Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the TRMS Terms of Service between TRMS, Inc. and the customer. It applies whenever TRMS processes personal data on behalf of the customer in connection with the provision of the TRMS platform.

Capitalised terms used in this DPA have the following meanings:

• Customer Personal Data — personal data that TRMS processes on behalf of the customer.
• Data Protection Laws — all laws applicable to the processing of Customer Personal Data, including the GDPR and the Zimbabwe Data Protection Act.
• Sub-processor — any third party engaged by TRMS to process Customer Personal Data.

TRMS will only process Customer Personal Data on documented instructions from the customer, including with regard to transfers of Customer Personal Data to a third country, unless required to do so by applicable law.

TRMS will ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations, whether by contract or by statutory duty.

TRMS implements and maintains the technical and organisational measures described on our Security page to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.

The customer authorises TRMS to engage Sub-processors as needed to provide the service, subject to the conditions set out in this section. TRMS will:

• Maintain an up-to-date list of Sub-processors
• Provide at least 30 days' notice before engaging a new Sub-processor
• Impose data protection obligations on each Sub-processor that are no less protective than those in this DPA

TRMS will, taking into account the nature of the processing, assist the customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the customer's obligation to respond to requests from data subjects exercising their rights under Data Protection Laws.

TRMS will notify the customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data, and will provide reasonable information to assist the customer in meeting any obligations to report or inform data subjects.

Where TRMS transfers Customer Personal Data outside the customer's jurisdiction, it does so under the safeguards required by Data Protection Laws, including the Standard Contractual Clauses where applicable.

On termination of the customer's subscription, TRMS will, at the customer's choice, return or delete all Customer Personal Data within 30 days, unless retention is required by applicable law.