Data Processing Agreement

Capitalized terms used in this DPA have the meanings assigned in the Agreement or, if not defined there, the meanings given in the GDPR. "Personal Data," "Processing," "Controller," "Processor," "Data Subject," "Supervisory Authority," "Personal Data Breach," and "International Organisation" each have the meanings assigned in Article 4 of the GDPR.

"Services" means the ATMList products and professional services identified in the Agreement, including but not limited to ATM location data, fee intelligence, currency conversion, card-network token resolution, and any related application programming interfaces (APIs), dashboards, analytics consoles, and implementation support provided by ATMList. "Customer Content" means Personal Data submitted to the Services by or on behalf of Customer, including data ingested via API calls, files uploaded through any console or integration layer, and support communications.

"Subprocessor" means any third party engaged by or on behalf of ATMList that processes Customer Content in the course of delivering the Services, including affiliates and cloud infrastructure providers, but excluding incidental telecommunications carriers and postal services acting as mere conduits. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for international transfers adopted by the European Commission under Decision 2021/914, including the four modules set out in the Annex thereto.

"UK Addendum" means the International Data Transfer Addendum to the Standard Contractual Clauses issued by the Information Commissioner under section 119A of the Data Protection Act 2018, version B1.0 in force as of 21 March 2022. "Restricted Transfer" means a transfer of Customer Content to a country or territory outside the European Economic Area, the United Kingdom, or Switzerland that has not received a finding of adequacy from the relevant data protection authority.

This DPA applies from the earlier of (i) the effective date of the Agreement, (ii) the date Customer first submits Customer Content to the Services, or (iii) the date Customer accepts this DPA by continuing to use the Services. It remains in force for the duration of the Agreement plus any post-termination period during which ATMList retains Customer Content pursuant to documented instructions or applicable law.

This DPA is incorporated by reference into the Agreement. Except as expressly modified by this DPA, the Agreement remains in full force and effect. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data. For matters not addressed by this DPA, the governing law and dispute resolution provisions of the Agreement shall apply.

Where Customer processes Personal Data within the scope of this DPA as a Processor acting on behalf of one or more third-party Controllers, Customer warrants that its documented instructions to ATMList reflect those Controllers' instructions and that Customer has entered into a valid data processing agreement with each Controller that permits onward processing by ATMList consistent with this DPA.

Customer is the Controller (or Processor acting on duly documented instructions of a Controller). Customer determines the purposes and means of the processing of Customer Content. ATMList shall process Customer Content only on Customer's documented instructions as set out in the Agreement, this DPA, and any configuration choices Customer makes within the Services, unless processing is required by Union or Member State law to which ATMList is subject.

ATMList shall promptly inform Customer if, in ATMList's reasonable opinion, an instruction infringes any provision of the GDPR or other applicable data protection law, provided that such notification does not require ATMList to provide legal advice to Customer. ATMList shall not be liable for any failure to perform where Customer's instructions are unlawful or technically impossible, provided ATMList has notified Customer in writing of the relevant issue without undue delay.

Customer acknowledges and agrees that ATMList may process Customer Content to the limited extent necessary for ATMList's own legitimate business purposes when carrying out billing, account management, fraud prevention, security operations, service improvement analytics carried out on anonymized or aggregated data, and compliance with legal obligations. Such processing shall at all times be conducted in a manner consistent with the GDPR and the confidentiality obligations set out in Section 4.

The subject matter, duration, nature, and purpose of the processing activities carried out by ATMList on behalf of Customer are described in this Section 4 and Annex A (Processing Description). The parties acknowledge that this description is not exhaustive and that further details may be set out in the Agreement or applicable order forms.

• Subject matter: delivery of ATM location, fee intelligence, currency conversion, card-network token resolution, and related API-based data services as described in the Agreement, plus any professional services, technical support, and infrastructure operations ancillary thereto.
• Duration: the term of the Agreement, plus any retention period permitted under Customer's documented instructions or Section 15 (Return and deletion) of this DPA, and such further period as may be required by applicable law.
• Nature and purpose: ingestion, storage, retrieval, transformation, enrichment, transmission, logging, backup, and deletion of Customer Content to deliver the functionality contracted by Customer, to provide technical support, to maintain and improve the Services, and to comply with legal obligations.
• Categories of data subjects: end users of Customer's applications (consumers, cardholders, travelers, business users), Customer's own employees and contractors who access the Services, and any other category of natural person whose Personal Data Customer submits to the Services.
• Types of Personal Data: coarse and fine geolocation data (latitude, longitude, altitude where available); device identifiers such as IDFA, IDFV, AAID, or browser fingerprint hashes; IP addresses; application identifiers and SDK version strings; card-network identifiers (BINs and BIN-derived tokens); issuer identification numbers; requested currency and amount parameters; user-agent strings; support and feedback messages submitted by Customer; and any other Personal Data Customer elects to include in API payloads, file uploads, or support tickets.
• Sensitive data: unless Customer obtains prior written agreement from ATMList, Customer shall not submit Special Categories of Personal Data as defined in Article 9 GDPR or the equivalent provisions of the UK GDPR or Swiss FADP. ATMList does not intentionally process sensitive data through the standard service offering.

Customer warrants that it has a lawful basis for processing Customer Content under Article 6 GDPR (or equivalent provisions of other applicable data protection law) and for instructing ATMList to process Customer Content as contemplated by this DPA. Customer shall provide all necessary notices to data subjects and obtain all necessary consents, to the extent required by applicable law, before submitting Customer Content to the Services.

Customer is solely responsible for the accuracy, quality, and legality of Customer Content and the means by which Customer acquired it. Customer shall not submit Customer Content to the Services that infringes the rights of any third party or that contains Personal Data collected in violation of applicable law.

Customer shall ensure that its use of the Services complies with the Agreement and this DPA. Customer shall implement appropriate technical and organizational measures within its own systems to protect Customer Content before submission and after retrieval, and shall maintain its own data processing records as required by Article 30 GDPR.

Where Customer acts as a Processor of a third-party Controller, Customer shall provide ATMList with the identity and contact details of that Controller upon request and shall be solely responsible for all obligations owed to such Controller under the Agreement and applicable law.

ATMList shall process Customer Content only on the documented instructions of Customer as set out in Section 3, unless required to do so by Union or Member State law to which ATMList is subject. In such a case, ATMList shall inform Customer of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.

ATMList shall ensure that all personnel authorized to process Customer Content have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. ATMList shall take steps to ensure the reliability of any employee, contractor, or agent who may have access to Customer Content, including conducting background checks to the extent permitted by applicable law.

ATMList shall implement and maintain the technical and organizational measures described in Annex C, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. ATMList shall regularly test, assess, and evaluate the effectiveness of those measures.

ATMList shall assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to ATMList. Such assistance includes, without limitation, the obligations set out in Sections 11 (Data subject rights assistance), 12 (DPIA and prior consultation assistance), and 13 (Breach notification) of this DPA.

ATMList shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, in accordance with Section 17 (Audits and certifications) of this DPA.

ATMList shall maintain a record of all categories of processing activities carried out on behalf of Customer in accordance with Article 30(2) GDPR and shall make such record available to any Supervisory Authority upon request. ATMList shall inform Customer immediately if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.

ATMList shall promptly notify Customer if ATMList receives a legally binding request from a public authority to disclose Customer Content, unless such notification is otherwise prohibited by law, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation. In any event, ATMList shall use reasonable endeavours to redirect the authority to request the data directly from Customer.

ATMList shall treat all Customer Content as confidential information and shall not disclose or transfer Customer Content to any third party except as expressly authorized by this DPA or the Agreement. This obligation survives termination of this DPA and continues for so long as ATMList retains Customer Content.

ATMList shall ensure that any person acting under its authority who has access to Customer Content processes it only in accordance with Customer's documented instructions and the terms of this DPA. ATMList shall maintain a current list of all personnel with access to Customer Content and shall regularly review and update that list.

Where Customer Content is subject to legal hold, litigation, or regulatory inquiry, the parties shall cooperate in good faith to preserve Customer Content in accordance with applicable legal obligations, provided that the party claiming legal hold notifies the other in writing of the scope and duration of the preservation requirement.

ATMList may process aggregated, de-identified, or anonymized data derived from Customer Content for purposes of analytics, benchmarking, product improvement, and publication of industry statistics, provided that such data cannot reasonably be re-identified by ATMList or by any third party to whom it is disclosed and does not constitute Personal Data under applicable law.

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ATMList shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

Such measures shall include, without limitation: (a) the pseudonymization and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

A high-level summary of the measures currently implemented by ATMList is set out in Annex C (Technical and Organizational Measures). ATMList reserves the right to update and modify those measures from time to time, provided that any such updates or modifications do not materially diminish the overall level of protection afforded to Customer Content. ATMList shall notify Customer of any material reduction in security measures without undue delay.

ATMList shall conduct periodic penetration testing, vulnerability assessments, and security audits of its Service infrastructure by independent third-party assessors, and shall produce a summary report describing the scope, methodology, and key findings of each such assessment. ATMList shall provide Customer with an executive summary of the most recent assessment upon reasonable written request, subject to appropriate confidentiality undertakings.

Customer provides general written authorization under Article 28(2) GDPR for ATMList to engage the subprocessors currently listed in Annex B (Subprocessors) for the processing of Customer Content. ATMList shall impose data protection terms on each Subprocessor that are no less protective of Customer Content than the terms set out in this DPA and that include, at a minimum, provisions addressing confidentiality, security, breach notification, data subject rights assistance, and the obligation to delete or return Customer Content upon termination of the subprocessing engagement.

Where ATMList engages a Subprocessor for carrying out specific processing activities on behalf of Customer, ATMList shall impose the same data protection obligations as set out in this DPA on that Subprocessor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that Subprocessor fails to fulfil its data protection obligations, ATMList shall remain fully liable to Customer for the performance of that Subprocessor's obligations.

ATMList shall notify Customer in writing of any intended addition or replacement of Subprocessors at least thirty calendar days before the change takes effect. Customer may object to a new Subprocessor on reasonable grounds related to the protection of Customer Content within fifteen calendar days of receiving the notice. If the parties are unable to resolve Customer's objection within thirty calendar days thereafter, such that ATMList cannot reasonably accommodate Customer's objection by alternative means, Customer may terminate the affected portion of the Services as its sole and exclusive remedy, without penalty and without prejudice to any fees accrued or payable for services already rendered.

ATMList shall maintain and make available an up-to-date list of Subprocessors at a publicly accessible URL referenced in Annex B. Subprocessors engaged for ancillary services such as email delivery, helpdesk ticketing, or internal collaboration tools that do not routinely process Customer Content shall also be listed, with a notation as to whether they process Customer Content in the ordinary course of the engagement.

Taking into account the nature of the processing, ATMList shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including rights of access, rectification, erasure, restriction, data portability, and objection.

If ATMList receives a request from a data subject directly, ATMList shall promptly redirect the data subject to Customer and shall not respond to that request substantively unless authorized to do so by Customer in writing or required by applicable law. ATMList shall notify Customer of any such direct request without undue delay, and in any event no later than three business days after receipt.

ATMList shall provide Customer with self-service functionality, APIs, or export mechanisms to enable Customer to access, correct, delete, restrict, or port Customer Content in response to data subject requests. Where Customer requires assistance beyond such self-service capabilities, ATMList shall cooperate in good faith and may charge reasonable fees for any such assistance that is disproportionate or not contemplated by the standard Service offering.

Customer is responsible for verifying the identity of any data subject submitting a request before forwarding instructions to ATMList and for ensuring that any restriction or deletion of Customer Content is lawful and does not conflict with any legal hold or retention obligation communicated by Customer to ATMList.

ATMList shall provide reasonable assistance to Customer with any data protection impact assessment (DPIA) that Customer is required to conduct under Article 35 GDPR and with any prior consultation required of Customer under Article 36 GDPR, in each case solely to the extent that such DPIA or consultation relates to the processing of Customer Content by ATMList and taking into account the nature of the processing and the information available to ATMList.

Such assistance may include providing: (a) a description of the processing operations carried out by ATMList on behalf of Customer; (b) information about the technical and organizational measures implemented by ATMList as described in Annex C; (c) information about subprocessors and any international transfers of Customer Content; (d) risk assessments, security audit summaries, and penetration test executive summaries to the extent they are available without breaching ATMList's confidentiality obligations to other customers; and (e) such other information as ATMList can reasonably make available.

ATMList shall inform Customer without undue delay if, in ATMList's opinion, the processing activities requested by Customer present a high risk to the rights and freedoms of natural persons that ATMList has identified and that Customer may not have addressed in its own DPIA.

ATMList shall notify Customer without undue delay, and in any event no later than forty-eight hours after becoming aware of a Personal Data Breach affecting Customer Content. The notification shall, as a minimum: (a) describe the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; (b) communicate the name and contact details of ATMList's data protection officer or other contact point where more information can be obtained; (c) describe the likely consequences of the Personal Data Breach; and (d) describe the measures taken or proposed to be taken by ATMList to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and to the extent that, it is not possible to provide all of the information referred to in paragraph (a) at the time of the initial notification, ATMList shall provide that information in phases without further undue delay. ATMList shall document any Personal Data Breaches affecting Customer Content, their effects, and the remedial action taken, and shall make that documentation available to Customer upon request.

ATMList shall cooperate in good faith with Customer's investigation of any Personal Data Breach and shall take all reasonable steps requested by Customer to mitigate the effects of the breach. ATMList shall not notify any data subject, regulator, or third party of a Personal Data Breach without Customer's prior written consent, unless required to do so by applicable law, in which case ATMList shall give Customer reasonable prior notice of such notification.

ATMList maintains a documented security incident response plan that is tested at least annually. Upon detecting a security incident that may affect Customer Content, ATMList shall promptly activate its incident response procedures and assign appropriate personnel to contain, investigate, and remediate the incident.

At Customer's reasonable request, ATMList shall provide a post-incident summary setting out the root cause (to the extent determined), timeline, impact on Customer Content, and remediation steps completed and planned. ATMList shall preserve all logs and forensic evidence relevant to the incident for a period of not less than twelve months from the date of resolution.

Customer shall provide ATMList with a current security contact for incident notification purposes. ATMList shall use commercially reasonable efforts to deliver breach notifications through the contact mechanism designated by Customer. Failure by Customer to maintain current contact information shall not relieve ATMList of its notification obligations but may affect the timeliness of delivery.

Upon termination or expiry of the Agreement, or upon Customer's written request at any time during the term, ATMList shall, at Customer's election and within sixty calendar days, either (a) return a complete copy of all Customer Content in a reasonably accessible, machine-readable format, or (b) securely delete all Customer Content from all systems under ATMList's control, including backups, logs, and any test or staging environments.

ATMList shall certify the completion of deletion in writing within thirty calendar days of completing the deletion process. Deletion from archival and backup systems may be delayed for up to ninety calendar days where technically necessary, provided that such retained copies remain subject to the security and confidentiality obligations of this DPA and are not processed for any purpose other than storage pending final deletion.

ATMList may retain Customer Content beyond the periods specified above solely to the extent required by Union or Member State law to which ATMList is subject, provided that ATMList shall (a) limit such retention to the minimum period required by law, (b) maintain the confidentiality and security of the retained data, and (c) process the retained data only for the specific purpose required by law and not for any other purpose.

ATMList shall make available to Customer, upon written request and subject to reasonable confidentiality undertakings, information reasonably necessary to demonstrate compliance with this DPA. This may be satisfied by providing: (a) an executive summary of the most recent SOC 2 Type II examination report or equivalent third-party assurance report; (b) the most recent penetration test summary; (c) ISO 27001 certificate or equivalent certification, if held; and (d) written responses to a reasonable security questionnaire submitted by Customer.

To the extent the information described in paragraph (a) is not sufficient for Customer to verify compliance, Customer may, no more than once per twelve-month period and upon not less than forty-five calendar days' prior written notice, conduct an on-site audit of ATMList's premises and systems used to process Customer Content. Any such audit shall be conducted during normal business hours, shall not unreasonably disrupt ATMList's operations, and shall be at Customer's sole expense. Customer shall engage an independent third-party auditor mutually agreed by the parties and subject to a non-disclosure agreement acceptable to ATMList.

Notwithstanding the foregoing, Customer may conduct an on-site audit more frequently or on shorter notice where required by a Supervisory Authority or where ATMList has suffered a confirmed Personal Data Breach affecting Customer Content. Nothing in this Section limits ATMList's obligation to cooperate with any audit mandated by a competent Supervisory Authority, which shall be governed by applicable law.

Customer acknowledges that ATMList may transfer, store, and process Customer Content in any country in which ATMList or its Subprocessors maintain facilities, including Japan, the United States, and other jurisdictions. Where Customer Content is transferred from the European Economic Area to a third country or international organisation that has not received an adequacy decision under Article 45 GDPR (a "Restricted Transfer"), the parties shall ensure that adequate safeguards are in place as required by Article 46 GDPR.

For Restricted Transfers from the EEA, the European Commission Standard Contractual Clauses adopted under Decision 2021/914 of 4 June 2021 (the "EU SCCs") shall apply. Where Customer is the Controller and ATMList is the Processor, Module Two (Transfer Controller to Processor) of the EU SCCs is incorporated by reference. Where Customer is a Processor and ATMList is a sub-Processor, Module Three (Transfer Processor to Processor) applies. The parties select Option 2 (General Written Authorization) under Clause 9(a), the thirty-day objection period under Clause 9(a), Option 1 under Clause 11(a) (independent dispute resolution body), and the laws of Ireland under Clause 17 (governing law) with the courts of Ireland under Clause 18(b) (choice of forum and jurisdiction).

For Restricted Transfers from the United Kingdom, the UK Addendum to the EU SCCs is incorporated by reference. The information required by Part 1 of the UK Addendum is set out in Annex D. For Restricted Transfers from Switzerland, the EU SCCs shall apply with the following modifications: (a) references to the GDPR shall be read as references to the Swiss Federal Act on Data Protection; (b) the Swiss Federal Data Protection and Information Commissioner (FDPIC) shall be the competent Supervisory Authority; and (c) the parties agree that the laws of Switzerland shall govern the SCCs for Swiss transfers solely to the extent Swiss law requires.

ATMList shall, upon Customer's reasonable request and taking into account the nature of the processing and the information available to ATMList, make available information relevant to a transfer risk assessment (TRA) and shall describe any supplementary measures implemented to protect Customer Content in the recipient jurisdiction. ATMList warrants that, at the time of agreeing the SCCs, it has no reason to believe that the laws and practices in the third country of destination applicable to the processing of Customer Content by ATMList prevent ATMList from fulfilling its obligations under the SCCs.

The liability of each party and each party's affiliates under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement. Neither party excludes or limits liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot lawfully be limited or excluded under applicable law.

To the extent that any provision of this DPA conflicts with or is inconsistent with the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail with respect to the international transfer of Personal Data. With respect to all other processing of Personal Data, this DPA shall prevail over any conflicting provisions of the Agreement.

Each party's liability to data subjects under the GDPR or other applicable data protection law is determined by that law. Nothing in this DPA shall be interpreted as limiting either party's liability to any data subject under applicable data protection legislation, or as limiting a data subject's right to claim damages under the GDPR or other applicable law.

This DPA shall commence on the effective date set out above and shall continue in full force and effect for so long as ATMList processes Customer Content on behalf of Customer under the Agreement, and for such further period as ATMList retains Customer Content in accordance with Section 14 (Return and deletion of Customer Content).

Either party may terminate this DPA upon thirty calendar days' written notice if the other party is in material breach of any provision of this DPA and fails to cure such breach within that period, provided that termination of this DPA shall automatically constitute termination of the Agreement with respect to the Services to which this DPA relates, and vice versa.

The following provisions shall survive termination or expiry of this DPA: Section 1 (Definitions), Section 5 (Controller obligations) to the extent relating to Customer's warranties, Section 7 (Confidentiality), Section 14 (Return and deletion), Section 15 (Audits and certifications) for the period necessary to verify deletion, Section 17 (Liability and precedence), Section 18 (Term, termination, and survival), Section 19 (Amendments), Section 20 (Governing law), and any provisions necessary for the interpretation or enforcement of rights accrued before termination.

ATMList may amend this DPA from time to time to reflect changes in applicable data protection law, changes to its processing activities, or changes to the Services. ATMList shall notify Customer of any material amendment by posting the updated DPA at the publicly accessible URL at which it is maintained and by sending an email notification to the address associated with Customer's account.

Material amendments shall take effect thirty calendar days after the date of notification, unless Customer objects in writing within that period on reasonable data protection grounds. If Customer objects, the prior version of the DPA shall continue to govern the parties' relationship for a transition period of up to ninety calendar days, during which the parties shall negotiate in good faith to resolve the objection. If the objection cannot be resolved within the transition period, Customer may terminate the Agreement without penalty as its sole and exclusive remedy.

Amendments required to comply with a change in applicable law or a binding order of a Supervisory Authority shall take effect on the date specified in the relevant notice, which shall not be less than five business days from notification, and no objection right shall apply. ATMList shall clearly identify any such mandatory amendment in its notification.

This DPA and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) shall be governed by and construed in accordance with the same law as the Agreement. To the extent required by the GDPR or other applicable data protection law, the governing law of the relevant EU Member State shall apply to the extent necessary to ensure the effectiveness of the data protection obligations under this DPA.

If any provision of this DPA is held to be invalid, illegal, or unenforceable by a court or Supervisory Authority of competent jurisdiction, the validity, legality, and enforceability of the remaining provisions shall not be affected, and the parties shall negotiate in good faith to replace the invalid provision with a valid provision that most closely reflects the original intent.

No waiver of any term, provision, or condition of this DPA shall be effective unless made in writing and signed by an authorized representative of the waiving party. No failure or delay by either party in exercising any right under this DPA shall operate as a waiver. This DPA may be executed in counterparts, each of which shall be deemed an original.

This Annex A forms an integral part of the DPA and describes the processing of Personal Data by ATMList on behalf of Customer in accordance with Article 28(3) GDPR and the equivalent provisions of other applicable data protection law. The descriptions set out below are supplemented by the processing details set out in Section 4 of the DPA.

• Data exporter (Controller): Customer, as identified in the Agreement and the account record associated with the Customer.
• Data importer (Processor): ATMList, Inc., with registered address at Otemachi Financial City South Tower 12F, 1-9-7 Otemachi, Chiyoda-ku, Tokyo 100-0004, Japan.
• Categories of data subjects: end users of Customer's applications, employees and contractors of Customer, and any other individuals whose Personal Data is submitted by Customer to the Services.
• Categories of Personal Data transferred: geolocation data, device and application identifiers, IP addresses, card-network BINs and tokens, user-agent strings, support communications, and other data as described in Section 4.
• Sensitive data transferred: none, unless agreed otherwise in writing and subject to additional safeguards.
• Frequency of transfer: continuous or as determined by Customer's use of the Services.
• Nature of processing: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, depending on Customer's instructions and configuration of the Services.
• Purpose of transfer and further processing: to provide the Services to Customer in accordance with the Agreement.
• Period for which Personal Data will be retained: the duration of the Agreement plus the retention and deletion periods specified in Section 14.
• Competent Supervisory Authority: determined in accordance with the GDPR based on Customer's establishment.

ATMList maintains a current list of Subprocessors at the URL specified below. The subprocessors listed therein are authorized under the general written authorization granted by Customer in Section 9. The list identifies each Subprocessor's name, country of processing, function performed, and whether the Subprocessor processes Customer Content in the ordinary course of business.

By executing or acceding to this DPA, Customer authorizes the subprocessors listed at that URL as of the effective date. The notice and objection process set out in Section 9 shall apply to any addition or replacement of Subprocessors thereafter.

[Subprocessor list URL — maintained at atm-list.com/legal/subprocessors. Contact [email protected] to request a current copy.]

The following is a high-level summary of the technical and organizational measures (TOMs) implemented by ATMList pursuant to Article 32 GDPR. A more detailed matrix of measures may be provided to Customer subject to a non-disclosure agreement and is available to qualified enterprise customers through the procurement contact set out in the Legal Portal.

Measures of pseudonymization and encryption of Personal Data: TLS 1.3 for data in transit; AES-256 encryption at rest for all production databases, object stores, and backup media; pseudonymization of API payload identifiers where feasible without degrading service functionality.

Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services: role-based access control (RBAC) with least-privilege principles; multi-factor authentication for all personnel with administrative access; network segmentation and firewalls; intrusion detection and prevention systems; continuous security monitoring and logging; automated alerting on anomalous activity; redundant infrastructure across multiple availability zones; disaster recovery plan tested at least annually.

Measures for ensuring the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident: encrypted, geographically distributed backups performed daily; point-in-time recovery capability; documented recovery time objective (RTO) of four hours and recovery point objective (RPO) of one hour for critical services; annual disaster recovery testing with after-action reports.

Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures: annual independent penetration testing by a CREST-accredited or equivalent assessor; annual SOC 2 Type II audit; quarterly vulnerability scanning; continuous static and dynamic application security testing integrated into the CI/CD pipeline; annual internal risk assessment; annual employee security awareness training; incident response plan testing at least annually.

Vendor and personnel controls: background checks for all personnel with access to production systems (where legally permissible); signed confidentiality undertakings; formal security onboarding and offboarding procedures; annual security training; Subprocessor due diligence review prior to engagement and at least annually thereafter.

Physical and environmental controls: ISO 27001 or SOC 2 certified data center providers; biometric and badge-based access controls; video surveillance; redundant power and environmental controls; formally documented physical security policies.

SDLC and change management: peer-reviewed code changes; automated security testing in CI/CD pipeline; separation of development, staging, and production environments; change management process requiring approval before production deployment; vulnerability disclosure program and bug bounty.

This Annex D forms an integral part of the DPA and specifies the parties' selections and supplemental information for the EU Standard Contractual Clauses (Decision 2021/914) and the UK International Data Transfer Addendum (version B1.0).

Module selection under the EU SCCs: where Customer is a Controller, the parties agree that Module Two (Transfer Controller to Processor) of the EU SCCs applies. Where Customer is a Processor acting on behalf of a third-party Controller, the parties agree that Module Three (Transfer Processor to Processor) of the EU SCCs applies, and Customer warrants that it is authorized by the relevant Controller to enter into Module Three.

Clause 7 (Docking Clause): the optional docking clause under Clause 7 shall not apply.

Clause 9 (Use of subprocessors): Option 2 (General Written Authorization) is selected. The time period for prior specific authorization under Clause 9(a) is thirty calendar days, as set out in Section 9 of this DPA.

Clause 11 (Redress): the optional language under Clause 11(a) (independent dispute resolution body) shall not apply.

Clause 17 (Governing law): the governing law for the EU SCCs shall be the laws of Ireland.

Clause 18 (Choice of forum and jurisdiction): any dispute arising from the EU SCCs shall be resolved by the courts of Ireland.

Annex I.A — List of Parties: Data exporter is Customer. Data importer is ATMList, Inc., with registered office and contact details as set out in Annex A and the Agreement. Data importer's activities relevant to the data transferred: provider of ATM location, fee intelligence, and related API services.

Annex I.B — Description of Transfer: as set out in Annex A of this DPA.

Annex I.C — Competent Supervisory Authority: determined in accordance with the GDPR based on Customer's establishment.

Annex II — Technical and organisational measures: as described in Annex C of this DPA and the detailed TOMs matrix available under NDA.

UK Addendum: where the UK Addendum is incorporated, Part 1 of the UK Addendum shall be completed as follows: Table 1 (Parties): as described in Annex I.A above. Table 2 (Selected SCCs, Modules, and Clauses): the approved EU SCCs (Decision 2021/914) with Module Two (Controller to Processor) or Module Three (Processor to Processor) as applicable, with the modifications set out in this Annex D. Table 3 (Appendix Information): Annex I.A, Annex I.B, and Annex II of the EU SCCs as described above. Table 4 (Ending the UK Addendum): neither party may end the UK Addendum as set out in Section 19 of Part 2 of the UK Addendum.