. Processing performed as a Controller is governed by Relolink’s Privacy Policy and is not subject to this DPA.

Relolink may also process aggregate or anonymized data derived from Customer Personal Data for analytics, benchmarking, and product improvement, provided that such data cannot be linked to any individual or Customer. This processing is not subject to this DPA.

Subprocessor List and Updates

Relolink maintains an up-to-date list of all Subprocessors involved in processing Customer Personal Data. This list is available on Relolink’s website at www.relolink.io and may be provided upon written request from the Customer.

Relolink will update the Subprocessor list to reflect new engagements or replacements at least 30 days prior to the Subprocessor commencing any processing of Customer Personal Data. Customers may subscribe to receive notifications of updates to the Subprocessor list through [insert method, e.g., an email subscription or dashboard].

If Relolink reasonably determines that prior notice is impracticable (e.g., due to urgent service requirements), Relolink will provide notice as soon as possible after the engagement.

By continuing to use the Services after an update to the Subprocessor list, the Customer acknowledges and agrees to the use of the updated Subprocessor(s).

Customer Objections

If a Customer objects to the use of a new Subprocessor based on valid data protection concerns, the objection must be submitted in writing to Relolink within the 30-day notice period. The objection must clearly describe the data protection risks posed by the Subprocessor.

Relolink will evaluate the objection in good faith and may take reasonable steps to address the Customer’s concerns, including reassigning the processing activity to a different Subprocessor where feasible.

If a resolution cannot be reached, the Customer may terminate the affected Services by providing written notice to Relolink. Such termination will take effect:

  1. At the end of the Customer’s current subscription term; or
  2. Earlier if mutually agreed by the Parties.

The Customer will remain responsible for payment of any fees incurred up to the termination date, including fees for any minimum commitments or in-progress services. Relolink will not refund prepaid fees related to terminated Services unless required by law.

Liability for Subprocessors

Relolink ensures that Subprocessors engaged in processing Customer Personal Data are bound by obligations no less protective than those in this DPA. While Relolink is responsible for its Subprocessors’ compliance, Relolink is not liable for damages caused by a Subprocessor’s independent negligence or breach, provided Relolink has taken reasonable steps to vet, engage, and oversee the Subprocessor.

9. Compliance Assistance and Audits

Compliance Assistance

Relolink will provide reasonable assistance to the Customer to comply with applicable Data Protection Laws, including but not limited to:

  1. Security Measures: Supporting the implementation and maintenance of technical and organizational measures necessary to ensure the confidentiality, integrity, and availability of Customer Personal Data.
  2. Incident Management: Assisting with the investigation, mitigation, and reporting of Personal Data Breaches in accordance with this DPA.
  3. Regulatory Compliance: Providing information necessary to complete any legally required data protection impact assessments, consultations with Supervisory Authorities, or other regulatory filings required by applicable law.

Such assistance will be limited to the measures and information reasonably available to Relolink and will not require Relolink to disclose confidential information unrelated to its obligations under this DPA.

Audits and Inspections

  1. Customer’s Right to Audit
    a. The Customer may audit Relolink’s compliance with this DPA and applicable Data Protection Laws, including inspecting Relolink’s data processing facilities, systems, and procedures.
    b. Routine audits may occur no more than once every three (3) years, except in circumstances where:
    • Required by a Supervisory Authority.
    • Triggered by a material data protection breach involving Customer Personal Data.
    • Necessary to fulfill a specific legal obligation.
  2. Notice Requirements
    a. Routine audits require a minimum of sixty (60) days’ written notice.
    b. Expedited audits for urgent regulatory or compliance matters may be requested with at least fifteen (15) business days’ notice.
  3. Scope and Methodology
    a. All audits must be conducted during Relolink’s regular business hours and in a manner that minimizes disruption to Relolink’s operations.
    b. The audit scope must be reasonable, clearly defined, and agreed upon in advance by both Parties.
    c. The Customer may engage an independent, qualified third-party auditor, subject to Relolink’s prior written approval, which will not be unreasonably withheld.
  4. Use of Existing Certifications
    a. Relolink maintains industry-recognized certifications, including [e.g., ISO 27001, SOC 2], and agrees to provide the Customer with the most recent reports upon request.
    b. Where such certifications are up to date and no material changes have occurred, they will be deemed sufficient to meet the Customer’s audit requirements.
  5. Costs and Expenses
    a. Routine audits are conducted at the Customer’s sole expense. Relolink reserves the right to charge reasonable fees for providing support or access required to conduct the audit.
    b. Additional fees may apply for extraordinary audit requests outside the scope of this DPA, such as those requiring custom reports or significant resource allocation.
  6. Confidentiality of Findings
    a. Audit findings, reports, and any related materials constitute Relolink’s Confidential Information and are subject to strict confidentiality obligations.
    b. The Customer agrees:
    • Not to disclose any findings or reports to third parties, including competitors, consultants, or vendors, without Relolink’s prior written consent.
    • To use the findings solely for the purpose of verifying Relolink’s compliance with this DPA.
    • To securely destroy or return all materials upon audit completion, except where legal obligations require their retention.
    c. Any unauthorized disclosure of findings or misuse of audit results will constitute a material breach of this DPA, entitling Relolink to suspend or terminate the Agreement and seek remedies.
  7. Resolution of Findings
    Relolink will promptly address any material non-compliance identified in an audit and notify the Customer of corrective actions taken.

10. Return and Deletion of Customer Personal Data

  1. Return and Deletion
    a. Upon expiration or termination of the Agreement, Relolink will, at Customer’s written direction:
    • Return all Customer Personal Data to the Customer in a structured, commonly used, and machine-readable format; or
    • Delete all Customer Personal Data in its possession, custody, or control, except where retention is required by applicable law.
    b. If no written instructions are provided within thirty (30) days of expiration or termination, Relolink will delete all Customer Personal Data in accordance with its internal data retention and deletion policies.
  2. Exceptions to Deletion
    Relolink may retain Customer Personal Data solely to the extent required by applicable law or to comply with its legal obligations, provided that:
    • Such data is kept confidential and protected with appropriate technical and organizational measures.
    • Relolink only processes the retained data for the purpose specified by the applicable law.
  3. Certification of Deletion
    Upon written request, Relolink will provide the Customer with a certification confirming the deletion of Customer Personal Data, as described above.
  4. Backup Data
    Data stored in Relolink’s backup systems will be securely isolated and deleted in accordance with Relolink’s standard backup retention and deletion schedules, typically within [number of days or months] after deletion from active systems.
  5. Customer Responsibility
    The Customer is responsible for exporting or retrieving its data from the Services prior to the termination or expiration of the Agreement. Relolink shall not be liable for any loss of data following such termination or expiration if the Customer has failed to provide written instructions or retrieve its data.

11. Customer Responsibilities

  1. Security Responsibilities
    a. The Customer is responsible for implementing and maintaining appropriate security measures to protect its use of the Services, including:
    • Securing all account authentication credentials, systems, and devices used to access the Services.
    • Ensuring that access to the Services is restricted to authorized users.
    • Backing up Customer Data as needed.
  2. Compliance with Laws
    a. The Customer warrants that its instructions to Relolink regarding the processing of Customer Personal Data comply with all applicable Data Protection Laws.
    b. The Customer is solely responsible for ensuring that:
    • There is a valid legal basis for Relolink’s processing of Customer Personal Data as described in the Agreement.
    • All necessary notices, consents, and permissions have been obtained from Data Subjects to allow Relolink to process Customer Personal Data in accordance with this DPA.
  3. Prohibited Data
    a. The Customer acknowledges that the Services are not designed to process special categories of data, including but not limited to:
    • “Protected health information” under HIPAA.
    • Sensitive personal data under GDPR or similar laws (e.g., biometric data, genetic data).
    b. The Customer agrees not to submit or include any such prohibited data in the Services.
  4. Requests Beyond Standard Service
    a. Any requests for Relolink’s cooperation, information, or assistance beyond the standard features and tools provided within the Services will be subject to additional fees and must be agreed upon in writing.
    b. Relolink reserves the right to charge for such requests, including but not limited to:
    • Customized reporting.
    • Extensive assistance with regulatory inquiries.
    • Data Subject Request processing outside the scope of the standard Services.
  5. Indemnification
    The Customer agrees to indemnify, defend, and hold Relolink harmless from and against any claims, liabilities, damages, or losses arising from:
    • The Customer’s breach of its obligations under this DPA or applicable Data Protection Laws.
    • The Customer’s failure to obtain necessary consents or provide required notices to Data Subjects.

12. Precedence and Miscellaneous Provisions

  1. Precedence

    In the event of any conflict or inconsistency:

    a. Between this DPA and the Agreement, the terms of this DPA shall prevail solely with respect to the processing of Customer Personal Data.
    b. Between this DPA and any standard contractual clauses or applicable annexes (e.g., Annex 2 or Annex 3), the terms of the standard contractual clauses or annexes shall prevail with respect to Restricted Transfers and their related obligations.
  2. Amendments
    Relolink reserves the right to amend this DPA as necessary to comply with changes in applicable Data Protection Laws, provided that such amendments do not materially reduce the level of protection for Customer Personal Data. Relolink will notify the Customer of any such amendments, and continued use of the Services after such notification constitutes acceptance of the updated terms.
  3. Governing Law and Jurisdiction
    This DPA shall be governed by and construed in accordance with the laws governing the Agreement, unless otherwise required by applicable Data Protection Laws. Any disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the Agreement.
  4. Entire Agreement
    This DPA, including its annexes, constitutes the entire agreement between the Parties concerning the processing of Customer Personal Data and supersedes all prior and contemporaneous agreements, representations, and understandings, whether written or oral, relating to the subject matter.
  5. No Waiver
    The failure of either Party to enforce any provision of this DPA shall not constitute a waiver of its rights under such provision or any other provision.
  6. Severability
    If any provision of this DPA is found to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect. The invalid provision shall be modified to the extent permitted by law to achieve the original intent of the Parties.
  7. Survival
    The provisions of this DPA that by their nature extend beyond the expiration or termination of the Agreement shall survive such expiration or termination, including but not limited to obligations related to confidentiality, liability, data protection, and dispute resolution.

13. Feedback on this Policy

Relolink is committed to maintaining transparent and user-friendly policies that align with regulatory standards and user needs. If you have feedback, suggestions, or concerns specific to this Policy, please contact us at legal@relolink.io.

Our legal team reviews feedback bi-annually or as needed and considers relevant suggestions for incorporation into future policy updates. While not all feedback will result in immediate changes—or changes at all—your input is invaluable in helping us refine our policies for clarity, compliance, and user satisfaction.

14. Language and Governing Version

Non-English translations of this DPA are provided for convenience only. In the event of any conflict, the English version will prevail.

Annex 1: Data Processing Details

This Annex 1 forms part of the Data Processing Addendum between Relolink, LLC (“Relolink”) and the Customer.

1. Customer / Data Exporter Details

  • Name: As specified in the Agreement or applicable ordering document.
  • Contact Details: As specified in the Agreement or applicable ordering document.
  • Customer Role: Controller (or, if Customer uses the Services on behalf of a Controller, Processor).
  • Activities Relevant to Data Processing: Use of Relolink’s SaaS platform and related services as described in the Agreement.

2. Relolink / Data Importer Details

  • Name: Relolink, LLC
  • Contact Details:
    Relolink, LLC
    [Relolink’s Office Address]
    Email: [privacy@relolink.com]
  • Relolink Role: Processor (and Controller where applicable as outlined in the Agreement).
  • Activities Relevant to Data Processing: Provision of SaaS services, including but not limited to data storage, processing, and access management, as described in the Agreement.

3. Categories of Data Subjects

Relolink may process Personal Data relating to the following categories of Data Subjects:

  • Employees, agents, and contractors of the Customer.
  • Customers or clients of the Customer.
  • Business partners, service providers, and affiliates of the Customer.
  • Other individuals whose data is submitted through the Services.

4. Categories of Personal Data

Relolink may process the following categories of Personal Data:

  • Contact details (e.g., name, email address, phone number).
  • Employment information (e.g., job title, department).
  • Identification data (e.g., government IDs, passport numbers).
  • Communication data (e.g., messages, files).
  • Location data (e.g., physical address, geographic location data).
  • System usage data (e.g., login credentials, IP addresses).

5. Special Categories of Data

Relolink does not intentionally process special categories of data (e.g., health, biometric, or racial data). Customers are prohibited from submitting such data unless expressly agreed in writing.

6. Nature and Purpose of Processing

Relolink processes Customer Personal Data solely for the following purposes:

  • To provide, operate, and support the Services as defined in the Agreement.
  • To respond to support inquiries and provide customer assistance.
  • To comply with Customer instructions as outlined in the Agreement and this DPA.
  • To improve and enhance the functionality of the Services, including analytics and troubleshooting.

7. Duration of Processing

Relolink will process Customer Personal Data:

  • For the duration of the Agreement between Relolink and the Customer.
  • As required by applicable laws after termination or expiration of the Agreement.

8. Data Transfers

Relolink may transfer Customer Personal Data to:

  • Subprocessors located in jurisdictions with adequate data protection standards, as outlined in Annex 2.
  • Subprocessors in non-adequate jurisdictions under lawful transfer mechanisms, such as Standard Contractual Clauses (SCCs).

9. Data Retention

Relolink retains Customer Personal Data for the duration of the Agreement. Upon termination or expiration, Relolink will delete or return the data as outlined in the DPA, except where retention is required by law.

Annex 2: Europe Annex

This Annex 2 (Europe Annex) forms part of the Data Processing Addendum and applies to Relolink’s processing of Customer Personal Data subject to the GDPR, including Restricted Transfers from the EEA, UK, and Switzerland.

1. Incorporation of Standard Contractual Clauses (SCCs)

Relolink and the Customer agree to comply with the Standard Contractual Clauses approved by the European Commission in Decision (EU) 2021/914 (the “SCCs”), as supplemented or modified by this Annex. The SCCs are incorporated into this DPA by reference and are available at:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en 

2. Population of SCCs

  • Modules Applicable:
    • Module 2 (Controller-to-Processor): Where the Customer is a Controller, and Relolink is a Processor.
    • Module 3 (Processor-to-Processor): Where the Customer is a Processor acting on behalf of a Controller.
  • Key Terms:
    • Clause 7: Docking Clause is not applicable.
    • Clause 9: Subprocessor requirements align with Section 8 of this DPA. Notifications regarding Subprocessors are provided at: [Relolink Subprocessor List URL].
    • Clause 11: Optional language regarding independent dispute resolution mechanisms is not applicable.
    • Clause 17: The SCCs shall be governed by the laws of Ireland.
    • Clause 18: Disputes under the SCCs shall be resolved in the courts of Ireland.

 

3. Swiss-Specific Requirements

For data transfers subject to the Swiss Federal Act on Data Protection (FADP):

  • References to the GDPR include the FADP.
  • The term “Member State” shall include Switzerland.
  • The governing law for SCCs shall be Swiss law, and disputes shall be resolved in the courts of Switzerland.

4. UK-Specific Requirements

For data transfers subject to the UK GDPR:

  • The SCCs are modified by the UK International Data Transfer Addendum issued by the ICO.

Disputes related to UK transfers shall be governed by UK law and resolved in the courts of the United Kingdom.

5. Transparency and Cooperation

Relolink will provide the Customer with:

  • Relevant documentation, including certifications and Audit Reports, demonstrating compliance with the SCCs.
  • Assistance with supervisory authority requests related to Restricted Transfers.

6. Obligations of the Data Importer (Relolink)

Relolink shall:

  • Implement appropriate safeguards to protect Customer Personal Data during and after transfer.
  • Notify the Customer if unable to comply with the SCCs or applicable data protection laws.
  • Cease processing if instructed by the Customer due to compliance concerns.

Annex 3: California Annex

This Annex 3 (California Annex) applies to Relolink’s processing of Customer Personal Data subject to the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

1. Relolink’s Role as a Service Provider

Relolink acknowledges its role as a Service Provider under the CCPA/CPRA and agrees to:

  • Process Personal Information only for the specific purposes outlined in the Agreement.
  • Not Sell or Share Personal Information, as defined under CCPA/CPRA.
  • Retain, use, or disclose Personal Information only to fulfill its contractual obligations or comply with applicable law.

2. Assistance with Consumer Rights

Relolink will provide reasonable assistance to enable the Customer to comply with Consumer rights under the CCPA/CPRA, including:

  • Access requests.
  • Deletion requests.
  • Requests to know what Personal Information has been collected.

3. Restrictions on Use of Personal Information

Relolink shall not:

  • Use Personal Information for any purpose other than providing the Services.
  • Combine Personal Information received from the Customer with Personal Information from other sources, except as permitted by law.

4. Subprocessors and Third-Party Engagements

Relolink will:

  • Notify the Customer of Subprocessors used to process Personal Information.
  • Ensure Subprocessors comply with similar obligations under CCPA/CPRA.

5. Certification

Relolink certifies that it understands and will comply with its obligations under this Annex.

Annex 4: Security Measures

This Annex 4 forms part of the Data Processing Addendum and outlines the technical and organizational measures Relolink, LLC (“Relolink”) implements to protect Customer Personal Data.

1. Measures of Pseudonymization and Encryption

  • Relolink ensures that all Customer Personal Data is encrypted:
    • In transit: Data is encrypted using TLS 1.2 or higher.
    • At rest: Data is encrypted using AES-256 encryption.
  • Pseudonymization is applied where feasible to minimize the identification of Data Subjects.

2. Measures to Ensure Ongoing Confidentiality, Integrity, Availability, and Resilience

  • Access to Customer Personal Data is restricted to authorized personnel with a legitimate business need, enforced through role-based access controls.
  • Multi-factor authentication (MFA) is required for access to production systems.
  • Relolink maintains robust identity and access management protocols, logging all access to critical systems.
  • Data centers hosting Customer Personal Data are certified for compliance with ISO 27001 and SOC 2 Type II standards.

3. Measures for Restoring Availability and Access

  • Daily backups are performed automatically, with encrypted storage in geographically separate locations.
  • A disaster recovery plan is in place to ensure service restoration within a reasonable time frame, with annual testing of recovery protocols.
  • System redundancies are designed to handle unexpected failures with minimal downtime.

4. Processes for Regular Testing and Evaluation

  • Regular third-party penetration testing is conducted to assess vulnerabilities.
  • Annual internal audits and risk assessments are performed to evaluate the effectiveness of security controls.
  • Compliance audits, including SOC 2 Type II and ISO 27001, are conducted annually to validate adherence to industry standards.

5. Measures for User Identification and Authorization

  • Relolink enforces a principle of least privilege for all system users.
  • Elevated privileges are granted only with documented approval and are logged for audit purposes.
  • User accounts are reviewed periodically to ensure ongoing compliance with access policies.

6. Measures for the Protection of Data During Transmission

  • All data transmitted between Relolink’s systems and third parties is secured using encryption protocols, including HTTPS.
  • Secure channels, such as VPNs or private networks, are used for internal data exchanges.

7. Measures for the Protection of Data During Storage

  • Data is stored in Relolink’s cloud infrastructure, leveraging industry-leading service providers.
  • All stored data is encrypted using customer-specific keys managed via a secure key management service (KMS).
  • Data integrity is monitored through regular checksum verifications.

8. Measures for Ensuring Physical Security

  • Relolink’s office facilities require secure keycard access and are monitored via CCTV.
  • Data centers hosting Relolink’s systems are physically secured by Relolink’s cloud provider (e.g., AWS, Azure) and include 24/7 surveillance, biometric access controls, and redundant power supplies.

9. Measures for Logging and Monitoring

  • Relolink uses centralized logging systems to capture and monitor system activity, including access and modification events.
  • Alerts are configured to detect unusual activity or potential threats in real time.
  • Logs are stored in secure, tamper-proof systems and retained for a minimum of 12 months.

10. Measures for Internal IT and IT Security Governance

  • Relolink has a dedicated Information Security team responsible for implementing and managing security policies.
  • An Information Security Management System (ISMS) is maintained to align with ISO 27001 standards.
  • Security awareness training is provided to all employees annually.

11. Measures for Data Minimization

  • Relolink only collects and processes data necessary for the performance of the Services as outlined in the Agreement.
  • Data retention policies are enforced to ensure timely deletion of unnecessary data.

12. Measures for Data Quality

  • Relolink provides tools for Customers to review and update their data as needed.
  • Automated checks are implemented to identify and flag incomplete or inaccurate records.

13. Measures for Limited Retention and Secure Deletion

  • Data is retained only for the duration of the Agreement unless required by law.
  • Upon termination, data is securely deleted using industry-standard methods unless otherwise agreed in writing.

14. Measures for Data Portability

  • Relolink provides export tools enabling Customers to retrieve their data in a structured, commonly used, machine-readable format.
  • Requests for data export are processed within 30 days.

Annex 5: APAC-Specific Provisions

This Annex 5 forms part of the Data Processing Addendum (“DPA”) and governs the processing of Customer Personal Data subject to applicable data protection laws in the Asia-Pacific (APAC) region. The provisions of this Annex supplement the terms of the DPA and apply specifically to jurisdictions within APAC where Relolink processes Customer Personal Data.

1. Compliance with Local Laws

Relolink agrees to comply with all applicable data protection laws and regulations in the APAC region, including but not limited to:

  • Australia: Privacy Act 1988 and the Notifiable Data Breaches (NDB) Scheme.
  • Singapore: Personal Data Protection Act 2012 (PDPA).
  • Japan: Act on the Protection of Personal Information (APPI).
  • India: Digital Personal Data Protection Act, 2023 (DPDP).
  • China: Personal Information Protection Law (PIPL).

Relolink will make reasonable efforts to remain informed of updates to these laws and adjust its data processing activities accordingly.

2. Data Localization and Cross-Border Transfers

  • Data Localization: Where required by local law, Relolink will ensure that certain Customer Personal Data is stored and processed exclusively within the jurisdiction, including but not limited to China (critical information) and India (sensitive personal data).
  • Cross-Border Transfers: Relolink will implement appropriate safeguards, including:
    • Standard Contractual Clauses (SCCs) where applicable.
    • Obtaining explicit Data Subject consent for jurisdictions requiring it, such as under Japan’s APPI or China’s PIPL.
    • Complying with regulatory approval requirements for transfers in China and other jurisdictions.

Relolink shall maintain a publicly accessible Subprocessor List, detailing the jurisdictions in which Customer Personal Data is processed and stored.

3. Breach Notification Obligations

Relolink will notify the Customer of any Personal Data Breach involving Customer Personal Data within the following timeframes or as otherwise required by local law:

  • Australia: As soon as practicable but no later than 30 days.
  • Singapore: No later than 72 hours after becoming aware of the breach.
  • India: Within a reasonable timeframe as prescribed by the Indian Data Protection Board.
  • China: Immediate notification for significant breaches requiring regulatory reporting.
  • Japan: Within a reasonable timeframe to comply with APPI obligations.

Relolink’s notification shall include:

  • Nature of the breach.
  • Categories and volume of data affected.
  • Mitigation actions taken.
  • Measures to prevent recurrence.

4. Rights of Data Subjects

Relolink will assist the Customer in complying with Data Subject rights under applicable APAC laws, including:

  • Access and Correction: Data Subjects in Australia, Singapore, and Japan have the right to request access to or correction of their Personal Data.
  • Withdrawal of Consent: Data Subjects in Singapore and India have the right to withdraw consent for processing activities.
  • Portability and Deletion: Data Subjects in India and Japan may request deletion or portability of their Personal Data under specific circumstances.

Relolink will provide mechanisms to facilitate these requests, subject to verification of the Data Subject’s identity and any applicable legal exceptions.

5. Subprocessors and Third-Party Engagements

  • Relolink will notify the Customer of any Subprocessors engaged to process Customer Personal Data in the APAC region.
  • Subprocessors are required to comply with obligations consistent with this DPA and applicable local laws.
  • The Subprocessor List will be updated and available at [Relolink Subprocessor List URL].

6. Consent and Data Collection Obligations

  • Relolink ensures that Customer Personal Data is collected lawfully, with appropriate consent mechanisms as required under local laws such as Singapore’s PDPA and India’s DPDP.
  • Where explicit consent is required for processing sensitive data, Relolink will implement mechanisms to obtain and document such consent.

7. Data Retention and Deletion

  • Relolink will retain Customer Personal Data only for as long as necessary to fulfill the purposes outlined in the Agreement or as required by local laws.
  • Upon request or contract termination, Relolink will delete or anonymize Customer Personal Data in accordance with applicable legal requirements, including:
    • China’s PIPL mandatory deletion clauses.
    • India’s DPDP provisions for timely deletion upon purpose fulfillment.

 

8. Security Measures

Relolink implements robust technical and organizational measures to secure Customer Personal Data processed in the APAC region, consistent with Annex 4 of this DPA and applicable local requirements.

  • Data encryption is mandatory for storage and transmission.
  • Multi-factor authentication is required for all personnel accessing production systems.
  • Regular security audits are conducted to ensure compliance with APAC-specific standards.

9. Regulatory Cooperation

Relolink will cooperate with APAC regulators as required by local laws, including but not limited to:

  • Responding to regulator inquiries and investigations.
  • Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities as required by Singapore’s PDPA, Japan’s APPI, and China’s PIPL.

10. Governing Law and Dispute Resolution

  • For disputes involving Customer Personal Data processed under this Annex, the governing law shall be the local law of the jurisdiction in which the data originated, unless otherwise agreed in the Agreement.
  • Relolink will engage in good faith to resolve disputes through mediation or arbitration as required by local laws or contractual obligations.
