DATA PROCESSING AGREEMENT

 

BETWEEN:

The Customer (the “Controller”)

AND

CNTXT (the “Processor”)

This Data Processing Agreement (“DPA”) is entered into in connection with the subscription by the Customer to any of the products offered by CNTXT (including Google Cloud and SaaS products such as InSafe, Cognite Data Fusion, etc.) (“Subscription Items”) and/or the performance of professional services, support services, or consultancy services related to the Subscription Items (collectively “Services”) by CNTXT.

This DPA is an integrated part of the Google Cloud Reseller Agreement, Collaboration and Services Agreement, Master Service Agreement, or such other agreement entered into between the Controller and Processor pertaining to the subscription to the Subscription Items and/or performance by CNTXT of Services (the “Agreement”). Any capitalized terms not specifically defined in this DPA shall have the meaning set forth in the Agreement.

This DPA is governed by and shall be construed in accordance with the laws of the Kingdom of Saudi Arabia, including the Personal Data Protection Law issued by Royal Decree M/19 on 9/2/1443H and its Implementing Regulations (collectively, the “PDPL”), and the Cloud Computing Services Provisioning Regulations (“CCSPR”).

To the extent that European Data Protection Legislation applies to the Processor's Processing of any Personal Data, the Processor shall act as a processor, and the Controller as the controller of such Personal Data. In such cases, the parties shall enter into an amendment to this DPA that complies with the requirements set out in Appendix 2.

  1. DEFINITIONS

In this DPA:

  • “Controller” has the meaning given to the term “Controlling Entity” in the PDPL.
  • “Processor” has the meaning given to the term “Processing Entity” in the PDPL.
  • “Personal Data” has the meaning given in the PDPL.
  • “Competent Authority” means the Saudi Data & AI Authority (SDAIA) or any other authority designated for the regulation and enforcement of the PDPL.
  • “Data Subject” has the meaning given in the PDPL.
  • “Processing” has the meaning given in the PDPL, and its cognates shall be construed accordingly.
  • “Sub-processor” means a third party engaged by the Processor for carrying out specific Processing activities on behalf of the Processor.
  • “Personal Data Breach” means any event that leads to the destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, whether accidental or unlawful.
  • “Personal Data Protection Law” means the law issued by Royal Decree M/19 on 9/2/1443H and its Implementing Regulations (collectively, the “PDPL”).
  • “European Data Protection Legislation” means, as applicable, (a) Regulation (EU) 2016/679 (“GDPR”); (b) the Swiss Federal Act on Data Protection of 25 September 2020 (as revised and in force); and/or (c) any other applicable data protection or privacy legislation in force within the European Economic Area (EEA) or Switzerland.
  • “CDF” means Cognite Data Fusion, a software system made and implemented by or on behalf of CNTXT, the core functionality of which is to collect, process, and store personal data and to make such personal data available for consumption. The term “CDF” shall include CDF API and Extractors. A further description of CDF shall be maintained at https://www.cognite.com/en/product/cognite_data_fusion_industrial_dataops_platform
  • “InSafe” means CNTXT InSafe, a software system developed and implemented by or on behalf of CNTXT, the core functionality of which is to digitize, manage, and monitor the full lifecycle of industrial safety processes, including but not limited to work permits, job safety analyses, gas testing, lockout/tagout, and joint site inspections. The term “InSafe” shall include the InSafe application, API, and associated modules or configurations deployed for customer environments. A further description of InSafe shall be maintained at https://cntxt.com/insafe/

The Processor’s provision of the Subscription Items and Services may include the Processing of Personal Data on behalf of the Controller. In accordance with the PDPL, the obligations of the Processor are set out in this DPA.

If the Customer has entered into an agreement with a reseller or another party offering Subscription Items or Services from CNTXT, such reseller shall be the “Processor” and CNTXT, to the extent it acts as a Sub-processor, shall be the “Sub-processor” for the purpose of this DPA. The Customer hereby consents to the engagement of CNTXT as a Sub-processor, and this DPA shall apply equally between the reseller (as Processor) and CNTXT (as Sub-processor).

  2. SCOPE AND PURPOSE OF PROCESSING

2.1. This DPA governs the Processor’s Processing of Personal Data on behalf of the Controller. The details of the Processing activities are set out in Appendix 1.

2.2. The Processor shall only Process Personal Data for the purposes described in Appendix 1 and strictly in accordance with the documented instructions of the Controller, including as set forth in the Agreement, unless required to do so by applicable law.

2.3. The Controller acknowledges that the Processor may Process Personal Data relating to the operation, support, or use of the Subscription Items for its own legitimate business purposes (e.g., billing, account management, technical support, product development, and legal compliance). For such Processing, the Processor acts as a Controller and will Process such data in accordance with the PDPL and its own privacy policy.

  3. CONTROLLER'S OBLIGATIONS

3.1. The Controller represents and warrants that: a) It has a valid legal basis for the Processing of Personal Data as required by the PDPL, including obtaining the explicit consent of the Data Subject where necessary. b) It is responsible for the legality, accuracy, integrity, and reliability of the Personal Data provided to the Processor. c) It has provided all necessary notices and information to Data Subjects regarding the Processing of their Personal Data in accordance with the PDPL. d) It is responsible for assessing whether the security measures offered by the Processor meet its own requirements under the PDPL.

  4. PROCESSOR'S OBLIGATIONS

4.1. Compliance with Instructions: The Processor shall Process Personal Data only on documented instructions from the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the PDPL.

4.2. Confidentiality: The Processor shall ensure that all personnel authorized to Process Personal Data are subject to a strict duty of confidentiality, both during and after their employment.

4.3. Security Measures: The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, or disclosure. Such measures shall include, at a minimum: a) Pseudonymization and encryption of Personal Data. b) Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services. c) Procedures for regularly testing, assessing, and evaluating the effectiveness of the security measures. d) Access controls to ensure that only authorized individuals can access the Personal Data. e) Maintaining records of its Processing activities carried out on behalf of the Controller.

4.4. Personal Data Breach Notification: The Processor shall notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a Personal Data Breach. The notification shall include all available information to assist the Controller in meeting its own breach notification obligations to the Competent Authority and Data Subjects.

4.5. Assistance to Controller: The Processor shall provide reasonable assistance to the Controller, at the Controller’s expense, to: a) Respond to requests from Data Subjects exercising their rights under the PDPL (including rights of access, correction, and destruction). b) Conduct Data Protection Impact Assessments (DPIAs) where required by the PDPL. c) Fulfill the Controller's obligation to notify the Competent Authority and Data Subjects of a Personal Data Breach.

4.6. Audits: The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and the PDPL. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable prior notice and confidentiality undertakings. The scope, timing, and duration of such audits shall be agreed upon by the parties to minimize disruption to the Processor's business operations.

  5. SUB-PROCESSORS

5.1. The Controller provides a general written authorization for the Processor to engage Sub-processors to perform specific Processing activities. The Processor shall maintain an up-to-date list of its Sub-processors and shall make it available to the Controller upon request.

5.2. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes.

5.3. Where the Processor engages a Sub-processor, it shall do so by way of a written contract that imposes on the Sub-processor the same data protection obligations as set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of the Sub-processor’s obligations.

  6. CROSS-BORDER DATA TRANSFERS

6.1. The Processor shall not transfer any Personal Data outside the Kingdom of Saudi Arabia without the prior written consent of the Controller.

6.2. Any transfer of Personal Data outside the Kingdom of Saudi Arabia shall only be conducted in full compliance with the conditions stipulated in the PDPL, which may include: a) Ensuring the destination country provides an adequate level of data protection as determined by the Competent Authority. b) Obtaining explicit consent from the Data Subject for the transfer. c) Implementing appropriate safeguards, such as binding corporate rules or standard contractual clauses approved by the Competent Authority. d) Obtaining approval from the Competent Authority for the transfer where required.

6.3. The Processor shall be responsible for ensuring that any such transfer complies with the PDPL and for documenting the legal basis and safeguards for the transfer.

  7. DATA DELETION AND RETURN

7.1. Upon termination of the Agreement, or upon the Controller’s written request, the Processor shall, at the choice of the Controller, either return all Personal Data to the Controller or securely delete all existing copies.

7.2. The Processor may retain Personal Data to the extent required by applicable law, provided that it shall ensure the confidentiality of all such Personal Data and shall ensure that it is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.

  8. LIABILITY AND INDEMNITY

8.1. The Processor's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

8.2. The Controller shall indemnify and hold the Processor harmless against all claims, actions, third-party claims, losses, damages, and expenses incurred by the Processor arising from any breach of this DPA or the PDPL by the Controller.

 

  9. TERM AND TERMINATION

This DPA shall remain in effect for as long as the Processor Processes Personal Data on behalf of the Controller under the Agreement.

  10. GOVERNING LAW AND JURISDICTION

This DPA shall be governed by the laws of the Kingdom of Saudi Arabia. Any dispute arising in connection with this DPA shall be subject to the exclusive jurisdiction of the competent courts of the Kingdom of Saudi Arabia.

APPENDIX 1 – DETAILS OF PROCESSING

  • Services Performed by Processor: Provision of Subscription Items and Services as described in the Agreement.
  • Purpose and Nature of the Processing: Processing Personal Data for the provision of the Subscription Items and Services as described in the Agreement, including providing access to CNTXT products such as InSafe, CDF, Academy or Robotics or Google Products and support for the same.
  • Categories of Personal Data: Personal Data transferred by the Controller to enable use of the Subscription Items and Services (including data uploaded to SaaS servers). This may include, but is not limited to (depending on the Subscription Items and Services provided):
    • Names
    • Job titles
    • National identity numbers
    • Addresses, e-mail addresses
    • Log data, IP addresses
    • Dates of birth
    • Telephone numbers
    • Invoice information, tax information
    • Bank account and credit card details
    • Any other Personal Data the Controller chooses to upload or process via the Services.
  • Categories of Data Subjects:
    • Controller’s employees and consultants.
    • Controller’s business contacts.
    • Controller’s customers and potential customers.
    • Other third parties whose Personal Data is submitted by the Controller.
  • Data Retention Period: For the duration of the Agreement, unless otherwise agreed or required by law. Upon termination, data will be deleted or returned in accordance with Clause 7 of this DPA.
  • Frequency of Transfer: Personal Data will be transferred on a continuous basis throughout the term of the Agreement.
  • Competent Supervisory Authority: The Saudi Data & AI Authority (SDAIA) and, for matters related to cloud computing, the Communications, Space and Technology Commission (CST).



APPENDIX 2 – REQUIREMENTS OF EUROPEAN DATA PROTECTION LEGISLATION

To the extent that European Data Protection Legislation applies, this Data Processing Agreement shall be amended by CNTXT and the Customer to reflect the following obligations of CNTXT, or otherwise contains data processing terms that meet the requirements of Article 28(3) of the GDPR:

  • To only process personal data in relation to which the Customer is the data controller in accordance with written instructions from or on behalf of that Customer, unless EU or EU Member State law to which CNTXT is subject requires other processing of that personal data, in which case CNTXT will inform the Customer (unless that law prohibits CNTXT from doing so on important grounds of public interest);
  • To not process that personal data for any purpose other than for the performance of CNTXT’s obligations under the Strategic Alliance Agreement between CNTXT and Google or the Customer Agreement;
  • To ensure that appropriate technical and organisational measures are taken to avoid unauthorised or unlawful processing of that data and against loss or destruction of, or damage to, that personal data;
  • To ensure all of CNTXT’s employees, agents and contractors who will have access to that personal data have committed themselves to confidentiality or are otherwise under an appropriate obligation of confidentiality;
  • To not, by any act or omission, place that Customer in breach of the European Data Protection Legislation;
  • To inform that Customer promptly and without undue delay of any data protection breaches or unauthorised or unlawful processing, loss, or destruction of, or damage to, that personal data;
  • To obtain prior consent to engage any third party subcontractor to process that personal data on behalf of the Customer, and ensure such third party subcontractor only uses and accesses that data in accordance with the terms of the Customer Agreement and is bound by written obligations requiring it to provide at least the level of data protection required under the Strategic Alliance Agreement between CNTXT and Google;
  • Taking into account the nature of the processing, to assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligations under the European Data Protection Legislation to respond to requests for exercising the data subject's rights;
  • To assist the Customer in ensuring compliance with any applicable obligations under the European Data Protection Legislation related to security; breach notification; data protection impact assessments and prior consultation with the supervisory authorities, taking into account the nature of processing and the information available to CNTXT;
  • At the choice of the Customer, to delete or return all the personal data to Customer after the end of the provision of the Services, and delete existing copies unless prohibited from doing so by applicable EU or EU member state law;
  • To make available to the Customer all information necessary to demonstrate CNTXT’s compliance with the obligations imposed by the Customer Agreement in respect of the personal data and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer; and
  • To not process, or cause to be processed, that personal data outside the European Economic Area unless CNTXT adopts a compliance solution that achieves compliance with the terms of Article 25 of the Directive or Article 44 of the GDPR (as applicable).

Interpretation. The terms “processing”, “personal data”, “processor” and “controller” as used in this Exhibit 1 have the meanings given in the European Data Protection Legislation.