Data Processing Agreement

1.1 Customer as a controller. If the Customer is a controller of that Customer Data under Applicable Privacy Law:

1.1.1 the subject-matter and details of the processing are described in Section 2;

1.1.2 CHCNAV is a processor of that Customer Data under Applicable Privacy Law;

1.1.3 each party will comply with the obligations applicable to it under Applicable Privacy Law with respect to the processing of that Customer Data.

1.2  Controller requests. During the term of this DPA, if CHCNAV receives a request or instruction from a third party purporting to be a controller of Customer Data, CHCNAV will advise the third party to contact the Customer.

2.1 Subject-matter. The subject-matter of the processing is the provision of the Services to the Customer by CHCNAV.

2.2 Duration. The duration of the processing will be the Terms of Use plus the period from the end of the Terms of Use until the deletion of all Customer Data in accordance with this DPA.

2.3 Nature and purpose of the processing. The nature and purpose of the processing is computing, storage and other cloud services available on the CHCNAV network to ensure the Customer’s access to and use of the Services under the the Terms of Use.

2.4 Types of personal data. The types of personal data are data relating to individuals about whom data is provided to CHCNAV by (or at the direction of) the Customer or by End Users.

2.5 Categories of data subjects. The categories of data subjects include individuals about whom data is provided to CHCNAV by (or at the direction of) the Customer or by End Users, in particular the Customer’s (i) employees, (ii) suppliers, (iii) End Users, (iv) clients.

3.1 Lawfulness. Each Party will comply with Applicable Privacy Laws in relation to the performance of this DPA. Each Party will be able to demonstrate such compliance.

3.2 Information. CHCNAV will make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA.

3.3 Customer’s instructions. The parties agree that this DPA and the the Terms of Use constitute the Customer’s documented instructions regarding CHCNAV’s processing of Customer Data (“Instructions”). CHCNAV will process Customer Data only in accordance with the Instructions.

3.4 Notification. Taking into account the nature of the processing, the Customer agrees that it is unlikely that CHCNAV can form an opinion on whether Instructions infringe Applicable Privacy Law. However, if CHCNAV forms such an opinion, CHCNAV will immediately notify the Customer if, in CHCNAV’s opinion: (a) Applicable Privacy Law prohibits CHCNAV from complying with the Instructions; (b) the Instructions do not comply with Applicable Privacy Law; or (c) CHCNAV is otherwise unable to comply with the Instructions, in each case unless such notice is prohibited by Applicable Privacy Law. This Section does not limit either party’s rights or obligations elsewhere in the the Terms of Use.

3.5 Scope of Instructions. As a processor, CHCNAV will process Customer Data as necessary to provide, secure and monitor the Services, and will not collect, use, retain, access, share, sell, transfer, or otherwise process Customer Data for any purpose not related to providing such Services, for any purpose other than as set out in the the Terms of Use, this DPA or otherwise required by Applicable Privacy Law.

4.1 Personnel. CHCNAV will ensure that persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2 Disclosure. Without prejudice to Sections 3.5 above and 9 below, CHCNAV will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order by a competent public authority (such as a subpoena or court order). If CHCNAV is summoned by the competent public authorities to disclose Customer Data, CHCNAV will try to redirect such summons to the Customer. This may include providing the Customer’s basic contact information to the competent public authority. If CHCNAV is legally obliged to disclose Customer Data to a competent public authority, CHCNAV will provide the Customer with reasonable notice of the order to allow the Customer to take necessary remedies, unless CHCNAV is legally prohibited from doing so.

5.1 Security Measures. CHCNAV will implement and maintain the Security Measures. The Security Measures include measures to encrypt personal data; to help ensure the ongoing confidentiality, integrity, availability and resilience of CHCNAV’s systems and services; to help restore timely access to personal data following an incident; and to test effectiveness regularly. CHCNAV may update the Security Measures from time to time provided that such updates do not result in a material reduction of the security of the Services.

5.2 Access to Customer Data. CHCNAV will (a) authorize its employees, contractors and Sub-Processors to access Customer Data only as strictly necessary to comply with Instructions; and (b) take appropriate steps to ensure that its employees, contractors and Sub-Processors comply with the Security Measures to the extent applicable to their scope of performance.

5.3 Additional Security Controls. CHCNAV will make Additional Security Controls available to: (a) allow the Customer to take steps to secure Customer Data; and (b) provide the Customer with information about securing, accessing and using Customer Data.

5.4 Security Assistance. CHCNAV will assist the Customer in ensuring compliance with its obligations pursuant to Articles 32 to 34 of the GDPR, taking into account the nature of the processing of Customer Data and the information available to CHCNAV, by:

5.4.1 implementing and maintaining the Security Measures in accordance with Sections 5.1 and 5.2;

5.4.2 making Additional Security Controls available to the Customer in accordance with Section 5.3;

5.4.3 complying with the terms of Section 6;

5.4.4 providing the Customer with additional reasonable cooperation and assistance, at the Customer’s request, if subsections 5.4.1 - 5.4.3 above are insufficient for the Customer (or the relevant controller) to comply with such obligations. Any reasonable costs incurred by CHCNAV in complying with this Section will be borne solely by the Customer.

5.5 Customer’s Security Responsibilities. Without prejudice to CHCNAV’s obligations under Sections 5.1 - 5.4, Section 6 and elsewhere in the DPA or the the Terms of Use, the Customer is responsible for its use of the Services and its storage of any copies of Customer Data outside CHCNAV’s or Sub-Processors’ systems, including:

5.5.1 using the Services and Additional Security Controls to ensure a level of security appropriate to the risk to the Customer Data;

5.5.2 securing the Account authentication credentials, systems and devices the Customer uses to access the Services; and

5.5.3 backing up its Customer Data as appropriate.

6.1 Notification. CHCNAV will notify the Customer without undue delay after becoming aware of a personal data breach. Such notification(s) will be delivered using the contact information provided by the Customer by any means CHCNAV selects, including but not limited to email, SMS, etc. It is the Customer’s sole responsibility to ensure that the Customer’s administrators/personnel maintain accurate contact information in the Account at all times.

6.2 Assistance. In case of a personal data breach, CHCNAV will assist the Customer in ensuring compliance with the obligations pursuant to Article 33 and/or Article 34 of the GDPR, taking into account the nature of the processing and the information available to CHCNAV.

CHCNAV shall deal about the Processing of Personal Data in accordance with this DPA. The Customer may exercise its audit rights or empower a third-party to do so on its behalf. In order to exercise this right, the Customer will notify CHCNAV by written notice at least 30 days in advance of the intended commencement of any audit. If CHCNAV declines to comply with Customer audits or inspections as provided for under applicable Data Protection regulations, the Customer is entitled to terminate this DPA and the the Terms of Use. Unless otherwise agreed in writing, any reasonable costs incurred by CHCNAV in complying with this Section (excluding routine compliance audits that CHCNAV is obligated to conduct under Applicable Privacy Law) will be borne solely by the Customer. 'Reasonable costs' are defined as those costs that are necessary and appropriate for the completion of the audit process. This includes administrative burdens, such as efforts in providing (redacted) copies of reports and documents to the Customer that are not publicly available. If the Standard Contractual Clauses apply, nothing in this Section varies or modifies the Standard Contractual Clauses or affects any Supervisory Authority’s or data subject’s rights under the Standard Contractual Clauses.

8.1 Compliance. In addition to the assistance obligations under Section 5.4 above, CHCNAV will assist the Customer in ensuring compliance with its obligations pursuant to Articles 35 and 36 of the GDPR, taking into account the nature of the processing of Customer Data and the information available to CHCNAV.

8.2 Data subject rights. CHCNAV, taking into account the nature of the processing, will assist the Customer in fulfilling its obligations to respond to data subjects’ requests to exercise their rights as laid down in Chapter III GDPR. CHCNAV offers the Customer, via the functionalities of the Account, the possibility to take actions necessary to respond to any data subject request related to Customer Data. The assistance required under the GDPR from CHCNAV is exhausted by offering the functionalities of the Account, and because CHCNAV will forward data subjects’ requests received to the Customer. The specific technical and organisational measures for such assistance, as well as the scope and extent of the assistance, are set out in Annex II of the SCCs attached hereto.

8.3 Data subject requests. CHCNAV, using commercially reasonable efforts, will promptly forward to the Customer any request it has received from a data subject. If customer want to exercise the privacy rights, or wish to raise or consult CHCNAV on data subject request please connect us via datacompliance@huace.cn. Any reasonable costs incurred by CHCNAV in complying with this Section will be borne solely by the Customer.

9.1 General authorisation. The Customer agrees that CHCNAV may engage Sub-Processors for carrying out specific processing activities on behalf of the Customer.

9.2 Changes to the Sub-Processors List. CHCNAV will make available to the Customer information of any intended changes to the Sub-Processors List including the identity and the general location of the Sub-Processor, at least 15 days in advance by updating the Sub-Processors List and sending notice to the Customer.

9.3 Obligations regarding Sub-Processors. Where CHCNAV engages a Sub-Processor as set out in Sections 9.1 CHCNAV will:

9.3.1 ensure via a written contract that:

9.3.1.1 the Sub-Processor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the the Terms of Use (including this DPA); and

9.3.1.2 the data protection obligations described in this DPA (as referred to in Article 28(3) of the GDPR, if applicable) are imposed on the Sub-Processor; and

9.3.2 remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-Processor.

10.1 Data storage and processing facilities. The region in which Customer Data will be processed can only be specified by the Customer. In EU region, CHCNAV data centers are located in Ireland - Dublin. If customer choose EU region, all the customer data will be stored in Ireland-Dublin.

In Non-EU region, CHCNAV data centers are located in the Sub-Processors List. If customer choose Non-EU region, all the customer data will be stored in the Customer’s selected Non-EU region located in the Sub-Processors List.

10.2 Transfers to Third Countries. Where a Customer wishes to process personal data in a Non-EU region, this can only be achieved at the direction and specification of the Customer by means of a written instruction from customer to CHCNAV.

Any transfer of the Customer Data from the Customer’s selected region(s) can be done by CHCNAV only if: (a) this is necessary to provide the Services requested by the Customer, in particular to investigate a security incident or violation of the the Terms of Use, or (b) as necessary to comply with applicable laws and regulations or a binding order issued by a court or competent public authority.

Where transfers to a third-country outside of the EEA may take place at the behest of a customer by means of written Service the Terms of Use, this will only be done on the basis appropriate safeguards as set out in the GDPR, in particular the signature the Standard Contractual Clauses approved by the European Commission Implementing Decision (EU) 2021/914 and the implementation of sufficient technical and organizational measures.

The selection of appropriate Clauses shall be determined based on the role of the Customer in the context of the corresponding personal data processing.

Where the Customer is an EU-established Data Controller that engages CHCNAV to act as a Data Processor in respect of the Personal Data, the Controller-to-Processor (C2P) SCCs (Module 2) adopted by Commission Implementing Decision (EU) 2021/914 shall apply mutatis mutandis.

Where the Customer acts as a Data Processor engaging CHCNAV to perform further Processing of the Personal Data in connection with the Services, the Processor-to-Processor (P2P) SCCs (Module 3) adopted by Commission Implementing Decision (EU) 2021/914 shall apply mutatis mutandis.

10.3 Transfers to Adequate Countries. The parties acknowledge that Applicable Privacy Law does not require Standard Contractual Clauses in order for Customer Data to be processed in or transferred to an Adequate Country.

11.1 Return or Deletion of Personal Data. Via the functionalities of the Account, CHCNAV will provide the Customer with the ability to delete Customer Data in its entirety at any time, subject to the terms of the the Terms of Use, unless the Applicable Privacy Law requires storage of the Customer Data. CHCNAV will delete Customer Data if required by the Customer, or the Customer closes its Account, or as otherwise described in the the Terms of Use (e.g., upon termination of an extended and/or retention period).

11.2 Deletion authorization. The Customer instructs CHCNAV to delete all Customer Data as set out in Section 11.1.

12.1 Processing records. CHCNAV will keep appropriate documentation of its processing activities as required by the Applicable Privacy Law. To the extent the Applicable Privacy Law requires CHCNAV to collect and maintain records of certain information relating to the Customer, the Customer will use the controls and functionalities provided by CHCNAV to supply such information and keep it accurate and up-to-date. CHCNAV may make any such information available to the Supervisory Authorities if required by the Applicable Privacy Law.

In consideration of the mutual obligations in this DPA, the Parties agree that this DPA is subject to the governing law and jurisdiction set out in the the Terms of Use.

Unless otherwise defined in the the Terms of Use, all capitalized terms used in this DPA will have the meanings given to them below:

“Additional Security Controls” means security resources, features, functionality and/or controls that the Customer may use at its option and/or as it determines, including encryption, logging and monitoring, identity and access management, security scanning, and firewalls.

“Adequate Country” means (a) for data processed subject to the GDPR – the members states of the EEA or a country or territory that is the subject of an adequacy decision issued by the European Commission under Article 45(1) of the GDPR; (b) for data processed subject to the FDPA – Switzerland, or a country or territory that (i) is included in the list of states whose legislation ensures an adequate level of protection as published by the Swiss Federal Data Protection and Information Commissioner, or (ii) is the subject of an adequacy decision by the Swiss Federal Council under the FDPA, (c) for data processed subject to other Applicable Privacy Law – countries or territories considered as assuring adequate protection in line with such law.

“Applicable Privacy Law” means, as applicable: (a) the GDPR; and/or (b) the FDPA and/or (c) the Serbian DP Law, and / or, (d) the Ukrainian DP Law, and other data protection or privacy laws in force in the member states of the EEA and/or Switzerland, Serbia or Ukraine, and any legislation and/or regulation which amends, replaces, re-enacts or consolidates any of them, relating to the processing of Customer Data under this DPA and the the Terms of Use.

"Customer" means the party entering into this DPA, acting either in its personal capacity or on behalf of a legal entity, together with its Authorized Affiliates which shall include End Users.

“End User”means any person the Customer allows to access and use the Services and/or Your Content.

“Customer Data” means personal data contained in Your Content.

“EEA” means the European Economic Area.

“FDPA” means the Swiss Federal Data Protection Act of 19 June 1992 and the new Swiss Act on Federal Data Protection of 25 September 2020.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). A reference to the particular GDPR provisions also relates to the respective provisions of Applicable Privacy Law that provide for substantially similar rights or obligations in the respective provisions of the GDPR.

“SCCs” or “Standard Contractual Clauses” means the standard data protection clauses for the transfer of personal data to third countries adopted by the European Commission implementing decision (EU) 2021/914 of 4 June 2021.

“SCCs (Module 2)” means the terms of the Standard Contractual Clauses Module Three: Transfer controller to processor, available at: [insert the SCCs-CP link].

“SCCs (Module 3)” means the terms of the Standard Contractual Clauses Module Three: Transfer processor to processor, available at:  [insert the SCCs-PP link].

“Security Measures” means technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

“Serbian DP Law” means the Serbian Law on Personal Data Protection (“Official Gazette of the Republic of Serbia”, No. 87/2018)/

“Sub-Processor” means a third party engaged by CHCNAV and authorized as another processor to have logical access to and process Customer Data in order to provide parts of the Services.

“Sub-Processors List” means a list of approved Sub-Processors available at: Appendix 1. CHCNAV will only provide services from some or all of the Sub- Processors specified by the customers.

“Supervisory Authority” means, as applicable: (a) a “supervisory authority” as defined in the GDPR; and/or (b) the “Commissioner” as defined in the FDPA.

“Third Country” means a country that is not an Adequate Country.

“Ukrainian DP Law” means the Law of Ukraine on Personal Data Protection as of 1 June 2010 No. 2297-VI (as amended) and subordinate legislation adopted thereunder.

In addition, the terms “personal data”, “personal data breach”, “data subject”, “processing”, “controller” and “processor” have the meanings given to them in the Applicable Privacy Law.

Updated: [2025/12/15]

Appendix 1: Sub-Processors List