DATA PROCESSING AGREEMENT

This Data Processing Agreement ("DPA") is entered into between:

1. Users of the Tern Trade-in app (the "Merchant" or "Data Controller"),

2. Tern Eco Ltd ("Data Processor"), a company registered in the United Kingdom of Great Britain and Northern Ireland, with its registered office at 159 Highstreet, Barnet, EN5 5SU, UK.

Collectively referred to as the "Parties."

WHEREAS:

1. The Data Controller, through use of Tern Eco Ltd's services, acknowledges and agrees to the terms of this Data Processing Agreement, thereby assuming the responsibilities of the Data Controller as outlined herein.

2. The Data Controller, as part of its business operations, may disclose certain Personal Data to the Data Processor for the purposes of processing as outlined in this agreement.

3. The Data Processor agrees to process Personal Data on behalf of the Data Controller in accordance with the Data Controller's instructions and in compliance with applicable data protection laws and regulations.

4. The Data Controller and Data Processor desire to outline their respective rights and obligations with respect to the processing of Personal Data in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and any applicable data protection laws in other jurisdictions where the Data Controller operates.

NOW, THEREFORE, the Parties agree as follows:

1. Definitions

1.1. "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to the GDPR and any applicable national data protection laws.

1.2. "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Data Processor on behalf of the Data Controller in connection with the Services.

1.3. "Services" means the services provided by the Data Processor to the Data Controller as described in a separate agreement or statement of work.

2. Scope and Purpose

2.1. The Data Controller appoints the Data Processor to process Personal Data on behalf of the Data Controller for the purpose of providing the Services.

2.2. The Data Processor agrees to process the Personal Data only in accordance with the Data Controller's documented instructions and for the purposes defined in this DPA, unless required to do otherwise by applicable laws.

3. Data Processor's Obligations

3.1. Compliance with Data Protection Laws: The Data Processor shall process Personal Data in compliance with all applicable Data Protection Laws.

3.2. Confidentiality: The Data Processor shall ensure that any person authorised to process the Personal Data on its behalf is under appropriate obligations of confidentiality.

3.3. Security Measures: The Data Processor shall implement appropriate technical and organisational measures to protect the Personal Data from unauthorised access, accidental loss, destruction, alteration, or disclosure.

3.4. Sub-processing: In the course of providing the Services, the Data Controller acknowledges and hereby grant the Data Processor general written authorisation to use Subprocessors, listed online at: Tern Eco Ltd's Subprocessors (“Subprocessor List”), to Process the Personal Data.

3.5. Data Subject Requests: The Data Processor shall assist the Data Controller in responding to data subject requests and fulfil the Data Controller's obligations under applicable Data Protection Laws.

4. Data Controller's Obligations

4.1. Lawful Basis for Processing: The Data Controller shall ensure that it has a valid lawful basis for the processing of Personal Data and shall provide the necessary information to the Data Processor to fulfil its obligations under this DPA.

4.2. Data Subject Requests: The Data Controller shall be responsible for responding to any data subject requests concerning the exercise of data subjects' rights under applicable Data Protection Laws.

4.3. Instructions: The Data Controller shall provide the Data Processor with clear and documented instructions for the processing of Personal Data in connection with the Services.

5. International Transfers

5.1. The Data Processor may transfer Personal Data to countries outside the European Economic Area (EEA) or any other country deemed by the European Commission not to provide an adequate level of data protection, provided that appropriate safeguards are in place to ensure the security and protection of Personal Data in accordance with applicable Data Protection Laws.

6. Term and Termination

6.1. This DPA shall remain in effect until the completion of the Services or until terminated by either Party in accordance with the terms of the main agreement between the Parties.

6.2. Upon termination or completion of the Services, the Data Processor shall, at the Data Controller's option, delete, anonymise, or return all Personal Data, unless otherwise required by applicable law.

7. Governing Law and Jurisdiction

7.1. This DPA shall be governed by and construed in accordance with the laws of the United Kingdom of Great Britain and Northern Ireland. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of the United Kingdom of Great Britain and Northern Ireland.

For any further questions, please reach out to us at support@tern.eco