Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between the Client and Liquid Technology Limited ("LTL", "we") and governs the processing of personal data carried out by LTL on behalf of the Client.

1. Roles of the Parties

For the purposes of this DPA and applicable data protection law — including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Data Protection Act (Chapter 586 of the Laws of Malta):

• Client acts as the Data Controller, determining the purposes and means of processing personal data
• Liquid Technology Limited acts as the Data Processor, processing personal data only on documented instructions from the Controller

2. Processing of Personal Data

LTL shall process personal data only on documented instructions from the Client, including with regard to transfers of personal data to a third country, unless required to do so by applicable law. LTL shall promptly inform the Client if, in its opinion, an instruction infringes applicable data protection law.

Processing activities may include storage, transmission, analysis, retrieval, and deletion of personal data as necessary to deliver the contracted services.

3. Sub-processors

The Client provides general written authorisation for LTL to engage sub-processors, subject to the following conditions:

• LTL shall impose data protection obligations on any sub-processor equivalent to those set out in this DPA
• LTL shall remain fully liable to the Client for the performance of sub-processors' obligations
• LTL shall notify the Client of any intended changes to sub-processors, giving the Client the opportunity to object

Current sub-processors include Cloudflare, Inc. for CDN, DNS, and security infrastructure. Where data is transferred outside the EEA, appropriate safeguards such as Standard Contractual Clauses are applied.

4. Security

LTL shall implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include:

• Access controls and role-based permissions restricting data access to authorised personnel only
• Monitoring of systems and networks for security incidents and anomalous activity
• Infrastructure security controls including encryption in transit and at rest where appropriate
• Regular review and testing of security measures

5. Data Breach Notification

In the event of a personal data breach, LTL shall notify the Client without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. Such notification shall include, to the extent available:

• A description of the nature of the breach, including categories and approximate number of data subjects and records affected
• Contact details of the data protection point of contact
• A description of the likely consequences of the breach
• Steps taken or proposed to address the breach and mitigate its effects

6. Termination

Upon termination or expiry of the underlying services agreement, LTL shall — at the Client's election and within a reasonable timeframe — either return all personal data to the Client or securely delete or destroy it, unless applicable law requires continued storage. LTL shall certify such return or deletion in writing upon request.

7. Governing Law

This DPA is governed by and construed in accordance with the laws of Malta. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the Maltese courts.

For data protection queries or to exercise rights under this DPA, contact us at technical@liqtek.com.