Einride Data Processing Addendum (Singapore)
Version 1.1, April 2023
SUBJECT MATTER AND SCOPE
- This Data Processing Addendum (the “DPA”) consists of this document along with Attachment A (Specification). Where applicable and subject to Section 9 below, standard contractual clauses adopted by the EU Commission from time to time shall be deemed incorporated into the DPA by reference.
- This DPA constitutes an addendum and an integrated part of the Contract (as defined in the Einride Saga Terms of Service) between Einride and User which may be concluded by way of an order form, main agreement or User accepting the Einride Saga Terms of Service referencing this DPA. In the event of inconsistencies between clause(s) in other Contract documents and this DPA in regard to Einride’s processing of Personal Data, this DPA shall prevail and apply in lieu of such inconsistent clause(s) in other Contract documents. Notwithstanding the foregoing, standard contractual clauses shall (if incorporated) have the highest priority in the event of any conflict or inconsistency with this DPA or the Contract.
- Einride will as part of the Software Services process Personal Data (as a ‘data intermediary’) on behalf of User. This DPA constitutes a written agreement between a User and a data intermediary as required pursuant to the Personal Data Protection Act 2012 of Singapore (“PDPA”).
- If User Content includes Personal Data of a third party, User warrants and represents that it has been instructed by and has obtained the authorization (including express written consent, if necessary) of all relevant third parties to enter into this DPA with Einride on behalf of such third party and that each and every relevant third party has given such notifications to, and obtained any required consents from, the relevant individuals to ensure that the collection, use, disclosure or other forms of processing of such Personal Data in these circumstances complies with applicable data protection laws, including the PDPA.
- For the avoidance of doubt, Personal Data collected and processed by Einride in its own right other than as a data intermediary for the User shall not be subject to this DPA. Please see the Privacy Notice (Singapore) for further information.
DEFINITIONS
- Terms defined in the Contract shall have the same meaning when used in this DPA with an initial capital letter. Further, the terms defined in the PDPA shall have the meanings set forth therein, including, amongst others, “individual”, “data intermediary”, “processing”, “data breach”, and “Commission”, when used in this DPA.
- In addition to the preceding section and to the terms defined above, the following terms shall be defined as follows:
- “Covered Personal Data” means Personal Data that is processed by Einride as data intermediary on behalf of User, see Specification.
- “Specification” means Attachment A.
- “Supervisory Authority” means the Personal Data Protection Commission of Singapore and, where applicable, any other supervisory authority with regulatory jurisdiction over Customer’s business operations.
INSTRUCTIONS TO EINRIDE
- User hereby instructs Einride to process Personal Data in accordance with Attachment A and as reasonably necessary to provide the Services to Einride’s customers. User may provide additional, documented instructions to Einride to process Personal Data; provided, however, that Einride shall be obligated to perform such additional instructions only if they are consistent with the terms and scope of the Contract and this DPA.
- In the event User provides additional documented instructions regarding processing of Covered Personal Data, which goes beyond the scope of this DPA or the Contract, or which requires Einride to take measures over and above the standard measures taken by Einride in order to protect the Personal Data processed by Einride, Einride is entitled to remuneration for any costs incurred by Einride as a result of such additional instructions, provided that they are technically feasible to implement.
- If User’s instructions, in Einride’s opinion, might infringe the PDPA, Einride shall notify User and shall not be obliged to follow such instructions, in full or in part, to the extent that they infringe the PDPA, and await additional instructions before Einride continues to process Covered Personal Data.
- This DPA will not in any way prevent or limit Einride from processing Personal Data to the extent necessary in order to comply with legal requirements under the PDPA and/or other laws to which Einride is subject.
- Notwithstanding any provisions regarding choice of law agreed between the parties in the Agreement, Einride will comply with data protection legislation applicable to data intermediaries in Singapore. User shall comply with data protection legislation where applicable.
SECURITY MEASURES AND ASSISTANCE
- Einride shall implement appropriate technical and organizational measures as described in Einride's Security Policy, available upon request, to ensure a level of security appropriate to the risks involved. Technical and organizational measures are subject to technical progress and further development. Accordingly, Einride reserves the right to modify such measures provided that the functionality and security of the Software Services is not significantly degraded. User hereby discharges Einride of any obligation to notify and/or obtain prior approval from User of such changes. Upon User’s request, Einride shall provide an up-to-date and current high level description of technical and organizational security measures.
- Einride shall, upon User's request and taking into account the nature of the processing and the information available to Einride, provide information to User in order to allow User to carry out, where required under applicable laws, data protection impact assessments ("DPIAs") and prior consultations with the relevant supervisory authority in relation to the processing of Personal Data covered by the Software Services.
- Each party shall take measures to ensure that access to Covered Personal Data is limited to only those employees, consultants and affiliated companies who need access to the Covered Personal Data in order to fulfil its obligations under the Contract and the DPA.
- Each party shall ensure that all employees authorized to access and process Covered Personal Data are bound by confidentiality obligations and observe confidentiality in no less a restrictive manner than required by the confidentiality undertaking set out in the Contract.
DATA BREACH
- In the event of a data breach attributable to Einride or its Subprocessors involving Covered Personal Data processed by Einride as data intermediary, Einride shall notify User, in email or otherwise in writing without undue delay and in accordance with all applicable laws, after becoming aware of the data breach.
- If the breach is a 'notifiable breach' as defined under the PDPA, (a) Einride’s notification to the User shall include the information required under Regulation 6 of the Personal Data Protection (Notification of Data Breaches) Regulations 2021, including inter alia, (i) a description of the nature of the data breach including the and approximate number of affected individuals concerned and the categories and approximate number of Personal Data records concerned; and (ii) a description of the measures taken or proposed to be taken by Einride to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects; and (b) Einride shall also comply with all obligations to notify such breach to the Supervisory Authority in accordance with the PDPA, including providing all required information in relation to such breach, and notifying the Supervisory Authority of such breach as soon as practicable but in any case no later than three calendar days after Einride determines that there is a notifiable breach.
USE OF SUBPROCESSORS
- User hereby agrees that Einride may engage service providers to process Covered Personal Data on behalf of User (“Subprocessor(s)”). User hereby issues a general written authorisation to Einride to engage Subprocessors of Covered Personal Data and enter into data processing agreements with obligations no less restrictive than those set out in this DPA. A current list of Subprocessors including geographical location is available at https://documents.einride.tech/en/subprocessors.html (the "Subprocessor List").
- Einride may replace or add new Subprocessors by making changes to the Subprocessor List at any time, provided that Einride notifies User without undue delay, thereby giving Controller the opportunity to reasonably object to such changes. Einride’s notification obligation to User will be fulfilled by Einride posting updates to the subprocessor list. In order to receive automated notifications of pending changes to Subprocessors in accordance with this Section, User may subscribe to receive automated notifications by signing up via the webform made available by Einride at: https://i.einride.tech/subprocessor.
- User may object to a new Subprocessor processing User’s Personal Data by notifying Einride within ten (10) days from Einride’s notice thereof, provided that such objection is reasonable and based on data protection concerns and protection of data subject’s rights and freedoms. User acknowledges that certain Subprocessors are essential to providing the Software Services and that objecting to the use of a Subprocessor may prevent Einride from offering the Software Services to User. If only non-material part(s) of the Software Services are affected due to the User’s objection, Einride may in its sole opinion cancel User’s use of such non-material part of the Software Services, if and until the User withdraws its objection or Einride has decided to engage an alternative Subprocessor which the User accepts. If the objection is of essential nature for the provision of the Software Services and Einride is unable to accommodate User’s objection, either Party may terminate, wholly or partly (if possible), the Software Services including this DPA by providing the other Party with written notice within one (1) month of Einride’s initial notice. Einride will refund a prorated portion of any pre-paid charges for Software Services covering the period after such termination date.
- Einride shall be liable for the acts and omissions of any Subprocessor to the same extent as if the acts or omissions were performed by Einride.
ACCESS TO INFORMATION AND AUDIT
- Einride shall upon reasonable request provide User access to all information relevant and necessary to demonstrate that Einride has fulfilled its obligations under the PDPA. Such information and documentation shall constitute Confidential Information of Einride. Einride shall have the right to request that any User employees or third party auditors engaged by the User shall sign a non-disclosure undertaking regarding Einride’s Confidential Information prior to providing access to its information. Such request shall be complied with without undue delay and shall not be conditional upon any other matters.
- Where the information provided is not sufficient to allow User to comply with applicable audit requirements and obligations under applicable law, User may at User’s sole cost and expense (i) request additional information and documentation and (ii) after a reasonable prior notice, and subject to Einride’s confidentiality and data protection obligations to third parties further audit Einride’s control environment and security practices relevant to Covered Personal Data. To the extent it is not possible to otherwise satisfy an audit obligation mandated by applicable law, only the legally mandated entity (such as a governmental regulatory authority having oversight of User’s operations) may, as part of such further audit, conduct an on-site inspection of the technical and organizational measures that Einride or its subcontractor(s) has implemented to fulfil its obligations under this DPA; such inspection to be performed subject to reasonable confidentiality undertakings and in a manner that minimizes any risk of disruption to Einride’s or its subcontractors’ business and clients or damage to facilities and in accordance with applicable laws, practices and policies.
- An on-site inspection as per Section 7.2 shall be (i) subject to at least thirty (30) days’ prior written notice, and (ii) be strictly limited to what is required to verify that Einride’s technical and organisational security measures comply with Einride’s Security Policy.
- Any and all costs and expenses related to User’s inspections shall be borne by the User, including any potential costs and expenses incurred by Einride due to Einride's or its Subprocessor(s)’ participation in such inspection.
RIGHTS OF THE INDIVIDUAL
- The User shall act as the single-point-of-contact in relation to individuals on all matters and issues related to the processing activities carried out under this DPA. Einride shall, subject to receiving compensation from the User for all costs incurred in providing such assistance, duly assist User in responding to requests from individuals to correct, erase, limit and/or block Covered Personal Data in accordance with User’s instructions.
- Should an individual, a Supervisory Authority, or any other third party, make a request or otherwise contact Einride (or any Subprocessor) regarding the processing of Covered Personal Data, Einride shall, to the extent not prohibited by decision of a court or public authority, refer such request to User.
- If an individual’s Covered Personal Data is not accessible to User through the Service, Einride will, as necessary to enable User to meet its obligations under applicable data protection legislation, provide reasonable assistance to make such Covered Personal Data available to User. Einride is entitled to compensation from the User for any costs and expenses relating to Einride's assistance in accordance with the User's request pursuant to this section.
- If an individual pursuant to mandatory law is entitled to exercise its right directly vis-à-vis Einride, Einride shall take relevant measures and shall be discharged of any obligation to inform or notify User.
- User hereby instructs Einride to provide information notices to individuals about the specific purposes for the collection, use or disclosure of their Personal Data in the Software Services in accordance with Section 20 of the PDPA.
TRANSFER TO AND PROCESSING OF PERSONAL DATA OUTSIDE SINGAPORE
- User agrees that Einride or its Subprocessors may transfer Covered Personal Data outside Singapore, and process the Covered Personal Data under the Agreement on equipment or by using resources that are located outside Singapore, in order to fulfil its obligations under the Agreement or as otherwise reasonably required for Einride to provide Software Services to its customers around the world, and provided that any such transfer will only occur if and to the extent that:
- the recipient of the Covered Personal Data is bound by legally enforceable obligations to provide to the Covered Personal Data a standard of protection that is at least comparable to the protection under the PDPA;
- Einride ensures that there are appropriate safeguards in place for the transfer in accordance with the PDPA and Regulations 10 and 11 of the Personal Data Protection Regulations 2021; or
- Einride is able to apply other legal mechanisms under the PDPA and its subsidiary legislation for the transfer of the Covered Personal Data.
CONFIDENTIALITY
- In addition to the confidentiality undertakings that follow from the Contract, Einride undertakes to not disclose Covered Personal Data or otherwise reveal information about the processing of Covered Personal Data to any third party without User’s explicit instruction, unless required to do so for legal or regulatory purposes.
- The confidentiality undertaking in accordance with section 10.1 above is not applicable in relation to professional advisors or subcontractors with whom Einride has entered into a data processor agreement in accordance with section 6.1 above. However, such data processor agreement shall include a corresponding confidentiality obligation for the professional advisor or subcontractor.
COMPENSATION
- Einride is entitled to compensation on time and material basis for any performance required under this DPA not included in the Service, such as measures or assistance requested by User related to:
- Compliance with User’s Additional Instructions in accordance with section 3 above.
- Assisting User with data protection impact assessments and prior consultation in accordance with section 4.2 above.
- Allowing for and contributing to audits carried out by User in accordance with section 7 above.
- Assisting User in responding to requests from data subjects exercising their rights under the PDPA, in accordance with section 8.1 above.
- Assisting User in transferring Covered Personal Data in connection with termination of the processing in accordance with section 12.2 below.
TERM AND TERMINATION
- This Data Processing Addendum enters into force when the Contract has been agreed by both parties and shall remain in force for as long as Einride processes Covered Personal Data.
- Upon termination of the Contract, Einride will during a reasonable data retention period provide User with the ability to download and retrieve any Personal Data in Einride’s or its Subprocessors’ possession in accordance with Einride’s standard procedures for the Software Services. Upon expiry of the data retention period, Einride shall delete or de-identify any Personal Data, unless Einride is obligated under applicable law to continue to store the Covered Personal Data.
GOVERNING LAW AND DISPUTE RESOLUTION
- Governing law as well as disputes regarding the interpretation or application of this Data Processing Addendum shall be determined in accordance with the dispute resolution provisions of the Contract.
Attachment A – Specification
Description of the processing of Personal Data covered by the DPA
This Attachment A includes a description of the processing of Covered Personal Data carried out by Einride on behalf of the User, pursuant to the DPA.
Categories of data subjects | Categories of Personal Data | Purpose(s) of the Processing | Processing Operations | Locations | Retention of Personal Data |
---|---|---|---|---|---|
User’s Authorized Users of the Software Services, typically User’s employees and/or consultants. | Personal data collected in connection with creation of a user account and/or login to the Software Services (including Einride Saga Platform), such as first name, last name, email address, password and phone number. Personal data included in User Content which an Authorized User of User chooses to provide to Einride, such as contact details and other Personal Data included in transport orders or shipment information. | The main purpose of the processing taking place as a result of Einride providing the Software Services, is for User to provide its employee/consultant with an efficient tool for daily freight planning in order to carry out their tasks and to make the User’s shipments more sustainable. | Storage, collection, use. | Personal Data is processed by Einride, the Einride Group and Subcontractors globally, including the EU and the United States. Personal Data is primarily stored at rest in Google Cloud Platform’s datacenters. | Personal data will be stored for as long as necessary to meet the purposes described herein. This means that Covered Personal Data is generally stored for the duration of an individual's employment or contract with User. When a data individual’s employment or contract expires, for any reason, User shall take appropriate actions to delete relevant accounts and the Covered Personal Data from the Software Services, unless otherwise required or permissible under the PDPA or local laws. In addition, all Covered Personal Data shall be deleted by Einride when User’s right to use the Software Services terminates or expires (regardless of reason), unless otherwise agreed. |