SUB-PROCESSING AGREEMENT

THIS SUB-PROCESSING AGREEMENT (the "Agreement") forms part of the Sales and Licence Agreement (as defined below) between the Sub-processor and the Processor.

This Agreement is entered into between:

(1) The party identified as the customer in the Sales and Licence Agreement with the Sub-processor, which acts as a data processor in respect of Personal Data (the "Processor"); and

(2) ASSA ABLOY Limited a company incorporated in England and Wales with company number 02096505, whose registered office is at Portobello, School Street, Willenhall, WV13 3PW (the "Sub-processor"),

each a "Party" and together the "Parties".

RECITALS

(A) The Processor is a third party contractor that acts as a data processor on behalf of its customer who is the data controller ("Controller", and being the "Customer" as identified in the relevant Sales and Licence Agreement) and wishes to engage the Sub-processor to Process Personal Data on its behalf in connection with the Services.

(B) The Processor provides supply, installation, and related services to the Controller (being its customer) and requires the Sub-processor to provide the Cliq WebManager cloud-hosted platform (the "Services") for the purpose of managing the Controller's access solution system.

(C) The Personal Data will be hosted on Amazon Web Services ("AWS") servers located in Ireland, and the Sub-processor engages Onward Sub-processors located in Finland, Malta, Poland, and Sweden.

(D) The Parties wish to enter into this Agreement to ensure compliance with applicable Data Protection Laws, including the UK GDPR and the EU GDPR, and to set out their respective rights and obligations in relation to the Processing of Personal Data.

(E) This Agreement is supplemental to and forms part of the sales and licence agreement entered into between the Parties pursuant to which the Sub-processor provides the Services to the Processor and grants the Processor a licence to use the platform for the benefit of Controllers (the "Sales and Licence Agreement").

(F) The Processor warrants that it has entered into, or shall enter into, appropriate data processing agreements with the Controller (being its customer) that comply with Applicable Data Protection Laws and that authorise the Processor to engage sub-processors (including the Sub-processor) to Process Personal Data on behalf of the Controller.

(G) The Parties acknowledge that the Customer (as identified in the relevant Sales and Licence Agreement between the Processor and the Customer) is the data controller in respect of Controller Personal Data, and that the Processor acts as a data processor on behalf of such Customer.

(H) This Agreement shall take effect on the date on which the Sales and Licence Agreement is executed by both Parties or, if later, the date on which the Processor first accesses or uses the Services (the "Effective Date").

NOW IT IS AGREED as follows:

1. DEFINITIONS AND INTERPRETATION

1.1 Definitions

In this Agreement, unless the context otherwise requires, the following terms shall have the meanings set out below:

"Applicable Data Protection Laws" means all laws and regulations relating to data protection, the processing of personal data, and privacy that apply to the Processing of Personal Data under this Agreement, including: (a) the UK GDPR; (b) the Data Protection Act 2018; (c) the Privacy and Electronic Communications Regulations 2003; (d) the EU GDPR (to the extent applicable); and (e) any other applicable national implementing legislation, as amended, replaced, or superseded from time to time.

"Controller" means the Customer (as identified in the relevant Sales and Licence Agreement between the Processor and such Customer), being the data controller on whose behalf the Processor processes Personal Data and for whose benefit the Processor has engaged the Sub-processor to provide the Services.

"Customer" means any customer of the Processor who is identified as the customer in a Sales and Licence Agreement between the Processor and such customer, and who is the data controller in respect of the Personal Data processed in connection with such Sales and Licence Agreement.

"Controller Personal Data" means any Personal Data Processed by the Sub-processor on behalf of the Processor (acting on behalf of one or more Controllers) pursuant to or in connection with this Agreement.

"Main Processing Agreement" means the data processing agreement entered into between the Processor and the relevant Controller (being the Customer) governing the Processing of Personal Data by the Processor on behalf of that Controller.

"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller Personal Data transmitted, stored, or otherwise Processed by the Sub-processor or any Onward Sub-processor.

"Data Protection Impact Assessment" means an assessment by the Controller (or the Processor on behalf of the Controller) of the impact of the envisaged Processing on the protection of Personal Data as required under Article 35 of the UK GDPR and/or Article 35 of the EU GDPR.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"Data Subject Request" means a request made by a Data Subject to exercise any of their rights under Applicable Data Protection Laws in respect of their Personal Data.

"EEA" means the European Economic Area.

"EU GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

"EU SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended, supplemented, or replaced from time to time.

"International Data Transfer" means any transfer of Controller Personal Data from the United Kingdom to a country outside the United Kingdom, or from the EEA to a country outside the EEA, where such transfer is not covered by an adequacy decision or adequacy regulations (as applicable).

"Personal Data" has the meaning given to it in the UK GDPR and, where the EU GDPR applies, includes personal data as defined in the EU GDPR.

"Processing" has the meaning given to it in the UK GDPR and "Process", "Processes", and "Processed" shall be construed accordingly.

"Restricted Transfer" means: (a) where the UK GDPR applies, a transfer of Controller Personal Data from the United Kingdom to a country outside the United Kingdom which is not the subject of UK Adequacy Regulations; and (b) where the EU GDPR applies, a transfer of Controller Personal Data from the EEA to a country outside the EEA which is not the subject of an EU adequacy decision.

"Onward Sub-processor" means any third party (including any Sub-processor Affiliate, but excluding employees of the Sub-processor) appointed by or on behalf of the Sub-processor to Process Controller Personal Data.

"Processor" means the contractor identified in the Sales and Licence Agreement that processes Personal Data on behalf of one or more Controllers (who are its customers) and engages the Sub-processor to Process Personal Data on its behalf.

"Sales and Licence Agreement" means the sales and licence agreement, subscription agreement, order form, or other commercial agreement entered into between the Sub-processor and the Processor pursuant to which the Sub-processor agrees to provide the Services to the Processor, together with any schedules, appendices, or annexes thereto. References to the "Sales and Licence Agreement" in relation to a particular Controller (Customer) means the agreement between the Processor and that Customer pursuant to which the Processor provides services to that Customer utilising the Services provided by the Sub-processor.

"Special Category Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

"Sub-processor" means ASSA ABLOY Limited, being the Party to this Agreement that Processes Controller Personal Data on behalf of the Processor.

"Supervisory Authority" means: (a) the Information Commissioner's Office in respect of the UK GDPR; and (b) any supervisory authority with competent jurisdiction under the EU GDPR.

"Technical and Organisational Measures" means the technical and organisational security measures implemented by the Sub-processor as set out in Appendix 2 to this Agreement.

"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Information Commissioner under Section 119A of the Data Protection Act 2018, as amended, supplemented, or replaced from time to time.

"UK Adequacy Regulations" means regulations made pursuant to Section 17A of the Data Protection Act 2018 specifying that a third country, territory, or international organisation ensures an adequate level of protection for Personal Data.

"UK GDPR" means the retained EU law version of the General Data Protection Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (as amended).

1.2 Interpretation

In this Agreement, unless the context otherwise requires:

(a) references to clauses and appendices are to clauses of and appendices to this Agreement;

(b) headings are for convenience only and shall not affect the interpretation of this Agreement;

(c) words in the singular include the plural and vice versa;

(d) a reference to a statute or statutory provision is a reference to it as amended, extended, or re-enacted from time to time, and includes any subordinate legislation made under it;

(e) any obligation on a Party not to do something includes an obligation not to allow that thing to be done;

(f) the terms "include", "including", "in particular", "for example", or any similar expression shall be construed as illustrative and shall not limit the sense of the words preceding those terms; and

(g) any words following the terms "other" or "otherwise" shall not be given a restrictive meaning because they follow more specific words.

2. DATA PROCESSING

2.1 Scope and Purpose of Processing

The Sub-processor shall Process Controller Personal Data only for the purposes of providing the Services to the Processor as specified in the Sales and Licence Agreement and as further described in Appendix 1 to this Agreement, unless Processing is required by Applicable Data Protection Laws to which the Sub-processor is subject, in which case the Sub-processor shall, to the extent permitted by Applicable Data Protection Laws, inform the Processor of that legal requirement before the relevant Processing of that Controller Personal Data.

2.2 Details of Processing

The subject matter, duration, nature, and purpose of the Processing, the types of Personal Data Processed, and the categories of Data Subjects are as set out in Appendix 1. The Processor acknowledges that Appendix 1 provides an accurate description of the Processing to be carried out under this Agreement.

2.3 Processor Instructions

The Sub-processor shall Process Controller Personal Data only on documented instructions from the Processor (which instructions shall reflect and be consistent with the instructions received by the Processor from the relevant Controller), including with regard to transfers of Controller Personal Data to a third country or an international organisation, unless required to do so by Applicable Data Protection Laws to which the Sub-processor is subject. Where the Sub-processor is required to Process Controller Personal Data by Applicable Data Protection Laws, the Sub-processor shall inform the Processor of such requirement prior to Processing, unless Applicable Data Protection Laws prohibit such notification on important grounds of public interest.

2.4 Written Instructions

The Processor's instructions as at the Effective Date are set out in Appendix 1 and include the provision of the Services in accordance with the Sales and Licence Agreement. The Processor may issue additional written instructions to the Sub-processor from time to time, provided that such instructions are consistent with the terms of this Agreement, the Sales and Licence Agreement, and the relevant Main Processing Agreement. If the Sub-processor considers that any instruction from the Processor infringes Applicable Data Protection Laws, it shall promptly notify the Processor and shall be entitled not to comply with that instruction until the Processor has confirmed or modified it in writing.

2.5 Sub-processor's Compliance

The Sub-processor warrants and undertakes that it shall:

(a) comply with all Applicable Data Protection Laws in the Processing of Controller Personal Data;

(b) not Process Controller Personal Data other than on the Processor's documented instructions unless Processing is required by Applicable Data Protection Laws to which the Sub-processor is subject;

(c) take all measures required pursuant to Article 32 of the UK GDPR and Article 32 of the EU GDPR (to the extent applicable); and

(d) not transfer Controller Personal Data to a country outside the United Kingdom or the EEA except as permitted under Clause 9 of this Agreement.

3. PROCESSOR OBLIGATIONS AND WARRANTIES

3.1 Processor Warranties

The Processor warrants, represents, and undertakes that:

(a) it has entered into, or shall enter into prior to any Processing taking place, a valid Main Processing Agreement with each Controller (being its Customer) for whom Controller Personal Data will be Processed under this Agreement;

(b) each Main Processing Agreement complies with all Applicable Data Protection Laws and authorises the Processor to engage sub-processors (including the Sub-processor) to Process Personal Data on behalf of the Controller;

(c) it has obtained, and will continue to maintain, all necessary authorisations from each Controller (being its Customer) to enable the lawful Processing of Controller Personal Data by the Sub-processor and any Onward Sub-processors for the duration and purposes of this Agreement;

(d) it shall ensure that each Controller (being its Customer) has complied with all Applicable Data Protection Laws in respect of the collection, storage, and Processing of Controller Personal Data, including providing all fair processing notices and establishing a valid lawful basis for each Processing activity;

(e) all instructions given by the Processor to the Sub-processor in respect of Controller Personal Data shall comply with Applicable Data Protection Laws and the relevant Main Processing Agreement; and

(f) it shall be responsible for ensuring that the Processing of Controller Personal Data in accordance with its instructions will not cause the Sub-processor to breach any Applicable Data Protection Laws.

3.2 Flow-Down of Controller Obligations

The Processor shall ensure that each Main Processing Agreement with its Customers (who are the Controllers) contains provisions that are at least as protective as those set out in this Agreement, and the Processor shall flow down to the Sub-processor any relevant obligations, requirements, or instructions from Controllers that are necessary to enable the Sub-processor to comply with its obligations under this Agreement.

3.3 Processor Indemnity

The Processor shall indemnify and keep indemnified the Sub-processor against all claims, actions, proceedings, losses, damages, expenses, and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with:

(a) any breach by the Processor of its obligations or warranties under this Agreement;

(b) any breach by a Controller (being the Processor's Customer) of its obligations under the relevant Main Processing Agreement; or

(c) any claim, action, or proceeding brought by a Controller (being the Processor's Customer) or Data Subject against the Sub-processor to the extent that such claim arises from the acts or omissions of the Processor or the relevant Controller.

4. SUB-PROCESSOR PERSONNEL

4.1 Confidentiality Obligations

The Sub-processor shall ensure that all persons authorised to Process Controller Personal Data:

(a) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(b) Process Controller Personal Data only in accordance with the Processor's instructions; and

(c) are informed of the confidential nature of the Controller Personal Data and of any security obligations under this Agreement or Applicable Data Protection Laws.

4.2 Training

The Sub-processor shall ensure that all personnel who have access to and/or Process Controller Personal Data are adequately trained in data protection and are aware of their obligations under this Agreement and Applicable Data Protection Laws.

4.3 Access Limitation

The Sub-processor shall ensure that access to Controller Personal Data is limited to those personnel who need access to the Controller Personal Data to meet the Sub-processor's obligations under this Agreement and the Sales and Licence Agreement.

5. SECURITY

5.1 Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Sub-processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:

(a) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services;

(b) the ability to restore the availability and access to Controller Personal Data in a timely manner in the event of a physical or technical incident; and

(c) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

5.2 Specific Security Measures

Without prejudice to the generality of Clause 5.1, the Sub-processor shall implement and maintain the Technical and Organisational Measures set out in Appendix 2 to this Agreement. The Sub-processor may update or modify the Technical and Organisational Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Processing.

5.3 Processor Acknowledgement

The Processor acknowledges that the Technical and Organisational Measures are subject to technical progress and development and that the Sub-processor may update or modify such measures from time to time, provided that such updates or modifications do not result in a material decrease in the level of protection afforded to Controller Personal Data.

5.4 AWS Hosting

The Parties acknowledge that Controller Personal Data will be hosted on AWS servers located in Ireland. The Sub-processor shall ensure that appropriate contractual arrangements are in place with AWS that are consistent with the Sub-processor's obligations under this Agreement and Applicable Data Protection Laws.

6. ONWARD SUB-PROCESSING

6.1 Authorised Onward Sub-processors

The Processor provides a general authorisation to the Sub-processor to engage Onward Sub-processors to Process Controller Personal Data, subject to the requirements of this Clause 6. The Processor warrants that it has obtained, or shall obtain, the necessary authorisations from each relevant Controller (being its Customer) to permit the engagement of Onward Sub-processors in accordance with the terms of this Clause 6. The Onward Sub-processors authorised by the Processor as at the Effective Date are listed in Appendix 3 to this Agreement.

6.2 Onward Sub-processor Requirements

Before engaging any Onward Sub-processor, the Sub-processor shall:

(a) carry out adequate due diligence to ensure that the Onward Sub-processor is capable of providing the level of protection for Controller Personal Data required by this Agreement and Applicable Data Protection Laws;

(b) enter into a written contract with the Onward Sub-processor that imposes on the Onward Sub-processor data protection obligations that are no less onerous than those imposed on the Sub-processor under this Agreement, including in particular the obligation to implement appropriate technical and organisational measures; and

(c) remain fully liable to the Processor for the performance of the Onward Sub-processor's obligations in respect of the Processing of Controller Personal Data.

6.3 Onward Sub-processor Locations

The Parties acknowledge that the Sub-processor engages Onward Sub-processors located in Finland, Malta, Poland, and Sweden. The Processor hereby authorises such Onward Sub-processors to Process Controller Personal Data in those locations, subject to the terms of this Agreement and Applicable Data Protection Laws, and warrants that it has obtained (or shall obtain) the necessary authorisations from the relevant Controllers (being its Customers) for such Processing.

7. DATA SUBJECT RIGHTS

7.1 Data Subject Requests

The Sub-processor shall promptly, and in any event within 5 Business Days, notify the Processor if it receives any request from a Data Subject in respect of Controller Personal Data, including any request to exercise any of the following rights under Applicable Data Protection Laws:

(a) right of access;

(b) right to rectification;

(c) right to erasure (right to be forgotten);

(d) right to restriction of processing;

(e) right to data portability;

(f) right to object; and

(g) rights in relation to automated decision-making and profiling.

The Processor shall be responsible for promptly forwarding any such notification to the relevant Controller (being its Customer) in accordance with the terms of the relevant Main Processing Agreement.

7.2 Sub-processor Assistance

The Sub-processor shall, taking into account the nature of the Processing, assist the Processor by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Processor's obligation to assist the relevant Controller (being its Customer) to respond to Data Subject Requests.

7.3 No Direct Response

The Sub-processor shall not respond directly to any Data Subject Request without the Processor's prior written authorisation, unless required to do so by Applicable Data Protection Laws, in which case the Sub-processor shall, to the extent permitted by Applicable Data Protection Laws, inform the Processor of that legal requirement before responding.

7.4 Costs

The Processor shall reimburse the Sub-processor for any reasonable costs incurred in providing assistance under this Clause 7, calculated at the Sub-processor's then-current professional services rates, provided that the Sub-processor shall provide the Processor with a reasonable estimate of such costs before incurring them.

8. DATA BREACH

8.1 Notification

The Sub-processor shall notify the Processor without undue delay after becoming aware of a Data Breach affecting Controller Personal Data. Such notification shall include, to the extent then known:

(a) a description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

(b) the name and contact details of the Sub-processor's data protection officer or other contact point where more information can be obtained;

(c) the likely consequences of the Data Breach; and

(d) the measures taken or proposed to be taken by the Sub-processor to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Processor shall be responsible for promptly notifying the relevant Controller (being its Customer) of any Data Breach in accordance with the terms of the relevant Main Processing Agreement.

8.2 Ongoing Updates

Where, and insofar as, it is not possible to provide all the information referred to in Clause 8.1 at the same time, the Sub-processor shall provide such information in phases without further undue delay as it becomes available.

8.3 Sub-processor Obligations

Following a Data Breach, the Sub-processor shall:

(a) take all reasonable steps to mitigate the effects of the Data Breach and to prevent recurrence;

(b) cooperate with the Processor (and, where reasonably required, the relevant Controller, being its Customer) and provide such information and assistance as the Processor may reasonably require to enable the Processor to assist the relevant Controller to comply with its notification obligations under Applicable Data Protection Laws;

(c) not make any public statement or notification concerning the Data Breach without the Processor's prior written consent, unless required to do so by Applicable Data Protection Laws; and

(d) maintain a written record of Data Breaches comprising the facts relating to each Data Breach, its effects, and the remedial action taken, and provide a copy of such record to the Processor upon request.

8.4 Controller Notification Obligations

The Processor acknowledges that the relevant Controller shall be responsible for determining whether any Data Breach requires notification to a Supervisory Authority and/or to affected Data Subjects, and for making such notifications in accordance with Applicable Data Protection Laws. The Processor shall ensure that each Main Processing Agreement contains appropriate provisions to facilitate such notifications.

9. INTERNATIONAL DATA TRANSFERS

9.1 General Prohibition

The Sub-processor shall not transfer or otherwise Process Controller Personal Data in a country outside the United Kingdom or the EEA unless:

(a) the transfer is to a country, territory, sector, or international organisation that has been deemed to provide an adequate level of protection under Applicable Data Protection Laws;

(b) the transfer is made pursuant to appropriate safeguards in accordance with Article 46 of the UK GDPR and/or Article 46 of the EU GDPR (as applicable);

(c) the transfer is subject to binding corporate rules approved in accordance with Article 47 of the UK GDPR and/or Article 47 of the EU GDPR (as applicable); or

(d) one of the derogations for specific situations set out in Article 49 of the UK GDPR and/or Article 49 of the EU GDPR (as applicable) applies.

9.2 UK to EEA Transfers

The Parties acknowledge that Controller Personal Data will be transferred from the United Kingdom to Ireland (where the Sub-processor's AWS servers are located) and to Finland, Malta, Poland, and Sweden (where Onward Sub-processors are located). As at the Effective Date, the United Kingdom has determined that the EEA provides an adequate level of protection for Personal Data. In the event that such adequacy determination is withdrawn, modified, or no longer applies, the Parties shall enter into appropriate transfer mechanisms to ensure that such transfers continue to comply with Applicable Data Protection Laws.

9.3 EEA to UK Transfers

Where Controller Personal Data is transferred from the EEA to the United Kingdom, such transfers shall be made in reliance upon: (a) the adequacy decision adopted by the European Commission in relation to the United Kingdom (as may be extended, modified, or replaced from time to time); or (b) in the absence of such adequacy decision, appropriate safeguards in accordance with Article 46 of the EU GDPR.

9.4 Transfer Mechanisms

Where Restricted Transfers are made in reliance on appropriate safeguards, the following transfer mechanisms shall apply:

(a) UK GDPR: For Restricted Transfers subject to the UK GDPR, the Parties agree to be bound by the UK Addendum as set out in Appendix 4, which shall be deemed incorporated into and form part of this Agreement.

(b) EU GDPR: For Restricted Transfers subject to the EU GDPR, the Parties agree to be bound by the EU SCCs as set out in Appendix 5, which shall be deemed incorporated into and form part of this Agreement.

9.5 Future Adequacy Changes

In the event of any change to the adequacy status of any relevant country or territory, or any change to Applicable Data Protection Laws affecting the lawfulness of International Data Transfers, the Parties shall cooperate in good faith to implement such additional measures or alternative tr

10. RECORDS AND AUDIT

10.1 Records of Processing

The Sub-processor shall maintain complete and accurate records of all Processing activities carried out on behalf of the Processor (and the relevant Controllers, being its Customers), including:

(a) the name and contact details of the Sub-processor and of the Processor on whose behalf the Sub-processor is acting;

(b) the categories of Processing carried out on behalf of the Processor;

(c) where applicable, transfers of Controller Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and documentation of suitable safeguards;

(d) a general description of the Technical and Organisational Measures; and

(e) such other information as may be required under Article 30 of the UK GDPR and/or Article 30 of the EU GDPR.

10.2 Availability of Information

The Sub-processor shall make available to the Processor all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and/or Article 28 of the EU GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Processor (or, where reasonably required by a Controller being the Processor's Customer, by the Controller or another auditor mandated by the Controller).

10.3 Audit Rights

The Processor (or its authorised representative, including any relevant Controller being its Customer, or auditor mandated by a Controller) may, upon reasonable prior written notice of not less than 30 days (except in the case of a Data Breach or suspected non-compliance, in which case reasonable notice shall suffice), audit the Sub-processor's compliance with this Agreement, provided that:

(a) such audits are conducted during normal business hours and do not unreasonably interfere with the Sub-processor's business operations;

(b) the Processor (and any Controller being its Customer, or auditor) and its representatives comply with the Sub-processor's reasonable security and confidentiality requirements;

(c) audits are limited to one per calendar year unless a Data Breach has occurred or there are reasonable grounds to suspect non-compliance; and

(d) the Processor provides the Sub-processor with a copy of any audit report within a reasonable time following completion of the audit.

10.4 Audit Costs

The costs of any audit conducted under this Clause 10 shall be borne by the Processor (or the relevant Controller being its Customer), except where the audit reveals a material breach of this Agreement by the Sub-processor, in which case the reasonable costs of the audit shall be borne by the Sub-processor.

10.5 Third-Party Certifications

The Sub-processor may satisfy its obligations under Clause 10.2 by providing the Processor with:

(a) a copy of any relevant third-party audit report, certification, or attestation (such as ISO 27001 certification or SOC 2 Type II report) obtained by the Sub-processor; and/or

(b) written responses to reasonable questions and information requests from the Processor,

provided that such documentation and responses are sufficient to demonstrate compliance with the Sub-processor's obligations under this Agreement.

11. TERM AND TERMINATION

11.1 Commencement and Duration

This Agreement shall come into force on the Effective Date and shall continue in force until the earlier of:

(a) the termination or expiry of the Sales and Licence Agreement; or

(b) termination of this Agreement in accordance with its terms.

11.2 Termination for Breach

Either Party may terminate this Agreement immediately upon written notice to the other Party if:

(a) the other Party commits a material breach of this Agreement which is not capable of remedy;

(b) the other Party commits a material breach of this Agreement which is capable of remedy and fails to remedy such breach within 30 days of receiving written notice requiring it to do so; or

(c) the other Party is subject to any insolvency event.

11.3 Termination for Change in Law

Either Party may terminate this Agreement upon 60 days' written notice to the other Party if a change in Applicable Data Protection Laws makes it impossible or impracticable for either Party to comply with its obligations under this Agreement.

11.4 Effect of Termination

Upon termination or expiry of this Agreement:

(a) the Sub-processor shall cease all Processing of Controller Personal Data;

(b) subject to Clause 11.5, the Sub-processor shall, at the Processor's election (to be notified in writing within 30 days of termination):

(i) return all Controller Personal Data to the Processor in a commonly used, machine-readable format; and/or

(ii) securely delete or destroy all Controller Personal Data and certify in writing to the Processor that it has done so; and

(c) the Sub-processor shall ensure that all Onward Sub-processors comply with the requirements of this Clause 11.4 in respect of any Controller Personal Data held by them.

11.5 Retention After Termination

The Sub-processor may retain Controller Personal Data after termination of this Agreement to the extent required by Applicable Data Protection Laws or other applicable law, provided that:

(a) the Sub-processor shall continue to comply with its obligations under this Agreement in respect of such retained Controller Personal Data;

(b) such Controller Personal Data shall be Processed only to the extent necessary for compliance with such legal obligations; and

(c) the Sub-processor shall securely delete or destroy such Controller Personal Data as soon as the relevant legal retention period has expired.

11.6 Survival

Clauses 1 (Definitions and Interpretation), 3.3 (Processor Indemnity), 8 (Data Breach), 10 (Records and Audit), 11.4 (Effect of Termination), 11.5 (Retention After Termination), 12 (Liability), and 13 (General Provisions) shall survive the termination or expiry of this Agreement.

12. LIABILITY

12.1 Limitation of Liability

Subject to Clause 12.2, the liability of each Party under or in connection with this Agreement (whether in contract, tort, negligence, or otherwise) shall be subject to the limitations and exclusions of liability set out in the Sales and Licence Agreement.

12.2 Unlimited Liability

Nothing in this Agreement shall limit or exclude either Party's liability for:

(a) death or personal injury caused by its negligence;

(b) fraud or fraudulent misrepresentation;

(c) any breach of its obligations under Applicable Data Protection Laws in respect of which liability cannot be limited or excluded; or

(d) any other liability which cannot be limited or excluded by applicable law.

12.3 Processor Liability for Instructions

The Processor shall be liable for any additional costs, claims, or losses incurred by the Sub-processor arising from the Sub-processor's compliance with Processor instructions that result in a breach of Applicable Data Protection Laws by the Sub-processor, provided that the Sub-processor has complied with its obligation under Clause 2.4 to notify the Processor of any instruction that it considers to infringe Applicable Data Protection Laws.

13. GENERAL PROVISIONS

13.1 Entire Agreement

This Agreement (together with its appendices and the Sales and Licence Agreement) constitutes the entire agreement between the Parties in relation to its subject matter and supersedes all previous agreements, understandings, and arrangements between the Parties, whether written or oral, relating to such subject matter.

13.2 Amendments

No amendment or variation of this Agreement shall be effective unless it is in writing and signed by or on behalf of each of the Parties.

13.3 Conflict

In the event of any conflict or inconsistency between the provisions of this Agreement and the provisions of the Sales and Licence Agreement, the provisions of this Agreement shall prevail to the extent of such conflict or inconsistency in relation to matters concerning data protection and the Processing of Personal Data.

13.4 Severability

If any provision or part-provision of this Agreement is or becomes invalid, illegal, or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this Agreement. If any provision or part-provision of this Agreement is deemed deleted under this Clause, the Parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

13.5 Waiver

No failure or delay by a Party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

13.6 Third Party Rights

This Agreement does not confer any rights on any person or party (other than the Parties to this Agreement and, where applicable, their successors and permitted assigns) pursuant to the Contracts (Rights of Third Parties) Act 1999.

13.7 Assignment

Neither Party may assign, transfer, mortgage, charge, subcontract, delegate, declare a trust over, or deal in any other manner with any of its rights or obligations under this Agreement without the prior written consent of the other Party, except that the Sub-processor may engage Onward Sub-processors in accordance with Clause 6.

13.8 Governing Law

This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.

13.9 Jurisdiction

Each Party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Agreement or its subject matter or formation.

14. INCORPORATION AND ACCEPTANCE

14.1 Incorporation

This Agreement is incorporated into and forms part of the Sales and Licence Agreement. By executing the Sales and Licence Agreement or by accessing or using the Services, the Processor agrees to be bound by the terms of this Agreement.

14.2 Acceptance

The Processor acknowledges that it has read, understood, and agrees to be bound by this Agreement. Where the Sales and Licence Agreement is entered into electronically or by acceptance of an order form, click-through acceptance, or similar mechanism, such acceptance shall constitute the Processor's agreement to the terms of this Agreement.

14.3 Processor Information

The Processor shall provide accurate and complete information as required under this Agreement and the Sales and Licence Agreement, including the information specified in Appendix 1. The Processor shall promptly notify the Sub-processor of any changes to such information.

14.4 Controller Information

The Processor shall, upon request by the Sub-processor, provide details of each Controller (being its Customer) on whose behalf Controller Personal Data is being Processed, to the extent necessary for the Sub-processor to comply with its obligations under this Agreement and Applicable Data Protection Laws.

APPENDIX 1: DETAILS OF PROCESSING

Purposes of the processing

The Sub-processor will process personal data for the provision of the Services under the Sales and Licence Agreement and to fulfil its obligations under this Agreement.

Description of the processing of personal data

For the provision of the Services, the Sub-processor will carry out the following processing activities:

• Provision of the Cliq web manager system

• Provision of the Cliq Connect mobile application

• Ad hoc 3rd line support review of local Cliq databases

Processing activity: Provision of the Cliq web manager system
Categories of data subjects: Keyholders; System administrators
Categories of personal data: Name; Address; Telephone number; Employment ID; E-mail address; Role
Storage period: For the duration that the user's account is active, or until deleted by a system administrator
Sub-processors: See Appendix 3

Processing activity: Provision of the Cliq Connect mobile application
Categories of data subjects: Keyholders
Categories of personal data: Key credential
Storage period: For the duration that the user's account is active, or until deleted by a system administrator
Sub-processors: See Appendix 3

Processing activity: Ad hoc 3rd line support review of local Cliq databases
Categories of data subjects: Keyholders
Categories of personal data: Name; Address; Telephone number; Employment ID; E-mail address; Role
Storage period: Cliq databases are deleted when the support ticket is closed. Support tickets are retained for 2 years.
Sub-processors: See Appendix 3

APPENDIX 2: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

The Sub-processor implements and maintains appropriate organisational, operational and technical measures to protect personal data from unauthorised access and from accidental or unlawful loss or alteration, in such a manner that all Processing meets legal requirements and the Controller's reasonable instructions.

The technical and organisational measures are based on the ISO/IEC 27001:2013 standard (the Sub-processor's ISO/IEC 27001:2013 certificate and its Onward Sub-processors' ISO/IEC 27001:2013 and/or ISO/IEC 27018 certificates).

The Sub-processor limits access to Controller Personal Data to those of its appropriately trained employees who need access to the data because of their role in the delivery of the Services and who are subject to an applicable obligation of professional secrecy.

APPENDIX 3: AUTHORISED ONWARD SUB-PROCESSORS

The following Onward Sub-processors are authorised by the Processor as at the Effective Date:

Name: Amazon Web Services
Place of processing: Republic of Ireland
Description of processing: Cloud service hosting provider

Name: Nordcloud
Place of processing: Finland
Description of processing: Infrastructure support

Name: Abloy Oy
Place of processing: Finland, Malta, Poland, Sweden
Description of processing: CLIQ Web Manager SaaS solution hosting operations; 2nd line support services

APPENDIX 4: UK INTERNATIONAL DATA TRANSFER ADDENDUM

Part 1: Tables

Table 1: Parties

Start Date: The Effective Date of this Agreement

The Parties:
Exporter: The Processor as identified in the Sales and Licence Agreement
Importer: ASSA ABLOY Limited (Sub-processor)

Key Contact:
Exporter: As identified in the Sales and Licence Agreement or as notified to the Sub-processor
Importer: Data Protection Manager, privacyuk@assaabloy.com

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs: The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

Module: Module Three (Processor to Processor)
Clause 7 (Docking Clause): Included
Clause 11 (Option): Option 2
Clause 17 (Governing Law): These Clauses are governed by the laws of England and Wales.

Table 3: Appendix Information

"Appendix Information" means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

• Annex I.A (List of Parties): As set out in Appendix 1, Part A of this Agreement

• Annex I.B (Description of Transfer): As set out in Appendix 1, Part B of this Agreement

• Annex II (Technical and Organisational Measures): As set out in Appendix 2 of this Agreement

• Annex III (List of Onward Sub-processors): As set out in Appendix 3 of this Agreement

Table 4: Ending this Addendum when the Approved Addendum Changes

Which Parties may end this Addendum as set out in Section 19: Importer and Exporter

Part 2: Mandatory Clauses

The Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, are hereby incorporated by reference and shall form part of this Agreement.

APPENDIX 5: EU STANDARD CONTRACTUAL CLAUSES (MODULE THREE: PROCESSOR TO PROCESSOR)

For transfers of Controller Personal Data subject to the EU GDPR, the Parties agree to be bound by the EU Standard Contractual Clauses adopted pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Three (Processor to Processor), which are hereby incorporated by reference.

Clause-Specific Elections

Clause 7 (Docking Clause): INCLUDED

Clause 9(a) (Use of Sub-processors): Option 2 (General Written Authorisation) is selected. The Processor provides general authorisation for the engagement of Onward Sub-processors in accordance with Clause 6 of this Agreement and Appendix 3.

Clause 11 (Redress): OPTION 2 (DELETED)

Annexes to EU SCCs

The information required for the Annexes to the EU SCCs shall be as set out in this Agreement as follows:

• Annex I.A (List of Parties): As set out in Appendix 1, Part A

• Annex I.B (Description of Transfer): As set out in Appendix 1, Part B

• Annex I.C (Competent Supervisory Authority): As set out in Appendix 1, Part C

• Annex II (Technical and Organisational Measures): As set out in Appendix 2

• Annex III (List of Onward Sub-processors): As set out in Appendix 3

Additional Safeguards

The Sub-processor confirms that, as at the Effective Date:

(a) it has not received any legally binding request from any public authority for disclosure of Controller Personal Data, and has not been subject to any prohibition preventing it from disclosing such requests;

(b) it has no reason to believe that applicable laws prevent it from fulfilling its obligations under the EU SCCs;

(c) it has implemented the Technical and Organisational Measures set out in Appendix 2, which include measures to protect Controller Personal Data against unlawful access; and

(d) it shall promptly notify the Processor if it becomes aware of any circumstances that may prevent it from complying with its obligations under the EU SCCs.

APPENDIX 6: DATA PROTECTION CONTACT DETAILS

Controller Data Protection Contact

To be provided by the Controller:

Name: As notified by the Processor to the Sub-processor
Position: As notified by the Processor to the Sub-processor
Email: As notified by the Processor to the Sub-processor
Telephone: As notified by the Processor to the Sub-processor
Address: As identified in the Sales and Licence Agreement

Sub-processor Data Protection Contact

Position: Data Protection Manager
Email: privacyuk@assaabloy.com
Address: ASSA ABLOY Limited, Portobello, School Street, Willenhall WV13 3PW

Controller (Customer) Data Protection Contact(s)

The Processor shall maintain records of the data protection contact details for each Controller (being its Customer) and shall provide such details to the Sub-processor upon reasonable request.
