DATA PROCESSING TERMS

By using Gateway and Analytics System (as defined in Terms) provided by SIA Nordigen Solutions ("Nordigen"), Client agrees to the following personal data processing terms ("DPT").

1. DEFINITIONS

These terms in this DPT shall have the following meaning:

“Applicable data privacy laws” means any national or internationally binding data privacy laws or regulations applicable at any time during the term of this DPT on, as the case may be, the Data Controller or the Data Processor. The term “Applicable data privacy laws” includes the forthcoming European Union General Data Protection Regulation (hereinafter referred to as the GDPR) when it enters into force on the 25th May 2018. Before the GDPR enters into force, the national privacy law of the member state in the European Economic Area in which the Data Controller is established shall be applicable to this DPT.

"Data Controller(s)" means the legal entity/entities which, under this DPT, determines the purposes and means of the processing of Personal Data;

"Data Processor" means the legal entity processing Personal Data on behalf of the Data Controller(s) under this DPT;

"Personal Data" means any information relating to an identified or identifiable natural person;

"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Sub-processor” means a third party subcontractor engaged by the Data Processor which, as part of the subcontractor’s role of delivering the services, will process Personal Data on behalf of the Data Controller.

2. SCOPE AND PURPOSE OF THE DPT

2.1. This DPT concerns the services provided by the Data Processor to the Data Controller detailed in the Terms.

2.2. In respect of the provision of the services and on behalf of the Controller, the Processor processes the data of natural persons (hereinafter referred to as the Data), i.e. performs commissioned Data processing in the sense of Section 2 (2) Latvian Act on Processing of Personal Data, and the GDPR 4 (2).

2.3. The DPT regulates the procedures by which the Data Processor processes the Data on behalf of the Data Controller, including Data collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. This DPT applies to all types of data processed under the Terms.

2.4. The tasks performed and supported by the Processor mainly involve the processing, including storage of Data. The Processor must ensure the safeguards of the Data stored. Hence, the Processor is responsible for the correct and appropriate safeguards for the protection of the storage, database, networking, computing and the infrastructure necessary for the security of the Data.

3. SUBJECT MATTER OF THE DPT

3.1. The Data Controller undertakes to provide the Data Processor with the Data specified in clause 4.2. of the DPT, while the Data Processor undertakes to use the provided Data for the purposes specified in clause 4.2. of the DPT in accordance with the terms and conditions of the DPT and applicable laws and regulations;

3.2. The Data Processor may not process the Data received from the Data Controller for the purposes that do not correspond to the purposes specified in the DPT and Terms.

3.3. By signing this DPT the Data Controller warrants that:

3.3.1. Data Controller has informed respective data subjects and received explicit consent from data subjects on the following matters:

3.3.1.1. The identity and the contact details of the Data Controller;

3.3.1.2. The contact details of the data protection officer (if applicable);

3.3.1.3. The purposes of the processing for which the data are intended as well as the legal basis for the processing;

3.3.1.4. The recipients or categories of recipients of the data;

3.3.1.5. The period for which the data will be stored, or if that is not possible, the criteria used to determine that period;

3.3.1.6. The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

3.3.1.7. Where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

3.3.1.8. The right to lodge a complaint with a supervisory authority;

3.3.1.9. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

3.3.1.10. The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3.3.2. The consent of the data subjects to the data processing is a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

4. PROCESSING OF PERSONAL DATA

4.1. The Data Processor undertakes to only process Personal Data in accordance with documented instructions communicated from time to time by the Data Controller.

4.2. The Data Controller’s initial instructions to the Data Processor regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects are:

**Purposes**
All purposes for which the Data will be processed by the Data Processor:

1. To provide transaction categorisation, behaviour identification and insights generation services to Data Controller. Processing also occurs to carry out support, maintenance and other operational services as well as in order to derive statistical models, for future data enrichment purposes.
2. To improve the performance and accuracy of Nordigen's Gateway and Analytics System (as defined in Terms).
3. To transfer account information from Account Information Service Providers after Account Aggregation (as defined in Terms) to Data Controller which includes the transfer and normalization of financial data for consistent storage and display purposes, enrichment (categorization), statistics calculation and insights generation, changing data formats. Processing also occurs to carry out support, maintenance and other operational services as well as in order to derive statistical models, for future data enrichment purposes.

**Categories of data**
The Data that will be processed by the Data Processor:

Data Controller’s potential and/or existing client's name, personal identity number, the borrower's bank account number and bank account records (transaction date, amount and/or payment recipient/sender, transaction details), information on loans and their repayment status, information on other financial products;

**Categories of data subjects**
The categories of data subjects (e.g. customers, employees etc.), whose Data will be processed by Data Processor:

Data Controller’s potential and/or existing clients (natural persons);

**Processing operations**
All processing activities to be conducted by Data Processor:

Data entry recognition and data entry sorting pursuant to the pre-set entries into categories of payments, behaviour factor generation with respect to the Data and the return of the reorganised data to the Data Controller in visual and/or non-visual form, as requested;

**Location of processing operations**
Locations where the Data will be processed by Data Processor and, when applicable, by Sub-processor:

1) SIA Nordigen Solutions, registration number 40103982535, address Jaunā Teika "Teodors", Gustava Zemgala gatve 74, LV-1039, Riga, Latvia
2) Amazon Web Services EMEA SARL, registered address 5 rue Plaetis, L-2338, Luxembourg, data centres located in Dublin, Ireland (European Union).

**Retention requirements**
The retention time of Personal Data stored by the Data Processor:

To the extent of retention according to the purpose of the Data processing.

4.3. The Data Processor shall, when processing Personal Data under this DPT, comply with any Applicable data privacy laws and applicable recommendations by the supervisory authorities or other competent authorities. The Data Processor shall accept to make any changes and amendments to this DPT that are required under Applicable data privacy laws.

4.4. The Data Processor is entitled to process the Data to the extent of retention according to the purpose of the Data processing. The Data Processor is entitled to immediately delete all Data as soon as they are no longer needed for the purpose of processing.

4.5. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable data privacy laws, including but not limited to the Data Controller’s obligation to exercise the data subject's rights to request information (register extracts) and for Personal Data to be corrected, blocked or erased at their request.

4.6. The Data Processor shall in addition not carry out any act that causes the Data Controller to act in breach of Applicable data privacy laws.

4.7. The Data Processor shall immediately inform the Data Controller if the Data Processor does not have an instruction for how to process Personal Data in a particular situation or if an instruction provided under this DPT infringes applicable data privacy laws or is in any way misleading or confusing.

4.8. If data subjects, supervisory authorities or any other third parties request information from the Data Processor regarding the processing of Personal Data covered by this DPT, the Data Processor shall refer such request to the Data Controller. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party. In the event Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that Data Processor processes on behalf of the Data Controller, Data Processor shall be obliged to inform the Data Controller thereof immediately and request confidentiality in conjunction with the disclosure of requested information.

4.9. The Data Processor for cloud computing, data storage and service hosting services may engage a sub-processor Amazon Web Services EMEA SARL, registered address 5 rue Plaetis, L-2338, Luxembourg, with data centres located in Dublin, Ireland (European Union). The Data Controller by signing this DPT warrants and confirms his general written consent that the Data Processor may engage previously mentioned sub-processor in processing of the Data.

4.10. To support Account Aggregation and provide Gateway services (as outlined in Annex 3), the Data Processor may engage the following sub-processors:

4.10.1. Tink AB, company registration number 556898-2192, with office address Vasagatan 11, 111 20 Stockholm, Sweden.

4.10.2. KONTOMATIK UAB with its registered office in Vilnius at Upės 23, LT-08128 Vilnius, Lithuania, holding a legal entity identifier: 304852516, VAT number: LT100011837810, a payment institution providing only the account information service, supervised by the Bank of Lithuania;

4.10.3. KONTOMATIK Sp. z o.o. with its registered office in Warsaw at Prosta 51, 00-838 Warsaw, Poland, registered in the Business Register of the National Court Register kept by the District Court for the capital city of Warsaw, 12th Commercial Division of the National Court Register under number KRS 0000338706, holding Tax Identification Number (NIP): 5213542911, Statistical Number (REGON): 142043500.

4.11. The Data Processor may not engage any other sub-processors without a prior specific or general written consent of the Data Controller. Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of Sub-processors, with a right for the Data Controller to object to such changes.

4.12. The Data Processor shall ensure that approved Sub-processors are bound by written agreements that require them to comply with corresponding Personal Data processing obligations to those contained in this DPT and applicable data privacy laws. The Data Processor shall remain fully liable to the Data Controller for the performance of the Sub-processor's obligations.

4.13. The Data Controller bears all responsibility for the precision, correctness and protection of the Data until the transfer to the Data Processor.

5. TRANSFER TO 3RD COUNTRIES

5.1. The Data Processor may not, without the prior written consent of the Data Controller, transfer Personal Data outside the European Economic Area. If the Data Controller approves of such transfer, the parties shall enter into a binding agreement based on the applicable EU model clauses (Commission Decision on standard contractual clauses for the transfer of Data to third countries). Adherence to “the Privacy Shield Framework”, adopted by the European Commission on 12 July 2016, forms an alternative to the EU model clauses for the Data Processors located in the U.S. For avoidance of doubt, Data Controller acknowledges and approves that the sub-processors mentioned in clauses 4.9. and 4.10. may transfer data outside the European Economic Area if legal grounds under applicable data protection laws for such transfers exist. The Data Controller gives the Data Processor a mandate to, on the Data Controller’s behalf, enter into the European Commission’s model clauses with sub-processors.

6. SAFETY OF THE INFORMATION AND PERSONAL DATA

6.1. The Data Processor shall, in order to assist the Data Controller to fulfil its legal obligations, including but not limited to, security measures and privacy risk assessments, be obliged to take appropriate technical and organizational measures to protect the Data that is processed. The measures shall at least result in a level of security which is appropriate taking into consideration:

6.1.1. existing technical possibilities;

6.1.2. the costs for carrying out the measures;

6.1.3. the particular risks associated with the processing of Personal Data; and

6.1.4. the sensitivity of the Personal Data which is processed.

6.2. The Data Processor shall maintain adequate security for the Data. The Data Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful access. The Personal Data shall also be protected against all other forms of unlawful processing. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the technical and organizational measures to be implemented by the Data Processor shall include as appropriate:

6.2.1. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing the Data;

6.2.2. the ability to restore the availability and access to the Data in a timely manner in the event of a physical or technical incident; and

6.2.3. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

6.3. The Data Processor shall be obliged to ensure that only personnel that directly require access to the Data in order to fulfil the Data Processor’s obligations in accordance with this DPT have access to such information. The Data Processor shall ensure that such personnel are bound by a confidentiality obligation concerning this Data to the same extent as the Data Processor in accordance with this DPT and that they are informed how they may process the Data.

6.4. The Data Processor shall take all necessary actions to assist and shall promptly notify the Data Controller in relation to any accidental or unauthorized access to Personal Data or any other security incidents (Personal Data breach) immediately if possible – but in no case later than 24 hours upon becoming aware of such incidents. The notification shall at least:

6.4.1. describe the nature of the Personal Data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;

6.4.2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

6.4.3. describe the likely consequences of the Personal Data breach;

6.4.4. describe the measures taken and proposed to be taken by the Data Controller to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

6.5. The duties of confidentiality set forth in this section shall survive the expiry or termination of the DPT.

7. TERM OF THE DPT

7.1. The provisions in this DPT shall apply during the duration of the Terms and during such time that the Data Processor processes the Data in respect of which the Data Controller is the data controller;

7.2. The Data Controller shall be entitled to terminate this DPT immediately and prohibit the Data Processor from further processing Personal Data if the Data Processor does not fulfil its obligations mentioned in this DPT, including but not limited to: breaching Personal Data processing instructions, failing to pass an audit, or not being compliant with Applicable data privacy laws.

8. GOVERNING LAW AND DISPUTES

8.1. This DPT shall be governed by the same laws and regulations as the Terms, and in the order specified in the terms and conditions of the Terms.

8.2. Any disputes resulting from this DPT shall be determined by the same laws and regulations as the Terms, and in the order specified in the terms and conditions of the Terms.

9. THE COMPLETION OF DATA PROCESSING

9.1. Upon expiry of the Terms and this DPT, the Data Processor shall, at the choice of the Data Controller as communicated to the Data Processor, delete or return all Data to the Data Controller and shall ensure that any Sub-processor does the same. Upon request by the Data Controller, the Data Processor shall provide a written notice of the measures taken regarding the Data upon the completion of the processing.

10. COMPENSATION

10.1. The Data Processor shall not be entitled to any compensation for carrying out its obligations under this DPT. The Data Processor is entitled to compensation for provision of services according to the Terms.

11. LIABILITY

11.1. The Data Processor and the Data Controller each independently are entitled to take measures necessary to verify that respective Party is able to comply with its obligations under this DPT and respective governing laws, including but not limited to the Latvian Personal Data Protection Act and its subordinate legislation as well as to the GDPR and other binding laws and regulations, and that respective Party has in fact undertaken the measures to ensure such compliance. Nordigen's liability hereunder shall be limited to a total sum equal to the fees paid by Client during the calendar year of the damaging event. Under no circumstances shall Nordigen be liable for loss of profit or any other indirect damages or loss, including any liability of the other party to compensate a third party.

11.2. The Parties undertake to coordinate and interact with each other in the Data processing process.

12. NOTICES

12.1. All notices and other communications under this DPT from one party to the other shall be done as described in Terms. If the Terms do not describe it, then all notices and other communications under this DPT from one party to the other shall be done in writing and delivered by email, messenger or registered mail to the parties’ above-mentioned addresses or to the addresses last notified.