Data Transfers Addendum

1. Introduction

This Data Transfers Addendum is incorporated by reference into the Data Processing Addendum (DPA) between you and Andri.ai, which governs Andri.ai's and its Affiliates' Processing of Personal Data. You may be referred to as "You" or "Customer" in your Andri.ai Platform Agreement, or any other agreement governing your use of Andri.ai's services. Any capitalized terms not defined in this Data Transfers Addendum have the meanings given in the DPA or Agreement.

2. Order of Precedence

If multiple Data Transfer Mechanisms could apply to a transfer of Personal Data, the transfer will be subject to one Data Transfer Mechanism only, according to the following order of precedence:

• The EU Standard Contractual Clauses (SCCs)
• The UK International Data Transfer Addendum
• Any other data transfer mechanism permissible under applicable Data Protection Law and included in the DPA

3. The EU Standard Contractual Clauses

Module 2 (Controller to Processor) of the EU SCCs applies to any transfer of Personal Data from the European Economic Area (EEA) to Andri.ai in a third country.

3.1 Purpose and Effect

These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679.

3.2 Interpretation

• Terms defined in GDPR have the same meaning in these Clauses
• These Clauses are read and interpreted under GDPR provisions
• These Clauses do not conflict with rights and obligations under GDPR

3.3 Hierarchy

These Clauses prevail over any other agreements between the parties relating to data transfers.

3.4 Data Protection Safeguards

• Processing only on documented controller instructions
• Purpose limitation
• Transparency
• Accuracy and data minimization
• Storage limitation
• Security of processing
• Onward transfers
• Special categories of personal data
• Documentation and compliance

3.5 Duration and Data Return/Deletion

Processing occurs only for the duration specified. After services end, all personal data is deleted or returned, unless legal retention requirements apply.

4. UK International Data Transfer Addendum

4.1 Parties

Data Exporter:

• Name: The party to the Agreement with Andri.ai
• Address: The exporter's address
• Contact: As provided in the Agreement
• Role: Controller

Data Importer:

• Name: Skywalker Systems B.V.
• Address: The Netherlands
• Contact: info@skywalkersystems.dev
• Role: Processor

4.2 Governing Law

The Addendum is governed by the laws of England and Wales. Disputes are resolved by the courts of England and Wales.

5. Data Subject Rights

• Right to access personal data
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Right to not be subject to automated decision-making

6. Details of the Transfer

6.1 Categories of Data Subjects

• Users of the Exporter's applications
• Employees and contractors of the Exporter
• Third parties whose personal data is processed through the Services

6.2 Categories of Personal Data

• Contact information
• Professional details
• Usage data
• User-generated content
• Technical data

6.3 Special Categories of Data

Any sensitive data (including legal case details) is processed with additional safeguards and only when strictly necessary for the provision of services.

6.4 Processing Operations

• Collection
• Recording
• Organization
• Storage
• Adaptation or alteration
• Retrieval
• Consultation
• Use
• Disclosure by transmission
• Dissemination
• Restriction
• Erasure or destruction

7. Technical and Organizational Measures

7.1 Security Measures

• Encryption at rest and in transit
• Access controls and authentication
• Logging and monitoring
• Backup and disaster recovery
• Network security
• Physical security

7.2 Access Control

• Role-based access control
• Multi-factor authentication
• Regular access reviews
• Principle of least privilege

8. Sub-processor Management

• Prior authorization requirement
• Written contracts with equivalent obligations
• Regular audits and assessments
• List maintained at andri.ai/legal/subprocessors
• 15-day advance notice of changes
• Right to object to changes

9. Data Breach Notification

• Notification within 72 hours
• Detailed incident reports
• Cooperation in investigation
• Support in notification to authorities

10. Audit Rights

• Regular compliance audits
• Access to audit reports
• Cooperation with supervisory authorities
• Documentation of processing activities

11. Liability and Indemnification

Each party is liable for damages caused by breaching these clauses. The data importer is liable to data subjects for damages caused by breaching third-party beneficiary rights.

12. Termination

Data transfers may be suspended or terminated for breach of these clauses. All personal data must be returned or deleted upon termination.

13. Contact Information

• Inquiries: info@skywalkersystems.dev
• Address: Skywalker Systems B.V., The Netherlands
• Supervisory Authority: Autoriteit Persoonsgegevens (Dutch Data Protection Authority)