DATA PROCESSING AGREEMENT

This Data Processing Agreement ("DPA") is concluded by and between the User, which uploads any Content on the Platform ("Controller"), as defined by the Terms of Service (https://lava.top/en/docs/terms/) and LAVALANE LTD, registered under the law of Republic of Cyprus with registration number HE 387079, and residing at Kallipoleos, 3, Flat/Office 102, 1055, Nicosia, Cyprus ("Processor"). Controller and Processor are hereinafter collectively referred to as the "Parties" and separately as the "Party".

The Controller and the Processor are the parties of the Terms of Service by accepting by the Controller Terms of Service or by signing a written version of the Terms by both Parties - if any (the "Terms"). This DPA is part of the Terms. Except as modified herein, the terms of the Terms will remain as agreed in case of contradictions between the terms of this DPA with the terms of the Terms, and the terms of this DPA prevail.

The Parties hereby conclude the standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 and Article 29(7) of Regulation (EU) 2018/1725 (decision (EU) 2021/915 of 4 June 2021) ("SCC").

For the purposes of Clause 1(a) of the SCC, the Parties choose the option 1.

The Parties agree not to include it in the SCC Clause 5 (Docking Clause).

For the purposes of Clause 7.7(a) of the SCC, the Parties choose the option 2 and specify that the Processor shall specifically inform in writing the Controller of any intended changes of that list through the addition or replacement of sub-processors at least 5 (five) days in advance, thereby giving the Controller sufficient time to be able to object to such changes before to the engagement of the concerned sub-processor(s). The Parties also agree that the relevant agreed list of sub-processors is available at https://lava.top/en/docs/policy/ and may be amended by the Processor from time to time at its discretion subject to Clause 7.7 of the SCC.

The Parties agree to add the following clause (f) to Clause 7.7 of the SCC: "The Controller may object to intended changes of the relevant agreed list of sub-processors provided that such objection is based on reasonable grounds relating to data protection by terminating the Terms immediately upon written notice received by the Processor within 20 days as of the Controller is informed of the intended changes."

For the purposes of Clause 8(c)(4) of the SCC, the Parties choose the option 1.

For the purposes of Clause 9.1(b) of the SCC, the Parties choose the option 1.

For the purposes of Clause 9.1(c) of the SCC, the Parties choose the option 1.

For the purposes of Clause 9.2 of the SCC, the Parties choose the option 1.

Each Party's liability for any breach of this DPA (including the SCC) shall be subject to the limitations and exclusions of liability set out in the Terms, provided that neither Party limits or excludes any liability that cannot be limited or excluded under applicable law.

All references in the SCC to requirements of data protection laws of the EU shall be read as references to requirements of data protection laws of the EU and relevant requirements of other applicable data protection laws.

The Parties agree that other clauses and additional safeguards added by this DPA to the SCC do not directly or indirectly contradict the SCC or detract from the fundamental rights or freedoms of data subjects.

Annexes I -- III are attached to this DPA.

ANNEX I

List of parties

Controller(s):

Name: User as defined in the Terms

Address: As defined in the Terms

Contact person’s name, position and contact details: As defined in the Terms

Signature and accession date: As defined in the Terms

Processor(s):

Name: LAVALANE LTD

Address: Kallipoleos, 3, Flat/Office 102, 1055, Nicosia

Contact person’s name, position and contact details: As defined in the Terms

Signature and accession date: As defined in the Terms

ANNEX II

Description of the processing

Categories of data subjects whose personal data is processed: any individuals whose data is uploaded to the Platform by the Controller at the Controller's discretion.

Categories of personal data processed: any categories of personal data uploaded to the Platform by the Controller at the Controller's discretion.

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Sensitive personal data uploaded to the Platform by Controller at the Controller's discretion. The same restrictions and safeguards are applied to all personal data processed under this DPA.

Nature of the processing: Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission or otherwise making available, alignment or combination, restriction, erasure and destruction.

Purpose(s) for which the personal data is processed on behalf of the Controller: The Processor will process personal data the Controller data submitted, stored, sent or received to provide the services to the Controller in accordance with the Terms.

Duration of the processing: The period of provision of the services to the Controller plus the time for the deletion of personal data, unless retention is required under applicable laws or if otherwise agreed by the Parties.

For processing by (sub-) processors, specify the subject matter, nature and duration of the processing: The (sub-) processors perform all the operations required to render the services to the Controller under the Terms. The (sub-) processors process the personal data until the Terms between the Controller and the Processor are valid and until the processing is required to render the services to the Controller.

ANNEX III

Technical and organizational measures including technical and organizational measures to ensure the security of the data

• Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services
• Measures for ensuring the ability to restore the availability and access to personal data promptly in the event of a physical or technical incident
• Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of the processing
• Measures for user identification and authorisation
• Measures for the protection of data during transmission
• Measures for the protection of data during storage
• Measures for ensuring physical security of locations at which personal data are processed
• Measures for ensuring events logging
• Measures for ensuring system configuration, including default configuration
• Measures for internal IT and IT security governance and management

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to assist the Controller: the same.

Description of the specific technical and organizational measures to be taken by the processor to be able to assist the Controller: the same.