General terms and conditions

Effective as of 1.9.2023.

1. INTRODUCTORY PROVISIONS

1.1. These GTC are terms and conditions within the meaning of Section 273 of Act No. 513/1991 Coll., as amended (the “Commercial Code”) and apply to all relations between the Provider and the Customer.

1.2. The Customer acknowledges that the Platform shall not be accessed and used for any purpose other than the Customer’s testing and evaluation of the Platform (the “Purpose”), unless specified otherwise in these GTC.

1.3. By accessing and using the Platform, you agree to be bound by these GTC.

2. DEFINITIONS

Other than the terms defined in the body of these GTC, these terms have the following meaning:

“Affiliate”

means any entity under the control of either the Provider or the Customer, where “control” means ownership of or the right to direct greater than 50% of the voting securities of such entity;

“Confidential Information”

means technical and non-technical information including patents, copyright, trade secrets, proprietary information, techniques, sketches, drawings, models, inventions, know-how, processes, apparatus, equipment, algorithms, software programs, software, source documents, and formulas related to the current, future and proposed products and services, research, experimental work, development, design details and specifications, engineering, and information marked “confidential” or “proprietary” or which the recipient knows or has reason to know that the information shall be deemed confidential; for the avoidance of doubt, this term does not include any information that the receiving party may demonstrate by its written records: (a) was known to it prior to its disclosure by the disclosing party; (b) is or has become known through no wrongful act of the receiving party; (c) has been rightfully received from a third party authorised to make such disclosure; (d) has been independently developed by the receiving party; (e) has been approved for release with the written authorisation of the disclosing party; or (f) has been disclosed by court order or as otherwise required by law, provided that the party required to disclose the information provides prompt notice to enable the other party to seek a protective order or otherwise prevent such disclosure;

“Consumer”

means a natural person, who is acting outside the scope of an economic activity (trade, business, craft, liberal profession);

“Contractor”

means an independent contractor or consultant of the Customer who is not a competitor of the Provider;

“Customer”

means the entity or a natural person accessing and using the Platform;

“Customer Data”

means any data of any type that is submitted to the Services by or on behalf of the Customer, including without limitation data submitted, uploaded, or imported to the Services by the Customer (including from Third-Party Platforms);

“DPA”

means the data processing addendum attached hereto as Exhibit A.

“Feedback”

means comments, questions, suggestions, or other feedback relating to the Services, but excluding any Customer Data;

“GTC”

means these Demonstration General Terms and Conditions;

“Intellectual Property Rights”

include all valid patents, trademarks, copyrights, trade secrets, moral rights, feedback, and other intellectual property rights, as may exist now or hereafter come into existence, and all renewals and extensions thereof, and all improvements to any of the foregoing, regardless of whether any of such rights arise under the laws of any state, country, or other jurisdiction;

“Laws”

mean all applicable local, state, federal, and international laws, regulations, and conventions;

“Permitted User”

means an employee or a Contractor of the Customer or its Affiliate who is authorized to access the Services;

“Personal Data”

means any information about an identified or identifiable natural person (“Data Subject”); an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Platform”

means the Provider’s demonstration website, demonstration application or any other demonstration product developed by the Provider to which these GTC apply;

“Provider”

means AID s.r.o., a limited liability company, identification number: 51 852 683, with its registered office at Námestie SNP 3, Bratislava - mestská časť Staré Mesto 811 06, registered in the Commercial Register maintained by the District Court Bratislava I, section Sro, insert no. 130255/B;

“Services”

mean the Provider's proprietary software-as-a-service solution, including all products, services, and software provided by the Provider to the Customer based on these GTC within the Platform;

“Third-Party Platform”

means any software, software-as-a-service, data sources or other products or services not provided by the Provider that are integrated with or otherwise accessible through the Services;

“User Account”

means the account created by the Customer or created for the Customer in order to access and use the Platform.

3. PLATFORM USE CONDITIONS

3.1. Access to the Platform.

3.1.1 The Customer needs to create a User Account to access and use the Platform. The User Account may be deleted by the Customer at any time with the effect set out in section 11 (Termination and Discontinuation).

3.1.2 The Customer may access the Platform and use the Services solely for the Purpose and in accordance with these GTC, the technical user documentation provided with the Services, and any scope of use restrictions designated in these GTC.

3.1.3 The Customer may permit its Affiliates and Contractors to serve as Permitted Users, provided the Customer remains responsible for compliance by such individuals with all the terms and conditions of these GTC, and all use of the Services by such individuals is for the sole benefit of the Customer.

3.1.4 The Customer must have a compatible operating system, compatible web browser and an internet connection to access and use the Services. The cost of the internet connection shall be borne by the Customer in accordance with the contractual relationship between the Customer and its telecommunications operator.

3.1.5 If Customer is given API keys or passwords to access the Services on the Provider's systems, the Customer is solely responsible for and will require that all Permitted Users keep API keys, user ID and password information strictly confidential and not share such information with any unauthorized person. User IDs are granted to individual, named persons, and may not be shared. If the Customer is accessing the Services using credentials provided by a third party (e.g., Google), then the Customer will comply with all applicable terms and conditions of such third-party regarding provisioning and use of such credentials. The Customer will be responsible for all actions taken using its User Account and passwords.

3.1.6 If a Permitted User who has access to a user ID is no longer an employee or a Contractor of the Customer, then the Customer will promptly delete such user ID or otherwise terminate such Permitted User's access to the Services.

3.1.7 Customer is solely responsible for and shall promptly notify the Provider of any actual or reasonably suspected unauthorized use of Customer’s User Account, API keys or passwords, or any other violation or suspected violation of these GTC of which they become aware.

3.1.8 The Customer shall promptly notify the Provider in the event that the Customer becomes aware of or suspects any outage or malfunction of the Platform. The Customer shall provide all necessary assistance to the Provider in repairing the outage or malfunction.

3.2. Protection of the Platform. In relation to the Platform, the Customer shall:

3.2.1 refrain from recording, uploading and transmitting content that is contrary to Laws, good morals or principles of decent behavior;

3.2.2 use the Platform in a manner that does not interfere with its operation, in particular the distribution of malicious code, files, scripts or programs;

3.2.3 use the Platform in a manner that does not cause a burden to other users or the Platform;

3.2.4 use the Platform in accordance with Laws.

3.3. General Restrictions. In relation to the Platform, the Customer will not (and will not permit any third party to):

3.3.1 rent, lease or provide access to the Platform;

3.3.2 sublicense the use of the Services to a third party;

3.3.3 use the Platform to provide, or incorporate the Services into, any product or service provided to a third party;

3.3.4 reverse engineer, decompile, disassemble, or otherwise seek to obtain the source code or non-public APIs to the Services, except to the extent expressly permitted by Laws (and then only upon advance notice to the Provider);

3.3.5 copy or modify the Platform or any documentation, or create any derivative work from any of the foregoing;

3.3.6 remove or obscure any proprietary or other notices contained in the Platform (notices on any reports or data printed from the Platform); or

3.3.7 publicly disseminate information regarding the performance of the Platform.

4. PROVIDER’S APIs

4.1. If the Provider makes access to any APIs available as part of the Services, the Provider may monitor the Customer's usage of such APIs and limit the number of calls or requests Customer may make if the Provider believes that the Customer's usage is in breach of these GTC or may negatively affect the security, operability or integrity of the Services (or otherwise impose liability on the Provider).

5. APPLICATIONS

5.1. To the extent the Provider provides applications for use with the Services (the “Apps”), subject to all the terms and conditions of these GTC, the Provider grants to the Customer a limited, non-transferable, non-sublicensable, non-exclusive license to use the object code form of the Apps internally, but only for the Purpose of these GTC and in accordance with the technical user documentation provided with the Services and these GTC.

6. CUSTOMER DATA

6.1. Data Processing by the Provider. All data processing activities within the Platform will be governed by the DPA, unless otherwise specified in these GTC.

6.2. Rights in Customer Data. As between the parties, the Customer will retain all right, title, and interest (including all Intellectual Property Rights) in and to the Customer Data as provided to the Provider. Subject to the terms of these GTC, the Customer hereby grants to the Provider a non-exclusive, worldwide, royalty-free right to use, copy, store, transmit, modify, and display the Customer Data solely to the extent necessary to provide the Services to the Customer.

6.3. Storage of Customer Data. The Provider does not provide an archiving service and expressly disclaims any obligations with respect to storage.

7. CUSTOMER OBLIGATIONS

7.1 The Customer is solely responsible for the accuracy, content, and legality of all Customer Data. The Customer represents and warrants to the Provider that the Customer has all necessary rights, consents, and permissions to collect, share, and use all Customer Data as contemplated in these GTC (including granting the Provider the rights in Section 6.2 (Rights in Customer Data)) and that no Customer Data will violate or infringe (i) any third party Intellectual Property Rights or publicity, privacy, or other rights, (ii) any Laws, or (iii) any terms of service, privacy policies or other agreements governing Customer's User Account with any Third-Party Platforms. The Customer further represents and warrants that all Customer Data complies with these GTC. The Customer will be fully responsible for all Customer Data submitted to the Services by any Permitted User as if it was submitted by the Customer.

7.2 The Customer agrees to comply with all Laws in its use of the Services. Without limiting the generality of the foregoing, the Customer will not engage in any unsolicited advertising, marketing, or other activities using the Services, including without limitation any activities that violate the Laws.

7.3 The Customer will defend the Provider from and against any claim arising from or relating to any Customer Data, Customer's use of a Third Party Platform, or Customer's use of the Services in violation of Laws and will indemnify and hold the Provider harmless from and against any damages and costs awarded against the Provider or agreed in settlement by the Customer (including reasonable attorneys' fees) resulting from such claim, provided that the Customer will have received from the Provider: (i) prompt written notice of such claim (but in any event notice in sufficient time for the Customer to respond without prejudice); (ii) the exclusive right to control and direct the investigation, defense and settlement (if applicable) of such claim; and (iii) all reasonably necessary cooperation of the Provider (at the Customer's expense). Notwithstanding the foregoing sentence, (a) the Provider may participate in the defense of any claim by counsel of its own choosing, at its cost and expense; and (b) the Customer will not settle any claim without the Provider's prior written consent, unless the settlement fully and unconditionally releases the Provider and does not require the Provider to take any action or admit any liability.

7.4 Notwithstanding anything to the contrary herein, the Customer agrees that the Provider may obtain and aggregate technical or other data about Customer's use of the Services, including data derived from the Customer Data, that is non-personally identifiable with respect to the Customer and Customer Data (“Aggregated Anonymous Data”), and the Provider may use the Aggregated Anonymous Data to analyze, improve, support, and operate the Services for any business purpose, including without limitation to generate industry benchmark or best practice guidance, recommendations, or similar reports for distribution to and consumption by the Customer and other Provider customers. For clarity, this Section 7.4 does not give the Provider the right to identify the Customer as the source of any Aggregated Anonymous Data.

8. THIRD-PARTY INTEGRATIONS

8.1. The Services may support integrations with certain Third-Party Platforms. To enable the Services to access and receive Customer's information from a Third-Party Platform, the Customer may be required to input its credentials for such Third-Party Platform. By enabling use of the Services with any Third-Party Platform, the Customer authorizes the Provider to access Customer's accounts with such Third-Party Platform for the purposes described in these GTC. The Customer is responsible for complying with any relevant terms and conditions of the Third-Party Platform and for maintaining appropriate accounts in good standing with the providers of the Third-Party Platforms.

8.2. Customer acknowledges and agrees that the Provider has no responsibility or liability for any Third-Party Platform or how a Third-Party Platform uses or processes Customer Data after such is exported to a Third-Party Platform and Customer, by enabling integration with a Third-Party Platform, consents to such sharing of Customer Data with the Third-Party Platform. The Provider cannot ensure that the Services will maintain integrations with any Third-Party Platform and the Provider may disable integrations of the Services with any Third-Party Platform at any time with or without notice to the Customer. For clarity, these GTC govern Customer's use of and access to the Services, even if accessed through an integration with a Third-Party Platform. TO THE EXTENT THE CUSTOMER USES FEATURES IN THE SERVICES THAT INTEGRATE WITH A THIRD-PARTY PLATFORM AND THE CUSTOMER REQUESTS THAT THE PROVIDER INTEGRATE WITH SUCH THIRD-PARTY PLATFORM'S BETA OR PRE-RELEASE FEATURES (the “THIRD-PARTY BETA RELEASES”), THE PROVIDER WILL HAVE NO LIABILITY ARISING OUT OF OR IN CONNECTION WITH THE PROVIDER'S PARTICIPATION IN SUCH THIRD-PARTY BETA RELEASES OR CUSTOMER'S USE OF SUCH INTEGRATED FEATURES.

9. OWNERSHIP

9.1. The Customer acknowledges that it is obtaining only a limited right to the Services and that irrespective of any use of the words “purchase”, “sale”, or like terms in these GTC, no ownership rights are being conveyed to the Customer.

9.2. The Customer agrees that the Provider or its suppliers retain all right, title, and interest (including all Intellectual Property Rights) in and to the Services and all technical user documentation provided with the Services and all related and underlying technology and documentation and any derivative works, modifications or improvements of any of the foregoing, including Feedback (collectively, the “Provider's Technology”).

9.3. Except as expressly set forth in these GTC, no rights in the Services are granted to the Customer.

9.4. Subject to all the terms and conditions in these GTC, the Provider grants to the Customer a limited, non-transferable, non-sublicensable, non-exclusive license to use the Platform solely for the evaluation and testing purposes.

9.5. The Customer may, from time to time, submit Feedback to the Provider. The Provider may freely use or exploit Feedback in connection with the Services and may also disclose such Feedback to third parties. The Provider shall not disclose the name of the Customer in any use or exploitation of the Feedback.

9.6. Provider does not monitor what information other Customers upload in the Platform. In the event that the Customer believes that any content found in the Platform infringes their Intellectual Property Rights, the Customer shall notify Provider together with information proving their claim, namely:

9.6.1. identification and contact details of the Customer;

9.6.2. description of the work, the Intellectual Property Rights that the Customer claims to have been infringed;

9.6.3. description of where infringing content is located in the Platform, and;

9.6.4. identification of the person who infringes Intellectual Property Rights (to the extent known to the Customer).

9.7. If the Provider determines that Intellectual Property Rights are being infringed, Provider will remove the infringing content from the Platform or prevent access thereto at its discretion.

10. FEES & PAYMENT

10.1. The access to Platform and use of Services are provided to Customer at no charge.

11. TERMINATION AND DISCONTINUATION

11.1. The Customer may terminate the contractual relationship established between the parties governed by these GTC at any time by deleting its User Account.

11.2. The Provider may terminate the contractual relationship established between the parties in the event of any breach of the provisions of these GTC by the Customer by deleting Customer’s User Account.

11.3. The Provider may discontinue the provision of the Services in whole or in part at any time by notifying the Customers.

11.4. Upon termination or discontinuation of the Services pursuant to this section 11, the Customer shall cease all use of the Services, and shall promptly return all copies of Provider's Technology or otherwise destroy those copies and provide assurances (signed by an officer of the Customer) to the Provider that it has done so if requested by the Provider.

12. CONFIDENTIAL INFORMATION

12.1. Each party (as “Receiving Party”) agrees that all code, inventions, know-how, business, technical and financial information it obtains from the disclosing party (the “Disclosing Party”) constitute the confidential property of the Disclosing Party (the “Confidential Information”), provided that it is identified as confidential at the time of disclosure or should be reasonably known by the Receiving Party to be confidential or proprietary due to the nature of the information disclosed and the circumstances surrounding the disclosure.

12.2. Any Provider's Technology, performance information relating to the Services, and the terms and conditions of these GTC will be deemed Confidential Information of the Provider without any marking or further designation. Except as expressly authorized herein, the Receiving Party will (1) hold in confidence and not disclose any Confidential Information to third parties and (2) not use Confidential Information for any purpose other than fulfilling its obligations and exercising its rights under these GTC.

12.3. The Receiving Party may disclose Confidential Information to its employees, agents, contractors and other representatives having a legitimate need to know (including the Provider's Affiliates and the subcontractors referenced in Section 15.7 (Subcontractors)), provided that such representatives are bound to confidentiality obligations no less protective of the Disclosing Party than this Section 12 and that the Receiving Party remains responsible for compliance by any such representative with the terms of this Section 12.

12.4. The Receiving Party's confidentiality obligations will not apply to information that the Receiving Party can document: (i) was rightfully in its possession or known to it prior to receipt of the Confidential Information; (ii) is or has become public knowledge through no fault of the Receiving Party; (iii) is rightfully obtained by the Receiving Party from a third party without breach of any confidentiality obligation; or (iv) is independently developed by employees of the Receiving Party who had no access to such information.

12.5. The Receiving Party may make disclosures to the extent required by law or court order, provided the Receiving Party notifies the Disclosing Party in advance and cooperates in any effort to obtain confidential treatment, unless such a notification is prohibited by the Laws.

12.6. The Receiving Party acknowledges that disclosure of Confidential Information would cause substantial harm for which damages alone would not be a sufficient remedy, and therefore that upon any such disclosure by the Receiving Party the Disclosing Party will be entitled to seek appropriate equitable relief in addition to whatever other remedies it might have at law. This confidentiality obligation applies for 5 (five) years following the initial date of disclosure of Confidential Information.

13. DISCLAIMER OF WARRANTIES, LIMITATION OF LIABILITY AND INDEMNIFICATION

13.1. THE PLATFORM AND THE SERVICES ARE PROVIDED “AS IS.” EXCEPT TO THE EXTENT PROHIBITED BY LAW, THE PROVIDER, ITS AFFILIATES AND PROVIDER’S SUBCONTRACTORS MAKE NO WARRANTIES (EXPRESS, IMPLIED, STATUTORY OR OTHERWISE) WITH RESPECT TO THE PLATFORM OR SERVICES AND DISCLAIM ALL WARRANTIES INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, SATISFACTORY QUALITY AND NON-INFRINGEMENT. THE PROVIDER DOES NOT WARRANT THAT THE PLATFORM WILL BE ACCURATE, ERROR FREE, AND THE USE OF THE PLATFORM UNINTERRUPTED, OR THAT ANY CONTENT WILL BE SECURE OR NOT LOST OR ALTERED.

13.2. NEITHER PARTY (NOR ITS AFFILIATES) SHALL HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THE AGREEMENT GOVERNED BY THE GTC FOR ANY LOSS OF USE, LOST DATA, LOST PROFITS, FAILURE OF SECURITY MECHANISMS, INTERRUPTION OF BUSINESS, OR ANY INCIDENTAL, PUNITIVE, EXEMPLARY, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND, EVEN IF INFORMED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE. IF THE CUSTOMER IS IN THE EUROPEAN ECONOMIC AREA, REFERENCES TO “INCIDENTAL, PUNITIVE, EXEMPLARY, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES” SHALL ALSO MEAN ANY LOSSES OR DAMAGES WHICH: (A) WERE NOT REASONABLY FORESEEABLE BY BOTH PARTIES; (B) WERE KNOWN TO THE CUSTOMER BUT NOT TO THE PROVIDER; OR (C) WERE REASONABLY FORESEEABLE BY BOTH PARTIES BUT COULD HAVE BEEN PREVENTED BY THE CUSTOMER SUCH AS, FOR EXAMPLE, LOSSES CAUSED BY VIRUSES, MALWARE, OR OTHER MALICIOUS PROGRAMS, OR LOSS OF OR DAMAGE TO CUSTOMER DATA.

13.3. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE PROVIDER, ITS AFFILIATES AND ITS SUBCONTRACTORS SHALL NOT BE LIABLE TO THE CUSTOMER FOR ANY EXPENSES, COSTS, CLAIMS OR FINES ARISING FROM OR CONNECTED TO THE AGREEMENT GOVERNED BY THE GTC, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT OR OTHERWISE AND REGARDLESS OF THE THEORY OF LIABILITY. IN NO EVENT SHALL THE AGGREGATE LIABILITY OF THE PROVIDER, ITS AFFILIATES AND PROVIDER’S SUBCONTRACTORS EXCEED ONE HUNDRED EUROS (EUR 100.00).

13.4. The Customer shall defend and fully indemnify the Provider, Provider’s Affiliates, and Provider’s Sub-processors against all costs, expenses, damages and losses, including any interest, fines, legal and other professional fees and expenses arising from or connected to the Customer’s breach of the agreement governed by the GTC.

14. ADDITIONAL TERMS AND CONDITIONS APPLICABLE TO CONSUMERS

14.1. The additional terms and conditions. These additional terms and conditions set out in this section 14 of these GTC shall apply when the Platform is used by Consumer. The other terms and conditions contained in these GTC shall apply only to the extent that they do not conflict with this section 14 and any Laws, including, but not limited to the consumer protection legislation.

14.2. Data processing. The protection and processing of Consumer’s Personal Data is subject to Provider’s Privacy Policy, which is available in the Platform.

14.3. Heirs and Assigns. The contractual relationship established between the Provider and a Customer that is a Consumer governed by these GTC terminates upon the death of the Consumer. These GTC will not inure to the benefit of, and will not be enforceable by, Consumer’s administrators of last will, successors and heirs.

14.4. Contractual relationship. The Consumer is entering into a contractual relationship with the Provider by creating a User Account and accepting these GTC in the Platform.

14.5. Right to withdraw. The Consumer is entitled to withdraw from the contractual relationship with the Provider within fourteen (14) days following the day of the conclusion of the contractual relationship. The Consumer may withdraw from the contractual relationship with the Provider by sending the withdrawal to hallo@aidental.ai. A sample withdrawal form is attached hereto as Exhibit B.

14.6. Access to the Platform. Only natural persons over the age of 18 are entitled to create a User Account. By creating a User Account, the Consumer declares that:

14.6.1. the Personal Data that Consumer provides when creating a User Account are true, accurate, current and complete in all respects;

14.6.2. Consumer will promptly notify the Provider of any changes to the Personal Data by changing the Personal Data in the User Account or by sending an email to consent@aidental.ai;

14.6.3. Consumer will not impersonate another person or entity or use a false name or a name that Consumer is not authorized to use;

14.6.4. Consumer does not intend to create a User Account to harm the Provider (e.g. by using its knowledge of the Platform with a competitor or by creating a similar product).

14.7. In accordance with Article 14 of EU Regulation 524/2013 on online dispute resolution for consumer disputes, amending EC Regulation 2006/2004 and Directive 2009/22/EC, the Consumer has the right to exercise his or her rights and claims under these GTC with the Provider through online alternative dispute resolution (“ODR”). ODR is provided through a platform operated by the European Commission. The Customer, who is a Consumer, is entitled to use the ODR platform for dispute resolution in the language of their choice. The ODR platform is accessible online at https://webgate.ec.europa.eu/odr/main/index.cfm?event=main.home.chooseLangu

14.8. The Consumer may resolve their disputes in accordance with EU Directive 2013/11/EU on alternative dispute resolution for consumer disputes and amending Regulation (EC) 2006/2004 and Directive 2009/22/EC (“ADR”). You can find your country's dispute resolution body here: https://ec.europa.eu/consumers/odr/main/?event=main.adr.show2&lng=EN

14.9. The Consumer has the right to contact the Provider for redress if he or she is dissatisfied with the manner in which the Provider has handled his or her complaint, or if the Consumer believes that the Provider has violated his or her rights, by sending an email to consent@aidental.ai.

14.10. The Consumer also has the right to file a complaint with the Slovak Trade Inspection or other relevant authority which can be found here: https://ec.europa.eu/consumers/odr/main/?event=main.adr.show2 .

15. FINAL PROVISIONS

15.1. Assignment. These GTC will bind and inure to the benefit of each party's permitted successors and assigns. Neither party may assign these GTC without the advance written consent of the other party, except that either party may assign these GTC in connection with a merger, reorganization, acquisition, or other transfer of all or substantially all of such party's assets or voting securities. Any attempt to transfer or assign these GTC except as expressly authorized under this Section 15.1 will be null and void.

15.2. Severability. If any provision of these GTC will be adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision will be limited to the minimum extent necessary so that these GTC will otherwise remain in effect.

15.3. Governing Law and Dispute Resolution.

15.3.1. These GTC are construed and governed by the Laws of the Slovak Republic and without reference to applicable jurisdiction's conflict of laws principles.

15.3.2. All disputes arising out of or in connection with these GTC, including disputes concerning the existence, validity or termination of these GTC or the consequences of its invalidity, shall be decided exclusively by the competent courts in the Slovak Republic in Bratislava.

15.4. Notices. Any notice or communication required or permitted under these GTC will be in writing and sent, in the case of the Customer, to the email address connected to the User Account of the Customer; and, in the case of the Provider, to hallo@aidental.ai. The notice will be deemed to have been received by the next business day after transmission.

15.5. Amendments; Waivers. Provider may, at its sole discretion, issue a new version of these GTC. The Provider shall notify the Customer by publishing the amended version of these GTC on the Platform or by emailing it to the Customer. The amended GTC shall come into effect by no later than thirty (30) days after such notification is given. If the Customer continues to use the Services, the Customer is deemed to have accepted the amended GTC. No waiver will be implied from conduct or failure to enforce or exercise rights under these GTC, nor will any waiver be effective unless in a writing signed by a duly authorized representative on behalf of the party claimed to have waived.

15.6. Entire Agreement. The agreement governed by these GTC constitutes the entire agreement between parties with respect to the subject matter hereof and supersedes all previous proposals, both oral and written, negotiations, representations, commitments, writings and all other communications between the parties.

15.7. Subcontractors. The Provider may use the services of subcontractors and permit them to exercise the rights granted to the Provider in order to provide the Services under these GTC, provided that the Provider remains responsible for (i) compliance of any such subcontractor with the terms of these GTC, (ii) for the overall performance of the Services as required under these GTC and (iii) compliance with the terms of the DPA.

15.8. Force Majeure. Neither party will be liable to the other for any delay or failure to perform any obligation under these GTC (except for a failure to pay fees) if the delay or failure is due to unforeseen events that occur after the signing of these GTC and that are beyond the reasonable control of such party, such as a strike, blockade, war, act of terrorism, riot, natural disaster, failure or diminishment of power or telecommunications or data networks or services, or refusal of a license by a government agency. The following events shall always be considered Force Majeure with respect to Provider: (i) power failure; (ii) natural disaster; (iii) failure or delay of telecommunications networks, internet, hosting, hardware, software; (iv) damage to Provider's systems and infrastructure, including viruses and cyber attacks.

15.9. Independent Contractors. The parties to these GTC are independent contractors. There is no relationship of partnership, joint venture, employment, franchise, or agency created hereby between the parties. Neither party will have the power to bind the other or incur obligations on the other party's behalf without the other party's prior written consent.


Exhibit A

Data processing addendum

(“DPA”)

1. INITIAL PROVISIONS

This Data Processing Agreement with its Exhibits (the “DPA”) is entered into by and between the Customer (the “Controller”) and the Provider (the “Processor”).

(The Controller and the Processor jointly hereinafter referred to also as the “Parties” and individually as the “Party”)

The "Effective Date" of this DPA is the date when the Customer initially accesses any Services based on the GTC, whereas the DPA is an integral part of the GTC.

2. DEFINITIONS

For the purposes of this DPA, capitalized terms not otherwise defined shall have the meaning given to them in the GTC.

These terms have the following meaning:

"CCPA" means the California Consumer Privacy Act, California Civil Code §§1798.100 et seq., including any amendments and implementing regulations that become effective on or after the effective date of this DPA. Terms "business", "service provider" and "sale" have the same meaning given to them under the CCPA.

"Data Breach" means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by the Provider under this DPA.

"Data Protection Legislation" means, as applicable to a party and its Processing of Personal Data: (i) EU Data Protection Law, (ii) UK Data Protection Law, (iii) CCPA and any national data protection laws made under the CCPA, (iv) any other law applicable for the provision of the Services.

"EU Data Protection Laws" mean Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "GDPR") and the EU e-Privacy Directive (Directive 2002/58/EC). Terms "Controller", "Processor", "Process", "Processing", and "Data Subject" shall have the same meanings given to them under the GDPR.

"Restricted Transfer" means a transfer of Personal Data from the European Union/EEA to any other country which is not subject based on adequacy regulations pursuant to Article 45 of Regulation (EU) 2016/679.

“Sensitive Personal Information” means any of the following: (i) patient, medical or other protected health information regulated by the Health Insurance Portability and Accountability Act (“HIPAA”), if applicable; or (ii) any other personal data of an EU citizen deemed to be in a “special category” (as identified in the GDPR or EU Data Protection Laws).

"Sub-processor" means any third party engaged by the Provider to assist in fulfilling its obligations with respect to providing the Services and that processes Personal Data as Processor.

"Standard Contractual Clauses" means: (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 (the "EU SCC"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCC").

“Swiss Data Protection Law” means in respect to Switzerland (i) the Swiss Federal Act of June 1992 on Data Protection (“FADP”), (ii) the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993 and (iii) the revised FADP from the point the revised FADP enters into force.

"UK Data Protection Law" means: (i) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i) or (ii); in each case, as may be amended or superseded from time to time.

3. PROVIDER'S OBLIGATIONS

3.1. Roles. For the purposes of the GDPR and similar Data Protection Legislation, Customer (or third party on whose behalf Customer is authorized to instruct the Provider) is the Controller of Customer Data that are Personal Data, and the Provider shall process Personal Data as a Processor (or sub-Processor, as applicable to Customer's use of the Services); and for the purposes of the CCPA (to the extent the CCPA is applicable), Customer is the business and the Provider is the service provider.

3.2. Permitted Purposes. The Provider shall Process Personal Data for the purposes described in Annex A and in accordance with Customer's documented lawful instructions included in this DPA ("Permitted Purposes"), except where otherwise required by laws that are compatible with applicable Data Protection Legislation. In particular and to the extent the CCPA is applicable, Customer's transfer of Personal Data to the Provider is not a sale, and the Provider provides no monetary or other valuable consideration to Customer in exchange for Personal Data. To the extent required by Data Protection Legislation, this Section 3.2 constitutes the certification from the Provider to the Processing instructions herein. The Provider is obliged at all times to process Personal Data in compliance with Data Protection Legislation and fulfil all its obligations arising out of Data Protection Legislation.

3.3. Processing Instructions. The Provider shall immediately inform Customer if it becomes aware that Customer's processing instructions infringe Data Protection Legislation. If the Provider is unable to process Personal Data in accordance with the Customer's documented lawful instructions, the Provider is obliged to promptly notify Customer of its inability to comply.

3.4. Security Measures. The Provider shall implement and maintain reasonable and appropriate technical and organizational measures designed to protect all Customer Data, including Personal Data, from Data Breaches and preserve their security, integrity, and confidentiality. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, these measures must include the measures identified in Annex C of this DPA.

3.5. Access and Confidentiality. The Provider shall ensure that any person it authorizes to process the Personal Data (including Provider's staff, agents and Sub-processors) ("Personnel") are under appropriate obligations of confidentiality (whether a contractual or statutory duty), have received proper training, and are informed about the confidential nature of the Personal Data and their obligations related to it and have access to Personal Data only on a need-to-know basis. The Provider shall ensure that Personnel Processes the Personal Data only as necessary for the Permitted Purposes.

3.6. Data Returns and Deletion. Upon written request of the Customer and upon termination or discontinuation of the provision of the Services under the GTC, the Provider will use all reasonable endeavors to destroy all Customer Data under the conditions defined in the GTC. Customer declares and approves that any data that cannot be returned or destroyed or deleted will remain confidential, subject to the terms of this DPA and the GTC.

4. AUDIT RIGHTS

4.1. Right to conduct audits. The Customer shall have the right to conduct an audit to verify Provider's compliance with its obligations laid down in Art. 28 GDPR (if applicable) and in this DPA. The Provider shall allow the Customer to carry out the audit if (i) the Customer requests to carry out the audit via a written notice at least 30 (thirty) days in advance; (ii) the Customer will specify the agenda for such audit in such notice; (iii) the audit shall not take place more than once a year; (iv) all associated costs and expenses shall be borne by the Customer or reimbursed to the Provider on demand; and (v) the audit shall last no longer than the equivalent of 1 working day (8 hours) of Provider's representative. On the request of the Customer, the Provider will provide the Customer with the estimated cost that it expects to incur during such audit according to the extent specified in the agenda provided by the Customer. The Customer agrees that during the audit the Provider will only provide the Customer with information and access relating solely to the Customer's Personal Data. The Customer undertakes to comply with all security and organizational instructions given by the Provider and to enter into an NDA with the Provider for audit purposes.

4.2. Independent Auditor. In case the Customer requests the audit by an independent party – external licensed auditor, the Provider may object to an external licensed auditor appointed by the Customer to conduct the audit if the auditor is, in Provider's reasonable opinion, not suitably qualified or independent, a competitor of the Provider, or otherwise manifestly unsuitable. Any such objection will require the Customer to appoint another auditor. The conditions set out in clause 4.1 also apply mutatis mutandis to the independent auditor and the Customer undertakes to ensure compliance with these restrictions.

5. CUSTOMER’S OBLIGATIONS

5.1. Customer’s Processing of Personal Data. The Customer shall, in its use of the Services, process Personal Data in accordance with Data Protection Legislation and other relevant legislation. The Customer shall have the sole responsibility for the accuracy, quality, and legality of Personal Data and its processing, including, but not limited to, how the Customer acquired Personal Data and provided Personal Data to the Provider.

5.2. Customer’s Compliance. The Customer agrees that (i) it shall comply with its obligations as a Controller under Data Protection Legislation in respect of its processing of Personal Data and any processing instructions it issues to the Provider; (ii) it has provided notice and obtained (or shall obtain) all consents or any other necessary authorizations (as applicable) for the Provider to Process Personal Data for the Permitted Purposes; (iii) it shall be responsible for providing any notices required by Data Protection Legislation and other relevant legislation to its Permitted users and other relevant data subjects with respect to processing their Personal Data by the Provider; (iv) it has fulfilled (or shall fulfil) all registration or notification obligations to which the Customer is subject under the Data Protection Legislation and other relevant legislation; and (v) it is responsible for its own processing of Personal Data, including integrity, security, maintenance, and appropriate protection of Personal Data under Customer’s control.

5.3. Technical and Organizational Measures. The Customer is responsible for its secure use of the Services, including securing the user IDs and passwords and protection of the security of Personal Data when in transit to and from the Services. The Customer is also responsible for the use of the Services by any person the Customer authorized to access or use the Services, and any person who gains access to its Personal Data or the Services as a result of its failure to use reasonable security precautions, even if the Customer did not authorize such use. The Customer agrees to, immediately upon awareness, notify the Provider of any unauthorized use of the Services or of any other breach of security involving the Services.

6. COOPERATION

6.1. Data Subject Rights. To the extent that the Customer is unable to access the relevant Personal Data within the Services independently, the Provider shall, taking into account the nature of the Processing, provide assistance (including by appropriate technical and organizational measures) to provide reasonable cooperation to the Customer in order to (i) respond to any requests from a data subject seeking to exercise any of its rights under Data Protection Legislation (including its right of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the Processing of the Personal Data (collectively "Correspondence").

In the event that any such Correspondence is made directly to the Provider, it shall promptly notify the Customer and shall not respond directly unless legally compelled to do so. If the Provider is required to respond to such Correspondence, the Provider shall promptly notify the Customer and provide it with a copy of the request, unless legally prohibited from doing so.

6.2. Data Protection Impact Assessment. To the extent required by Data Protection Legislation, the Provider shall provide reasonable cooperation regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Legislation.

6.3. Request for Disclosure. The Provider is obliged to promptly notify the Customer about any legally binding request for disclosure of the Personal Data by a judicial or regulatory authority unless otherwise prohibited, such as by the obligation under criminal law to preserve the confidentiality of a judicial enquiry, and to assist the Customer accordingly (at Customer's expense).

7. SECURITY INCIDENTS

7.1. Data Breach. Upon becoming aware of a Data Breach, the Provider shall notify the Customer without undue delay and shall provide such timely information and cooperation as the Customer may reasonably require in order to fulfil its data breach reporting obligations under Data Protection Legislation, including the type of data affected and the identity of the affected person(s) as soon as such information becomes known or available to the Provider.

7.2. No acknowledgement. The Customer agrees that any notification that the Provider provides to the Customer in relation to a Data Breach shall not be construed or understood as an acknowledgement of any fault or liability.

7.3. Further Conduct. The Provider shall further take all such measures and actions as are reasonable to remedy or mitigate the effects of the Data Breach and shall keep Customer informed of all developments in connection with the Data Breach.

7.4. Cooperation. If a Data Breach is caused or materially contributed to by the Customer, the Provider will cooperate in the investigation of the Data Breach subject to Customer's obligation to compensate the Provider for its expenses and costs.

8. SUB-PROCESSING

8.1. Authorized Sub-processors. The Customer provides a general authorization for the Provider to engage Sub-processors to Process Personal Data on Customer's behalf. The Sub-processors currently engaged by the Provider are listed in Annex B.

8.2. New Sub-processors. The Provider shall provide at least ten (10) days' prior written notice to the Customer of the engagement of any new Sub-processor (including details of the Processing and location); the Provider provides such notifications of new sub-processors by offering a subscription on the Provider’s website https://www.aidental.ai/privacy-policy. It is the responsibility of the Customer to subscribe to the notifications.

8.3. Objections. If the Customer has a reasonable objection to any new sub-processor, it shall notify the Provider of such objections in writing to consent@aidental.ai within ten (10) days from receiving the notification and the Parties will seek to resolve the matter in good faith. The Customer has a right to terminate the cooperation under the GTC if, for the sound reason it gave, it disagrees with the new sub-processor; however, the Customer shall not receive a refund of any already paid fees in case of such termination. If Customer does not provide a timely objection to any new sub-processor in accordance with this Section 8.3, Customer will be deemed to have consented to the sub-processor and waived its right to object.

8.4. Liability for sub-processors. The Provider remains liable for any breach of this DPA caused by an act, error, or omission of such Sub-processor. Section 13. of the GTC (Disclaimer of warranties and limitation of liability) shall not apply. The limitation of liability under section 10 of this DPA shall apply.

9. DATA TRANSFERS

9.1. International Data Transfers. The Provider shall take all such measures necessary to ensure that the processing and transfer of Personal Data in or to a territory other than the territory in which the Personal Data was first collected complies with Data Protection Legislation.

9.2. Application of Standard Contractual Clauses. The Parties agree that when and to the extent the transfer of Personal Data from the Customer to the Provider is a Restricted Transfer and EU Data Protection Laws or UK Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be governed by the EU SCC and/or UK SCC, which shall be incorporated by reference into and form an integral part of this DPA.

9.3. EU Data. For the purposes of Personal Data that is subject to the EU Data Protection Laws ("EU Data"):

a) Where the Customer is a Controller of Personal Data, Module Two (Controller to Processor Clauses) will apply and where the Customer is a Processor acting on behalf of third-party Controllers, Module 3 (Processor to Processor Clauses) will apply;

b) in Clause 7 (Docking Clause), the optional docking clause will apply;

c) in Clause 9 (Use of Sub-processors), Option 2 will apply, and the time period for prior notice of sub-processor changes shall be as set out in Section 8.2 of this DPA and the period for notification of objections in Section 8.3 of this DPA;

d) in Clause 11 (Redress), the optional language to permit data subjects to lodge complaints with an independent dispute resolution body will not apply;

e) in Clause 17 (Governing Law), Option 1 will apply, and the EU SCC will be governed by Slovak law;

f) in Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of the Slovak Republic.

9.4. UK Data. For the purposes of Personal Data that is subject to the UK Data Protection Laws ("UK Data"), the EU SCC will also apply in accordance with paragraphs 9.3.a) to 9.3.d) above, with the following modifications:

a) references to "Regulation (EU) 2016/679" shall be interpreted as references to UK GDPR;

b) references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of UK GDPR;

c) references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to the "UK" and "UK law";

d) the term "member state" shall not be interpreted in such a way as to exclude data subjects in the UK from the possibility of suing for their rights in their place of habitual residence (i.e., the UK);

e) Clause 13(a) of the EU SCC and Part A3 of Annex A of the DPA are not used and the "Supervisory authority" is the UK Information Commissioner's Office;

f) references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Information Commissioner" and the "courts of England and Wales";

g) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales; and

h) with respect to transfers to which UK GDPR applies, Clause 18 shall be amended to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceedings against the data exporter or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts";

i) unless the EU SCCs, implemented as described above, cannot be used to lawfully transfer Personal Data in compliance with the UK GDPR, the UK SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the UK SCCs shall be populated using the information contained in Annexes A, B and C (as applicable).

9.5. Swiss Data. For the purposes of Personal Data that is subject to the Swiss Data Protection Law, the EU SCC will also apply in accordance with paragraphs 9.3.a) to 9.3.d) above, with the following modifications:

a) Now therefore, for transfers from Switzerland, references to the GDPR will mean the Swiss Federal Act on Data Protection, references to the EU or Member States will mean Switzerland, and references to a supervisory authority will mean the Federal Data Protection and Information Commissioner (FDPIC). To the extent any Transfer or processing of Personal Data by Provider takes place in any other country (except if in an Adequate Country) and is subject to Swiss Data Protection Law, the Parties agree that, with respect to the transfer of Personal Data from Switzerland by Provider, the EU SCCs set forth above to this DPA will apply in respect of that processing and Provider is the 'data importer' and will comply with the obligations of the 'data importer' accordingly and Customer is the 'data exporter' and will comply with the obligations of the 'data exporter' accordingly.

b) References to the “EU”, “Union”, “Member State” and “Member State Law” shall be interpreted as references to Switzerland and Swiss Law as the case may be and references to data subjects shall include data subjects in Switzerland who are not excluded from the possibility of exercising their rights in Switzerland in accordance with 18(c) of the EU SCCs.

c) References to “competent supervisory authority” and “competent courts” shall be interpreted as references to the Swiss Federal Data Protection Information.

10. LIMITATION OF LIABILITY

10.1. Limitation of Liability. Liability of the Parties, their affiliates and subcontractors will be subject to the limitations and exclusions of liability (including any agreed aggregate financial cap) set forth under the GTC. For the avoidance of doubt, nothing in the GTC or this DPA is intended to limit the rights a Data Subject may have against either Party arising out of such Party's breach of the Standard Contractual Clauses, where applicable.

11. FINAL PROVISIONS

11.1. Third-Party Beneficiaries. Data Subjects are the sole third-party beneficiaries to the Standard Contractual Clauses, and there are no other third-party beneficiaries to this DPA, unless specified to the contrary in the GTC.

11.2. Acknowledgement. The Customer acknowledges and agrees that in relation to the provision of Services under the GTC, the Provider may process Customer Data (upon obtaining the consent of the Data Subjects or by using a different legal basis allowed by the Data Protection Legislation) for its own purposes, including, but not limited to, the monetization, development of the Services and scientific purposes, and does so as an independent controller or in a joint-controllership with the third party. The provisions of this DPA will not apply for such additional processing, which will be performed under the responsibility of the Provider or the respective third party. Details about processing of Customer Data by the Provider as a data controller can be found in the Provider’s privacy notice.

11.3. Severability. If any provision of this DPA will be adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision will be limited to the minimum extent necessary so that this DPA will otherwise remain in effect.

11.4. Governing Law and Jurisdiction. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the GTC, unless and to the extent required otherwise by the Data Protection Legislation or the Standard Contractual Clauses.

11.5. Scope of this DPA. For the avoidance of doubt, the processing of information other than Personal Data for the Permitted Purposes does not fall under the scope of this DPA.

11.6. Amendments and Waivers. No supplement, modification, or amendment of this DPA will be binding, unless executed in writing by a duly authorized representative of each Party to this DPA. No waiver will be implied from conduct or failure to enforce or exercise rights under the DPA, nor will any waiver be effective unless in a writing signed by a duly authorized representative on behalf of the Party claimed to have waived. No provision of any purchase order or other business form employed by the Customer, nor even the SCCs, will supersede the terms and conditions of this DPA.

11.7. Term. This DPA shall continue to be in effect for the duration of the contractual relationship established between the Parties governed by the GTC plus the period from termination of such contractual relationship or discontinuation of the provision of the Services pursuant to section 11. (Termination and Discontinuation) of the GTC until the Provider ceases to process Personal Data on behalf of the Customer.


Annex A
Description of the Processing Activities / Transfer

Annex A(1) List of Parties:

Data Exporter

Name: Customer, as identified in the GTC

Address: As identified in the GTC

Contact details: As identified in the GTC

Activities relevant to the transfer: See Annex A(2) below

Role: Controller

Data Importer

Name: Provider, as identified in the GTC

Address: As identified in the GTC

Contact details: As identified in the GTC

Activities relevant to the transfer: See Annex A(2) below

Role: Processor

Annex A(2) Description of Transfer

Description

Categories of data subjects:

Customers, Permitted Users, third parties whose Personal Data is uploaded to the Platform by the Customer

Categories of personal data:

Name, surname and e-mail of Customer and its Permitted User

Pseudonymized medical data including scans of the oral cavity, diagnoses, age, sex and ethnicity and other personal data of Customer, Permitted User and third parties, which is provided by the Customer while using the Services

Identification number of the Customer, Permitted User or third party assigned by the Customer while using the Services.

Sensitive data:

Biometric data, health data (oral cavity scans and diagnoses) and information about ethnicity

Frequency of the transfer:

Ongoing ad hoc transfers based on use of Services by the Customer.

Nature and subject matter of processing:

The Personal Data may be subject to the following processing activities required for the purpose of provision of the Services to the Customer by the Provider:

(i) storage (hosting) and other processing necessary to provide, maintain and improve the Services provided to Customer under the agreement governed by the GTC,

(ii) collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction,

(iii) technical support provided to the Customer on a case-by-case basis.

Duration of the processing:

For the duration of the contractual relationship established between the Parties governed by the GTC and possibly longer if the Provider processes data for its own purpose as a data controller.

Purpose(s) of the data transfer and further processing:

Personal Data shall be processed for the purpose of the cooperation of the Parties and provision of the Services to the Customer by the Provider based on the contractual relationship established between the Parties governed by the GTC.

Retention period (or, if not possible to determine, the criteria used to determine that period):

Until the termination of the contractual relationship between the Parties or discontinuation of the provision of Services by the Provider.

Annex A(3): Competent supervisory authority

With respect to EU Data the competent supervisory authority is The Office for Personal Data Protection of the Slovak Republic (the "Supervisory Authority").


Annex B
Approved Sub-processors

Microsoft Corporation Inc., seated at Redmond, Washington, USA

Hosting the Provider, cloud services for the Provider, analytical tools

Büro Milk s.r.o., seated at Klemensova 4 811 09 Bratislava - Staré Mesto, Slovakia

Marketing services and personalized content creation

PS: Digital, s.r.o., seated at Šustekova 5 851 04 Bratislava – Petržalka, Slovakia

Marketing services, personalized content and other marketing distribution

khn, s.r.o., seated at Fraňa Kráľa 23, 811 05 Bratislava - Staré Mesto, Slovakia

Design and survey services

Aston ITM, spol. s r.o., seated at nám. SNP 3 811 06 Bratislava, Slovakia

IT support and development services

Curaden AG, Amlehnstrasse 22, 6010 Kriens, Switzerland

Provision of access to dental student associations.


Annex C
Technical and Organizational Measures

The technical and organisational measures implemented by the Provider (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context, and purposes of the processing, and the risks for the rights and freedoms of natural persons, are described below:

Type of measure

Implemented measure

Measures of pseudonymisation and encryption of personal data

  • All personal data should be encrypted during transmission and while at rest.
  • The Provider should use pseudonymization and anonymization techniques to protect the data. These techniques can remove or replace identifiers to render the data less identifiable.

Measures for ensuring ongoing confidentiality of processing systems and the Services

  • Role-Based Access Control (RBAC): System access limited to authorized users via roles based on job functions, enhancing data confidentiality.

Measures for ensuring ongoing integrity of processing systems and the Services

  • Data Integrity Checks: Regular data validation and checksum techniques deployed to detect and correct any inaccuracies, preserving the consistency and accuracy of data over its entire lifecycle.
  • System Update and Patch Management: Regular system updates and patches applied promptly to fix vulnerabilities, ensuring the integrity and secure functioning of all processing systems and services.

Measures for ensuring ongoing availability and resilience of processing systems and the Services

  • Redundancy and Backup Systems: Data regularly backed up and systems designed with redundancy to ensure continuous availability and quick recovery in case of system failures.
  • Disaster Recovery Plan: A robust disaster recovery plan in place to restore systems and services swiftly in the event of a significant disruption, ensuring ongoing availability and resilience.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

  • Regular Security Audits: Conducting frequent security audits assesses the effectiveness of the technical and organizational measures, ensuring ongoing security of data processing.
  • Penetration Testing: Regular penetration testing evaluates the strength of the security measures, simulating potential attacks to identify vulnerabilities in the processing system.

Measures for user identification and authorization

  • Access control: Only authorized and authenticated users have access to the system.
  • Periodic Access Reviews: Regularly reviewing user access rights and privileges ensures that only authorized personnel have access to personal data, strengthening security measures.

Measures for the protection of Data during storage

  • Secure Storage Infrastructure: Utilizing secure and certified data centers or cloud storage providers with stringent security protocols protects stored data from physical and cyber threats.

Measures for ensuring physical security of locations at which personal data are processed

  • Access Control Systems: Physical access control systems in place at data processing locations to prevent unauthorized entry and protect data from physical threats.
  • Surveillance Systems: Utilization of surveillance systems, such as CCTV cameras, in data processing locations enhances physical security by monitoring and recording activities.

Measures for internal IT and IT security governance and management

  • IT Security Policies: Establishing comprehensive IT security policies to guide staff in maintaining a secure environment and adhering to data protection regulations.
  • Security Awareness Training: Providing regular security awareness training to employees, ensuring they understand their roles and responsibilities in maintaining IT security and data protection.

Measures for ensuring data minimization

  • Data Minimization Policies: Policies ensuring only necessary data is collected and stored, limiting the exposure of personal data and reducing potential risks.
  • Regular Data Reviews: Regular reviews and audits of stored data to identify and remove unnecessary or outdated personal data, ensuring data minimization.

Measures for ensuring data quality

  • Data Validation Procedures: Implementing robust data validation procedures to check for inaccuracies and inconsistencies, ensuring high quality of data.
  • Regular Data Cleansing: Periodic data cleansing routines to identify and correct or remove any errors, maintaining the integrity and quality of data.

Measures for ensuring limited data retention

  • Data Retention Policy: Establishing a clear data retention policy that specifies the duration for which data can be stored and when it should be deleted.

Measures for ensuring accountability

  • Data Protection Officer (DPO): Appointing a DPO who oversees data protection strategies, ensuring compliance with regulations and maintaining accountability.
  • Documentation and Record-Keeping: Keeping thorough records of data processing activities, audits, and policy updates to demonstrate compliance and accountability in data handling.

Measures for allowing data portability and ensuring erasure

  • Data Erasure Protocols: Implementing clear protocols for securely erasing personal data upon request or after the retention period, respecting users' rights and privacy regulations.


Exhibit B

Model withdrawal form

(complete and return this form only if you wish to withdraw from the contract)

— To [here the trader’s name, geographical address and, where available, his fax number and e-mail address are to be inserted by the trader]:

— I/We (*) hereby give notice that I/We (*) withdraw from my/our (*) contract of sale of the following goods (*)/for the provision of the following service (*),

— Ordered on (*)/received on (*),

— Name of consumer(s),

— Address of consumer(s),

— Signature of consumer(s) (only if this form is notified on paper),

— Date