Data Processing Addendum

This Data Processing Addendum (this “DPA”) is entered into by and between the “Seller” and Whaleco Technology Limited (“Whaleco Ireland”) (each a “Party” and together the “Parties”). The Seller agrees to comply with the following terms in respect of the Processing of Whaleco Ireland Personal Data in the course of providing the Services to Whaleco Ireland.

1.     Definitions

For purposes of this DPA, the terms below have the meanings set forth below. 

(a)   Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.

(b)   Applicable Data Protection Laws means the privacy, data protection and data security laws and regulations applicable to either Party’s Processing of Personal Data under this DPA, including, without limitation, the General Data Protection Regulation 2016/679 (the “GDPR”), the UK GDPR, the Privacy and Electronic Communications Directive 2002/58/EC, the CCPA and VDCPA. 

(c)   Applicable European Law means any law of the EEA (or the law of one or more of the Member States of the EU), and (where applicable in respect of UK Data Subjects) any law of the UK, and (where applicable in respect of Swiss Data Subjects) any law of Switzerland, which is applicable to one or more of the Parties.

(d)   CCPA means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”), and any binding regulations promulgated thereunder.

(e)   Whaleco Ireland Data means information provided or made available to Seller to perform the Services under this DPA.

(f)    Whaleco Ireland Personal Data means Whaleco Ireland Data that constitutes “Personal Data,” “personal information,” or “personally identifiable information” defined in Applicable Data Protection Laws or information of a similar character regulated thereby, shared with the Seller to Process for and on behalf of Whaleco Ireland in the course of providing the Services to Whaleco Ireland under this DPA, as set out in Annex 4 (Description of Processing).

(g)   Data Subject Request means an actual or purported request, notice or complaint from (or on behalf of) a Data Subject exercising his or her rights under Applicable Data Protection Laws.

(h)   EEA means the European Economic Area.

(i)    EU means the European Union.

(j)    European Data Protection Change means any change in or interpretation of the Applicable Data Protection Laws (including any guidance by the European Commission, the European Data Protection Board, or ruling by the Court of Justice of the EU) that: (a) results in the SCCs ceasing to be a means to ensure adequate safeguards for the purposes of Applicable Data Protection Laws for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of data protection; or (b) promulgates an alternative to the SCCs that enables the lawful transfer of Personal Data from the EU, the EEA, the UK or Switzerland (where applicable) to third countries.

(k)   Information Security Incident means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, acquisition of, or access to, Whaleco Ireland Personal Data transmitted, stored or otherwise Processed by Seller or Seller Subprocessors. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Whaleco Ireland Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

(l)    Seller Subprocessors means Affiliates or third parties that Seller engages to Process Whaleco Ireland Personal Data in relation to the Services.

(m) Regulator means any independent public authority, including any regulator or supervisory authority, established under the laws of any applicable jurisdiction responsible for the monitoring and application of Applicable Data Protection Laws.

(n)   Regulator Correspondence means any correspondence or communication received from a Regulator relating to Whaleco Ireland Personal Data.

(o)   Security Measures has the meaning given in Section 4(a) (Seller’s Security Measures) of this DPA.

(p)   Services means the product customization services and online instant communication services undertaken by the Seller arising from this DPA.

(q)   Standard Contractual Clauses (“SCCs”) means (i) Module 2 (Controller to Processor) (“EEA C2P SCCs”) and Module 3 (Processor to Processor) (“EEA P2P SCCs”) of the SCCs for the transfer of personal data to third countries set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (together the “EEA SCCs”) and (ii) the UK Addendum. Specifically, the EEA SCCs shall be interpreted as follows:

(i)   clause 7 (Docking clause) of the EEA SCCs shall apply;

(ii)   for the purposes of clause 9 (Use of sub-processors) of the EEA C2P SCCs, option 2 (General Written Authorisation) applies and the relevant time period is 30 calendar days;

(iii)   for the purposes of clause 9 (Use of sub-processors) of the EEA P2P SCCs, option 2 (General Written Authorisation) applies and the relevant time period is 60 calendar days;

(iv)   the independent dispute resolution option in clause 11 (Redress) of the EEA SCCs does not apply;

(v)   for the purposes of clause 15(1)(c) (Obligations of the data importer in case of access by public authorities) of the EEA SCCs, the Seller must provide Whaleco Ireland with the requisite information relating to any Third Party Request received by Seller at monthly intervals;

(vi)   for the purposes of clause 17 (Governing law) of the EEA SCCs, the chosen option is option 1 and the chosen law is the law of Ireland;

(vii)   for the purposes of clause 18(b) (Choice of forum and jurisdiction) of the EEA SCCs, the chosen courts are courts of Ireland;

(viii)   the Appendix shall be completed as follows:

(A)  Whaleco Ireland shall be the Controller and data exporter and Seller shall be the Processor and data importer for the purposes of Annex I.A to the EEA SCCs. The contact information for each shall be as follows:

(a)   Address of Whaleco Ireland, contact person’s name, position and contact details: Address: 25 St Stephen’s Green, Dublin 2;

(b)   Address of Seller and Seller’s contact person’s name, position and contact details: [as provided and updated by sellers from time to time];

(B)  The contents of Annex 4 (Description of Processing) shall form Annex I.B to the EEA SCCs;

(C)  The competent supervisory authority shall be the Irish Data Protection Commission for the purposes of Annex I.C to the EEA SCCs; and

(D)  The contents of Annex 2 (Security Measures) shall form Annex II to the EEA SCCs.

(r)    Third Party Request means a written request from any third party for the disclosure of Whaleco Ireland Personal Data, where compliance with such a request is required or purported to be required by applicable law or regulation.

(s)   UK means the United Kingdom.

(t)    UK Addendum means the International Data Transfer Addendum to the EEA SCCs (version B.1.0) issued by the UK Information Commissioner’s Office in accordance with section 119A of the UK Data Protection Act 2018 which came into force on 21 March 2021, on the basis that:

(i)   Table 1 and Table 3 of the UK Addendum are deemed to have been completed with the corresponding details stipulated in this DPA for EEA SCCs,

(ii)   for the purposes of Table 1 of the UK Addendum: (a) the "Start Date" is the effective date of this DPA; and (b) the official company registration number (where applicable) of the Seller is [as provided and updated by sellers from time to time] and the official company registration number of Whaleco Ireland is 723548;

(iii)   for the purposes of Table 2 of the UK Addendum, (1) the version of the "Approved EU SCCs" is the EEA SCCs; and (2) the choices regarding clause 7 (Docking clause), clause 9 (Use of sub-processors), clause 11 (Redress), and clause 15 (Obligations of the data importer in case of access by public authorities) (as stipulated in this DPA for the EEA SCCs) are applicable; and

(iv)   "Exporter" is deemed to have been chosen for the purposes of Table 4 of the UK Addendum.

(u)   UK GDPR means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the EU (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

(v)   VDCPA means Virginia Consumer Data Protection Act (2021; effective Jan. 1, 2023), and any binding regulations promulgated thereunder.

(w)  The terms “Controller”, “Data Subject”, “Personal Data”, “Processing”  (“Process” and “Processed” construed accordingly), “Processor”, “Special Categories of Personal Data” and “Sub-Processor” shall have the meanings given to them under Applicable Data Protection Laws.

(x)   References to Articles of the GDPR in this DPA are to articles of the GDPR and/or UK GDPR (as applicable) unless otherwise stated.

2.     Duration and Scope of DPA

(a)    Whaleco Ireland Personal Data is defined in Section 1 above.

(b)    The Parties agree that for the purposes of the Applicable Data Protection Laws, Whaleco Ireland is the Controller of Whaleco Ireland Personal Data and Seller is a Processor of Whaleco Ireland in relation to the Whaleco Ireland Personal Data that Seller Processes in the course of providing the Services to Whaleco Ireland, as set out in Annex 4 (Description of Processing).

(c)     The Parties agree to comply with this DPA and their respective obligations under Applicable Data Protection Laws in respect of the Whaleco Ireland Personal Data. This DPA is in addition to, and does not relieve, remove or replace, a Party's obligations or rights under the Applicable Data Protection Laws.

(d)    This DPA will remain in effect for so long as Seller Processes Whaleco Ireland Personal Data for the Services. Upon termination of this DPA, Seller shall, at Whaleco Ireland’s request, delete or return (as directed by Whaleco Ireland) all Whaleco Ireland Personal Data in Seller’s possession and delete existing copies of Whaleco Ireland Personal Data. The Seller shall demonstrate to the satisfaction of Whaleco Ireland that it has taken such measures, unless (in each case) Applicable European Law prevents it from returning or destroying all or part of the Whaleco Ireland Personal Data (in which case, the terms of this DPA will continue to apply to such Whaleco Ireland Personal Data).

(e)   Processing of Personal Data subject to the CCPA with respect to which Whaleco Ireland is a Business or Service Seller (as defined in CCPA) shall be subject to Annex 1 (California Annex) and Annex 2 (Security Measures) to this DPA.

(f)    The Parties acknowledge and agree that Annex 4 (Description of Processing) to this DPA is an accurate description of the Processing carried out under this DPA.  Whaleco Ireland shall be permitted to make amendments to Annex 4 (Description of Processing) regarding the nature, duration, purpose, types, and categories related to the Processing of Whaleco Ireland Personal Data on written notice to Seller.

3.     Whaleco Ireland Instructions

(a)   Seller will Process Whaleco Ireland Personal Data only in accordance with Whaleco Ireland’s documented instructions to Seller, including with regard to transfers of Personal Data to a third country or international organisations (unless required to do so by Applicable European Law to which Seller is subject; in such a case, Seller shall inform Whaleco Ireland of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). This DPA is a complete expression of such instructions as at the date of this DPA. If Whaleco Ireland has additional instructions (“Additional Instructions”) after the date of this DPA, Whaleco Ireland will inform Seller of such Additional Instructions. All Additional Instructions will be binding on Seller. By entering into this DPA, Whaleco Ireland instructs Seller to Process Whaleco Ireland Personal Data in accordance with this DPA and to perform its other obligations and exercise its rights in accordance with this DPA. Seller will inform Whaleco Ireland immediately in writing if in its opinion there is a conflict between Whaleco Ireland’s instructions and Applicable Data Protection Laws.

(b)   Seller will not disclose Whaleco Ireland Personal Data to any third party (including for back-up purposes) apart from the Seller Subprocessors authorised by Whaleco Ireland under this DPA at Annex 3 (List of Seller Subprocessors), unless previously agreed between the Parties in writing, or required by Applicable European Law to which Seller is subject. In such a case, Seller will inform Whaleco Ireland of that legal requirement before Processing, unless that Applicable European Law prohibits such information on important grounds of public interest.

4.     Security

(a)   Seller Security Measures. Seller will implement and maintain appropriate technical and organisational measures to protect Whaleco Ireland Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Whaleco Ireland Personal Data including, at a minimum, the measures described in Annex 2 (Security Measures) (the “Security Measures”). Seller may update the Security Measures from time to time, so long as the updated measures do not decrease the overall protection of Whaleco Ireland Personal Data.

(b)   Security Compliance by Seller Staff. Seller shall require that its personnel who are authorised to access Whaleco Ireland Personal Data are subject to appropriate confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

(c)   Information Security Incidents. Seller will notify Whaleco Ireland without undue delay, but no later than twenty-four (24) hours, of any Information Security Incident of which Seller becomes aware or suspects. Any such notification by Seller to Whaleco Ireland of an Information Security Incident will contain the following information to the extent that Seller has details of same: (i) a description of the nature of the Information Security Incident (including, where possible, the categories and approximate number of both the Data Subjects and the data records concerned); (ii) the details of a contact point where more information concerning the Information Security Incident can be obtained; and (iii) its likely consequences and the measures taken or proposed to be taken to address the Information Security Incident, including to mitigate its possible adverse effects. Whaleco Ireland agrees that Seller may provide the foregoing information in phases, without undue delay, as it becomes available. Seller will, to the extent reasonably necessary, cooperate and assist with Whaleco Ireland’s investigation of the Information Security Incident, including any relevant notifications to Regulators and affected Data Subjects, and will take commercially reasonable steps to remediate the cause to the extent the remediation is within Seller’s control.

5.     Data Subject Requests

(a)   Seller’s Data Subject Request Assistance. Seller will (taking into account the nature of the Processing of Whaleco Ireland Personal Data) provide Whaleco Ireland with assistance reasonably necessary for Whaleco Ireland to perform its obligations under Applicable Data Protection Laws to fulfil Data Subject Requests with respect to Whaleco Ireland Personal Data in Seller’s possession or control.

(b)   Whaleco Ireland’s Responsibility for Data Subject Requests. If Seller receives a Data Subject Request, Seller will (i) promptly notify Whaleco Ireland; and (ii) advise the Data Subject to submit the request to Whaleco Ireland, and Whaleco Ireland will be responsible for responding to any such request. Seller will not respond to a Data Subject Request without Whaleco Ireland’s prior authorisation, unless legally compelled to do so. If Seller is required to respond to such a Data Subject Request, Seller will promptly notify Whaleco Ireland and provide Whaleco Ireland with a copy of the request, unless legally prohibited from doing so.

6.     Restrictions on Use

(a)   Whaleco Ireland Personal Data shall only be Processed by the Seller for the specific purpose of providing the Services under this DPA.

(b)   Seller shall ensure that Whaleco Ireland Personal Data is segregated from all other Personal Data Processed by the Seller.

(c)   Seller shall not:

(i)           sell any Whaleco Ireland Personal Data;

(ii)          retain, use, share or disclose any Whaleco Ireland Personal Data for any purpose other than for the specific purpose of providing the Services under this DPA;

(iii)         use Whaleco Ireland Personal Data for profiling, targeting, analytics or data harvesting;

(iv)         do anything to cause Whaleco Ireland to be in breach of Applicable Data Protection Laws; or

(v)          combine Whaleco Ireland Personal Data received pursuant to this DPA with Personal Data (i) received from or on behalf of another person, or (ii) collected from Seller’s own interaction with any Data Subject to whom such Personal Data pertains, except as and to the extent necessary as a part of Seller’s provision of the Services under this DPA.

(d)   Seller hereby certifies that it understands its obligations under this Section 6 and will comply with them.

7.     Cooperation with Whaleco Ireland

(a)    Data Protection Impact Assessment. Where applicable and upon Whaleco Ireland’s request, Seller will provide Whaleco Ireland with reasonable cooperation and assistance needed to fulfil Whaleco Ireland’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Whaleco Ireland’s Processing of Personal Data relating to this DPA. Seller will provide reasonable assistance to Whaleco Ireland in the cooperation or prior consultation with the Regulator, to the extent required under Applicable Data Protection Laws.

(b)    Regulator Correspondence and Third Party Requests. Seller shall promptly notify Whaleco Ireland on receipt of any Regulator Correspondence or Third Party Request relating to the Whaleco Ireland Personal Data, unless Seller is prohibited from so notifying Whaleco Ireland by applicable law. Seller will not disclose any Whaleco Ireland Personal Data in response to such Regulator Correspondence or Third Party Request without first consulting with, and obtaining, Whaleco Ireland’s prior written authorisation, unless legally compelled to do so, in which case Seller will use reasonable endeavours to (i) challenge or narrow such request to the greatest extent reasonably possible under law, including by litigation; and (ii) advise Whaleco Ireland in advance of such disclosure and in any event as soon as practicable thereafter.

(c)    Seller shall make available to Whaleco Ireland all information necessary for Whaleco Ireland to demonstrate compliance with the obligations laid down in Article 28 GDPR.  

(d)    Seller shall comply with any relevant policies and procedures notified to them by Whaleco Ireland from time to time, as may be reasonable and appropriate.

8.     Seller Subprocessors

(a)   Consent to Seller Subprocessor Engagement. Subject to the Seller’s compliance with any procedures in place from time to time in relation to the appointment of Seller Subprocessors, Whaleco Ireland authorises the engagement of Seller Subprocessors set out in Annex 3 (List of Seller Subprocessors) of this DPA.

(b)   Information about Seller Subprocessors. Information about current Seller Subprocessors, including their functions and locations, is available in Annex 3 (List of Seller Subprocessors) of this DPA.

(c)   Requirements for Seller Subprocessor Engagement. Seller shall comply with any procedures in place from time to time in relation to the appointment of Seller Subprocessors. When engaging any Seller Subprocessor, Seller will enter into a written contract with such Seller Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Whaleco Ireland Personal Data to the extent applicable to the nature of the services provided by such Seller Subprocessor. Seller shall be liable for all obligations subcontracted to, and all acts and omissions of, the Seller Subprocessor.

(d)   Opportunity to Object to Seller Subprocessor Changes. When Seller engages any new Seller Subprocessor, other than those listed at Annex 3 (List of Seller Subprocessors) of this DPA, after the effective date of this DPA, Seller will notify Whaleco Ireland in writing of the proposed engagement (including the name and location of the relevant Seller Subprocessor and the activities it will perform) at least 30 days in advance. If Whaleco Ireland objects to such engagement in a written notice to Seller within 30 days after being informed of the engagement on reasonable grounds relating to the protection of Whaleco Ireland Personal Data, such proposed new Seller Subprocessor shall not be permitted to Process Whaleco Ireland Personal Data.

9.     Audits

(a)   Reviews and Audits of Compliance. Whaleco Ireland may audit Seller’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by Applicable Data Protection Laws.

(b)   Seller will contribute to such audits by providing Whaleco Ireland with the information and assistance reasonably necessary to conduct the audit. Seller agrees and acknowledges that a third party may be used to conduct (in whole or in part) such audits. 

(c)   Nothing in this Section 9 shall require Seller to breach any duties of confidentiality.

(d)   Without prejudice to any other provision of this DPA, if the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Whaleco Ireland’s audit request and Seller has confirmed there have been no known material changes in the controls audited since the date of such report, Seller shall provide such reports to Whaleco Ireland. 

(e)   The audit must be conducted during regular business hours of Seller and shall be subject to Seller’s reasonable safety and security policies. 

(f)    Whaleco Ireland will notify Seller of any non-compliance discovered during the course of an audit and provide Seller with any audit reports generated in connection with any audit under this Section 9, unless prohibited by Applicable Data Protection Laws.

(g)   Without prejudice to any right of Whaleco Ireland to recover costs, damages or expenses relating to non-compliance, each Party shall meet its own costs arising from any audits or inspections carried out under this Section 9. 

(h)   Notwithstanding the foregoing, if Whaleco Ireland requests an audit due to an Information Security Incident or reasonably suspected breach of Applicable Data Protection Laws or as required by a Regulator, Whaleco Ireland (or its representative) may perform such audit more than once annually, without the foregoing restrictions and any such audit shall be at Seller’s sole cost and expense.

10.  Transfers of Whaleco Ireland Personal Data

(a)   Transfer Mechanisms between Whaleco Ireland and Seller. The Parties acknowledge and agree that Seller may be located in, and intend to Process Whaleco Ireland Personal Data under this DPA in, jurisdictions outside of the EU, the EEA, the UK and/or Switzerland, and that such jurisdictions may not be recognised as providing an adequate level of protection for Personal Data within the meaning of Applicable Data Protection Laws (i.e. via an adequacy determination of the European Commission or the UK Secretary of State as applicable). Therefore, for transfers by Whaleco Ireland under this DPA of EU, EEA, UK or Swiss Whaleco Ireland Personal Data to Seller in jurisdictions which do not ensure an adequate level of data protection, the SCCs shall apply as follows:

(i)   the EEA C2P SCCs shall apply to transfers of EU and EEA Whaleco Ireland Personal Data where Whaleco Ireland acts as Controller of and data exporter of Whaleco Ireland Personal Data and Seller acts as Processor and data importer of Whaleco Ireland Personal Data; and

(ii)   the UK Addendum shall apply to transfers of UK Whaleco Ireland Personal Data where Whaleco Ireland acts as Controller and data exporter of Whaleco Ireland Personal Data and Seller acts as Processor and data importer of Whaleco Ireland Personal Data.

英国附录适用于英国个人数据的传输,其中甲方作为个人数据的数据控制者和披露方,乙方作为个人数据的处理者和数据接收方。

b)    Swiss data protection law. To the extent that the data protection and privacy laws and regulations of Switzerland (“Swiss Data Protection Laws”) apply to a transfer of Whaleco Ireland Personal Data, the Parties agree that the EEA SCCs are amended so that, with respect (only) to such transfer (and without limiting or affecting the application of the EEA SCCs otherwise):

瑞士数据保护法。如果瑞士的数据保护和隐私法律法规(下称瑞士数据保护法)适用于甲方个人数据的转移,则()就此类转移(且不限制或影响EEA标准合同条款的其他适用),双方同意对EEA标准合同条款进行修改:

(i) general and specific references in the EEA SCCs to Regulation (EU) 2016/679 or “that Regulation” or EU or Member State law have the same meaning as the equivalent reference in Swiss Data Protection Laws;

EEA标准合同条款中对法规(EU) 2016/679该法规、欧盟或成员国法律的一般和具体引用与瑞士数据保护法中的等效引用具有相同的含义;

(ii) the term “Member State” will not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with clause 18.c of the EEA SCCs;

成员国一词不会被解释为排除瑞士的数据主体根据EEA标准合同条款18.c条在其经常居住地(瑞士)其权利起诉的可能性;

(iii) the details of the transfers are those specified in Annex I.A to the EEA SCCs where Swiss Data Protection Laws apply to the data exporter’s Processing when making that transfer;

传输的详细信息为EEA标准合同条款附件I.A中规定的信息,其中瑞士数据保护法适用于数据导出方在进行该传输时的处理;

(iv) the SCCs also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as “personal data” under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity; and

如果该等信息在瑞士数据保护法下受到类似个人数据的保护,则标准合同条款也适用于与已识别或可识别的法人实体有关的信息的传输,直到该等法律被修订为不再适用于法人实体为止;以及

(v) the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority for the purposes of clause 13 of the EEA SCCs.

瑞士联邦数据保护和信息专员是符合EEA 标准合同条款13条的主管监管机构。

c)     The Parties agree that the SCCs are hereby incorporated by reference and will be deemed to have been executed by the Parties. To the extent that there is any conflict between the terms of this DPA and the terms of the SCCs, the SCCs shall govern.

双方同意,标准合同条款通过引用的方式并入本合同,并将被视为已由双方签署。如果本附录条款与标准合同条款之间存在任何冲突,则以标准合同条款为准。

d)    Internal Seller Transfer Mechanisms. The Seller warrants and undertakes that it shall not transfer, nor allow for Seller Subprocessors to transfer, Whaleco Ireland Personal Data outside of the Seller’s jurisdiction, unless it has specific authorisation from Whaleco Ireland to do so. For transfers of Whaleco Ireland Personal Data under this DPA by the Seller or Seller Subprocessors to other countries which do not ensure an adequate level of data protection within the meaning of Applicable Data Protection Laws (which for the avoidance of doubt may include transfers from the EEA to the UK), Seller acknowledges and agrees that Seller has implemented, and will implement, all transfer mechanisms required to comply with Applicable Data Protection Laws and shall ensure such compliance by Seller Subprocessors, including entering into, or procuring that such Seller Subprocessors enter into, the EEA P2P SCCs.

乙方内部提供者传输机制。乙方保证并承诺,除非获得甲方的具体授权,否则其不会将甲方个人数据传输至乙方管辖范围之外,也不会允许乙方分处理者将甲方个人数据传输至乙方管辖范围之外。对于乙方或乙方分处理者在本附录项下将甲方个人数据传输到无法确保适用数据保护法意义上的充分数据保护水平的其他国家/地区(为免生疑问,可能包括从欧洲经济区转移到英国),乙方承认并同意其已实施并将实施所有需要遵守适用数据保护法的传输机制,并应确保乙方分处理者遵守该等规定,包括签订或促使此类分处理者签订EEA P2P SCCs

e)    Seller will provide Whaleco Ireland with reasonable support to enable Whaleco Ireland’s compliance with the requirements imposed on international transfers of Whaleco Ireland Personal Data. Seller will, upon Whaleco Ireland’s request, provide information to Whaleco Ireland which is reasonably necessary for Whaleco Ireland to complete a transfer impact assessment ("TIA") to the extent required under Applicable Data Protection Laws.

乙方应向甲方提供合理支持,以使甲方遵守对甲方个人数据国际传输的要求。乙方应根据甲方的请求,向甲方提供所需的合理必要信息,以便甲方根据适用的数据保护法完成传输影响评估(下称TIA)。

11.  Miscellaneous

其他

(a)    Any notices required or permitted to be given by Seller to Whaleco Ireland under this DPA may be given (a) to Whaleco Technology Limited, First Floor, 25 St, Stephens Green, Dublin 2, Ireland, and such notices shall be deemed given when received by Whaleco Ireland by letter delivered by nationally recognized overnight delivery service or first-class postage prepaid mail at the above address; (b) to Seller’s primary points of contact with Whaleco Ireland; or (c) to any email provided by Whaleco Ireland for the purpose of providing it with Service-related communications or alerts.

乙方根据本附录要求或许可向甲方发出的任何通知均可 (a) 发送给Whaleco Technology Limited, 地址是【First Floor, 25 St, Stephens Green, Dublin 2, Ireland】,并且当甲方通过公认的隔夜递送服务或一级邮资预付邮件在上述地址收到该等通知时,该等通知应视为已送达; (b) 发至乙方于甲方的主要联系地点(c)发给乙方与甲方的主要联系人; (c) 发至甲方为了向其提供与服务相关的通信或提醒而提供的任何电子邮件地址。

(b)    In the event of changes to Applicable Data Protection Laws, Seller will take, and will ensure Seller Subprocessors take, such measures as required under Applicable Data Protection Laws to continue facilitating the lawful Processing of Whaleco Ireland Personal Data pursuant to this DPA and Applicable Data Protection Laws.

如果适用数据保护法发生变更,乙方应采取并确保乙方分处理商采取适用数据保护法要求的此类措施,以继续促进根据本附录和适用数据保护法合法处理甲方个人数据。

(c)     The Seller’s liability arising from this DPA shall not be subject to any exclusions or limitations on liability.

乙方因本附录产生的责任不应受到任何责任排除或责任限制的约束。

(d)     Seller will defend Whaleco Ireland from and against any claims, demands, suits, causes of action, proceedings, investigations or inquiries (“Claims”), and indemnify and hold Whaleco Ireland harmless from all losses, liabilities, damages, costs and expenses (including reasonable legal fees and fees related to any investigation or regulatory proceeding) (“Losses”) to the extent the Claims or Losses arise out of, are in connection with, or relate to: (i) any breach by Seller of this DPA; and/or (ii) Seller’s violation of any Applicable Data Protection Laws.

如果索赔或损失是由以下原因引起、与之相关或涉及:(i) 乙方任何违反本附录; / (ii)乙方违反任何适用数据保护法的行为,乙方应保障甲方免受任何索赔、要求、诉讼、诉因、程序、调查或询问(简称索赔),赔偿并确保甲方免受所有损失、责任、损害、成本和支出(包括合理的法律费用和与任何调查或监管程序相关的费用)(简称损失)。

(e)     In case of discrepancies between the English and Chinese versions, the English version shall prevail.

中英文版本如有任何差异,应以英文版本为准。

 

 

 

Annex 1 to DPA
附件1

California Annex

加州附件


 

 

Annex 2 to DPA
附件2

Security Measures

安全措施

1.                Organisational management and dedicated staff responsible for the development, implementation and maintenance of the Seller’s information security program.

配备负责乙方信息安全计划的开发、实施和维护的管理人员和专职人员。

2.                Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to the Seller’s organisation, monitoring and maintaining compliance with the Seller’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.

实施并维持审计和风险评估程序,用于定期审查和评估乙方组织的风险,监控和保障对乙方政策和程序的遵守,并向内部高级管理层报告其信息安全和合规情况。

3.                Data security controls which include, at a minimum, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilisation of commercially available industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e., the Internet) or when transmitted wirelessly or at rest or stored on portable or removable media (i.e., laptop computers, CD/DVD, USB drives, back-up tapes).

实施并维持数据安全控制,至少包括数据的逻辑隔离、受限(例如,基于角色的)访问和监控,以及对通过公共网络(即互联网)传输、无线传输或静态或存储在便携式或可移动媒体(即笔记本电脑、CD/DVDUSB驱动器、备份磁带)上的个人数据使用商用行业标准加密技术。

4.                Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).

实施并维持逻辑访问控制,旨在根据权限级别和工作职能,对数据和系统功能的电子访问进行管理(例如,在需要知道和最小权限的基础上授予访问权限;所有用户使用唯一的ID和密码;定期审查并在雇佣终止或工作职能发生变化时撤销/更改访问权限)。

5.                Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that the Seller’s passwords that are assigned to its employees:  (i) be at least eight (8) characters in length, (ii) not be stored in readable format on the Seller’s computer systems; (iii) must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.

实施并维持密码控制,旨在管理和控制密码强度、有效期和使用,包括禁止用户共享密码并要求乙方分配给其员工的密码:(i)长度至少为八(8)个字符;(ii)不以可读格式存储在乙方的计算机系统上;(iii)必须具有明确的复杂性;(iv)必须有一个历史阈值以防止重复使用最近的密码;(v)新发布的密码必须在首次使用后更改。

6.                System audit or event logging and related monitoring procedures to proactively record user access and system activity.

实施并维持系统审计或事件记录及相关监控程序,以主动记录用户访问和系统活动。

7.                Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorised physical access, (ii) manage, monitor and log movement of persons into and out of the Seller’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.

保证数据中心、服务器机房设施和其他包含个人数据的区域的物理和环境安全,旨在:(i)保护信息资产免收未经授权的物理访问,(ii)管理、监控和记录人员进出乙方设施,以及(iii)防止环境危害,例如防止高温、火灾和水的损害。

8.                Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from the Seller’s possession.

为技术和信息系统的配置、监控和维护提供操作程序和控制措施,包括系统介质的安全处置,使其中包括的所有信息或数据在最终处置或从乙方手中释放之前无法破译或恢复。

9.                Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to the Seller’s technology and information assets.

实施并维持变更管理程序和跟踪机制,旨在测试、批准和监控乙方技术和信息资产的所有重大变更。

10.             Incident management procedures designed to allow the Seller to investigate, respond to, mitigate and notify of events related to the Seller’s technology and information assets.

实施并维持事件管理程序,旨在允许乙方调查、响应、缓解和通知乙方的技术和信息资产相关的事件。

11.             Network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

实施并维持网络安全控制,提供企业防火墙和分层DMZ架构以及入侵检测系统和其他流量和事件相关程序,旨在保护系统免受入侵并限制任何成功攻击的范围。

12.             Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

实施并维持漏洞评估、补丁管理和威胁防护技术,以及预定监控程序,旨在识别、评估、缓解和防范已识别的安全威胁、病毒和其他恶意代码。

13.             Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recover from foreseeable emergencies or disasters.

实施并维持业务弹性/连续性和灾难恢复程序,旨在维持服务和/或从可预见的紧急情况或灾难中恢复。


 

Annex 3 to DPA
附件3

List of Seller Subprocessors

乙方分处理商列表

Whaleco Ireland authorises the Seller to engage the following Seller Subprocessors for the purpose of providing the Services under this DPA:

甲方同意乙方与以下分处理商签订合同以满足本附录的要求:

Seller Subprocessor Name (分处理商名称) | Nature of Processing (处理性质) | Location (地址)
N/A | N/A | N/A

 


 

Annex 4 to DPA

附件4

Details of Processing Activities

处理活动的详细信息

Data Subjects:

数据主体:

The Whaleco Ireland Personal Data processed / transferred concern the following categories of Data Subjects:

Temu users.

处理或传输的甲方个人数据中涉及以下类别的数据主体:

Temu用户

Categories of Personal Data:

普通类别数据:

The Whaleco Ireland Personal Data transferred and processed is:

Name and other non-sensitive Personal Data users may disclose during the Services.

传输和处理的甲方个人数据是:

用户可能在服务期间披露姓名和其他非敏感个人数据。

Special categories of data:

敏感类别数据:

The Whaleco Ireland Personal Data transferred may concern the following special categories of data:

N/A.

传输的个人数据可能涉及以下特殊类别的数据:

N/A.

The frequency of the transfer:

传输频率

One-off for each instance of the Services.

每次服务实例都是一次性的。

Nature of the processing:

处理性质:

The Whaleco Ireland Personal Data transferred will be subject to the following basic processing activities/ processing operations (please specify):

Use.

传输的甲方个人数据将接受以下基本处理活动(请具体说明):

使用。

Purpose(s) of the data transfer/ processing:

数据传输/处理的目的:

For the purpose of providing the Services as described in this DPA.

为了提供本附录中所述的服务。

The duration of the processing and period for which the Whaleco Ireland Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

甲方个人数据将被保留的期限,或者如果不可能,用于确定该期限的标准:

For each instance of the Services, for the duration of such instance. Seller shall not store or share any Whaleco Ireland Personal Data and shall delete Whaleco Ireland Personal Data immediately after the use of such Whaleco Ireland Personal Data.

对于服务的每个实例,在该实例的持续时间内。乙方不得存储或共享任何甲方个人数据,并应在使用此类甲方个人数据后立即删除。