Telit Cinterion - Customer Data Protection Addendum

This Data Protection addendum (“DPA”) is made by and between Telit IoT Solutions Holding Ltd. and/or its affiliates, subsidiaries, and any other entity within the Telit Cinterion group of companies (“Telit Cinterion”) and the legal entity that has entered into an agreement with Telit Cinterion for the provision of Telit Cinterion’s services (“Customer”) (each a “Party” and together the “Parties”).

This DPA forms an integral part of the applicable terms and conditions of sale, service agreements, or other contractual arrangements between Telit Cinterion and the Customer (collectively referred to as the “Service Agreement”), including any purchase orders or other written agreements executed by the Parties. This DPA governs matters of data protection between the Parties, supplementing the Service Agreement with respect to such matters, and will remain in effect for the duration of the processing of Personal Data by the Parties.

1. Interpretation and Definitions

1.1 Words used in the singular include the plural and vice versa, as the context may require.

1.2 Capitalized terms not otherwise defined herein, as well as the terms “data subject”, “processing”, “controller” and “processor” shall take the meaning ascribed to them by GDPR.

1.3 The terms of this DPA will apply only to the extent that they are required under Data Protection Laws.

1.4 Definitions:

(i) “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (“EU GDPR”) and the UK Data Protection Law 2018 (“UK GDPR”) (together “GDPR”), the Federal Act on Data Protection of June 19, 1992 of Switzerland (as revised September 1, 2023) and its implementing ordinances (“Swiss FADP”), the California Consumer Privacy Act of 2018 together with any amending or replacement legislation, including the California Privacy Rights Act of 2020 and any regulations promulgated thereunder (“CCPA”), the Chinese Personal Information Protection Law (“PIPL”), and any other data protection or privacy laws, all as applicable.

(ii) "Personal Data" means any information relating to an identified or identifiable natural person, including without limitation any data which is defined under the Data Protection Laws as personal or private.

(iii) “Customer Personal Data” means Personal Data provided by or on behalf of the Customer for the purpose of provision of the Services, and which is processed by Telit Cinterion as a data processor (or data sub-processor, as relevant) on behalf of the Customer.

(iv) “Telit Cinterion Personal Data” means Personal Data that is collected, stored, or processed by Telit Cinterion in connection with the Services, in its capacity as a data controller for its own purposes.

(v) “Services” means the services provided by Telit Cinterion to the Customer, as specified in the applicable Service Agreement. For the avoidance of doubt, this definition includes situations where the Customer acts as a distributor of Telit Cinterion’s services or resells such services to its own customers, unless otherwise agreed by the Parties in writing.

(vi) “Restricted Transfer” means (i) where the EU GDPR applies, a transfer of Personal Data from the European Economic Area to a third party outside of the European Economic Area which does not benefit from an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the UK to a third party outside the UK which does not benefit from adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss FADP applies, a transfer of Personal Data from Switzerland to a third party outside of Switzerland which does not benefit from an adequacy determination by Switzerland.

(vii) “EU SCCs” means the standard contractual clauses published by the EU Commission on June 4, 2021 (https://ec.europa.eu/info/sites/default/files/sccs_word.zip).

(viii) “UK SCCs” means the EU SCCs as amended by the United Kingdom’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses dated March 21, 2022 (https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf).

2. Roles of the Parties

2.1 Telit Cinterion as Processor:

2.1.1 The Parties hereby acknowledge and agree that, in relation to the processing of Customer Personal Data, the Customer shall be deemed the data controller, and Telit Cinterion shall be deemed the data processor.

2.1.2 In instances where the Customer is acting as a data processor on behalf of a third-party data controller (the "Third-Party Controller"), Telit Cinterion shall assume the role of sub-processor (an “other processor” under GDPR Article 28(4)) and the following shall apply:

a. Any references in this DPA to the Customer’s obligations or rights as the data controller shall be interpreted as applying to the Third-Party Controller, including but not limited to the determination of the purposes and means of the processing of Customer Personal Data.

b. Telit Cinterion shall process Customer Personal Data in accordance with the Customer’s documented instructions, which must be consistent with the instructions of the Third-Party Controller.

c. For the sake of convenience, this DPA will continue to refer to the Customer as the "data controller" and Telit Cinterion as the "data processor," with necessary adjustments made to reflect these roles as processor and sub-processor, respectively.

2.2 Telit Cinterion as Controller:

2.2.1 The Parties acknowledge and agree that Telit Cinterion may process certain categories of Personal Data as an independent data controller for its own purposes, including Personal Data necessary for the following purposes:

a. billing and invoicing;

b. administration and management of the business relationship with the Customer; and,

c. providing access to, operating and delivering updates through Telit Cinterion’s online technical documentation portal (the ‘Download Zone’).

For the sake of convenience, such Personal Data shall be referred to as "Telit Cinterion Data."

2.2.2 In relation to the processing of Telit Cinterion Data, Telit Cinterion shall comply with its obligations as a Data Controller under applicable Data Protection Laws. This includes, but is not limited to, ensuring the lawful basis for processing and implementing appropriate security measures.

3. Customer Obligations

3.1 The Customer represents and warrants that:

a. It has obtained all necessary consents, permissions, authorizations, or other valid legal bases under Data Protection Laws to allow for the lawful collection, processing, and transfer of Personal Data to Telit Cinterion (or any sub-processors) in accordance with this DPA and the Service Agreement.

b. The processing instructions provided to Telit Cinterion under this DPA, including any instructions related to a Restricted Transfer, comply with Data Protection Laws.

c. It has provided the relevant data subjects with all required notices and information regarding the processing of their Personal Data under this DPA as required under Data Protection Laws.

3.2 In instances where the Customer is acting as a data processor on behalf of a Third-Party Controller, the Customer represents and warrants that it is authorized by the Third-Party Controller to instruct Telit Cinterion in the processing of Personal Data as specified in this DPA and to enter into this DPA on the Third-Party Controller’s behalf.

3.3 The Customer agrees to inform the relevant data subjects, including its authorized representatives, about Telit Cinterion's processing of Telit Cinterion Data and to direct them to Telit Cinterion’s Privacy Policy, available at https://www.telit.com/privacy-policy/, to facilitate Telit Cinterion in fulfilling its transparency obligations under Data Protection Laws.

3.4 Customer shall indemnify and hold harmless Telit Cinterion against any claim, fine, or penalty resulting from Customer’s failure to obtain necessary consents, permissions, authorizations or other valid legal bases for the processing of Customer Personal Data or provide required notices to data subjects.

4. Processing Instructions

4.1 Customer hereby instructs Telit Cinterion to process Customer Personal Data for the purpose of providing the Services as described in the Service Agreement. Telit Cinterion shall process Customer Personal Data only pursuant to Customer’s lawful documented instructions, including the Service Agreement and other instructions communicated in writing directly to Telit Cinterion and in accordance with the Description of Processing, attached hereto as Exhibit A.

4.2 Telit Cinterion may also Process Customer Personal Data where required by applicable laws to which Telit Cinterion is subject, in which case Telit Cinterion shall inform Customer of that legal requirement before the relevant Processing of that Personal Data, unless prohibited from doing so by law.

5. Security and Confidentiality:

5.1 Telit Cinterion's personnel engaged in Processing Customer Personal Data are and will remain committed to confidentiality. Taking into account the nature, scope, context, purpose and risk of processing of Customer Personal Data under this DPA, Telit Cinterion shall take not less than reasonable industry-appropriate technical and organizational measures to ensure the security of its processing of Customer Personal Data, in accordance with Data Protection Laws.

5.2 Without derogating from the foregoing, Telit Cinterion shall implement appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure, as detailed in Exhibit B of this DPA. Such measures shall include, as appropriate:

a. the encryption of Personal Data;

b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;

c. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

d. regular re-evaluation of Telit Cinterion’s technical and organizational measures for ensuring the security of the processing.

6. Sub-processors:

6.1 Telit Cinterion has Customer's general authorization for the engagement of sub-processors. Telit Cinterion’s current list of approved sub-processors is available online at https://www.telit.com/sub-processor-vendors/ (“the Sub-processor List”), and is hereby approved by Customer.

6.2 To the extent required under Data Protection Laws, Telit Cinterion will provide written notification to Customer of any intended changes concerning the addition or replacement of other sub-processors, at least 15 days prior to such changes. If Customer objects to Telit Cinterion's intended appointment of a new sub-processor on reasonable grounds related to data protection, then the Parties will make a good faith effort to resolve Customer’s objection. In the absence of a resolution, Telit Cinterion will, at its sole discretion, either not appoint the new sub-processor, or permit Customer to suspend or terminate the affected service in accordance with the termination provisions in the Service Agreement.

6.3 Telit Cinterion shall ensure that its arrangement with each sub-processor is governed by a written contract including terms which offer at least a substantially similar level of protection of the Customer Personal Data as those set out in this DPA. As between Telit Cinterion and Customer, Telit Cinterion will be and remains responsible for the acts and omissions of each Telit Cinterion sub-processor and for such sub-processor’s compliance with Data Protection Laws and the terms of this DPA.

7. Cooperation:

7.1 Telit Cinterion shall reasonably assist the Customer in responding to data subject requests for exercising their rights under Data Protection Laws. Telit Cinterion shall promptly inform the Customer upon receiving any such request. Additionally, Telit Cinterion shall provide reasonable assistance to the Customer in fulfilling its obligations under Data Protection Laws, including but not limited to data security measures, conducting data protection impact assessments, and managing breach notifications. The Customer shall bear the costs of such assistance to the extent that it exceeds ordinary expenses incurred by Telit Cinterion in the regular course of business.

7.2 If Telit Cinterion is required by applicable law, court order, or governmental authority to disclose or provide access to Customer Personal Data, Telit Cinterion shall promptly notify the Customer and provide a copy of the request, unless prohibited by law from doing so. Telit Cinterion will reasonably cooperate with the Customer to allow it to respond to or contest the request where applicable.

8. Personal Data Breach:

8.1 In the event of a Personal Data Breach (as this term is defined and used in Data Protection Laws or regulatory guidelines) affecting Customer Personal Data, Telit Cinterion shall, without undue delay after becoming aware of the breach, notify the Customer. The notification shall include, to the extent available:

(i) A description of the nature of the breach, including the categories and approximate number of data subjects and data records concerned.

(ii) The likely consequences of the breach.

(iii) Measures taken or proposed to be taken by Telit Cinterion to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

8.2 Telit Cinterion shall promptly take all necessary steps to contain, investigate, and mitigate the effects of the Personal Data Breach and to remedy the breach as soon as reasonably possible. Telit Cinterion shall further cooperate with the Customer in fulfilling its obligations regarding notifications to relevant supervisory authorities and affected data subjects under Data Protection Laws.

8.3 Telit Cinterion will document the facts relating to the Personal Data Breach, its effects, and any remedial action taken and will provide such documentation to the Customer upon request.

8.4 Each Party shall bear its own costs related to managing and remediating a Personal Data Breach unless the breach was caused by a violation of this DPA or Data Protection Laws by one Party, in which case the violating Party shall bear the costs of any necessary remediation and regulatory notifications.

9. Audits:

9.1 Telit Cinterion will make available all information reasonably necessary to demonstrate compliance with Data Protection Laws. Telit Cinterion will allow for and contribute to audits and inspections in this regard.

9.2 Customer (or its designated auditor, subject to a confidentiality agreement) is entitled to reasonably verify Telit Cinterion’s compliance with this DPA. Such audits shall be conducted no more than once annually, unless a Personal Data Breach occurs or there is substantiated evidence of a material breach of Data Protection Laws or this DPA by Telit Cinterion. Audits shall take place during normal business hours, with reasonable prior written notice of at least thirty (30) days. Customer will ensure that such audits do not unreasonably interfere with or damage Telit Cinterion’s business activities, information, or network systems.

9.3 Audits may include a review of Telit Cinterion’s relevant data processing systems, controls, and documentation necessary to verify compliance with Data Protection Laws and this DPA. Audits shall not extend to unrelated business records, proprietary information not related to the processing of Customer Personal Data, or facilities not used for such processing.

9.4 Any information obtained during an audit shall be treated as confidential by the Customer and used solely for the purpose of assessing Telit Cinterion’s compliance with this DPA and Data Protection Laws.

9.5 Customer shall bear all costs and expenses of audits, including its own auditor and travel costs. Telit Cinterion shall bear only its own internal costs of cooperation. If an audit verifies and substantiates an undisclosed material breach of Data Protection Laws by Telit Cinterion, Telit Cinterion shall reimburse the Customer’s reasonable external audit costs directly related to such audit.

9.6 As an alternative to conducting an on-site audit, Telit Cinterion may provide the Customer with audit reports from independent third-party auditors, such as ISO certifications or SOC 2 reports, which attest to Telit Cinterion’s compliance with its data protection obligations. Customer agrees that reliance on such reports shall be deemed sufficient evidence of compliance and the primary means of audit, unless a Supervisory Authority or other competent regulator requires additional verification, or the Customer provides reasonable documented reasons why such reports are insufficient.

10. Deletion:

10.1 Upon the Customer’s request and/or upon expiration or termination of the Service Agreement, Telit Cinterion shall, within sixty (60) calendar days of receiving such a request or upon expiration or termination, securely destroy or, if instructed in writing by the Customer, return all Customer Personal Data in its possession or control.

10.2 Any returned Customer Personal Data shall be provided in a commonly used, industry-standard format and media. Upon the Customer’s request, Telit Cinterion shall provide written certification confirming the destruction of the Customer Personal Data.

10.3 Notwithstanding the above, Telit Cinterion may retain Customer Personal Data under the following conditions:

10.3.1 Archived copies of Customer Personal Data solely for backup and/or log purposes in the ordinary course of business. Such archived data will remain subject to the ongoing obligations of this DPA and shall be securely deleted upon the expiration of Telit Cinterion’s standard retention period for backup or log files, in accordance with its data retention policies.

10.3.2 Personal Data necessary for the establishment, exercise, or defense of legal claims or as required under applicable laws, regulations, or by a governmental or regulatory authority. Such data shall be retained only as necessary and in full compliance with applicable Data Protection Laws.

10.3.3 Personal Data required for Telit Cinterion’s billing and invoicing purposes, with retention strictly limited to what is necessary and in compliance with applicable Data Protection Laws.

11. Anonymized and Aggregated Data:

11.1 Telit Cinterion may retain and process data that has been irreversibly anonymized or aggregated from Customer Personal Data, provided that such data:

(a) has been subject to technical and organizational measures that ensure it cannot identify or be reasonably associated with any individual;

(b) is maintained and used without any attempt to re-identify it; and

(c) is processed solely for Telit Cinterion’s legitimate business purposes, including statistical analysis, research, product development, and improvement of services.

11.2 For the avoidance of doubt, once Customer Personal Data has been irreversibly anonymized in accordance with applicable Data Protection Laws, such data shall no longer be considered Customer Personal Data and shall fall outside the scope of this DPA.

12. International Transfers:

12.1 Each Party shall comply with applicable data export and cross-border transfer requirements under Data Protection Laws that apply to it in its role.

12.2 If, and to the extent, the processing of Customer Personal Data and/or Telit Cinterion Data by Telit Cinterion involves Restricted Transfers protected by the GDPR or the Swiss FADP, the Parties agree that such transfers shall be undertaken on the basis of the applicable standard contractual clauses which are incorporated herein by reference and construed in accordance with Exhibit C of this DPA, unless another mechanism provided for in the Data Protection Laws of the applicable country applies.

12.3 Onward Transfers. To the extent that Telit Cinterion's use of sub-processors involves a Restricted Transfer, Telit Cinterion will ensure that such Restricted Transfer complies with Data Protection Laws relating to the Restricted Transfer including, but not limited to, subscribing to a transfer mechanism permitted under Data Protection Laws.

13. CCPA:

13.1 As used in this section, “Sell”, “Share”, “Service Provider” and “Personal Information” shall have the meaning assigned to them in the CCPA.

13.2 To the extent the CCPA applies, Telit Cinterion shall be considered a Service Provider processing personal information on behalf of Customer, who shall be considered a Service Provider or Business, as applicable. Customer and Telit Cinterion shall comply with the obligations required of Businesses and Service Providers, as applicable, pursuant to the CCPA. The purposes of processing set forth in the Service Agreement are considered Business Purposes.

13.3 Telit Cinterion is prohibited from:

(i) Selling or Sharing Personal Information.

(ii) Retaining, using or disclosing Personal Information for any purpose other than for the business purposes specified in the Service Agreement, including retaining, using or disclosing Personal Information for a commercial purpose other than the business purposes specified in the Service Agreement or as otherwise permitted by the CCPA.

(iii) Retaining, using or disclosing the Personal Information outside of the direct business relationship between Customer and Telit Cinterion.

(iv) Combining the Personal Information it receives from Customer with Personal Information it receives from or on behalf of another person or entity, or that it collects from its own interactions with individuals, unless expressly permitted by the CCPA.

14. Limitation of Liability:

14.1 Notwithstanding anything to the contrary in the Service Agreement and to the maximum extent permitted by law:

14.1.1 Telit Cinterion’s total aggregate liability under or in connection with this DPA, the processing of Personal Data, or any Data Protection Laws, including any indemnification obligations, shall not exceed the amounts paid by Customer to Telit Cinterion under the Agreement in the twelve (12) months preceding the event giving rise to the claim;

14.1.2 In no event will Telit Cinterion and/or its third-party providers be liable for: (i) indirect, special, consequential, incidental, punitive, or exemplary damages; (ii) loss of profits, business, or anticipated savings; (iii) loss of or damage to data, goodwill, or reputation; or (iv) costs of procuring substitute goods or services.

14.1.3 The foregoing limitations and exclusions apply: (a) even if Telit Cinterion or its providers knew or should have known of the possibility of such damages; (b) even if any remedy fails of its essential purpose; and (c) regardless of the form, basis, or theory of liability (whether in contract, tort, or otherwise). These limitations shall not apply to liability arising from Telit Cinterion’s willful misconduct or fraud.

15. General Provisions:

15.1 The terms of this DPA will prevail over any conflicting terms in other agreements between the Parties including the Service Agreement. Any alteration or modification of this DPA is not valid unless made in writing and executed by duly authorized personnel of both Parties.

15.2 Invalidation of one or more of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced, to the extent possible, by such valid provisions which achieve essentially the same objectives.

15.3 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Service Agreement, unless required otherwise by Data Protection Laws.

15.4 Telit Cinterion’s data protection personnel may be contacted at privacy@telit.com.

15.5 This DPA forms an integral part of the Service Agreement between the Parties and is effective and binding upon execution of the Service Agreement. Signature of this DPA is not mandatory for its validity.

* * * * *

LIST OF EXHIBITS

I. Exhibit A – DESCRIPTION OF PROCESSING

II. Exhibit B – TECHNICAL AND ORGANIZATIONAL MEASURES

III. Exhibit C – STANDARD CONTRACTUAL CLAUSES

 

Exhibit A

Description of Processing

Duration of the Processing of Personal Data

For the term of the Service Agreement between the Parties, and thereafter for as long as required under applicable Data Protection Laws or Telit Cinterion’s Data Retention Policy (e.g., limited retention in backups, logs, billing records, or as necessary to establish, exercise, or defend legal claims). Certain Services may allow the Customer to configure data retention periods within the Service environment, subject to the other terms of this DPA.

Purpose of the Processing

Processing is carried out as necessary for the provision of the Services under the Service Agreement, including but not limited to:

  • Provision and operation of the Services, as relevant;

  • Provision of support in relation to the Services, which may include limited, temporary access to Customer’s own systems or cloud environments as instructed by Customer;

  • Account setup, administration, billing, and invoicing;

  • Monitoring, troubleshooting, and ensuring performance, resilience, and security of the Services;

  • Compliance with legal, regulatory, and contractual obligations;

  • Limited use of anonymized/aggregated data for research, statistics, product development, and service improvement.

Nature of the Processing

The processing activities Telit Cinterion may perform on Customer Personal Data include, as applicable:

  • Collection and receipt (data provided by Customer or entered into the Services).

  • Storage and hosting in Telit’s secure environments and approved sub-processor systems.

  • Access by authorized personnel for the provision of Services, including customer support.

  • Use and transmission as necessary to provide the Services.

  • Analysis and troubleshooting to monitor, maintain, and improve the performance, resilience, and security of the Services.

  • Disclosure to approved sub-processors or as legally required.

  • Retention and deletion in accordance with the Service Agreement, this DPA, and Telit’s Data Retention Policy.

  • Anonymization and aggregation of data for research, statistical, and product improvement purposes, provided such data can no longer identify an individual.

Types of Personal Data to be Processed & Data Subjects

Depending on the Services purchased and used by Customer, Telit Cinterion may process the following categories of Personal Data, including but not limited to:

A. Customer User Data

Data Subjects: Authorized users of the Services acting on behalf of Customer (employees, contractors, representatives).

Personal Data (as applicable depending on the Service):

  • Account Data: login credentials (email, password), name, work title, company name, country, phone number.

  • Activity Log Data: logins, timestamps, file downloads, and other service-related activity.

  • Support Data: support tickets, correspondence, case history, communications, and any data disclosed during support engagements.

B. IoT End User Data

Data Subjects: End users of Customer’s (or Customer’s customers’) IoT devices, to the extent such individuals are natural persons.

Personal Data (depending on the Service and Customer’s configuration): Pseudonymized device-level data that may indirectly relate to individuals. Such data may include:

  • Device identifiers (e.g. SIM/eSIM identifiers, IMEI, IMSI, ICCID, EID, device certificates);

  • Connectivity and transmission metadata (e.g. session duration, volume, source/destination number, IP address, cell tower data, signaling information, GPS location);

  • Operational and log data (e.g. device activity logs, geolocation history, driver behavior indicators, operational alerts);

  • Customer-defined metadata (e.g. free-text fields, labels, or identifiers entered by Customer).

Disclaimer:

Telit Cinterion does not receive or process directly identifying information of IoT End Users (such as names or contact details) and cannot reasonably identify such individuals. The determination of whether IoT End User Data can be linked to specific persons rests solely with the Customer, and Telit Cinterion processes such data strictly for the provision of Services, not for identifying individuals.

Special Category Data

Telit Cinterion does not intentionally process Special Category Data. Customers are instructed not to provide such data in connection with the Services. If Special Category Data is nevertheless processed, Telit Cinterion will only do so under documented instructions and with safeguards required by Data Protection Laws.

 

Exhibit B

Technical and Organizational Measures (TOMs)

Telit Cinterion implements a comprehensive information security program to protect the confidentiality, integrity, and availability of personal data, in line with industry standards (including ISO 27001 and related certifications) and GDPR requirements. Measures are regularly reviewed and updated.

1. Governance and Personnel Security

  • Documented information security policies apply to all personnel.

  • Access to personal data is strictly limited to authorized individuals under confidentiality obligations.

  • Employees receive mandatory security and privacy training.

  • A Data Protection Officer and dedicated security roles oversee compliance with applicable data protection legal and regulatory requirements (GDPR, CCPA, etc.).

2. Physical and Environmental Security

Facilities and server rooms are protected by controlled access, visitor management, alarm systems, video surveillance, fire detection, climate control, and redundant power.

3. Access and Authentication Controls

  • Role-based access control and least privilege principles are enforced.

  • Multi-factor authentication is used for sensitive systems and remote access.

  • User access is managed through structured provisioning and de-provisioning with periodic reviews and audits.

  • Access to data is governed by defined authorization concepts, logging and security monitoring tools.

4. System and Network Security

  • Networks and systems are protected using firewalls, intrusion detection/prevention, endpoint protection and continuous monitoring.

  • Regular vulnerability management, security patching and system hardening are performed.

  • Customer environments are logically and physically separated.

5. Data Protection and Encryption

  • Personal data is encrypted at rest and in transit using industry-standard protocols.

  • Cryptographic keys are securely managed.

  • Pseudonymization is applied where appropriate.

  • Backups are encrypted, stored securely and tested for restoration.

6. Data Handling, Retention, and Deletion

  • Data is retained only as necessary to provide services or as required by law, consistent with the Data Retention and disposition Policy.

  • Upon termination or customer request, personal data is securely deleted or anonymized.

  • Media and backups are disposed of or erased using industry-standard methods.

7. Vendor and Sub-Processor Management

  • Sub-processors undergo security and privacy due diligence and are contractually required to maintain adequate safeguards.

  • Service providers are selected and monitored based on data security criteria.

  • An up-to-date list of authorized sub-processors is maintained, with notice of changes provided as required.

8. Incident Response and Business Continuity

  • Documented incident response, business continuity, and disaster recovery procedures are in place.

  • Security events are investigated promptly and customers are notified without undue delay in accordance with applicable law.

  • Redundant systems and tested recovery processes support service resilience.

9. Testing and Assurance

  • Regular risk assessments, internal reviews, independent audits, and penetration testing validate the effectiveness of controls.

  • Controls are continuously improved based on testing results and emerging risks.

  • Internationally recognized certifications (ISO 27001, 27017, 9001, 28000, 22301) demonstrate commitment to best practices.

 

Exhibit C

Standard Contractual Clauses

EU SCCs:

1. The Parties agree that where data is transferred outside of the EEA to a recipient that is not located in a jurisdiction deemed adequate by the EU Commission, the EU SCCs are hereby incorporated by reference and shall apply to such transfers. Module 1 (Controller to Controller), Module 2 (Controller to Processor), Module 3 (Processor to Processor) and/or Module 4 (Processor to Controller) shall apply, as applicable. In Clause 7 of the EU SCCs, the optional docking clause shall apply. For the purposes of Clause 9: option 2 (General Authorization) shall apply, authorization period will be 15 days. In Clause 11 the optional language will not apply. For the purposes of Clause 13(a) and Annex I.C, the competent supervisory authority shall be the supervisory authority of the Member State where the Data Exporter is established or has a representative or, if the exporter is not established in any EU member state, then the supervisory authority of Ireland is selected; for the purposes of Clause 17: option 2 applies, and the governing law will be the governing law of Ireland; for the purposes of Clause 18: disputes shall be resolved by the courts of Ireland.

2. For the purposes of Annex I: Customer is the ‘Data Exporter’, Telit Cinterion is the ‘Data Importer’ or vice versa, as applicable; the ‘contact details of the data exporter and data importer’, ‘Data subjects’, ‘Categories of data’, ‘Frequency of the transfer’, ‘Nature of processing’, ‘Purpose’, ‘Retention period’, ‘Subject matter, nature and duration of the processing’, are as described in Exhibit A of this DPA or other applicable documented instructions by and between the Parties. ‘Signature and Date’: By entering into the Service Agreement each Party is deemed to have signed these EU SCCs incorporated herein, including their exhibits.

3. For the purposes of Annex II: ‘technical and organizational measures’ are as described in Exhibit B of this DPA, in addition to the following measures: Data Importer maintains industry standard measures to protect the Personal Data from interception (including in transit from Data Exporter to Data Importer and between different systems and services). This includes maintaining the Personal Data Protection Measures (including encryption of Personal Data whilst in transit and at rest), detailed in Sections 4-6 below.

4. Data Importer will make reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the UK GDPR, including (if applicable) under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”).

5. If Data Importer becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempt or demand to gain access to or a copy of the Personal Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, Data Importer shall:

I. To the extent the Personal Data is Customer Personal Data, inform the relevant Authority that it is a Processor or Sub-processor (as applicable) of the Personal Data and that Data Exporter, as the Controller or Processor (as applicable) has not authorized Data Importer to disclose the Personal Data to the Authority;

II. Inform the relevant Authority that any and all requests or demands for access to the Personal Data should be directed to or served upon Data Exporter in writing;

III. Use reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the Data Importer’s control. Notwithstanding the above, if, taking into account the nature, scope, context and purposes of the related Authority’s intended access to Personal Data, Data Importer has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection shall not apply. In such event, Data Importer shall notify Data Exporter, as soon as possible, following the access by the Authority, and provide Data Exporter with relevant details, unless and to the extent legally prohibited to do so.

6. For the purposes of Annex III: the authorized sub-processors are as listed in Telit Cinterion’s approved Sub-processor List available online at https://www.telit.com/sub-processor-vendors/.

UK SCCs:

To the extent that Personal Data transfers are governed by the UK GDPR, the UK SCCs shall be incorporated by reference and form an integral part of this DPA. Where this is the case, the relevant annexes, appendices or tables shall be deemed populated with the information set out in this DPA, and the following modifications will apply: any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the UK GDPR; references to specific Articles of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK GDPR; references to "EU", "Union" and "Member State law" are all replaced with "UK"; Clause 13(a) and Part C of Annex I of the EU SCCs are not used; references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Information Commissioner and the courts of England and Wales; and Clause 17 of the EU SCCs is replaced to state that "The Clauses are governed by the laws of England and Wales" and Clause 18 of the EU SCCs is replaced to state "Any dispute arising from these Clauses shall be resolved by the courts in England. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts".

Swiss SCCs:

In relation to transfers of Personal Data protected by the Swiss FADP, the EU SCCs shall be incorporated by reference and form an integral part of this DPA, with the following modifications:

I. any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss FADP;

II. references to "EU," "Union," "Member State," and "Member State law," shall be interpreted as references to Switzerland and Swiss law, as the case may be; and

III. references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland.

* * * * *