2.2 Customer’s Processing of Personal Data. Customer shall (a) collect and Process Personal Data. (b) use the Services, and (c) give RELAYTO LIMITED instructions regarding the Processing of Personal Data for Customer, in all cases, in accordance with all applicable laws, rules, and regulations, including the Data Protection Laws and Regulations. The customer is solely liable and responsible for the accuracy, quality, and legality of Personal Data. 2.3 Service Provider’s Processing of Personal Data. Effective as of 25 May 2018, RELAYTO LIMITED shall Process Personal Data in accordance with the GDPR requirements directly applicable to RELAYTO LIMITED’s provision of its Services. Personal Data shall be considered Customer’s Confidential Information under the Agreement. RELAYTO LIMITED shall only Process Personal Data on behalf of and in accordance with Customer’s instructions set forth in this DPA and the Agreement for the following purposes: (a) Processing in accordance with the Agreement and applicable Order Form(s); (b) Processing initiated by Users in their use of the Services; and (c) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement. The subject-matter and purpose of Processing of Personal Data by RELAYTO LIMITED is solely so RELAYTO LIMITED can provide the Services to Customer pursuant to the Agreement. 2.4 Personnel. RELAYTO LIMITED shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written industry standard confidentiality agreements. RELAYTO LIMITED shall ensure that RELAYTO LIMITED’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement. RELAYTO has implemented a formal training program as part of the onboarding process, which includes a dedicated section on cybersecurity & information security to ensure all RELAYTO developers are informed and aligned with our security policies and practices. 2.5 Data Protection Officer. RELAYTO LIMITED has appointed a data protection officer. The appointed person may be reached at [email protected] 3. Rights of data subjects RELAYTO LIMITED shall, to the extent legally permitted, promptly notify Customer if RELAYTO LIMITED receives a request from a Data Subject to exercise the Data Subject’s under the GDPR (“Data Subject Request”). Taking into account the nature of the Processing, RELAYTO LIMITED shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. 18 of 52