1. The Customer provides peaq with Personal Data of the Customer (the “Customer Data” ) in connection with the usage of the SAM4H Software (the “Software” ) by the Customer based on an agreement related to the Software between the Customer on one part and peaq, a distributor, a reseller or another a third party on the other part (the “Agreement” ).
2. In order to ensure compliance with applicable data protection laws, which may include, but not be limited to the General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (together the “Applicable Data Protection Laws” ), in the Processing of Customer Data by peaq, the Parties enter into this Data Processing Agreement.
3. In the context of this Data Processing Agreement the Customer is the Controller and peaq is the Processor in the sense of Applicable Data Protection Laws.

THEREFORE, in consideration of the mutual covenants contained below, the Parties agree as follows:

1. General
   1. Subject Matter. In this Data Processing Agreement, the Parties only regulate the relationship between the Parties concerning Applicable Data Protection Laws. They do not intend to extend or restrict services to be provided under the agreements concerning the Software.
   2. Precedence. In the event of conflicts between contractual parts of this Data Processing Agreement, this Data Processing Agreement shall take precedence over the Annexes.
   3. Definitions. Any capitalized terms used in this Data Processing Agreement shall have the meanings set forth in this Data Processing Agreement. Legal terms such as "Personal Data" and "Processing" , shall have the meaning defined in the Applicable Data Protection Laws.
2. Subject and Duration of Processing
   1. Subject of Processing. In connection with the Software, peaq Processes Customer Data on behalf of the Customer. The subject matter of the Processing, its nature and its purpose are set out in the Agreement. The categories of persons affected by the Processing and the categories of Customer Data affected are described in Annex 1.
   2. Other Services. Insofar as peaq takes on further services for the Customer in the course of the collaboration, this Data Processing Agreement shall also apply to these services with regard to all matters of data protection.
   3. Duration. This Data Processing Agreement begins with the Effective Date and ends with the termination of the Agreement. Moreover, every Party is entitled to terminate this Data Processing Agreement at any time in its free discretion with immediate effect in writing (including emails).
   4. Responsibility of the Customer. The Customer is aware that the legal responsibility for the permissibility of the collection and other Processing of the Customer Data and for the fulfilment of the rights of data subjects in connection with the Software to be provided by peaq lies with the Customer. It ensures that peaq’s Processing of Customer Data according to this Data Processing Agreement does not violate Applicable Data Protection Laws.
3. Obligations of peaq
   1. Compliance with Instructions
      1. peaq is obliged to use the Customer Data exclusively for the services to be provided in the context of the Software and to follow the Customer's instructions when Processing them, subject to deviating obligations under applicable laws and binding orders issued by competent authorities, about which the Customer must be informed to the extent permitted. The right to issue instructions is limited by the Agreement and this Data Processing Agreement.
      2. Customer's instructions shall be issued in text form, although in urgent cases they may also be issued verbally and confirmed thereafter in text form.
   2. Register of Processing Activities. peaq undertakes to keep a register of Processing activities in relation to the Customer Data in accordance with the Applicable Data Protection Laws. peaq shall grant the Customer access to this register at any time upon request to the extent required under mandatory Applicable Data Protection Laws.
   3. Place of Processing. The Processing and the use of the Customer Data shall take place exclusively in Switzerland and the EU. Any Processing of Customer Data outside Switzerland or the EU (including the granting of access rights to Customer Data) is only permitted with the prior consent of the Customer and in accordance with the applicable legal and contractual provisions.
   4. Obligation to Return and Delete
      1. After termination of the Agreement, peaq must delete the Customer Data. Data deletions must be final and the deletion must be confirmed to the Customer upon request.
      2. If peaq is legally obliged to store Customer Data due to statutory provisions, it must inform the Customer accordingly at an early stage, and the concerned Customer Data may only be stored on non- productive systems for as long as necessary and appropriately secured.
4. Data Security
   1. Security Measures. peaq shall take appropriate technical and organizational measures as required under Applicable Data Protection Laws (the "Security Measures" ). During the term of the Data Processing Agreement, the Processor shall be authorized to adapt the Security Measures, provided that the level of security is not lowered, and shall be obliged to adapt the Security Measures insofar as this is necessary to maintain the level of protection in accordance with the Applicable Data Protection Laws.
   2. Reporting of Breaches
      1. In the event of specific security breaches that lead to the destruction, loss, alteration or disclosure of Customer Data, peaq shall inform the Customer immediately, but at the latest within 24 hours.
      2. peaq is obliged to provide the Customer with further relevant information on the security breach upon request, insofar as this is possible without violating the contractual or statutory confidentiality obligations of peaq.
5. Sub-Processors
   1. Permissibility
      1. For the provision of the services in the context of the Software, peaq shall be authorized to make Customer Data available to sub-processors (the “Sub-Processors” ) at its own discretion, provided that peaq complies with this Section 5 and has entered into agreements with the concerned Sub-Processors that contain at least as strict provisions as this Data Processing Agreement.
      2. A Sub-Processor within the meaning of this Data Processing Agreement is any service provider whose services relate directly to the Processing of Customer Data. In the case of outsourced ancillary services, peaq is also obliged to enter into appropriate and legally compliant contractual agreements to ensure data protection and data security for the Customer, to take control measures and to document these measures to the Customer on request.
   2. Approval of Sub-Processors. A list of the Sub-Processors with access to Customer Data existing at the Effective Date and hereby authorized by the Customer can be found in Annex 2. The Customer shall be informed before a Sub-Processor is changed. Any change shall be considered approved by the Customer upon information.
   3. Sub-Processors outside Switzerland and the EU. If, in connection with the authorized involvement of a Sub-Processor, Customer Data is transferred to or received from a country without an adequate level of data protection, peaq is obliged to obtain appropriate guarantees in accordance with the Applicable Data Protection Law (e.g. the applicable EU standard contractual clauses) before the first disclosure of Customer Data to the concerned Sub-Processor.
6. Supporting Obligations
   1. Data Security. peaq shall support the Customer in a reasonable manner in complying with Customer’s legal obligations to ensure adequate data security and to report data breaches, as well as in carrying out data protection impact assessments to the extent mandatory under Applicable Data Protection Laws.
   2. Rights of Data Subjects. If a Data Subject contacts peaq in connection with claims under Applicable Data Protection Laws (e.g. with a request for information or deletion) and these claims are related to the Software, peaq shall forward the corresponding request to the Customer without delay. peaq shall provide the Customer with appropriate support in Processing such requests.
   3. Obligation to Inform. Inspections and other measures by data protection supervisory authorities must be reported to the Customer immediately (to the extent permitted) if they affect the Customer Data or systems used for the Processing of Customer Data.
   4. Limitation of Obligations. The obligations set out above shall only be performed by peaq to the extent required under mandatory Applicable Data Protection Laws and peaq shall be remunerated for the services to be provided hereunder on a time and material basis. The invoices of peaq for the services shall be paid in advance by the Customer.
   5. Contact Information. For data protection issues, the following persons should be contacted in the first instance:
      • Customer: Contact information as provided in the context of the acceptance process of this Data Processing Agreement by the Customer.
      • peaq: -privacy@peaq.ch
      Each Party is entitled to update the contact information, but only in writing (including emails).
7. Confidentiality
   1. Customer Data. peaq undertakes to treat Customer Data as strictly confidential and to make it accessible within and outside its organization only to persons who require access to the Customer Data in order to fulfil their duties. Section 5 above is reserved. peaq shall ensure that all persons with access to Customer Data are subject to a statutory or contractual duty of confidentiality with regard to the Customer Data.
   2. Other Information. Both Parties are also subject to any confidentiality obligations agreed between them in writing, if any, with regard to Customer Data perceived in the context of this Data Processing Agreement.
8. Miscellaneous
   1. Liability. peaq shall only be liable to the Customer if it fails to perform its obligations in any respect pursuant to this Data Processing Agreement and its failure or lack of performance is due to peaq's gross negligence or wilful intent. The liability for auxiliary persons shall be excluded. Any other liability of peaq under or in connection with this Data Processing Agreement is excluded.
   2. Notifications. Notifications provided for in this Data Processing Agreement must be made expressly and in text form (e.g. by email or mail), unless otherwise agreed in writing.
   3. Annexes. The annexes to this Data Processing Agreement are integral parts thereof.
   4. Entire Agreement and Amendments. This Data Processing Agreement including its Annexes constitutes the entire agreement between the Parties as to the subject matter hereof, and supersede all prior oral and written correspondence, memoranda, letters of intent, or agreements between the Parties, unless otherwise specifically provided in this Data Processing Agreement. Amendments and other changes to this Data Processing Agreement must be in text form in order to be valid.
   5. Applicable Laws and Jurisdiction. All disputes arising out of or in connection with this Data Processing Agreement shall be governed by substantive Swiss law excluding the conflict of law rules and the Laws in treaties including but not limited to the Uniform Law on Purchases (Vienna treaty). The courts of Zurich, Switzerland shall have exclusive jurisdiction to settle any dispute which may arise out of or in connection with this Agreement.

1. Categories of Data
   Any data provided by Customers to peaq in the context of the Agreement, such as names, email addresses and communication data.
2. Categories of concerned Persons
   Data of the Customer and end users determined by the Customer.

The following persons are deemed to be approved Sub-Processors within the meaning of this Data Processing Agreement at the Effective Date: