Data Processing Addendum

Last updated: March 8, 2026

This Data Processing Addendum ("DPA") forms part of the SearchX Terms of Service ("Agreement") between HelloWorld P.C. ("SearchX", "we", "us", or "our") and the entity or person accepting these terms ("Customer", "you", or "your"). This DPA applies to the extent that SearchX processes Personal Data on behalf of the Customer in the course of providing the services described in the Agreement.

1. Definitions

In this DPA, the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meanings given to them in the Agreement.

  • "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and any national implementing legislation.
  • "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by SearchX on behalf of the Customer in connection with the services.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
  • "Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • "Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party appointed by SearchX to process Personal Data on behalf of the Customer in connection with the services.
  • "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries as approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
  • "Supervisory Authority" means an independent public authority which is established by an EU Member State pursuant to Article 51 of the GDPR, or any equivalent regulatory authority under Applicable Data Protection Laws.

2. Scope and Roles

2.1 Roles

The parties acknowledge and agree that with regard to the processing of Personal Data pursuant to the Agreement, the Customer acts as the Controller, and SearchX acts as the Processor.

2.2 Details of Processing

The details of the processing activities carried out under this DPA are as follows:

  • Subject Matter: The processing of Personal Data by SearchX is necessary to provide the search engine, AI chatbot, and related analytics services as described in the Agreement.
  • Duration: The processing will continue for the duration of the Agreement, unless otherwise agreed in writing.
  • Nature and Purpose: SearchX processes Personal Data for the purpose of providing, maintaining, and improving the services, including search indexing, query processing, AI-powered responses, analytics, and customer support.
  • Categories of Data Subjects: End users of the Customer's website or application, the Customer's employees and contractors, and any other individuals whose Personal Data is submitted to the services by or on behalf of the Customer.
  • Types of Personal Data: Name, email address, IP address, device and browser information, search queries, usage data, and any other Personal Data submitted by the Customer or its end users to the services.

3. Controller Obligations

The Customer, as Controller, shall:

  • Ensure that it has all necessary rights and authorizations to provide Personal Data to SearchX for processing in accordance with this DPA and the Agreement.
  • Ensure that its processing instructions comply with all Applicable Data Protection Laws.
  • Provide all necessary notices to, and obtain all necessary consents or authorizations from, Data Subjects as required under Applicable Data Protection Laws.
  • Be responsible for the accuracy, quality, and legality of the Personal Data provided to SearchX.
  • Inform SearchX without undue delay if it becomes aware of any circumstances that could affect SearchX's ability to comply with its obligations under this DPA.

4. Processor Obligations

4.1 Processing Instructions

SearchX shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or Member State law to which SearchX is subject. In such a case, SearchX shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

4.2 Confidentiality

SearchX shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. SearchX shall ensure that access to Personal Data is limited to those personnel who require such access to perform the services under the Agreement.

4.3 Security

SearchX shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure. These measures shall include, but are not limited to:

  • Encryption of Personal Data in transit and at rest.
  • Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  • Measures to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
  • Measures for user identification and authorization.
  • Protection against unauthorized access to data communication networks and distributed computing systems.
  • Logging and monitoring of access to Personal Data and processing systems.

Further details of the technical and organizational measures are set out in Annex A.

4.4 Assistance to Controller

Taking into account the nature of the processing, SearchX shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR. SearchX shall promptly notify the Customer if it receives a request from a Data Subject in respect of Personal Data processed on behalf of the Customer, and shall not respond to such request without the Customer's prior written authorization.

4.5 Data Protection Impact Assessments (DPIA)

SearchX shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities, which the Customer reasonably considers to be required under Article 35 or 36 of the GDPR or equivalent provisions of any other Applicable Data Protection Laws, in each case solely in relation to the processing of Personal Data by SearchX.

5. Sub-processors

5.1 General Authorization

The Customer provides a general written authorization to SearchX to engage Sub-processors to process Personal Data on the Customer's behalf. The list of currently authorized Sub-processors is set out in Annex B and is also available at https://searchxengine.ai/sub-processors.

5.2 Notification

SearchX shall notify the Customer of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days in advance, thereby giving the Customer the opportunity to object to such changes. Notification shall be provided via email to the address associated with the Customer's account or through the SearchX platform.

5.3 Right to Object

If the Customer objects to a new Sub-processor on reasonable grounds relating to data protection, SearchX shall use commercially reasonable efforts to make available to the Customer a change in the services or recommend a commercially reasonable change to the Customer's configuration or use of the services to avoid processing of Personal Data by the objected-to Sub-processor. If SearchX is unable to make available such change within a reasonable period of time (not to exceed thirty (30) days), the Customer may terminate the applicable services that cannot be provided without the use of the objected-to Sub-processor by providing written notice to SearchX.

5.4 Sub-processor Obligations

Where SearchX engages a Sub-processor, SearchX shall impose data protection obligations on the Sub-processor that are no less protective than those set out in this DPA by way of a written contract. SearchX shall remain fully liable to the Customer for the performance of the Sub-processor's obligations.

6. Personal Data Breach

6.1 Notification

SearchX shall notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Customer.

6.2 Content of Notification

Such notification shall include, to the extent available:

  • A description of the nature of the Personal Data Breach.
  • The categories and approximate number of Data Subjects and Personal Data records concerned.
  • A description of the likely consequences of the Personal Data Breach.
  • A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.

6.3 Cooperation

SearchX shall cooperate with the Customer and take such commercially reasonable steps as may be directed by the Customer to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

7. International Data Transfers

7.1 Data Location

SearchX primarily stores and processes Personal Data within the European Economic Area (EEA). Where processing outside the EEA is required, SearchX shall ensure that appropriate safeguards are in place in accordance with Applicable Data Protection Laws.

7.2 Transfer Mechanisms

To the extent that the processing of Personal Data involves a transfer of Personal Data to a country outside the EEA that has not been deemed to provide an adequate level of data protection by the European Commission, SearchX shall ensure that one of the following transfer mechanisms is in place:

  • Standard Contractual Clauses (SCCs): The parties shall enter into the SCCs as set out in Annex C, which are hereby incorporated by reference.
  • Adequacy Decision: The transfer is to a country that benefits from an adequacy decision by the European Commission under Article 45 of the GDPR.
  • Other Safeguards: Any other appropriate safeguard as permitted under Article 46 of the GDPR, such as binding corporate rules, approved codes of conduct, or approved certification mechanisms.

7.3 Transfer Impact Assessments

SearchX shall conduct and document transfer impact assessments for any transfers of Personal Data to third countries, taking into account the laws and practices of the destination country, and shall implement supplementary measures where necessary to ensure an essentially equivalent level of protection for the Personal Data.

7.4 UK Transfers

For transfers of Personal Data subject to the UK GDPR, the parties shall rely on the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018), or any successor transfer mechanism approved by the UK authorities.

8. Audits and Inspections

8.1 Audit Rights

SearchX shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

8.2 Audit Conditions

Any audit or inspection shall be subject to the following conditions:

  • The Customer shall provide SearchX with at least thirty (30) days' prior written notice of any audit or inspection.
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with SearchX's business operations.
  • The Customer shall bear the costs of any audit or inspection, unless the audit reveals a material breach of this DPA by SearchX.
  • The Customer's auditor shall be bound by appropriate confidentiality obligations.
  • The frequency of audits shall be limited to once per year, unless required by a Supervisory Authority or in the event of a Personal Data Breach.

8.3 Certifications

SearchX may satisfy audit requests by providing the Customer with relevant certifications or audit reports from independent third-party auditors (such as SOC 2 Type II reports or ISO 27001 certifications), provided that such certifications or reports are less than twelve (12) months old and cover the relevant processing activities.

9. Liability

Each party's liability under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA shall limit either party's liability for damages caused by a breach of Applicable Data Protection Laws, or any liability that cannot be excluded or limited under applicable law. For the avoidance of doubt, if SearchX engages a Sub-processor in accordance with this DPA, SearchX shall be directly liable to the Customer for any breach of this DPA caused by an act or omission of such Sub-processor.

10. Term and Termination

10.1 Term

This DPA shall come into effect on the date on which the Customer accepts the Agreement and shall remain in force for as long as SearchX processes Personal Data on behalf of the Customer under the Agreement.

10.2 Data Return and Deletion

Upon termination or expiration of the Agreement, SearchX shall, at the Customer's election, delete or return all Personal Data processed on behalf of the Customer, and delete existing copies, unless European Union or Member State law requires storage of the Personal Data.

The Customer may request the return of Personal Data in a commonly used, machine-readable format within thirty (30) days of the termination or expiration of the Agreement. After this period, SearchX shall delete all remaining Personal Data within a further thirty (30) days, unless legally required to retain it.

SearchX shall certify in writing to the Customer that it has complied with the requirements of this Section upon request.

11. General Provisions

11.1 Governing Law

This DPA shall be governed by and construed in accordance with the laws of Greece, without regard to its conflicts of law principles. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Thessaloniki, Greece.

11.2 Amendments

SearchX may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or changes to our processing activities. Material changes will be communicated to the Customer with at least thirty (30) days' notice. Continued use of the services after the effective date of any changes constitutes acceptance of the updated DPA.

11.3 Severability

If any provision of this DPA is found to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the parties' original intent.

11.4 Entire Agreement

This DPA, together with the Agreement and any annexes hereto, constitutes the entire agreement between the parties with respect to the processing of Personal Data and supersedes all prior or contemporaneous agreements, understandings, and communications, whether written or oral, relating to such subject matter.


Annex A — Technical and Organizational Security Measures

SearchX implements and maintains the following technical and organizational security measures to protect Personal Data:

A.1 Access Control

  • Role-based access control (RBAC) is implemented to ensure that only authorized personnel have access to Personal Data.
  • Multi-factor authentication (MFA) is required for all administrative access to systems that process Personal Data.
  • Access rights are reviewed and updated on a regular basis (at least quarterly).
  • Unique user credentials are assigned to each authorized individual, and shared accounts are prohibited.

A.2 Encryption

  • All Personal Data is encrypted in transit using TLS 1.2 or higher (TLS 1.3 preferred).
  • Personal Data at rest is encrypted using AES-256 encryption or equivalent.
  • Encryption keys are managed through a dedicated key management service with regular key rotation.

A.3 Network Security

  • Firewalls and intrusion detection/prevention systems (IDS/IPS) are deployed to protect the network infrastructure.
  • Network segmentation is used to isolate systems that process Personal Data.
  • Regular vulnerability scans and penetration tests are conducted on systems that process Personal Data.

A.4 Data Center Security

  • Personal Data is hosted in data centers that maintain industry-recognized certifications (such as ISO 27001, SOC 2).
  • Physical access to data centers is restricted and monitored with 24/7 surveillance.
  • Environmental controls (fire suppression, climate control, redundant power supply) are in place at all data center facilities.

A.5 Incident Response

  • A documented incident response plan is maintained and tested at least annually.
  • Security incidents are tracked and managed through a centralized incident management system.
  • Post-incident reviews are conducted to identify root causes and implement corrective measures.

A.6 Business Continuity

  • Regular backups of Personal Data are performed and tested to ensure recoverability.
  • A disaster recovery plan is maintained with defined recovery time objectives (RTO) and recovery point objectives (RPO).
  • Redundant systems and failover mechanisms are in place to ensure service availability.

A.7 Employee Security

  • All employees with access to Personal Data undergo background checks prior to employment.
  • Mandatory data protection and security awareness training is provided to all employees upon hire and on an annual basis.
  • Employees are bound by contractual confidentiality obligations covering Personal Data.

A.8 Data Minimization and Retention

  • Personal Data is collected and processed only to the extent necessary for the purposes described in this DPA.
  • Retention policies are implemented to ensure Personal Data is not kept longer than necessary for its intended purpose.
  • Secure deletion procedures are in place for Personal Data that is no longer required.

Annex B — Authorized Sub-processors

The following Sub-processors are authorized to process Personal Data on behalf of the Customer:

Sub-processor | Purpose | Location
Amazon Web Services (AWS) | Cloud infrastructure and hosting | EU (Frankfurt, Germany)
Stripe | Payment processing | USA (with SCCs)
Google Analytics | Website analytics and usage tracking | USA (with SCCs)

An up-to-date list of Sub-processors is maintained at https://searchxengine.ai/sub-processors.


Annex C — Standard Contractual Clauses

Where the transfer of Personal Data to a third country is required and no adequacy decision applies, the parties agree to enter into the Standard Contractual Clauses ("SCCs") as approved by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

The following provisions apply to the SCCs:

Clause 1: Purpose and Scope

The purpose of these SCCs is to ensure compliance with the requirements of Regulation (EU) 2016/679 (GDPR) for the transfer of personal data to a third country. The parties undertake to process Personal Data in accordance with these clauses and not to modify them except to select the appropriate modules or to add or update information in the annexes.

Clause 2: Modules

Module Two (Controller to Processor) applies to this DPA, where the Customer (as the data exporter/Controller) transfers Personal Data to SearchX or its Sub-processors (as the data importer/Processor) in a third country.

Clause 3: Docking Clause

An entity that is not a party to these clauses may, with the agreement of the existing parties, accede to these clauses at any time, either as a data exporter or as a data importer, by completing the relevant annex and signing the appendix.

Clause 4: Interpretation

These clauses shall be interpreted in the light of the provisions of the GDPR. The clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in the GDPR. Nothing in these clauses shall be interpreted as reducing the rights of data subjects under the GDPR.

Clause 5: Hierarchy

In the event of a contradiction between these clauses and the provisions of the Agreement or any related agreements between the parties, these clauses shall prevail to the extent that they relate to the protection of Personal Data.

Clause 6: Data Subject Rights

Data Subjects may invoke and enforce these clauses as third-party beneficiaries. The data importer shall promptly inform the data exporter of any request received directly from a Data Subject, and shall not respond to such request except on the documented instructions of the data exporter or as required by applicable law.


Contact

For questions or concerns regarding this Data Processing Addendum, please contact us:

Department | Contact
Privacy & GDPR | [email protected]
Legal Matters | [email protected]
