Data Processing Addendum for Daryn Lab Inc.

This Data Processing Addendum ("DPA") is incorporated into and forms an integral part of the Terms of Service (the "Agreement") entered into between the Customer ("Controller") and Daryn Lab Inc. ("Processor").

This DPA applies to the extent that Processor processes Personal Data on behalf of the Controller in the course of providing the Services.

• "Controller," "Processor," "Data Subject," "Personal Data," "Processing," and "Personal Data Breach" shall have the meanings given to them in the GDPR.
• "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
• "Services" means the services provided by the Processor to the Controller under the Agreement.

• Confidentiality: Ensure that its personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Security: Implement and maintain appropriate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access ("Security Measures"). These measures shall include, as appropriate, encryption of data in transit (SSL/TLS) and at rest (AES-256), access controls, and regular security reviews.
• Sub-processing: (a) The Controller provides a general authorization for the Processor to engage third-party Sub-processors to process Personal Data, including those listed in Annex 1. (b) The Processor shall maintain an up-to-date list of its Sub-processors and shall inform the Controller of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving the Controller the opportunity to object to such changes. (c) The Processor will enter into a written agreement with each Sub-processor containing data protection obligations no less protective than those in this DPA. The Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.
• Data Subject Rights: To the extent legally permitted, promptly notify the Controller of any request received from a Data Subject to exercise their rights under the GDPR. The Processor shall provide the Controller with commercially reasonable assistance to enable the Controller to respond to such requests.
• Personal Data Breach: Notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The Processor shall provide the Controller with sufficient information to allow the Controller to meet any obligations to report the breach to the supervisory authorities.
• Data Protection Impact Assessments: Provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities, as required under the GDPR.

Upon the Controller's reasonable request, the Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

The Processor will not transfer Personal Data outside the European Economic Area (EEA), the United Kingdom, or Switzerland without ensuring that the transfer is in compliance with the GDPR. The Processor shall ensure that such transfers are made on the basis of an adequacy decision or are governed by a valid transfer mechanism, such as the Standard Contractual Clauses (SCCs).

Upon termination of the Agreement, or upon the Controller's written request, the Processor shall, at the Controller's choice, delete or return all Personal Data to the Controller and delete existing copies unless applicable law requires storage of the Personal Data.

In the event of any conflict between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail with regard to the parties' data protection obligations.