• “Data Protection Laws”: The GDPR and all other applicable laws concerning the processing of Personal Data.

• “Personal Data”: Any information relating to an identified or identifiable natural person.

• “Data Subject”: The individual to whom Personal Data relates.

• “Processing”: Any operation performed on Personal Data, such as collection, storage, use, disclosure, or destruction.

• “Sub-Processor”: Any processor engaged by Naxon to process Personal Data on behalf of the Customer.

2.1. Role of the Parties: The Customer (Controller) determines the purposes and means of the processing of Personal Data, and Naxon (Processor) processes Personal Data on behalf of the Customer.

2.2. Subject Matter: This DPA governs Naxon’s processing of Personal Data on behalf of the Customer in relation to the SaaS services provided under the Agreement.

3.1. Processing in Accordance with Instructions: Naxon shall only process Personal Data in accordance with the documented instructions from the Customer, unless required to do so by law.

3.2. Confidentiality: Naxon shall ensure that individuals authorized to process Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3. Security: Naxon shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

3.4. Sub-Processors: Naxon shall not engage any Sub-Processor without the prior written consent of the Customer. Naxon shall ensure that Sub-Processors are bound by data protection obligations no less protective than those set out in this DPA.

4.1. Lawful Basis for Processing: The Customer shall ensure that it has a lawful basis for processing Personal Data and will not instruct Naxon to process Personal Data in any manner that violates applicable Data Protection Laws.

4.2. Instructions: The Customer shall provide documented instructions to Naxon regarding the processing of Personal Data.

5.1. Naxon shall assist the Customer in responding to requests from Data Subjects exercising their rights under the GDPR, including access, rectification, erasure, restriction, and data portability requests.

6.1. Naxon shall notify the Customer without undue delay upon becoming aware of a Personal Data Breach. Naxon will provide reasonable assistance to the Customer in its efforts to investigate and mitigate the breach and notify the appropriate supervisory authorities and affected Data Subjects.

7.1. Naxon shall not transfer Personal Data outside the European Economic Area (EEA) unless such transfers comply with the requirements of the GDPR, including the use of appropriate safeguards.

8.1. Upon termination or expiration of the Agreement, Naxon shall, at the Customer’s discretion, delete or return all Personal Data processed on behalf of the Customer, unless retention is required by law.

9.1. Naxon shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor appointed by the Customer, to verify compliance with this DPA and applicable Data Protection Laws.

10.1. The parties agree that Naxon’s liability for breach of this DPA shall be limited to the amounts set out in the Agreement, subject to any limitations under applicable law.