Data Processing Agreement

Effective: April 6, 2026

1. Scope and Parties

This Data Processing Agreement ("DPA") supplements the Terms of Service between Artyql, on behalf of Dammar and Partners Pte Ltd. (UEN 202510485Z) ("Processor") and the Customer ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller pursuant to Article 28 of Regulation (EU) 2016/679 ("GDPR").

This DPA applies where the Customer submits personal data to the Artyql platform and Artyql processes such data on the Customer's behalf.

2. Subject Matter and Duration

The Processor will process personal data for the duration of the Terms of Service to provide the Artyql consumer intelligence platform, including product management, supplier and customer relationship management, regulatory compliance, and analytics functions. Processing continues until the agreement terminates and all personal data is deleted or returned.

3. Categories of Data Subjects and Personal Data

Data subjects include: the Customer's employees and authorized users, the Customer's suppliers' and customers' contact persons, and any other individuals whose personal data the Customer inputs into the Service.

Categories of personal data processed: names, email addresses, phone numbers, job titles, business addresses, IP addresses, and any other personal data the Customer includes in its use of the Service.

The Processor does not process special categories of personal data (Article 9 GDPR) unless explicitly instructed by the Controller in writing.

4. Obligations of the Processor

The Processor shall: process personal data only on documented instructions from the Controller (Article 28(3)(a)); ensure that persons authorized to process personal data are bound by confidentiality obligations (Article 28(3)(b)); implement appropriate technical and organizational security measures (Article 28(3)(c) and Article 32); respect conditions for engaging sub-processors (Article 28(2) and (4)); assist the Controller in responding to data subject requests (Article 28(3)(e)); assist the Controller in ensuring compliance with Articles 32-36 (security, breach notification, impact assessments, prior consultation) (Article 28(3)(f)); at the Controller's choice, delete or return all personal data upon termination (Article 28(3)(g)); and make available all information necessary to demonstrate compliance and allow for audits (Article 28(3)(h)).

5. Sub-processors

The Controller grants general written authorization for the Processor to engage sub-processors. The Processor shall: maintain a current list of sub-processors (available on request and published at artyql.io/legal/sub-processors); notify the Controller at least 30 days before adding or replacing a sub-processor; impose equivalent data protection obligations on sub-processors via written contract; and remain fully liable for the acts of its sub-processors.

If the Controller objects to a new sub-processor, the parties shall discuss the concern in good faith. If the objection cannot be resolved within 30 days, the Controller may terminate the affected Service.

6. International Transfers

Customer Data is stored within the European Economic Area (Frankfurt, Germany). Where personal data must be transferred outside the EEA (including to Singapore for Artyql's operational processing), such transfers are protected by EU Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914 — and supplemented by appropriate technical measures (encryption in transit and at rest).

7. Security Measures (Article 32)

The Processor implements: encryption of personal data in transit (TLS 1.3) and at rest (AES-256); pseudonymization where feasible; access control with role-based permissions and multi-factor authentication; regular testing and evaluation of security measures; employee confidentiality agreements and security training; incident response procedures with defined escalation paths; and business continuity and disaster recovery measures.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay and in any event within 48 hours of becoming aware of a personal data breach. The notification shall include: the nature of the breach, including categories and approximate number of data subjects and records; the name and contact details of the DPO or other contact point; a description of likely consequences; and measures taken or proposed to address the breach and mitigate its effects.

9. Audits

The Processor shall make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller. The Controller shall give at least 30 days' written notice of an audit. Audits shall be conducted during normal business hours, no more than once per year (unless a data breach or regulatory investigation requires an additional audit), and shall not unreasonably interfere with the Processor's business operations.

10. Deletion and Return of Data

Upon termination of the Service, the Processor shall: provide the Controller with the ability to export Customer Data in a structured, machine-readable format (JSON or CSV) for 30 days; delete all personal data within 90 days of termination, unless retention is required by applicable law; and certify deletion in writing upon the Controller's request.

11. Standard Contractual Clauses

The EU Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated by reference and shall apply to any transfer of personal data from the Controller (in the EEA) to the Processor (in Singapore) or to any sub-processor outside the EEA. In the event of conflict between this DPA and the SCCs, the SCCs shall prevail.

12. Contact

Artyql, on behalf of Dammar and Partners Pte Ltd.

DPO: dpo@artyql.com

Privacy: privacy@artyql.com