Data Protection Guidelines
These guidelines outline our commitment to protecting user data and ensuring compliance with applicable data protection regulations.
1. Definitions
- "User" means any company or individual utilizing Essembi Products.
- "Personal Data" means information related to an identified or identifiable natural person.
- "Personal Data Breach" means a breach of security leading to unauthorized access or loss of Personal Data.
- "GDPR" means EU General Data Protection Regulation 2016/679.
- "Data Protection Laws" refers collectively to GDPR privacy laws and the California Consumer Privacy Act.
2. Processing of User Personal Data
Essembi shall comply with all applicable Data Protection Laws in the processing of User Personal Data. Such processing shall be conducted in accordance with the principles and requirements set forth in these Guidelines.
3. Limited Data Access
Essembi shall implement and maintain appropriate measures to ensure the reliability of any employee, agent, or contractor who may have access to User Personal Data. Access to User Personal Data shall be strictly limited to those individuals who require such access for the delivery of products and services. All such individuals shall be subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Data Security
4.1 Security Measures
Essembi shall implement appropriate and reasonable technical and organizational measures for the security of User Personal Data. Such measures shall take into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
4.2 Technical Security Implementation
Essembi shall maintain industry-standard encryption for data in transit and at rest, conduct regular security audits and vulnerability assessments, implement multi-factor authentication for accessing sensitive systems, and maintain automated backup systems with encryption.
5. Subprocessing
Essembi shall not appoint (or disclose any User's Personal Data to) any subprocessor except as required or authorized by the User in writing.
6. Data Subject Rights
6.1 User Obligations
Users shall implement appropriate technical and organizational measures to assist Essembi in fulfilling its obligations to respond to data subject rights requests under Data Protection Laws.
6.2 Essembi Obligations
Essembi shall promptly notify Users of any data subject requests received and shall not respond to such requests except on documented User instructions or as legally required. Where legally required to respond, Essembi shall inform Users of such legal requirements prior to responding.
7. Personal Data Breach Management
In the event of a Personal Data Breach, Essembi shall notify Users without undue delay upon becoming aware of such breach. Such notification shall include sufficient information to allow Users to meet their reporting obligations. Essembi shall cooperate with Users and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment
Essembi shall provide reasonable assistance with data protection impact assessments and support prior consultations with data privacy supervising authorities as required by GDPR Articles 35 and 36. Essembi shall provide all necessary information during such impact assessments.
9. Data Retention and Deletion
Upon termination of the agreement with a User, Essembi shall return or delete all User Personal Data as specified by the User. Written confirmation of such return or deletion shall be provided within ten business days of termination.
10. Audit Rights
Essembi shall make available all information necessary to demonstrate compliance with these Guidelines and shall allow for and contribute to audits and inspections conducted by Users or their mandated auditors. Documentation of all audit-related activities shall be maintained.
11. Data Transfer
11.1 Transfer Restrictions
Essembi shall not transfer or authorize the transfer of Personal Data outside of the European Economic Area (EEA), United States, or China without prior written User consent.
11.2 Transfer Protection
For any authorized transfers outside the defined zones, Essembi and the User shall ensure adequate data protection through EU approved standard contractual clauses unless otherwise agreed in writing. Regular reviews of transfer mechanisms shall be conducted to ensure ongoing compliance.
12. Modifications
Essembi reserves the right to modify these Guidelines as needed to comply with legal requirements and operational needs. Users will be notified of material changes, and continued use of Essembi software following such notification shall constitute acceptance of such modifications.