Data Processing Agreement

"Controller" = Regio Development SRL, in its capacity as a SaaS digital signage service provider.

"Processor" = Regio Development SRL, in its capacity as processor of personal data on behalf of its customers.

"Personal data" = any information relating to an identified or identifiable natural person.

"Processing" = any operation performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"GDPR" = Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

This Agreement sets out the obligations and responsibilities of the parties in connection with the processing of personal data within the provision of SaaS digital signage services.

The Agreement governs processing carried out by the Processor on behalf of and for the Controller, in line with the latter's documented instructions.

Purpose of processing: provision of digital signage services, including content management, screen performance monitoring and platform usage analytics.

The Processor will notify the Controller of any personal data breach within 24 hours of becoming aware of it.

The notification will include: the nature of the breach, the categories and approximate number of data subjects, the categories and approximate number of records affected, and the measures taken to remedy the breach.

The Processor will cooperate with the Controller in investigating the incident and implementing remedial measures.

A detailed incident report will be issued within 72 hours, including causes, impact and preventive measures implemented.

Personal data is stored and processed exclusively within the European Economic Area (EEA).

Servers are located in certified data centres in Romania and other EU member states.

If a transfer of data outside the EEA becomes necessary, the Processor will:

• Obtain prior written authorisation from the Controller

• Ensure adequate safeguards through Standard Contractual Clauses approved by the European Commission

• Implement supplementary protection measures in line with EDPB recommendations

The Processor will make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this Agreement.

The Controller, or an auditor mandated by the Controller, has the right to carry out audits, including inspections at the Processor's premises, with at least 30 days' notice.

Audits will take place during normal business hours and will not unduly affect the Processor's activities.

Audit costs are borne by the Controller, except where major non-conformities are identified.

The Processor will remedy any non-conformity identified within the agreed timeframe, but no later than 90 days.

The Processor is liable for damage caused by processing only where it has failed to fulfil its obligations under this Agreement or has acted outside or against the Controller's lawful instructions.

The Processor's liability is limited to direct damages up to the value of the annual contract, except for:

• Wilful or grossly negligent breaches

• Breaches of confidentiality and data security

• Sanctions imposed by supervisory authorities

In the event of a joint action against the Controller and Processor, each party will be liable in proportion to its degree of responsibility.