Data Processing Addendum

This Data Processing Addendum ("DPA") is incorporated into and forms part of the Terms of Service ("Agreement") between Summatus GmbH ("Raily", "Company", "we", "us", or "our") and the customer agreeing to these terms ("Customer"). This DPA reflects the parties' agreement on the processing of Personal Data in accordance with applicable Data Protection Laws.

Last updated: 06.08.2024

1. DEFINITIONS

1.1. "Affiliate" means an entity that directly or indirectly controls, is controlled by, or is under common control with a party.

1.2. "CCPA" means the California Consumer Privacy Act.

1.3. "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the GDPR, UK GDPR, CCPA, and Swiss Federal Act on Data Protection.

1.4. "Data Subject" means an identified or identifiable natural person.

1.5. "GDPR" means the General Data Protection Regulation (EU) 2016/679 and the UK GDPR.

1.6. "Personal Data" means any information relating to a Data Subject processed by Raily on behalf of Customer.

1.7. "Processing" means any operation performed on Personal Data.

1.8. "Subprocessor" means any processor engaged by Raily to process Personal Data.

1.9. "Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as adopted by the European Commission.

1.10. "QFC Regulations" means the QFC Data Protection Regulations 2021.

1.11. Duration and Survival. This DPA will become legally binding upon the effective date of the Agreement. Raily will Process Customer Personal Data until the relationship terminates as specified in the Agreement. Raily's obligations and Customer's rights under this DPA will continue in effect so long as Raily Processes Customer Personal Data.

1.12. "Applicable Data Protection Laws" include, but are not limited to, the data protection laws of the UAE (including DIFC Data Protection Law 2020 and ADGM Data Protection Regulations 2021) and Saudi Arabia (including Personal Data Protection Law), depending on the jurisdiction of data processing.

2. PROCESSING OF PERSONAL DATA

2.1. Roles of the Parties. The parties acknowledge that with regard to the processing of Personal Data, Customer is the controller and Raily is the processor.

2.2. Customer's Processing of Personal Data. Customer shall, in its use of the Services, process Personal Data in accordance with Data Protection Laws. Customer's instructions for the processing of Personal Data shall comply with Data Protection Laws.

2.3. Raily's Processing of Personal Data. Raily shall process Personal Data only for the purposes described in this DPA and the Agreement, and in accordance with Customer's documented instructions, unless required otherwise by applicable law.

2.4. Details of the Processing. The subject-matter, nature, purpose, and duration of this processing, as well as the types of Personal Data collected and categories of Data Subjects, are set forth in Annex 1 to this DPA.

2.5 AI Processing Details

The processing of Personal Data by AI systems includes:

a) Conversion of user data into vector representations for matchmaking and recommendations
b) Analysis of user preferences and behavior for personalized content delivery
c) Processing of visual data for enhancing user profiles and matches
d) Continuous learning and model updates based on user interactions
e) Generation of match percentages and compatibility scores

3. RIGHTS OF DATA SUBJECTS

3.1. Data Subject Requests. Raily shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject's rights under Data Protection Laws. If Raily receives a Data Subject Request in relation to Customer Personal Data, Raily will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request.

3.2. Assistance to Customer. Raily shall, at the request of the Customer, and taking into account the nature of the processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer in complying with Customer's obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Customer is itself unable to respond without Raily's assistance and (ii) Raily is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Raily.

3.3. Response Time. Raily shall respond to Data Subject requests within 30 days, with the possibility of extension for up to 60 days in complex cases.

3.4. Raily commits to respecting the rights of data subjects as provided by Applicable Data Protection Laws, including but not limited to the right of access, rectification, and erasure of data.

4. RAILY PERSONNEL

4.1. Confidentiality. Raily shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements.

4.2. Reliability. Raily shall take reasonable steps to ensure the reliability of any Raily personnel engaged in the processing of Personal Data.

4.3. Limitation of Access. Raily shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Agreement.

5. SUBPROCESSORS

5.1. Appointment of Subprocessors. Customer acknowledges and agrees that Raily may engage third-party Subprocessors in connection with the provision of the Services.

5.2. List of Current Subprocessors. Raily shall make available to Customer the current list of Subprocessors for the Services at https://raily.app/subprocessors. This list shall include the identities of those Subprocessors and their country of location. Raily shall update this list promptly with any changes.

5.3. Notification of New Subprocessors. Raily shall provide notification of a new Subprocessor(s) before authorizing any new Subprocessor(s) to process Personal Data in connection with the provision of the applicable Services.

5.4. Changes to Subprocessors. Raily maintains an up-to-date list of Subprocessors at https://raily.app/legal/subprocessors. Raily may update this list from time to time. It is Customer's responsibility to check this list periodically for any changes. Customer's continued use of the Services after an update to the Subprocessor list constitutes acceptance of the new Subprocessor(s). If Customer has a reasonable basis to object to Raily's use of a new Subprocessor, Customer shall notify Raily promptly in writing within ten (10) business days after checking the updated Subprocessor list. In the event of such an objection, Raily will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening Customer. If Raily is unable to make available such change within a reasonable period of time, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Raily without the use of the objected-to new Subprocessor by providing written notice to Raily.

5.5. Liability. Raily shall be liable for the acts and omissions of its Subprocessors to the same extent Raily would be liable if performing the services of each Subprocessor directly under the terms of this DPA.

6. SECURITY

6.1. Security Measures. Raily shall implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described in Annex 2 to this DPA.

6.2. Third-Party Certifications and Audits. Raily has obtained the third-party certifications and audits set forth in Annex 2 to this DPA. Upon Customer's written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Raily shall make available to Customer a copy of Raily's then most recent third-party audits or certifications, as applicable.

6.3. Raily shall maintain transparent privacy notices and make them easily accessible to Data Subjects.

6.4. Raily Personnel. Raily personnel are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Raily's confidentiality and privacy policies.

6.5 AI-Specific Security Measures

a) Implement measures to ensure the accuracy, robustness, and cybersecurity of AI systems as per Article 15 of the EU AI Act
b) Regular testing and validation of AI models to prevent biases and ensure fairness
c) Implementation of kill-switch mechanisms for immediate halting of AI processing if necessary
d) Continuous monitoring of AI system outputs for anomalies or unexpected behaviors

7. PERSONAL DATA BREACH MANAGEMENT AND NOTIFICATION

7.1. Notification. Raily shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notification shall include, to the extent known to Raily at that time, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned. Raily shall also notify the QFC Data Protection Office of any serious breaches as required by QFC Regulations. Raily commits to complying with all applicable breach notification requirements established by local data protection laws, including notifying relevant supervisory authorities in the UAE and Saudi Arabia, where applicable.

7.2. Assistance to Customer. Raily shall provide reasonable assistance to Customer in the handling and documentation of Personal Data Breaches.

8. RETURN AND DELETION OF CUSTOMER DATA

8.1. Deletion or Return of Data. Raily shall, at the choice of Customer, delete or return all Personal Data to Customer after the end of the provision of Services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data.

8A. AI MODEL MANAGEMENT

8A.1. Raily shall maintain detailed records of AI model versions, training data used, and significant updates.

8A.2. Upon request, Raily shall provide Customer with information about the AI models used in processing their data, including general descriptions of model architecture and key features.

8A.3. Raily shall implement procedures for regular evaluation of AI model performance, including checks for potential biases or unfair outcomes.

8A.4. In the event of significant changes to AI models that may affect data processing, Raily shall notify Customer and, if necessary, conduct a new Data Protection Impact Assessment.

8B. RECORDS OF PROCESSING ACTIVITIES

8B.1. Raily shall maintain detailed records of processing activities in accordance with QFC Regulations. Upon request, Raily shall make these records available to the QFC Data Protection Office.

9. TRANSFERS OF PERSONAL DATA

9.1. Standard Contractual Clauses. The Standard Contractual Clauses shall apply to Personal Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for Personal Data. The Standard Contractual Clauses shall not apply to Personal Data that is not transferred, either directly or via onward transfer, outside the EEA.

9.2. For transfers to countries not recognized as adequate by QFC, Raily shall implement appropriate safeguards as required by QFC Regulations.

9.3. Supplementary Measures. In respect of any transfer of Personal Data outside the EEA, UK, or Switzerland, Raily shall implement appropriate supplementary measures as required by applicable Data Protection Laws to ensure an adequate level of protection for the Personal Data.

9.4. For data transfers to or from the UAE and Saudi Arabia, Raily commits to complying with all applicable local requirements for cross-border data transfers.

10. LIMITATION OF LIABILITY

10.1. To the extent permitted by applicable law, any liability arising under or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

10.2. Each Party's liability, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the 'Limitation of Liability' section of the Agreement.

10.3. Any reference to the liability of a Party means the total liability of that Party and all of its affiliates under the Agreement and this DPA together.

11. LEGAL EFFECT

This DPA shall only become legally binding between Customer and Raily when fully executed following the formalities set out in the Agreement. If Customer has previously executed a data processing addendum with Raily, this DPA supersedes and replaces such prior Data Processing Addendum.

12. DATA PROTECTION IMPACT ASSESSMENT (DPIA)

12.1 Systematic Description of Processing

In addition to the details provided in Annex 1, Raily conducts the following types of processing:

  • Collection and storage of user profile data, including names, contact information, and travel preferences
  • Analysis of user behavior and travel patterns for matchmaking purposes
  • Processing of geolocation data to facilitate real-time connections between users
  • Handling of user-generated content, such as messages and shared travel plans
  • Processing of payment information for premium services and in-app purchases
  • Analysis of user data for personalized recommendations and travel planning

12.2 Assessment of Necessity and Proportionality

Raily has assessed the adequacy, relevance, and necessity of the processing activities described above and has determined that:

  • The processing is necessary for providing our core matchmaking and travel companion services, enhancing user experience, ensuring platform security, and complying with legal obligations
  • The amount and types of data collected are proportionate to the purposes of processing
  • Data retention periods are limited to what is necessary for the stated purposes
  • User consent is obtained for all non-essential data processing activities
  • Data minimization principles are applied to ensure only necessary data is collected and processed
  • Regular reviews are conducted to ensure ongoing relevance and necessity of processed data

12.3 Assessment of Risks to Data Subjects

Raily has identified the following potential risks to the rights and freedoms of data subjects:

  1. Unauthorized access to personal data due to security breaches
  2. Misuse of personal data by Raily employees or third-party contractors
  3. Data loss or corruption due to technical failures
  4. Unwanted disclosure of user location or travel plans to other users
  5. Profiling leading to discriminatory treatment or exclusion from services

12.4 Measures to Address Risks

In addition to the security measures described in Annex 2, Raily implements the following measures to address the identified risks:

  1. For unauthorized access: Implementation of advanced encryption techniques, regular security audits, and intrusion detection systems
  2. For misuse of personal data: Strict access controls, employee background checks, and comprehensive data handling training for all staff
  3. For data loss or corruption: Regular data backups, disaster recovery plans, and use of redundant systems
  4. For unwanted disclosure: Granular privacy settings allowing users to control what information is shared, and clear guidelines on information sharing
  5. For profiling risks: Regular algorithmic audits to detect and mitigate potential biases, and providing users with control over their data used for profiling

12.5 AI Risk Assessment

Raily has conducted a thorough risk assessment of its AI systems, focusing on:

  1. Potential impacts on user privacy and data protection
  2. Risks of bias or discrimination in AI-driven matchmaking
  3. Transparency and explainability of AI decision-making processes
  4. Measures to ensure human oversight and intervention in AI processes

12.6 Ongoing AI Monitoring

Raily commits to:

  1. Continuous monitoring of AI system performance and outputs
  2. Regular audits of AI decision-making processes
  3. Periodic reassessment of AI risks as systems evolve and improve
  4. Maintaining open communication channels with users for feedback on AI-driven features

13. CONFLICT OF TERMS

13.1. In the event of any conflict or inconsistency among the following documents, the order of precedence will be:

  1. the applicable terms in the Standard Contractual Clauses;
  2. the terms of this DPA; and
  3. the Agreement.

13.2. No provision in the Agreement shall be construed to reduce, limit, or otherwise negatively affect any of Raily's obligations or Customer's rights under this DPA or the Standard Contractual Clauses.

13.3. In case of doubt, the interpretation that provides the highest level of data protection and security for Personal Data shall prevail.

14. COOPERATION WITH SUPERVISORY AUTHORITIES

14.1. Raily shall cooperate, on request, with the supervisory authority in the performance of its tasks.

14.2. Raily shall promptly notify Customer if it receives a request from a supervisory authority in connection with Customer Personal Data, unless prohibited by applicable law.

14.3. If a supervisory authority requires an audit of the data processing facilities from which Raily processes Customer Personal Data in order to ascertain or monitor Customer's compliance with Data Protection Laws, Raily shall cooperate with such audit, subject to appropriate confidentiality obligations.

14.4. Raily commits to cooperating with relevant supervisory authorities in the UAE and Saudi Arabia, including but not limited to the DIFC Data Protection Administration, ADGM Registration Authority, and Saudi Data and Artificial Intelligence Authority (SDAIA), in accordance with applicable law.

15. CONTINUOUS IMPROVEMENT

Raily is committed to continuously improving its data protection and security measures. Raily shall regularly review and update its practices, policies, and technical measures to ensure ongoing compliance with Data Protection Laws and industry best practices.

16. AI TRANSPARENCY AND USER RIGHTS

16.1. Raily shall provide clear information to users about the use of AI in its services, including how AI influences matchmaking and recommendations.

16.2. Users shall have the right to:

  1. Receive explanations of significant AI-driven decisions affecting their experience
  2. Contest AI-generated results and request human review
  3. Opt-out of certain AI-driven features while retaining access to core services
  4. Access and correct data used by AI systems for decision-making

16.3. Raily shall maintain a user-friendly interface for exercising these rights and shall respond to user requests within 30 days.

List of Annexes:

Annex 1: Details of Processing

Annex 2: Security Measures

ANNEX 1: DETAILS OF PROCESSING

Nature and Purpose of Processing:

Raily will process Personal Data as necessary to provide the Services pursuant to the Agreement and as further instructed by Customer in its use of the Services.

Duration of Processing:

Raily will process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

Categories of Data Subjects:

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Customers, business partners, and vendors of Customer (who are natural persons)
  • Employees or contact persons of Customer's customers, business partners, and vendors
  • Employees, agents, advisors, and freelancers of Customer (who are natural persons)
  • Customer's users authorized by Customer to use the Services

Type of Personal Data: Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • First and last name
  • Contact information (company, email, phone, physical business address)
  • ID data
  • Professional life data
  • Personal life data
  • Connection data
  • Localization data

Additional Processing Details:

Raily will also conduct the following types of processing:

  • Analysis of user behavior and travel patterns for matchmaking purposes
  • Processing of geolocation data to facilitate real-time connections between users
  • Handling of user-generated content, such as messages and shared travel plans
  • Processing of payment information for premium services and in-app purchases

ANNEX 2: SECURITY MEASURES

Raily maintains administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Customer's Personal Data, including the measures described in this Annex 2.

1. Information Security Program

Raily maintains a written information security program that includes:

  • Network security
  • Platform security
  • System and application security
  • Data security
  • Information security processes

2. Physical Access Controls

  • Physical access to facilities where data is processed is limited to authorized personnel.
  • Raily offices are protected by appropriate access control systems.
  • Authorized individuals enter Raily facilities using electronic access cards.

3. System Access Controls

  • Role-based access controls are implemented to ensure access to systems processing Personal Data is provisioned on a need-to-know and least privilege basis.
  • Unique user accounts are created for authentication.
  • For any access to systems that process Personal Data, multi-factor authentication is enabled.

4. Data Access Controls

  • Access to Customer Data is restricted to authorized personnel who require such access to perform their job function.
  • If required by law, Raily can restrict visibility of Customer Data based on the country of origin.
  • Raily personnel do not access Customer Data, except when required to provide customer support, troubleshoot the Services, or comply with legal requirements.

5. Transmission Controls

  • Raily uses industry standard transport encryption protocols for the transfer of any Personal Data.
  • Data in transit to and from the Services is encrypted using TLS 1.2+.

6. Input Controls

  • Raily implements detective controls to identify unauthorized changes to Personal Data.
  • Application and infrastructure systems log information to centrally managed log management systems for audit and analysis.

7. Availability Controls

  • Raily replicates data over multiple systems to help protect against accidental destruction or loss.
  • Raily has designed and regularly plans and tests its business continuity planning/disaster recovery programs.

8. Subprocessor Security

Before onboarding Subprocessors, Raily conducts an audit of the security and privacy practices of Subprocessors to ensure they provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide.

9. Personnel

  • Raily personnel are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.
  • Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Raily's confidentiality and privacy policies.