Data Processor Addendum

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Master Subscription Agreement (the "Agreement") between Cention AB, a Swedish corporation ("Processor" or "Cention"), and the Customer ("Controller") and sets forth the terms applicable when Personal Data is processed by Cention under the Agreement.

This DPA reflects the parties' commitment to comply with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other relevant legislation.

2. Definitions

In this DPA:

• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Cention on behalf of the Controller in connection with the Services.
• "Processing" means any operation or set of operations performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
• "Subprocessor" means any third party engaged by Cention to process Personal Data on behalf of the Controller.
• "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR.
• "Services" means the customer service platform and related services provided by Cention under the Agreement.

3. Scope and Purpose of Processing

Cention will process Personal Data only:

• In accordance with documented instructions from the Controller
• To the extent necessary to provide the Services under the Agreement
• In compliance with applicable Data Protection Laws

The subject matter, duration, nature, and purpose of processing, as well as the types of Personal Data and categories of Data Subjects, are described in Annex 1 to this DPA.

4. Controller Obligations

The Controller warrants that:

• It has the legal authority to provide Personal Data to Cention for processing
• All Personal Data has been collected in accordance with Data Protection Laws
• Instructions provided to Cention comply with Data Protection Laws
• It will respond to Data Subject requests as required by law

5. Processor Obligations

Cention shall:

• Process Personal Data only on documented instructions from the Controller, unless required by applicable law
• Ensure that personnel processing Personal Data are bound by confidentiality obligations
• Implement and maintain appropriate technical and organisational security measures
• Assist the Controller with Data Subject rights requests
• Delete or return all Personal Data upon termination, at the Controller's election
• Make available information necessary to demonstrate compliance with this DPA
• Notify the Controller without undue delay if an instruction infringes Data Protection Laws

6. Security Measures

Cention implements technical and organisational measures appropriate to the risk, including:

• Encryption - AES-256 encryption at rest; TLS 1.2+ encryption in transit
• Access Controls - Role-based access, multi-factor authentication, SSO support
• Network Security - Firewalls, intrusion detection, DDoS protection
• Monitoring - 24/7 security monitoring and automated alerting
• Testing - Regular penetration testing and vulnerability scanning
• Business Continuity - Geographically distributed infrastructure, automated failover

Detailed security measures are described in our Security Policy.

7. Subprocessors

The Controller authorises Cention to engage Subprocessors to process Personal Data. Cention will:

• Maintain a current list of Subprocessors at cention.io/trust/subprocessors
• Notify the Controller at least 30 days before engaging new Subprocessors
• Ensure Subprocessors are bound by data protection obligations no less protective than this DPA
• Remain liable for the acts and omissions of Subprocessors

8. Data Subject Rights

Cention will assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

• Access to Personal Data
• Rectification of inaccurate data
• Erasure ("right to be forgotten")
• Restriction of processing
• Data portability
• Objection to processing

Cention will promptly notify the Controller of any Data Subject request received directly.

9. Personal Data Breach Notification

Cention will notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach. The notification will include:

• Nature of the breach, including categories and approximate number of Data Subjects affected
• Name and contact details of the data protection contact
• Likely consequences of the breach
• Measures taken or proposed to address the breach

10. International Transfers

Personal Data may be transferred internationally. Cention ensures lawful transfers using:

• EU Standard Contractual Clauses (SCCs)
• Adequacy decisions where applicable
• Other approved transfer mechanisms

The Controller may select a data residency region (EU, US, or APAC) to control where data is stored.

11. Audit Rights

Cention will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits. Audits are subject to:

• Reasonable advance notice (minimum 30 days)
• Confidentiality obligations
• Limitation to once per calendar year (unless required by regulatory authority)

12. Term and Termination

This DPA remains in effect for the duration of the Agreement. Upon termination:

• Cention will cease processing Personal Data except as required by law
• At Controller's election, Cention will delete or return all Personal Data within 90 days
• Cention will provide certification of deletion upon request

Annex 1: Processing Details

Subject Matter	Provision of customer service platform and related services
Duration	Duration of the Agreement plus data retention period
Nature & Purpose	Processing customer communications, support tickets, and related data to enable customer service operations
Types of Data	Contact information, communication content, usage data, device information
Categories of Data Subjects	Customer's employees (agents), Customer's customers (end users)