Data Processing Agreement

Processor:WEB DIRECT SRL, a company incorporated under the laws of the Republic of Moldova, registered office at Calea Ieșilor 8, of.3, Chișinău, MD-2069, Moldova, fiscal code (IDNO) 1009600043829, VAT number 0506162 ("TryDirect", "we").

Controller: the natural or legal person who has accepted the TryDirect User Agreement and on whose behalf TryDirect processes Personal Data (the "Customer", "you").

By accepting the User Agreement and using the TryDirect platform to process Personal Data of data subjects, the Customer accepts the terms of this DPA without separate signature. A countersignable PDF version is available on request from privacy@try.direct.

• Personal Data - information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
• Processing - any operation performed on Personal Data, as defined in GDPR Article 4(2).
• Data Subject - the identifiable natural person to whom Personal Data relates.
• Sub-processor- a processor engaged by TryDirect to process Personal Data on the Customer's behalf.
• SCCs - the Standard Contractual Clauses adopted by the European Commission for international transfers of personal data under Decision 2021/914.

TryDirect processes Personal Data on the Customer's behalf solely for the purpose of providing the TryDirect platform under the User Agreement. The categories of Personal Data, categories of Data Subjects, and processing operations are described in Annex I.

This DPA takes effect on the date the Customer first uses the TryDirect platform and remains in force for as long as TryDirect processes Personal Data on the Customer's behalf, including any retention period after termination described in section 14.

For Personal Data that the Customer uploads to the platform or that the platform processes on behalf of the Customer's end users, the Customer is the Controller and TryDirect is the Processor.

For Personal Data that TryDirect collects directly from the Customer (account holders, billing contacts, support correspondents), TryDirect acts as Controller. That processing is governed by our Privacy Policy, not by this DPA.

TryDirect processes Personal Data only on documented instructions from the Customer. The Customer's use of the platform's standard features and APIs constitutes documented instructions. Any additional instructions must be sent in writing to privacy@try.direct.

TryDirect will inform the Customer if, in its opinion, an instruction infringes GDPR or other applicable data protection law, before carrying it out.

TryDirect ensures that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations, whether by contract or statutory duty, and receive training on data protection.

The Customer grants TryDirect general authorisation to engage sub-processors. The current sub-processor list is published in Annex II and maintained on our Trust & Security page.

TryDirect notifies the Customer of intended changes to the sub-processor list at least 30 days in advance by email. The Customer may object to a new sub-processor on reasonable data-protection grounds. If the parties cannot agree on a resolution within 30 days, the Customer may terminate the User Agreement without penalty.

TryDirect imposes data-protection obligations on each sub-processor that are no less protective than this DPA, and remains liable to the Customer for the sub-processor's compliance.

TryDirect assists the Customer in fulfilling its obligation to respond to Data Subject requests under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection, automated decisions).

If TryDirect receives a Data Subject request that concerns the Customer's data, TryDirect will:

• promptly notify the Customer and not respond directly to the Data Subject unless legally required, and
• provide reasonable assistance to enable the Customer to respond within the GDPR 30-day window.

TryDirect is established in the Republic of Moldova, which is not subject to a European Commission adequacy decision under GDPR Article 45. Transfers of Personal Data from the EU/EEA to TryDirect therefore rely on the European Commission's Standard Contractual Clauses (SCCs) for controller-to-processor transfers, set out in Decision 2021/914 of 4 June 2021. The SCCs are incorporated into this DPA by reference and form part of it.

Module Two (Controller to Processor) applies. The SCCs are available at: eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

Some sub-processors listed in Annex II are established outside the EU/EEA. For onward transfers to those sub-processors, TryDirect enters into back-to-back SCCs or relies on the sub-processor's own approved transfer mechanism.

TryDirect makes available to the Customer information necessary to demonstrate compliance with this DPA, including by providing the most recent independent audit reports (when available) under reasonable non-disclosure terms.

The Customer may, no more than once per calendar year and on at least 30 days' prior written notice, request an on-site audit, conducted by the Customer or an independent third-party auditor approved by TryDirect. The Customer bears the costs of the audit. The audit must not disrupt TryDirect's normal operations or compromise the confidentiality of other customers' data.

TryDirect notifies the Customer without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data breach affecting the Customer's data.

The notification includes, to the extent known:

• the nature of the breach and categories and approximate number of Data Subjects affected;
• the likely consequences of the breach;
• the measures taken or proposed to address it;
• a contact point for further information.

TryDirect assists the Customer in meeting its own notification obligations to supervisory authorities and Data Subjects under GDPR Articles 33-34.

On termination of the User Agreement, TryDirect, at the Customer's choice, deletes or returns all Personal Data processed on the Customer's behalf, and deletes existing copies, within 30 days, unless retention is required by applicable law (for example, tax records under Moldovan law).

Encrypted backups containing Personal Data are overwritten on a rolling cycle and are fully purged within 30 days of the corresponding live-data deletion.

Each party's liability arising out of or relating to this DPA is subject to the limitations of liability set out in the User Agreement, except for liability that cannot be limited under applicable law.

In the event of conflict between this DPA and the User Agreement, this DPA prevails on matters concerning the processing of Personal Data. The SCCs (where applicable) prevail over both.

This DPA is governed by the laws of the Republic of Moldova. The courts of Chișinău, Moldova, have exclusive jurisdiction, subject to mandatory data-protection rights of Data Subjects in their country of residence.