POPIA Section 21

Data Processing Agreement

How Astrium Software Solutions CC processes personal information on behalf of its customers, in accordance with POPIA Section 21.

Effective date: 10 April 2026 · Last updated: 10 April 2026

This Data Processing Agreement ("DPA") forms part of, and supplements, the Terms of Service between Astrium Software Solutions CC ("Astrium", "we", "us", or "Operator") and the customer ("you", "your", "Customer", or "Responsible Party") using any Astrium SaaS product.

This DPA reflects the parties' agreement on the processing of personal information by Astrium on behalf of the Customer in accordance with the Protection of Personal Information Act 4 of 2013 ("POPIA"), specifically Sections 20 and 21.

1. Definitions

Terms used in this DPA have the meanings ascribed to them in POPIA. In particular:

  • "Responsible Party" means the Customer who determines the purpose of and means for processing Personal Information.
  • "Operator" means Astrium, processing Personal Information on behalf of the Responsible Party.
  • "Personal Information" has the meaning given in POPIA Section 1.
  • "Data Subject" means the person to whom Personal Information relates.
  • "Sub-operator" means any third party engaged by Astrium to process Personal Information on behalf of the Responsible Party.
  • "Services" means the SaaS products provided by Astrium under the Terms of Service.

2. Roles of the Parties

The parties agree that, for Personal Information uploaded, stored, or transmitted by the Customer through the Services:

  • The Customer is the Responsible Party and determines the purpose and means of processing.
  • Astrium is the Operator and processes Personal Information only on the documented instructions of the Customer.

For Personal Information that Astrium collects directly from the Customer (e.g. account registration data, billing information), Astrium acts as an independent Responsible Party, and such processing is governed by our Privacy Policy.

3. Scope and Duration

This DPA applies for the duration of the Customer's subscription to any Astrium SaaS product. The subject matter, nature, and purpose of the processing, the types of Personal Information, and the categories of Data Subjects are described in Schedule A below.

4. Astrium's Obligations as Operator

In accordance with POPIA Section 21, Astrium shall:

  • Process Personal Information only with the knowledge or authorisation of the Customer and only for the purposes set out in the Services and this DPA.
  • Treat Personal Information as confidential and ensure that persons authorised to process it are bound by confidentiality obligations.
  • Implement and maintain appropriate technical and organisational security measures as required by POPIA Section 19 (see Schedule B).
  • Not process Personal Information outside the Customer's instructions unless required to do so by law.
  • Notify the Customer immediately where there are reasonable grounds to believe that Personal Information has been accessed or acquired by any unauthorised person (see clause 8).
  • Assist the Customer in responding to data subject requests where reasonably possible.
  • Return or delete all Personal Information at the end of the provision of the Services, as set out in clause 10.

5. Customer's Obligations as Responsible Party

The Customer warrants and undertakes that:

  • It has a lawful basis under POPIA for processing any Personal Information uploaded to the Services.
  • It has obtained all necessary consents and provided all required notices to Data Subjects.
  • Its instructions to Astrium comply with POPIA and all other applicable laws.
  • It will not upload or process any special personal information (as defined in POPIA Chapter 3, Part B) or information of children (POPIA Section 34) without ensuring the applicable legal basis is in place.
  • It is responsible for the security of its account credentials and for controlling access by its users.

6. Sub-operators

The Customer provides a general authorisation for Astrium to engage Sub-operators to process Personal Information, subject to the following conditions:

  • Astrium will impose data protection obligations on each Sub-operator that are at least equivalent to those in this DPA.
  • Astrium remains responsible for the acts and omissions of its Sub-operators.
  • Astrium will give the Customer at least 30 days' prior notice of the addition or replacement of a Sub-operator by updating the list in Schedule C and notifying active subscribers by email.
  • The Customer may object to the appointment of a new Sub-operator on reasonable POPIA-related grounds by notifying enquiries@astrium.co.za within 14 days of the notice. If the objection cannot be resolved, the Customer may terminate the affected Service without penalty.

The current list of Sub-operators is set out in Schedule C.

7. Cross-Border Transfers

Where Sub-operators process Personal Information outside the Republic of South Africa, Astrium shall ensure that the transfer complies with POPIA Section 72, including by:

  • Ensuring the recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection; or
  • Obtaining the Customer's consent; or
  • Ensuring the transfer is necessary for the performance of a contract.

8. Security and Breach Notification

Astrium shall implement appropriate technical and organisational measures to protect Personal Information as set out in Schedule B.

If Astrium becomes aware of a security compromise affecting Customer Personal Information, Astrium shall:

  • Notify the Customer immediately, and in any event within 72 hours of becoming aware of the compromise, by email to the Customer's registered administrator address.
  • Provide reasonable details of the nature of the compromise, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the compromise.
  • Assist the Customer with its own notification obligations under POPIA Section 22, where applicable.
  • Take reasonable steps to contain and remediate the compromise.

9. Data Subject Requests

If Astrium receives a request from a Data Subject relating to Personal Information processed on behalf of the Customer (e.g. access, correction, or deletion requests under POPIA Sections 23–25), Astrium shall:

  • Promptly forward the request to the Customer and not respond directly, unless authorised to do so.
  • Provide reasonable assistance to the Customer in responding to the request, insofar as the Customer is unable to do so using the self-service features of the Services.

10. Return and Deletion of Personal Information

On termination or expiry of the Customer's subscription:

  • The Customer may request an export of Personal Information stored in the Services, in a structured, commonly used, machine-readable format, within 30 days of termination.
  • Astrium will retain the Customer's Personal Information for 90 days after termination to allow for data export and reactivation, after which all Personal Information will be permanently deleted from production systems.
  • Personal Information in backup systems will be overwritten in the ordinary course of Astrium's backup rotation, typically within a further 90 days.
  • Where Astrium is required by law to retain specific Personal Information (e.g. financial records), such information will be archived securely and not used for any other purpose.

11. Audit Rights

On the Customer's written request, Astrium will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. Where the Customer reasonably requires further information, Astrium and the Customer will agree a reasonable scope and schedule for an audit, conducted at the Customer's cost and without causing material disruption to Astrium's business.

12. Liability

The liability of each party under this DPA is subject to the limitation of liability provisions set out in the Terms of Service.

13. Governing Law

This DPA is governed by the laws of the Republic of South Africa, and subject to the exclusive jurisdiction of the courts of the Republic of South Africa.

14. Contact

For questions about this DPA or to exercise Customer rights:

Information Officer: Corne Beukes

Email: enquiries@astrium.co.za

Entity: Astrium Software Solutions CC (Registration 2002/061588/23)

Processing Details

Schedule A — Subject Matter and Details of Processing

Item | Details
Subject matter | Provision of SaaS products by Astrium to the Customer
Duration of processing | The term of the Customer's subscription, plus a 90-day retention period
Nature and purpose | Hosting, storage, transmission, and display of Customer data for the purpose of providing the Services
Categories of Data Subjects | The Customer's employees, contractors, end users, customers, and contacts
Types of Personal Information | Names, email addresses, phone numbers, account credentials, message content, conversation records, contact database entries, payment and debtor records (as applicable to each product)
Special Personal Information | Not processed unless specifically uploaded by the Customer, in which case the Customer warrants compliance with POPIA Chapter 3 Part B

Schedule B — Technical and Organisational Security Measures

Astrium implements the following security measures in accordance with POPIA Section 19:

  • Encryption in transit: HTTPS/TLS for all client-server communication
  • Encryption at rest: AES-256-GCM encryption for sensitive tokens, credentials, and secrets
  • Access control: Role-based access control (RBAC) across all systems
  • Authentication: JWT-based authentication with secure token handling
  • Tenant isolation: PostgreSQL Row-Level Security for multi-tenant data isolation
  • Webhook security: HMAC SHA-256 signature verification for inbound webhooks
  • Backup: Regular automated backups of Customer data
  • Monitoring: Security logging and monitoring of access to Customer data
  • Security reviews: Periodic security reviews and updates of dependencies
  • Personnel: Access to Customer data limited to authorised personnel bound by confidentiality obligations

Schedule C — Authorised Sub-operators

Sub-operator | Purpose | Location
Cloud infrastructure provider | Hosting and data storage | South Africa / EU
Paystack | Payment processing | South Africa / Nigeria
Netcash | Payment processing (legacy) | South Africa
Meta (WhatsApp Cloud API) | WhatsApp message delivery (Astrium Connect) | Ireland / USA
Telegram | Telegram message delivery (Astrium Connect) | Global
OpenAI | AI bot processing (Astrium Connect, when enabled) | USA
Anthropic | AI bot processing (Astrium Connect, when enabled) | USA
Formspree | Contact form submissions on www.astrium.co.za | USA

This list is current as at the "Last updated" date at the top of this DPA. Material changes will be notified to active subscribers at least 30 days before they take effect.