Service Delivery Agreement


Between:

Net Real Solutions, S.L.U. (hereinafter referred to as NRS), with tax identification number ESB12550877 and registered address at Av. Arcadi García Sanz, 19, 1ºA, Vila Real, Castellón, Spain, and listed in the Company Register of Castellón, Volume 1058, Book 622, Sheet 183, Section 8, Page CS-17458



And the customer accepting this Service Delivery Agreement (Customer), who acts herein as a service recipient, as well as the addendum to this service provision contract, which refers to the new European regulation on data protection (RGPD)

1. Subject matter

1. By means of this agreement and under the terms of signature thereof, NRS shall provide the Customer with digital communication and contact management services via the 360NRS platform.

2. Definitions

1. The definitions below have, by means of this agreement, the scope granted thereto by the following paragraphs of this clause:

a) Digital communication: email marketing services, push notifications, SMS and voice messages;

b) Contact management: manual and automatic processing and maintenance of contacts for digital communication actions, including the creation of statistical data;

c) 360NRS platform: infrastructure accessible to the Customer via the Internet through which NRS provides all digital communication and contact management services;

d) Monthly plan: monthly payment plan for sending emails and push notifications via the 360NRS platform. The month starts on the date when the Customer makes the first payment and shall end after thirty (30) calendar days, at which time the Customer may renew or extend the service.

e) Balance: amount paid by the Customer to top up their account on the 360NRS platform. This balance does not expire and is spent according to the messages sent or services used by the Customer on the 360NRS platform.

f) Non-contractual service: a service that the Customer requests from NRS which is of a different nature to the services included in this agreement.



3. Pricing and payment

1. The 360NRS platform services are provided either by signing up to one of two monthly plans (for sending emails and push notifications) or by topping up available balance (for sending emails and push notifications). The Customer may view updated pricing details at any time on the NRS website. The monthly plans and the balance amount are divided into levels of service (described below), which determine the features and services available.

1.1. Subscriber Plan: this plan entitles the Customer to upload a database to the 360NRS platform with the contracted number of subscribers (10,000, 50,000, 100,000, 500,000, 750,000 or 1,000,000). For a period of one month, the Customer shall be entitled to send an unlimited amount of push notifications and two emails per week to said database. The contacts in this database may not be deleted and replaced by new contacts.

SUBSCRIBER PLANS

| Type of Plan | Monthly Price | Level of Service |
|---|---|---|
| Up to 10,000 subscribers | 39 / month (VAT not included) | Email support; Shared servers |
| Up to 50,000 subscribers | 99 / month (VAT not included) | Phone support; Dedicated account manager; Extra delivery speed; Priority servers |
| Up to 100,000 subscribers | 199 / month (VAT not included) | Phone support; Dedicated account manager; Extra delivery speed; Priority servers |
| Up to 500,000 subscribers | 299 / month (VAT not included) | Phone support; Dedicated account manager; Extra delivery speed; Priority servers |
| Up to 750,000 subscribers | 1,200 / month (VAT not included) | Priority phone support; Online training; Custom templates; Maximum delivery speed; Dedicated servers |
| Up to 1,000,000 subscribers | 1,500 / month (VAT not included) | Priority phone support; Online training; Custom templates; Maximum delivery speed; Dedicated servers |





1.2. Service Plan: This plan entitles the Customer to send the total number of contracted messages (50,000, 100,000, 250,000, 500,000, 750,000 or 1,000,000) by email and push notification. For a one-month period, the Customer shall be entitled to send the contracted amount of push notifications and emails to an unlimited number of subscribers. The Customer may upload all the contacts or groups as they wish and - on reaching the monthly limit of mails - may purchase extra credits at a reduced cost.

SERVICE PLAN

| Type of Plan | Monthly Price | Additional Cost (per 1000 emails or push notifications) | Level of Service |
|---|---|---|---|
| Up to 50,000 deliveries (emails and push notifications) | 59 / month (VAT not included) | €1 | Unlimited contacts; Phone support; Dedicated account manager; Extra delivery speed; Priority servers |
| Up to 100,000 deliveries (emails and push notifications) | 89 / month (VAT not included) | €0.90 | Unlimited contacts; Phone support; Dedicated account manager; Extra delivery speed; Priority servers |
| Up to 250,000 deliveries (emails and push notifications) | 199 / month (VAT not included) | €0.70 | Unlimited contacts; Priority phone support; Online training; Custom templates; Maximum delivery speed; Dedicated servers |
| Up to 500,000 deliveries (emails and push notifications) | 299 / month (VAT not included) | €0.60 | Unlimited contacts; Priority phone support; Online training; Custom templates; Maximum delivery speed; Dedicated servers |
| Up to 1,000,000 deliveries (emails and push notifications) | 399 / month (VAT not included) | €0.50 | Unlimited contacts; Priority phone support; Online training; Custom templates; Maximum delivery speed; Dedicated servers |



2. The monthly plan is exclusively for sending emails and push notifications. Sending digital communications via other channels always requires a topped-up balance.

3. Monthly plans and balance top-ups are activated after payment is made.

4. Monthly plans must be manually renewed by the Customer. After one month, the Customer may contract the service again or upgrade/downgrade their plan. Cancellations are only possible when the validity period of the plan has expired.

5. All costs of access and connection to the 360NRS platform shall be borne by the Customer.

6. All non-contractual services shall be charged according to the NRS pricing system.

7. All invoices shall be sent by NRS to the Customer upon receipt of the corresponding payment and may be downloaded from the customer's personal account.

4. Obligations of NRS

1. NRS shall provide the Customer with the following services for the implementation of this agreement:

a) Digital communication and contact management services via the 360NRS platform;

b) Support, by email or telephone, during the normal business hours of NRS, for the services provided.

2. NRS undertakes to:

a) Maintain 360NRS services and platform in compliance with all international, national and local laws, rules and regulations, including, without limitations, those governing advertising and marketing practices.

b) Maintain the confidentiality of all information related to the Customer's data to which it has access.

c) NRS has its main headquarters in the territory of the European Union and is governed by compliance with European regulations on the protection of personal data. NRS does not store such data in locations outside EU jurisdiction and shall never sell, lend or transfer personal information, contact lists, messages or any other Customer details, except in the event of a court order. Such data may only be transferred between NRS employees within the strict scope of their service management and administration functions.

d) NRS is obliged to inform the Customer about any changes to the pricing of the 360NRS platform.



5. Obligations of the Customer

1. In addition to the obligations provided for in other clauses of this agreement and in the scope of the regular execution thereof, the Customer undertakes to:

a) Send digital communications via the 360NRS platform only to recipients who have previously and explicitly granted their authorisation to the Customer to receive such communications;

b) Strictly comply with the 360NRS White Paper on Good Practices in Mailing, with which they have explicitly indicated agreement by using the platform. The Customer is specifically obliged not to exceed the following limits:

| METRICS | ACCEPTABLE | EXPLANATION |
|---|---|---|
| Hard bounces (recent) | 2% | In relation to the number of bounced messages over the past 15 days. |
| Hard bounces (total) | 10% | In relation to the total number of contacts. |
| Voluntary unsubscribes | 1.4% | People who click on the unsubscribe button in the message. |
| Suspicious contacts | 10% | E.g. known bounces, role-based email addresses, addresses with correct syntax but non-existent or never used in subscriptions. |
| Spam complaints | 0.08% | For more than 1000 delivered messages (however, the number of daily complaints may never be greater than 50). |
| Opened message complaints | 1.00% | In relation to how many messages sent have been opened over the past 5 days. |
| Spam traps and complaints without the Customer's justification | 1 | A spam trap is an email address specifically created to identify illegal databases. |



c) Provide truthful and verifiable information when identifying their company via the 360NRS platform and to the recipients of their digital communications.

d) Not to engage in, or even to attempt, any conduct which may breach the norms and limitations of use imposed by the 360NRS platform, which may breach the current legal order or which may be detrimental, in any way, to legally-protected interests or positions.

e) Take responsibility for reading the regular emails sent by NRS or displayed on the 360NRS platform itself regarding news, recommendations, maintenance and other modifications to the platform.

f) Maintain the confidentiality of all information related to internal NRS data to which it may have access at some point.

g) Refrain from spamming, whereby spamming is understood to be the sending of emails:

- to any contact list without the prior knowledge or consent of said contacts.

- to contacts who have expressed their intention to unsubscribe from the contact list.

- solely for the purpose of attracting contacts in exchange for revenue.

- which do not contain a valid and identifiable sender.

- with a subject line or content which includes false, misleading, discriminatory, xenophobic or unlawful information, or which promotes revenue from gambling, sells pyramid schemes, or encourages wrongdoing and abuse.

- and, ultimately, anything which under LOPD (Spanish), LSSI (EU) or CAN SPAM (USA) legislation may be deemed as spam.

6. Use of SMS sender IDs

1. All sender IDs used by the Customer when sending SMS via the 360NRS platform must exist, be valid and clearly identify the sender to recipients.

2. Alphanumeric mobile phone sender IDs may only correspond to the name of the Customer's company or to a trademark registered by the Customer.

3. Numeric telephone sender IDs may only be valid numbers used by the Customer or by the Customer's business.

7. Confidentiality

1. For the purposes of complying with regulations on the protection of personal data, NRS - as the data processor - guarantees that it shall only process personal data according to the Customer's instructions. NRS undertakes to process information classified as confidential with the utmost privacy and secrecy. Confidential information shall be deemed to be any personal data which is accessed by virtue of the delivery of services considered herein.

2. NRS shall not apply the data to purposes other than those required for the accurate delivery of services. Should NRS apply the personal data provided to other purposes, or disclose or use said data in violation of the stipulations herein, it shall also be considered the data processor, duly responding to any infringements which it may incur.

3. NRS undertakes to keep professional secrecy regarding access to personal data regulated by this agreement, duly agreeing not to disclose said data, not even for preservation thereof, to other people. This obligation shall continue even after the relationship with the Customer has terminated. NRS shall adopt the necessary technical and organisational measures stipulated in data protection regulations to ensure the security and integrity of personal data and prevent the unauthorised alteration, loss, processing or use thereof, taking into account the state of the technology, the nature of the data stored and the risks to which it is exposed, whether from human action or physical or natural means.

4. Under no circumstances may NRS incorporate data to which it may have access as a result of its professional relationship with the Customer to its own files or media. Once the contractual obligations have been fulfilled, and whenever the relationship between both parties terminates, in compliance with the agreed or legally-defined terms and conditions, the personal data used by NRS shall be destroyed or returned to the owner thereof, along with any media or documents containing any personal data subject to processing. Data shall not be destroyed when there is a legal stipulation which requires the preservation thereof, in which case it shall be returned to the Customer to guarantee preservation. In any event, NRS shall keep the data duly inaccessible for as long as there may be liabilities in its relationship with the Customer.

8. Guarantees and risks

1. The digital communication and contact management services provided by NRS via the 360NRS platform do not guarantee the absence of technical failures or the ability to comply with a specific objective, whichever the circumstances. NRS nonetheless agrees to do its utmost to assist the Customer in troubleshooting any issues or difficulties detected. NRS also undertakes to maintain an uptime of 98% (the average availability of NRS is 99.5%).

2. The Customer assumes all liability for the use of the 360NRS platform, accepting the obligation to compensate NRS for damages resulting from improper use of the platform, and also assuming all expenses or liabilities which NRS may have to bear derived from said use.

3. The Customer is fully liable for the nature, processing and legality of recipient databases which it uses for digital communication actions via the 360NRS platform. In the event of a complaint or dispute submitted by any recipient of the Customer's digital communication actions, NRS shall not be held liable for such actions, whichever the circumstances.

4. The Customer is obliged to maintain the confidentiality of its identification ("username") and access code ("password") to the 360NRS platform, with NRS not being held liable for the use which third parties, with or without the Customer's authorisation, may make of such details. Neither shall NRS be liable for storing the Customer's account details on the 360NRS platform were the account to be disabled or deleted.

9. Time frame and termination

1. This agreement takes effect from the moment at which the Customer creates an account on the 360NRS platform and shall remain in force until the Customer terminates the use of NRS services, or if said services are revoked due to non-compliance or by mutual agreement.

10. Non-compliance

1. Unjustified non-compliance with the obligations arising from this agreement entitles the other party, in the general terms of applicable law, to the right of unilateral cancellation thereof.

2. The Customer shall automatically lose (by NRS disabling their account), and without prior notice, the right and access to NRS services if one or more of the following conditions occurs, and shall not be entitled to any refund for amounts paid for the use of said services:

a) Non-payment of invoices issued by NRS in the period stipulated in this agreement;

b) Breach of the NRS Anti-Spam Policy;

c) Breach of any of the obligations of the Customer stipulated in this agreement.

d) Registration of a new NRS account (with or without corresponding payment) after having breached any of the obligations stipulated herein in a previous NRS account.

3. If the Customer has contracted a monthly plan and has not paid the invoices issued by NRS within the stipulated period, the Customer's NRS account shall automatically be converted into a non-plan account and any scheduled or ongoing mailings shall be suspended if there is enough balance in the account to perform said mailing.

4. In the event of a dispute and if the Customer resides in the European Union, they may use the services of the European Consumer Centre, the policies and recommendations of which NRS endorses.

11. Notifications

1. Notifications between the parties regarding the execution of this agreement, including the request for services, shall be made by email, fax or post.

2. NRS shall regularly send messages to the Customer about the NRS platform (new features, service maintenance, payment notifications, etc.) via one or more of the aforementioned channels. NRS may also occasionally send information to the Customer about actions of NRS companies or partners. The Customer may at any time unsubscribe from these messages by clicking on the "Edit Subscription" button.

12. Jurisdiction

In the event of any dispute or disagreement which may arise regarding the interpretation and/or implementation of this agreement, the parties shall submit to the Courts of Castellón, waiving their own jurisdiction and applying current Spanish law.



ADDENDUM TO CONTRACT FOR THE PROVISION OF SERVICES

Net Real Solutions, SLU, (hereinafter "NRS" or "Data Processing Manager") with fiscal identification number ESB12550877, located at Av. Arcadi García Sanz, 19, 1ºA, Vila Real, Castellón, Spain; Registered in the Mercantile Registry of Castellón, volume 1058, book 622, sheet 183, section 8, page CS-17458; legally represented by Mr. Joaquín Edo, as Director-General, with national ID number 29018346M, as sole administrator.

The parties have agreed in advance, either through

a) a Service Provision Contract

b) or through the explicit Acceptance of the Terms of Service at the time of registration on any of the NRS websites (www.nrsgateway.com and/or www.360nrs.com), that NRS will provide the Client with a web platform or Integration API for the mass sending of communications by SMS, e-mail, notifications, web, push notifications or automatic calls.

For reasons of providing the services mentioned in the previous paragraph, NRS is required to process certain personal data on behalf of the Client, who will be the person responsible for the processing of personal data, as defined by the applicable Law on Protection of Personal Data;

The parties agree to sign this Addendum on data protection in accordance with article 28 of the General Regulation of Data Protection of the European Union, in the following terms:


2nd (Definitions)

a) GDPR: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 concerning the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

b) "personal data" means any information about an identified or identifiable natural person ("the interested party"); a natural person will be considered to be any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or several elements of their physical, physiological, genetic, mental, economic, cultural or social identity;

c) "processing": any operation or set of operations performed on personal data or sets of personal data, whether by automated or non-automated procedures, such as collection, registration, organisation, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of access authorisation, comparison or interconnection, limitation, deletion or destruction;

d) "person responsible for processing": the natural or legal person, public authority, service or other body that, alone or together with others, determines the purposes and means of the processing; if the purposes and means of the treatment are defined by the law of the European Union or of the Member States, the person responsible for the treatment or the specific criteria for their appointment may be established by the law of the European Union or of the Member States;

e) "data processor": the natural or legal person, public authority, service or other body that processes personal data on behalf of the person responsible for processing;

f) "security breach" means any breach of security resulting from the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorised communication of or access to such data;


3rd (Object)

1. By this contract and in the terms of its signature, the Person responsible for processing empowers Net Real Solutions as the Data Processor of personal data to provide the service specified below.

The treatment will consist solely and exclusively of the provision of services of "SMS messages, e-mails, web and app notifications and automatic calls through the web platform owned by NRS or by integration with the NRS server"


4th (Duration)

This agreement will enter into force as of the date of signature, by both parties, of this contract and will be valid during the provision of the service, by the Processing Manager, object of the main contract.

The data processor's obligation of confidentiality shall remain valid for two years after the end of the service described in the main contract.

Once the present contract ends, the data processor must return any personal data to the person responsible for said personal data, and delete any copy that they have in their possession. However, they can keep the data secured, for any possible administrative or legal processes.


5th (Obligations of the data processor)

The data processor and all their employees undertake to:

a) Use the personal data to which they have access only for the purpose of this assignment. In no circumstances may data be used for their personal purposes.

b) Process the data in accordance with the instructions of the person responsible for processing.

If the data processor considers that any of the instructions violate the GDPR or any other law of the European Union or a Member State regarding data protection, the data processor shall immediately inform the person in charge.

c) Keep a written record of all categories of processing activities carried out on behalf of the person responsible for processing, containing:

    - The name and contact information of the data processor(s) and of each person on behalf of which the data processor is acting and, where appropriate, the representative of the person responsible or of the data processor and the data protection delegate.

    - The categories of processing carried out by each person responsible.

    - Where applicable, transfers of personal data to a third country or international organisation, including the identification of said third country or international organisation and, in the case of transfers indicated in Article 49, clause 1, paragraph two of the GDPR, the documentation of appropriate guarantees.

    - A general description of the technical and organisational security measures related to:

        i. The pseudonymisation and the encryption of personal data.

        ii. Guaranteeing the confidentiality, integrity, availability and permanent resilience of the processing systems and services.

        iii. The ability to restore the availability and access to personal data quickly, in case of a physical or technical incident.

        iv. The verification, evaluation and assessment of the effectiveness of technical and organisational measures to ensure the safety of the processing.

d) Refrain from disclosing data to third parties, unless you have the express authorisation of the person in charge of processing, in legally accepted cases.

The data processor can communicate the data to others designated by the person in charge, according to the instructions of the person in charge of processing. In such a case, the person in charge will identify, in advance and in writing, the entity to which the data must be communicated, the data which is to be communicated and the security measures to be applied in order to proceed with the communication.

If the person in charge must transfer personal data to a third country or to an international organization, pursuant to Union or Member State law, he/she will inform the person responsible for that legal requirement in advance, unless such law prohibits it for important reasons of public interest.

e) Refrain from outsourcing any of the services mentioned in this contract which may involve the processing of personal data, except for the auxiliary services necessary for the normal operation of the services of the data processor.

If it is necessary to subcontract any processing, this fact must be communicated in writing to the person in charge, one month in advance, indicating the processes that are to be subcontracted and clearly and unequivocally identifying the subcontractor company and their contact information. The subcontracting can be carried out if the person in charge does not make any objection known within the established period (one month).

The subcontractor, who shall also have the status of data processor, also undertakes to comply with the obligations established herein for the data processor and with the instructions which the manager may enforce. It is the responsibility of the initial data processor to regulate the new relationship so that the new data processor is subject to the same conditions (instructions, obligations, security measures, etc.) and with the same formal requirements as them, in relation to the appropriate processing of personal data and guaranteeing the rights of the people affected. In the case of non-compliance on the part of the subcontracted data processor, the initial manager will answer to the person responsible for processing in terms of compliance with the obligations.

f) Maintain confidentiality with respect to personal data to which they have had access under this commission, even after the conclusion of the contract.

g) Guarantee that the persons authorised to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, and must be informed accordingly.

h) Make available to the person in charge the documentation proving compliance with the obligation established in the previous section.

i) Guarantee the necessary training in terms of protection of personal data of the persons authorised to process personal data.

j) Assist the data processor in the response to the exercise of rights of:

    - Access, rectification, deletion and opposition.

    - Limitation on processing.

    - Data portability.

    - Not being subject to automated individualised decisions (including profiling).

The data processor must resolve, on behalf of the person in charge, and within the established period, requests to exercise rights of access, rectification, deletion and opposition, limitation of the processing, portability of data and not being subject to automated individualised decisions, in relation to the data subject to processing.

k) It is the responsibility of the person responsible to provide the right to information at the time of the data collection.

l) Notification of data security breaches

The data processor will notify the person in charge of processing, without undue delay, and in any case within a maximum period of 72 hours, of security breaches concerning data for which they are responsible and of which they are aware, together with all the relevant information for the documentation and communication of the incident.

Notification will not be necessary when it is unlikely that such a breach of security constitutes a risk to the rights and freedoms of natural persons.

At least the following information will be provided:

    - A description of the nature of the personal data security breach, including, whenever possible, the categories and the approximate number of affected users, and the categories and the approximate number of personal information records affected.

    - The name and contact information of the data protection officer or another contact point where more information could be obtained.

    - A description of the possible consequences of the personal data security breach.

    - A description of the measures adopted or proposed to remedy the personal data security breach, including, if applicable, the measures adopted to mitigate possible negative effects.

If it is not possible to provide all the information at the same time, and to the extent to which it is not, the information will be provided gradually without undue delay.

m) Provide the person in charge with all the necessary information to demonstrate compliance with their duties, as well as for carrying out the audits or inspections performed by the person in charge or by another authorised auditor.

n) Implement the security measures included in the APPENDIX SECURITY MEASURES.

o) In all cases, you must implement the necessary security measures to:

    - Guarantee the confidentiality, integrity, availability and permanent resilience of the processing systems and services.

    - Restore the availability and access to personal data quickly, in case of physical or technical incident.

    - Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organisational measures implemented to guarantee the safety of the processing.

    - Pseudonymise and encrypt personal data, if applicable.

p) Destination of the data

Destroying the data, once the service has been completed. Once destroyed, the data processor must certify their destruction in writing and must deliver the certificate to the person responsible.

However, the processor may keep a copy, with the data duly encrypted, as long as responsibilities for the execution of the provision can be fulfilled.


6th (Obligations of the Person in charge of processing)

The person responsible for processing shall:

a) Send digital communications through the web platform owned by NRS, or through integration with NRS servers, only to recipients who previously and explicitly granted their authorisation to receive such communications.

b) Deliver to the data processor the data referred to in clause 3 of this document, in order to facilitate the provision of the services to which the main contract refers.

c) Carry out an evaluation of the impact, if necessary, on the protection of personal data of the processing operations to be carried out by the person in charge.

d) Conduct the prior consultations required.

e) Ensure, prior to and throughout the processing, compliance with the GDPR by the data processor.

f) Oversee the processing, including carrying out inspections and audits.


7th (SECURITY MEASURES)

ORGANISATIONAL MEASURES

INFORMATION THAT SHALL BE KNOWN BY ALL STAFF WITH ACCESS TO PERSONAL DATA

All personnel with access to personal data must be aware of their obligations in relation to the processing of personal data and will be informed of these obligations. The minimum information that will be known by all the staff will be the following:

- DUTY OF CONFIDENTIALITY AND SECRECY

    - The access of unauthorised persons to personal data should be avoided, in order to avoid: leaving personal data exposed to third parties (unattended electronic screens, paper documents in areas of public access, supports with personal data, etc.), this consideration includes the screens that are used for the visualisation of images from the video-surveillance system. When you are absent from the workplace, the screen must be locked or the session closed.

    - Paper documents and electronic media will be stored in a secure place (cabinets or restricted access rooms) 24 hours a day.

    - Documents or electronic media (CDs, pen drives, hard drives, etc.) containing personal data will not be discarded without guaranteeing their destruction.

    - Personal data or any personal information will not be communicated to third parties. Special attention will be given to not divulging protected personal data during telephone consultations, emails, etc.

    - The duty of secrecy and confidentiality persists even when the worker's employment relationship with the company ends.

- RIGHTS OF THE DATA HOLDERS

All workers will be informed of the procedure to address the rights of the interested parties, clearly defining the mechanisms by which the rights can be exercised (electronic means, referring to the Data Protection Officer if there is one, postal address, etc.), taking into account the following:

    - Upon presentation of their national identity document or passport, the holders of personal data (interested parties) may exercise their rights of access, rectification, deletion, opposition and portability. The person responsible for the processing must respond to the interested parties without undue delay.

For the right of access, the interested parties will be provided with a list of the personal data they have available, along with the purpose for which they were collected, the identity of the recipients of the data, the conservation periods, and the identity of the person responsible, from whom the rectification, deletion and opposition to the processing of the data can be requested.

For the right to rectification, the data of the interested parties that were inaccurate or incomplete for the purposes of the processing will be corrected.

For the right to deletion, the data of the interested parties will be deleted when the interested parties express their refusal or opposition to consent for the processing of their data and there is no legal duty that prevents deletion.

For the right to portability, the interested parties must communicate their decision and inform the person responsible, as the case may be, about the identity of the new person responsible to whom they provide their personal data.

The person responsible for the processing must inform all persons with access to personal data about the terms of compliance to meet the rights of the interested parties, and the manner and procedure in which said rights will be met.

- SECURITY VIOLATIONS OF PERSONAL DATA

    - When there are security breaches of PERSONAL DATA, such as, for example, theft or improper access to personal data, the Spanish Data Protection Agency will be notified within 72 hours of said security breaches, including all information necessary for the clarification of the facts that would have given rise to the improper access to personal data. The notification will be made by electronic means through the electronic headquarters of the Spanish Agency for Data Protection at the address: https://sedeagpd.gob.es


TECHNICAL MEASURES

IDENTIFICATION

- When the same computer or device is used for the processing of personal data and personal purposes, it is recommended to have several profiles or different users for each of the purposes. The professional and personal uses of the computer must be kept separate.

- It is recommended to have profiles with administrator rights for the installation and configuration of the system and users without privileges or administrative rights for access to personal data. This measure will prevent access privileges being obtained or the operating system being modified in the event of a cybersecurity attack.

- The existence of passwords for access to personal data stored in electronic systems must be guaranteed. The password must have at least 8 characters, and be a mixture of numbers and letters.

- When personal data are accessed by different people, for each person with access to personal data, a specific username and password must be used (unambiguous identification).

- The confidentiality of passwords must be guaranteed, preventing them from being exposed to third parties. In no case will passwords be shared or written down in a shared space accessible to people other than the user.

DUTY OF SAFEGUARD

The following are the minimum technical measures to guarantee the safeguarding of personal data:

- UPDATING OF COMPUTERS AND DEVICES: The devices and computers used for the storage and processing of personal data must be kept as up-to-date as possible.

- MALWARE: On computers and devices where the automated processing of personal data is carried out, an antivirus system must be available to guarantee protection against the theft and destruction of personal information and data as much as possible. The antivirus system should be updated periodically.

- FIREWALL: To avoid illicit remote access to personal data, there must be an activated firewall installed on those computers and devices in which personal data is stored and/or processed.

- ENCRYPTION OF DATA: When it is necessary to perform the extraction of personal data away from the site where it is processed, either by physical means or by electronic means, the possibility of using an encryption method to guarantee the confidentiality of the data in case of undue access should be assessed.

- BACKUP COPY: Periodically a backup copy will be made on a second device different from that used for daily work. The copy will be stored in a secure place, different from that in which the computer with the original files is located, in order to allow the recovery of personal data in case of loss of information.

The security measures will be reviewed periodically. The review may be done by automatic mechanisms (software or computer programs) or manually. Consider that any computer security incident that has happened to any acquaintance can occur to you, and take precautions against it.