THIS AGREEMENT is made on [25-09-2019]

PARTIES

GmbH., a company incorporated in Germany whose registered office is at GmbH c/o SCHULZ NOACK BÄRWINKEL, Baumwall 7, 20459 Hamburg, (Supplier); and

UP Global Sourcing UK Ltd, a company incorporated in England and Wales under number 03357718 whose registered office is at Manor Mill, Victoria Street, Chadderton, Oldham, OL9 0DD (Customer),

each of the Supplier and the Customer being a party and together the Supplier and the Customer are the parties.

BACKGROUND

The Supplier is a skilled and experienced provider of data processing services, including Apps for controlling IoT Devices.

The Customer is the owner of a number of brands that bring sought after products to the mass market.

The Customer has sourced a number of IoT Devices and wishes to engage the Supplier to provide an Intempo branded App (The App) for users to control these devices for the purpose of the Customer’s business. Such data may include Personal Data.

The Supplier is willing to provide data processing services to the Customer on the terms and conditions of this Agreement.

THE PARTIES AGREE:

Definitions

In this Schedule:

Controller

has the meaning given in applicable Data Protection Laws from time to time;

Data Protection Laws

means any applicable law relating to the processing, privacy and/or use of Personal Data, as applicable to either party or the Services, including:

the GDPR;

the Data Protection Act 2018;

any laws which implement any such laws;

any laws that replace, extend, re-enact, consolidate or amend any of the foregoing; and

all guidance, guidelines, codes of practice and codes of conduct issued by any relevant Data Protection Supervisory Authority relating to such Data Protection Laws (in each case whether or not legally binding);

Data Protection Supervisory Authority

means any regulator, authority or body responsible for administering Data Protection Laws;

Data Subject

has the meaning given in applicable Data Protection Laws from time to time;

GDPR

means the General Data Protection Regulation, Regulation (EU) 2016/679;

International Organisation

has the meaning given in applicable Data Protection Laws from time to time;

Personal Data

has the meaning given in applicable Data Protection Laws from time to time;

Personal Data Breach

has the meaning given in applicable Data Protection Laws from time to time;

Processing

has the meaning given in applicable Data Protection Laws from time to time (and related expressions, including process, processing, processed, and processes shall be construed accordingly);

Processor

has the meaning given in applicable Data Protection Laws from time to time;

Protected Data

means Personal Data received from or on behalf of the Customer, or otherwise obtained in connection with the performance of the Supplier’s obligations under this Agreement; and

Sub-Processor

means any agent, subcontractor or other third party engaged by the Supplier (or by any other Sub-Processor) for carrying out any processing activities in respect of the Protected Data.

IoT Device

means an Internet of Things Device which is any device that can be controlled remotely using a smart phone or other similar connected device through the internet.

Unless otherwise expressly stated in this Agreement the Supplier’s obligations and the Customer’s rights and remedies under this Schedule are cumulative with, and additional to, any other provisions of this Agreement.

Compliance with data protection laws

The parties agree that the Customer is a Controller and that the Supplier is a Processor for the purposes of processing Protected Data pursuant to this Agreement. The Supplier shall, and shall ensure its Sub-Processors and each of the Supplier Personnel shall, at all times comply with all Data Protection Laws in connection with the processing of Protected Data and the provision of the Services and shall not by any act or omission cause the Customer (or any other person) to be in breach of any of the Data Protection Laws. Nothing in this Agreement relieves the Supplier of any responsibilities or liabilities under Data Protection Laws.

Supplier indemnity

The Supplier shall indemnify and keep indemnified the Customer against:

all losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, sanctions, expenses, compensation paid to Data Subjects (including compensation to protect goodwill and ex gratia payments), demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a Data Protection Supervisory Authority) arising out of or in connection with any breach by the Supplier of its obligations under this Schedule; and

all amounts paid or payable by the Customer to a third party which would not have been paid or payable if the Supplier’s breach of this Schedule had not occurred.

Instructions

The Supplier shall only process (and shall ensure Supplier Personnel only process) the Protected Data in accordance with Part A of Schedule 1, this Agreement and the Customer’s written instructions from time to time except where otherwise required by applicable law (and in such a case shall inform the Customer of that legal requirement before processing, unless applicable law prevents it doing so on important grounds of public interest). The Supplier shall immediately inform the Customer if any instruction relating to the Protected Data infringes or may infringe any Data Protection Law.

Security

The Supplier shall at all times implement and maintain appropriate technical and organisational measures to protect Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. Such technical and organisational measures shall be at least equivalent to the technical and organisational measures set out in Part B of Schedule 1 and shall reflect the nature of the Protected Data.

Sub-processing and personnel

The Supplier shall only permit processing of Protected Data by those Sub-Processors listed in Part C of Schedule 1 and shall not permit any processing of Protected Data by any agent, subcontractor or other third party (except its own employees that are subject to an enforceable obligation of confidence with regards to the Protected Data) without the prior specific written authorisation of that Sub-Processor by the Customer and only then subject to such conditions as the Customer may require.

The Supplier shall ensure that access to Protected Data is limited to the authorised persons who need access to it to supply the Services.

The Supplier shall ensure any relevant Sub-Processor carrying out any processing activities in respect of the Protected Data is appointed under a binding written contract containing the same obligations as under this Schedule in respect of Protected Data that is enforceable by the Supplier and ensure each such Sub-Processor complies with all such obligations.

The Supplier shall remain fully liable to the Customer under this Agreement for all the acts and omissions of each Sub-Processor and each of the Supplier Personnel as if they were its own.

The Supplier shall ensure that all persons authorised by the Supplier or any Sub-Processor to process Protected Data are reliable and:

adequately trained on compliance with this Schedule as applicable to the processing;

informed of the confidential nature of the Protected Data and that they must not disclose Protected Data;

subject to a binding and enforceable written contractual obligation to keep the Protected Data confidential; and

provide relevant details and a copy of each agreement with a Sub-Processor to the Customer on request.

Assistance

The Supplier shall (at its own cost and expense) promptly provide such information and assistance (including by taking all appropriate technical and organisational measures) as the Customer may require in relation to the fulfilment of the Customer’s obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws).

The Supplier shall (at its own cost and expense) provide such information, co-operation and other assistance to the Customer as the Customer requires (taking into account the nature of processing and the information available to the Supplier) to ensure compliance with the Customer’s obligations under Data Protection Laws, including with respect to:

security of processing;

data protection impact assessments (as such term is defined in Data Protection Laws);

prior consultation with a Data Protection Supervisory Authority regarding high risk processing; and

any remedial action and/or notifications to be taken in response to any Personal Data Breach and/or any complaint or request relating to either party’s obligations under Data Protection Laws relevant to this Agreement, including (subject in each case to the Customer’s prior written authorisation) regarding any notification of the Personal Data Breach to Data Protection Supervisory Authorities and/or communication to any affected Data Subjects.

Data subject requests

The Supplier shall (at no cost to the Customer) record and refer all requests and communications received from Data Subjects or any Data Protection Supervisory Authority to the Customer which relate (or which may relate) to any Protected Data promptly (and in any event within three days of receipt) and shall not respond to any without the Customer’s express written approval and strictly in accordance with the Customer’s instructions unless and to the extent required by law.

International transfers

The Supplier shall not process and/or transfer, or otherwise directly or indirectly disclose, any Protected Data in or to countries outside the European Union or to any International Organisation without the prior written consent of the Customer (which may be refused or granted subject to such conditions as the Customer deems necessary).

Records

The Supplier shall maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of the Customer. Such records shall include all information necessary to demonstrate its and the Customer’s compliance with this Schedule, the information referred to in Articles 30(1) and 30(2) of the GDPR and such other information as the Customer may reasonably require from time to time. The Supplier shall make copies of such records available to the Customer promptly (and in any event within five business days) on request from time to time.

Audit

The Supplier shall promptly make available to the Customer (at the Supplier’s cost) such information as is required to demonstrate the Supplier’s and the Customer’s compliance with their respective obligations under this Schedule and the Data Protection Laws, and allow for, permit and contribute to audits, including inspections or testing of the devices or App, by the Customer (or another auditor/tester mandated by the Customer) for this purpose at the Customer’s request from time to time. The Supplier shall provide (or procure) access to all relevant premises, systems, personnel and records controlled by the Supplier during normal business hours for the purposes of each such audit, inspection or test upon reasonable prior notice (not being less than thirty days) and provide and procure all further reasonable co-operation, access and assistance in relation to any such audit or inspection.

Breach

The Supplier shall promptly (and in any event within 24 hours) notify the Customer if it (or any of its Sub-Processors or the Supplier Personnel) suspects or becomes aware of any suspected, actual or threatened occurrence of any Personal Data Breach in respect of any Protected Data.

The Supplier shall promptly (and in any event within 24 hours) provide all information as the Customer requires to report the circumstances referred to in paragraph 12.1 (above) to a Data Protection Supervisory Authority and to notify affected Data Subjects under Data Protection Laws.

Deletion/return

The Supplier shall (and shall ensure that each of the Sub-Processors and Supplier Personnel shall) without delay (and in any event within 3 working days), at the Customer’s written request, either securely delete or securely return all the Protected Data to the Customer in such form as the Customer reasonably requests after the earlier of:

the end of the provision of the relevant Services related to processing of such Protected Data; or

once processing by the Supplier of any Protected Data is no longer required for the purpose of the Supplier’s performance of its relevant obligations under this Agreement,

and securely delete existing copies (except to the extent that storage of any such data is required by applicable law and, if so, the Supplier shall inform the Customer of any such requirement).

Survival

This Schedule shall survive termination or expiry of this Agreement for any reason.

Cost

The Supplier shall perform all its obligations under this Schedule at no cost to the Customer.

AGREED by the parties on the date set out at the head of this Agreement

FOR THE SUPPLIER FOR CUSTOMER

Position __Data Protection Officer__ Position _______________________

Signature ___Jason Wang ________ Signature _______________________

Print Name __Wang Songnian (Jason) Print Name ______________________

Schedule 1
Data processing and security details

Part A — Data processing details

Processing of the Protected Data by the Supplier under this Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in this Part A of this Schedule 1.

Subject-matter of processing:

To allow users of The App to communicate with their IoT Device remotely using a smart phone or other device.

Duration of the processing:

For the length of this contract and for each individual user for as long as an account remains open on The App.

Nature and purpose of the processing:

To store personal data of the user on a cloud server but only where this is required for the functionality of The App

To allow users of The App to securely connect to their IoT device

To allow users of The App to switch on and off their IoT Device remotely

To ensure the confidentiality, integrity and availability of The App

To allow users of The App to access, rectify, delete and object to any of the information related to the data subject

Type of Personal Data:

Name (including nick names)

Email address

Head portrait

Password

Language

Geo-location

A unique identifier of the IoT Device

A unique identifier of the device to which the App is installed

Phone number (as you may offer the call notification (service) to the user when sensitive video is monitored)

Error information for using the device

Categories of Data Subjects:

Users of The App for controlling Internet of Things Devices

Users registered on the IoT websites

Users of the Devices for utilizing the Service

Obtain certain information about users from publicly or commercially-available sources and from third parties who perform services

[Specific processing instructions:

[Insert]]

Part B — Minimum technical and organisational security measures

1 Without prejudice to its other obligations, the Supplier shall implement and maintain at least the following technical and organisational security measures to protect the Protected Data:

In accordance with the Data Protection Laws, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of the Protected Data to be carried out under or in connection with this Agreement, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons and the risks that are presented by the processing, especially from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Protected Data transmitted, stored or otherwise processed, the Supplier shall implement appropriate technical and organisational security measures appropriate to the risk, including as appropriate those matters mentioned in Articles 32(1)(a) to 32(1)(d) (inclusive) of the GDPR.

The Supplier shall ensure at all times the App is only available via official App stores, the App complies with any terms laid down by the official App stores and does not make The App available via any other means.

Part C — Sub-Processors authorised by the Customer

The Customer expressly agrees to the use of the following Sub-Processors for the purpose of storing the Protected Data within the European Union

Amazon Web Services EMEA SARL

Service Type | Vendors
Cloud service, Message, Email | AWS (Frankfurt)
GPS | MS Azure
SMS, phone calls | Nexmo
Location service | MS Azure
Push service | Google and Apple
Web Service | Hubspot
Verification Code | Geetest


This is straightforward, just enter the date of the agreement

Insert the address of Gizwits. See also Note 2 of the SCC Document

You can change the details to whoever the App supplier is. See also Note 3 of the SCC Document

Required by the GDPR:

GmbH. c/o SCHULZ NOACK BÄRWINKEL, Baumwall 7, 20459 Hamburg

Your details, these can be changed if you are entering the contract with a different legal entity. See also Note 1 of the SCC Document

You can change this to whatever brand this contract will apply to

Since it will be uploaded and apply to the UP official site, we’d prefer to name it ‘UP banded’, Robert/Janice please confirm.

The brand name Intempo does not have to be mentioned at all.

The App Co is the Supplier

Up Global Sourcing UK Ltd is the Customer

You need to state how long they are going to be processing the personal data for, this entry is standard but you may want to change it if it is different.

As long as Services are still being provided to such user

This number 3 together with number 4 should tie in together, these are both very crucial as this is where you tell the processor exactly what personal data they can process, for what reason and what they can do with it. The same also has to be reflected at Note 5 of the Privacy Notice Document and reflected at Note 7 of the SCC Document

This is where you need to add in anything else the user can do on the App and that would process personal data and any other reason for the processor to process the data. This needs to be reflected at Note 7 of the SCC Document, see also Note 5 of the Privacy Notice Document

See note 9 above, again this is crucial as this is where you need to put any other types of personal data the App collects which must tie in with the reason for collecting above, also this will need to be reflected at Note 5 of the Privacy Notice Document and at Note 8 of the SCC Documents

This is fairly straightforward, if there are any other categories of data subjects add them in. This also needs to be reflected at Note 6 of the SCC Document

This is optional and you can just add in any other very specific instructions, if none this number 6 can be deleted

If with any other suppliers it is agreed they can use a further sub-processor or are not using Amazon then add or change their details here. This also needs to be reflected at Note 9 of the SCC Document