ADDENDUM TO THE TERMS OF SERVICE

This addendum regulates the terms and conditions for the processing of personal data transferred to the Provider by the Owner. The personal data are processed by the Provider for performing the Service. This addendum is governed by law of the Czech Republic in particular by the Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter “GDPR”).

All expressions and terms defined or used in the Terms of Service shall have the same meaning in this addendum, unless the context clearly requires otherwise.

Personal data submitted by the Owner to the Provider in connection with the Service includes the name, company information, email address, user role, country and other information entered into the Service by the Owner or User, in particular information about time worked, wages or other remuneration; for the purpose of measuring work time and cost management.

The purpose of the processing is to analyze the costs and profitability of the Owner's business accounts and the profitability of its team.

Personal data will be processed for the duration of the contractual relationship between the Provider and the Owner under Terms, in other words, for the duration of the Owner's Account. The Provider as a personal data processor is obliged to process personal data in accordance with the laws and instructions of the Owner executed through the Service.

The Owner grants the Provider a general authorization to use other personal data processors (sub-processors) for the processing of personal data. Other sub-processors include:

• Google Commerce Limited, 70 Sir John Rogerson's Quay, 2 Dublin, Ireland
• Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
• Intercom Inc., 55 Second Street, Suite 400, San Francisco, CA 94105, USA
• DigitalOcean, LLC, 101 Avenue of the Americas, New York, New York 10013, USA

The Owner waives his right to be informed about future changes in the above list of the subprocessors. If the Owner at any time in the future asks to be informed about changes of sub-processors, via the privacy@costlocker.com email, the Provider is obliged to inform the Owner about such changes and the Owner is entitled to raise its objections.

The Provider is authorized to transfer personal data to a third country outside the EU or European Economic Area. The transfer of personal data to third countries takes place on the basis of appropriate safeguards, standard contractual clauses and, and in the case of the USA, under the „Privacy Shield“ certification (https://www.privacyshield.gov). The processing activities take place at the offices of the Provider. For automated processing, personal data is processed on servers located in the EU and the US.

The Provider as data processor shall also adopt measures preventing unauthorized or accidental access to personal data, their alteration, destruction or loss, unauthorized transmission, other unauthorized processing, as well as other misuse, namely use locks and electronic protection, secure the data systems with access rights and antivirus protection and back up the data regularly. Persons authorized to process are bound by strict confidentiality. The Provider is further required to inform the Owner without undue delay of the personal data breach.

The Provider is also obliged to provide the Owner with sufficient cooperation to enable the Owner to respond to requests for the exercise of the rights of data subjects set out in Chapter III of the GDPR. The Provider is obliged to delete all personal data at the request of the Owner. This obligation does not apply to instances of backup copies retained to ensure the operation of the Service. The owner is entitled to call on the Provider to perform an audit on the fulfillment of the obligations under this Agreement, and the Provider is obliged in such case to provide the Owner with reasonable co-operation.