
Project Hafnia VLM Services - Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (the “Terms”) and supplements the Terms governing our Processing of Personal Data in Customer Data in connection with providing VLM services capabilities to Customer. All capitalized terms not defined in this DPA will have the meaning given to them in the Terms.

In the event of any conflict between certain provisions of this DPA and the provisions of the Terms, the provisions of this DPA shall prevail over the conflicting provisions of the Terms, solely with respect to the Processing of Personal Data.

 
1 Definitions

1.1 “Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.

 

1.2 “Data Processor” means the natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of Data Controller.

 

1.3 “Data Protection Laws” means all applicable laws and regulations regarding the Processing of Personal Data.

 

1.4 “Data Subject” means an identified or identifiable natural person.

 

1.5 “Data Subject Request” means requests or objections made by Data Subjects pursuant to Data Protection Laws.

 

1.6 “Personal Data” means any information relating to a Data Subject, uploaded by or for Customer or Customer's agents, employees, or contractors to the Services as Customer Data.

 

1.7 “Process,” “Processed,” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

 

1.8 “Security Incident” means a breach of Project Hafnia's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.

 

1.9 “Sub-Processor” means any legal person or entity engaged in the Processing of Personal Data by Data Processor.

 
2 Processing Scope

2.1 Roles. We will act as Data Processor to Customer. Customer will act as Data Controller (unless Customer is a Data Processor, in which case we will act as a Sub-Processor to Customer). Each party will comply with Data Protection Laws in the performance of this DPA. Customer acts as a single point of contact and will obtain any relevant authorizations, consents and permissions for our processing of Personal Data in accordance with this DPA.

 

2.2 Instructions. The Terms constitutes Customer's initial written instructions to us for Processing Personal Data. Customer may issue additional or alternate instructions provided that such instructions are agreed in writing between Customer and us.

 

2.3 Processing Nature, Scope, and Purpose. We will only Process Personal Data in accordance with Customer's instructions, as explicitly authorized in writing, or as required under applicable law, provided that we will inform Customer of the legal requirements before Processing. Customer acknowledges all Personal Data it instructs us to Process for the purpose of providing Services must be limited to Customer Data Processed within the Services. Customer Data Processing details conducted under this DPA are set forth in Appendix 1.

 
3 Data Processor

3.1 Data Controller's Instructions. Given the nature of the processing, Customer agrees that it is unlikely that Project Hafnia would be aware that compliance with Customer's instructions would result in a violation of Data Protection Laws. However, Project Hafnia will promptly notify Customer if Project Hafnia believes compliance with Customer's instructions would result in a violation of Data Protection Laws.

 

3.2 Data Processor Personnel. Persons authorized by Project Hafnia to Process Personal Data will be bound by appropriate confidentiality obligations.

 

3.3 Data Security Measures. Project Hafnia will maintain appropriate technical and organizational safeguards to protect the security, confidentiality, and integrity of Customer Data, including any Personal Data contained therein, as set forth in Section 6.

 

3.4 Data Processor Assistance. Project Hafnia will assist Customer as reasonably requested by Customer to facilitate Customer's compliance with obligations under Data Protection Laws in connection with Project Hafnia's Processing of Personal Data, at Customer's cost, taking into account the nature of Processing and information available to Project Hafnia.

 
4 Requests Made From Data Subjects and Authorities

4.1 Data Subject Rights. Each party will abide by Data Protection Laws and will ensure transparent information and appropriate channels for the exercise of Data Subject Rights, including during the collection of Personal Data or when responding to Data Subject Requests.

 

4.2 Requests From Data Subjects. Unless prohibited by law, Project Hafnia will promptly notify Customer of any Data Subject Requests and Customer hereby authorizes Project Hafnia to inform the Data Subject that Customer has been notified.

 

4.3 Responses. Customer will be solely responsible for responding to Data Subjects regarding any Data Subject Requests. Project Hafnia will reasonably support Customer in relation to Data Subject Requests, such as by forwarding any Data Subject Requests to Customer.

 

4.4 Requests From Authorities. In the case of a government body, data protection authority, or law enforcement agency notice, audit, inquiry, or investigation regarding the Processing of Personal Data, Project Hafnia will promptly notify Customer unless prohibited by applicable law. If any government body, data protection authority, or law enforcement agency sends Project Hafnia a demand for Customer Data, Project Hafnia will attempt to redirect such authority to request that data directly from Customer. As part of this effort, Customer authorizes Project Hafnia to provide Customer's basic contact information to such authority. If Project Hafnia is legally required to disclose Customer Data to a government body, data protection authority, or law enforcement agency, then Project Hafnia will notify Customer without undue delay of the demand to allow Customer to seek a protective order or other appropriate remedy unless Project Hafnia is legally prohibited from doing so.

 

4.5 Assistance. At Customer's request, Project Hafnia will provide reasonable assistance and cooperation to Customer in the preparation of any response to Data Subject Request or to requests from authorities taking into account the nature of the Processing by Project Hafnia.

 
5 Security Incident

5.1 Notification. Project Hafnia will notify Customer of a Security Incident commensurate with applicable laws and regulations, without undue delay after becoming aware of the Security Incident that relates to Customer Data. Project Hafnia will take appropriate measures to investigate and address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident. Project Hafnia's notification of, or response to, a Security Incident is not an acknowledgment by Project Hafnia of any fault or liability with respect to the Security Incident.

 

5.2 Project Hafnia Assistance. To enable Customer to notify a Security Incident to supervisory authorities or data subjects (as applicable), Project Hafnia will cooperate with and assist Customer by including in the notification under Section 5.1 such information about the Security Incident as Project Hafnia is able to disclose to Customer, taking into account the nature of the processing, the information available to Project Hafnia, and any restrictions on disclosing the information, such as confidentiality.

 

5.3 Unsuccessful Security Incidents. Customer agrees that an unsuccessful Security Incident will not be subject to this Section 5. An unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any of Project Hafnia's equipment or facilities storing Customer Data, and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.

 

5.4 Communication. Notification of Security Incidents to impacted Customer, if any, will be delivered to one or more of Customer's administrators by any means Project Hafnia selects, including via encrypted email or other secured method. It is Customer's sole responsibility to ensure Customer's administrators maintain accurate contact information on the Project Hafnia Services at all times.

 
6 Technical and Organizational Measures

Project Hafnia will implement and maintain appropriate technical and organizational measures (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of its Personal Data as well as the risks to individuals) as set forth in the Security Standards in Appendix 2. Given the nature of the Processing, Customer is solely responsible for making an independent determination as to whether the technical and organizational measures for Services as described in the Security Standards meet Customer's requirements, including any of its security obligations under applicable Data Protection Laws. By entering into this DPA, Customer acknowledges and agrees that the technical and organizational measures implemented and maintained by Project Hafnia provide a level of security appropriate to the risk with respect to its Personal Data. Customer is responsible for implementing and maintaining privacy protections and security measures for components that Customer provides or controls. Project Hafnia may change the technical and organizational measures as described in the Security Standards at any time without notice so long as any new or additional measures serve the same purpose without diminishing the security level protecting Personal Data.

 
7 Sub-Processors

7.1 Use of Sub-Processors. Customer authorizes Project Hafnia to engage Sub-Processors appointed in accordance with this Section 7. Project Hafnia engages, as applicable, the Sub-Processors listed in Appendix 3 below for the Services.

 

7.2 New Sub-Processors. Prior to Project Hafnia engaging a new Sub-Processor for existing Services that Customer has purchased, Project Hafnia will (a) notify Customer via the Services or by email; and (b) provide the notice described in the preceding sentence at least 30 days before engaging a Sub-Processor. If a Sub-Processor is engaged to support new Services or a new feature of the existing Services, then the notice described in this Section will be provided at or before the time such feature or Services are made generally available. You further acknowledge that an electronic notification satisfies any applicable legal notification requirements, including that such notification will be in writing. Any notice to you will be deemed given upon receipt of delivery.

 

7.3 Right to Object. To object to a Sub-Processor, Customer can terminate the Terms by providing a written notice to Project Hafnia, which termination will take effect no later than 30 days from the date of Project Hafnia's notice to Customer informing Customer of the new Sub-Processor. If Customer does not terminate the Terms within this 30-day period, Customer will be deemed to have accepted the new Sub-Processor, or should cease using the Services for which Project Hafnia has engaged the Sub-Processor.

 

7.4 Sub-Processor Obligations. Where Project Hafnia authorizes a Sub-Processor as described in Section 7.1: (a) Project Hafnia will restrict the Sub-Processor's access to Customer Data only to what is necessary to provide or maintain the Services, and Project Hafnia will prohibit the Sub-Processor from accessing Customer Data for any other purpose; (b) Project Hafnia will enter into a written agreement with the Sub-Processor and, to the extent that the Sub-Processor performs the same data Processing Services provided by Project Hafnia under this DPA, Project Hafnia will impose on the Sub-Processor the same data protection obligations that Project Hafnia has under this DPA; and (c) Project Hafnia will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor that cause Project Hafnia to breach any of Project Hafnia's obligations under this DPA.

 
8 International Data Transfers

8.1 Transfer Mechanism. If and to the extent there are transfers of Customer Data as necessary to operate the Services, including troubleshooting, the transfer of Personal Data from the European Economic Area (“EEA”), the United Kingdom, or Switzerland to a country located outside of the EEA which is not subject to an adequacy decision (a “Data Transfer”) will be subject to the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as annexed to Commission Implementing Decision 2021/914 (“SCCs”), which are incorporated into this DPA by this reference (and, in relation to the United Kingdom or Switzerland, as amended or supplemented in accordance with this Section 8).

 

8.2 Application of SCCs.

8.2.1 Modules. Module Two (Data Controller to Data Processor) will apply to a Data Transfer when Customer is a Data Controller. Module Three (Data Processor to Data Processor) will apply to a Data Transfer when Customer is a Data Processor.

8.2.2 Optional Provisions. Where the SCCs identify optional provisions:
(a) in Clause 7 (Docking Clause) – the optional provision does not apply;
(b) in Clause 9(a) (Use of Sub-Processors) – Option 2 applies (and the parties will follow the process and timings agreed in this DPA to appoint Sub-Processors);
(c) in Clause 11(a) (Redress) – the optional provision does not apply;
(d) in Clause 17 (Governing law) – Option 1 applies, and where the Terms is governed by the laws of an EU Member State, the laws of that EU Member State apply; otherwise, the law of Denmark applies; and
(e) in Clause 18(b) (Choice of forum and jurisdiction) – where the Terms is subject to the jurisdiction of the courts of an EU Member State, the courts of that EU Member State have jurisdiction; otherwise, the courts of Copenhagen, Denmark have jurisdiction.

8.2.3 Annexes of SCCs.
(a) In Annex 1A: the data exporter(s) is Project Hafnia and its Affiliates making the Data Transfer (the “Data Exporter”) and the data importers are Customers outside the EEA receiving the Data Transfer (the “Data Importer”). The full name, address, and contact details for the Data Exporter and the Data Importer are set out in the Terms, or can be requested by either party.
(b) In Annex 1B: the relevant details are those set out in the Terms, including Appendix 1 “Details of Processing” of this DPA.
(c) In Annex 1C: the competent supervisory authority is the supervisory authority applicable to Project Hafnia.
(d) In Annex 2: the security provisions contained in Appendix 2 or other security-related provisions in the Terms apply.

 

8.3 Interaction with the Terms. All notices, requests, monitoring/audit rights, conduct of claims, liability, and erasure or return of data relating to the SCCs will be provided/managed/interpreted, as applicable, in accordance with the relevant provisions in the Terms, to the extent that such provisions do not conflict with the SCCs.

 

8.4 Transfers Subject to Swiss Data Protection Law. If there is a Data Transfer subject to Data Protection Laws of Switzerland, then the SCCs will apply with the following modifications: the competent supervisory authority in Annex 1.C under Clause 13 will be the Federal Data Protection and Information Commissioner; references to a “Member State” and “EU Member State” will not be read to prevent data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland); and references to “GDPR” in the SCCs will be understood as references to Data Protection Laws of Switzerland.

 

8.5 Transfers Subject to UK Data Protection Law. If there is a Data Transfer subject to Data Protection Laws of the United Kingdom, then the International Data Transfer Addendum to the SCCs (“UK IDTA”), as issued by the Information Commissioner in the United Kingdom, will apply and is incorporated by reference into this DPA. The information needed to complete the Tables to the UK IDTA is set out in the Terms, including Appendix 1 “Details of Processing” of this DPA.

 

8.6 Execution. Notwithstanding the fact that the SCCs and/or UK IDTA are incorporated herein by reference without the signature pages of the SCCs actually being signed by the Data Exporter or Data Importer, the parties agree that their respective execution of the Terms is deemed to constitute their execution of the SCCs and/or the UK IDTA on behalf of the Data Exporter/Data Importer (as applicable).

 

8.7 Alternative Mechanisms. If an alternative transfer mechanism, such as Binding Corporate Rules, is adopted by Project Hafnia, or the Trans-Atlantic Data Privacy Framework (an “Alternative Mechanism”) becomes necessary during the term of the Terms for the provision of Services, Project Hafnia will notify Customer and the parties will rely on the Alternative Mechanism.

 
9 Additional Terms for Personal Data Subject to the CCPA

In addition to the terms of this DPA, if and to the extent Project Hafnia Processes Personal Data that is subject to the California Consumer Privacy Act, as amended (including, without limitation, by the California Privacy Rights Act) (hereafter “CCPA”), then the following terms apply. For the purposes of this Section 9, “business”, “business purpose”, “collects”, “consumer”, “person”, “personal information”, “processing”, “sell”, “service provider” and “share” have their respective meanings as set forth in the CCPA.
(a) Project Hafnia will comply with all applicable obligations under the CCPA, including by providing the same level of privacy protection as required by the CCPA;
(b) Customer may take those reasonable and appropriate steps set forth in this DPA and the Terms to ensure that Project Hafnia uses the personal information in a manner consistent with Customer's obligations under the CCPA;
(c) Project Hafnia will notify Customer if Project Hafnia makes a determination that Project Hafnia can no longer meet its obligations under the CCPA;
(d) Customer may, upon notice (including a notice described in (c) immediately above), take those reasonable and appropriate steps set forth in this DPA and the Terms to stop and remediate unauthorized use of personal information;
(e) Project Hafnia will not sell or share any personal information;
(f) Project Hafnia will not retain, use, or disclose any personal information for any purpose other than the business purposes specified in this DPA, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purpose specified in this DPA, or as otherwise permitted by the CCPA;
(g) Project Hafnia will not retain, use, or disclose personal information for any purpose other than for the direct business relationship between Project Hafnia and Customer;
(h) Project Hafnia will not combine any personal information with personal information that is not in the Controller Data that it receives from, or on behalf of, another person or business, or that Project Hafnia collects from its own interactions with the consumer outside of the business purposes and the direct business relationship between Project Hafnia and Customer, except as permitted by the CCPA; the parties acknowledge and agree that any combining contemplated by the Services is being performed by Project Hafnia for the business purposes and the direct business relationship between Project Hafnia and Customer; and
(i) Customer may monitor Project Hafnia's compliance with this Section in accordance with the audit terms set forth in this DPA.

 
10 Audit

Project Hafnia will make available to Customer on request information reasonably necessary to demonstrate compliance with this DPA in the form of certification or audit reports where available. In the absence of certification or audit reports or if compliance with this DPA cannot be reasonably ascertained through certification or audit reports, Project Hafnia and Customer will mutually agree, at Customer's cost, on the scope and timing of any additional requests not to exceed once every 12 months. Information shared including any reports are subject to confidentiality requirements.

 
11 Termination

This DPA will remain in effect until termination of the Terms. Upon termination of the Terms, or at Customer's written request, Project Hafnia will delete Customer Data in its possession or control within 30 days unless Project Hafnia is required by applicable law to retain Customer Data or an alternative agreement is agreed upon. Project Hafnia will certify compliance upon Customer's written request.

 
Appendix 1

Details of Processing

1 Subject matter. The subject matter of the data processing under this DPA is Personal Data included in Customer Data.

2 Duration. As between Project Hafnia and Customer, the duration of the data processing under this DPA is the term of the Terms.

3 Purpose and nature. Project Hafnia shall Process Personal Data for the following purposes: (a) in accordance with the Terms; (b) in connection with its provision of the Services; (c) to comply with Customer’s reasonable and documented instructions, where such instructions are consistent with the Terms, and regard the manner in which the Processing shall be performed; (d) to share Personal Data with, or receive Personal Data from, third parties in accordance with Customer’s instructions and/or pursuant to Customer’s use of the Services (e.g., integrations between the Services and any services provided by third parties as configured by or on behalf of Customer); (e) rendering Personal Data anonymous; and (f) as required under the laws applicable to Project Hafnia, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority.

4 Type of Personal Data. Personal Data included in Customer Data which is uploaded to the Services.

5 Categories of data subjects. The data subjects could include Customer’s customers, employees, suppliers, agents, partners, and/or end users.

 
Appendix 2
Organizational Security

Quarterly and ad hoc review of:

  • Periodic Accesses
  • Security measures
 
Storage and processing Model

Tenancy model based on data classification and criticality

  • Siloed approaches for highly sensitive data
  • Bridge model with separated storage and processing layer for the rest

Systematic segregation of the Control plane (data processing and modification) from the Data plane (data transfer and storage).

 
Data and Network perimeter

Preventive controls following the principle that only our trusted identities access trusted resources from expected networks.
Segregation of the user, application and data layers, applying the zero-trust principle to API actions, authentication, authorization and network controls.
The same approach is applied between the microservices present in each layer and between the environments defined by our development lifecycle: development, staging and production.
Our controls also cover intrusion detection and prevention.

 
Access Management

Strict, fine-grained IAM:

  • Role Based Access Controls
  • Multi-Factor Authentication
  • Privileged Identity Management
  • Just-In-Time access
  • Short-Lived Credentials
 
Data Encryption

Encryption:

  • At rest - AES-256
  • In transit - TLS
 
Data Consistency

Regular integrity checks
Automated retention mechanisms

 
Vulnerability Management and Monitoring

Vulnerability checks:

  • Ransomware Protection applied
  • Vulnerability Scanning for infrastructure and code
  • Regular penetration tests

Established processes for mitigating discovered vulnerabilities

 
Logging and Monitoring

Comprehensive, alert-enabled logging and auditing for:

  • System logs
  • Application logs
  • Access logs
  • Configuration changes
  • Anomaly detection and response
 
Incident Management

Controls for the detection of, and processes for responding to, incidents.
Defined procedures for data and infrastructure breaches.
Established processes for continuous improvement and incident mitigation.

 
Supplier Risk Management

Vendor and partner due diligence

 
Appendix 3
Sub-Processor List

Project Hafnia engages with the following Sub-Processors in respect of the Services:
Sub-Processor - Activity - Location
AWS - Hosting & compute - US