Terms and Conditions

In order to provide the services under the conditions set forth in the Agreement located at
https://hilos.io/terms-and-conditions (or its successor URL), Hilos may engage the following third
parties as sub-processors to carry out data-processing activities that involve the processing of
personal data on the customer’s behalf.

‍

Effective: April 15, 2025

‍
This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the agreement
located at https://hilos.io/terms-and-conditions or its successor URL (“Agreement”) entered into
between Hilos and the customer (“Customer”) governing the subscription of services (“Services”)
from Hilos by Customer. This DPA reflects the Parties’ agreement with regard to the Processing of
Personal Data on behalf of Customer by Hilos.

‍
1. DEFINITIONS

‍
“Controller” means the entity which determines the purposes and means of the Processing of
Personal Data.
“Data Subject” means the identified or identifiable person to whom Personal Data relates. An
identifiable person is a person who may be identified, directly or indirectly, in particular by
reference to an online identifier, or to one or more factors specific to the physical, physiological,
genetic, psychological, financial, cultural or social identity of such natural person.
“Data Protection Laws” means all laws and regulations, including laws and regulations of Mexico,
laws and regulation of the European Union, and any other law or regulation, applicable the
Processing of Personal Data carried out by Hilos within the framework of the performance the
Agreement, in each case as amended, repealed, consolidated, or replaced from time to time. For
the avoidance of doubt, Data Protection Laws include the GDPR and the UK GDPR, if and to the
extent applicable.
"Europe" means the European Union, the European Economic Area, Switzerland and the United
Kingdom.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of natural persons with regard to the Processing of Personal Data and
on the free movement of such data.
“Personal Data” (which may also be used interchangeably with “Customer Personal Data”) means
any Customer personal data that directly or indirectly identifies a Data Subject.
“Processing” means any operation or set of operations, carried out by a Party (whether or not by
automated means), and applied to Personal Data or sets of Personal Data, such as, in particular,
collection, recording, storage, organization, structuring, conservation, adaptation, modification,
extraction, consultation, use, communication by transmission, dissemination or any other form of

provision, reconciliation, interconnection, limitation, erasure or destruction. “Process”,
“Processed” and “Processes” shall be interpreted accordingly.
“Processor” means any entity that Processes Personal Data on behalf of the Controller.
“EU Standard Contractual Clauses” or “EU SCCs” means the European Commission standard
contractual clauses for the transfer of Personal Data to a Processor established in a third country
which does not ensure an adequate level of data protection, as annexed to the European
Commission’s Decision (EU) 2021/914 of 4 June 2021 and as may be amended, replaced or
repealed from time to time.
“UK GDPR” means the GDPR as incorporated into the United Kingdom law.
All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
2. PURPOSE
In the course of providing the Services to Customer pursuant to the Agreement, Hilos Processes
Customer Personal Data on behalf of Customer. The Parties agree to comply with the provisions
set out in this DPA with respect to any Customer Personal Data, each acting reasonably and in
good faith.
3. PROCESSING OF PERSONAL DATA
3.1. Role of the Parties
Customer appoints Hilos as a Processor to Process the Customer Personal Data on behalf of
Customer. As between the Parties, Customer Personal Data is the sole and exclusive property of
Customer. Each of Customer and Hilos shall comply with the obligations that apply to it under Data
Protection Laws.
3.2. Customer representations and warranties
Customer, acting as the Controller of the Personal Data, shall, in its use of the Services, Process
Personal Data in accordance with the requirements of Data Protection Laws, including any
applicable obligation to provide notice to or obtain consent from Data Subjects in connection with
the use of Hilos as Processor. For the avoidance of doubt, Customer represents and warrants that
its Processing instructions comply with the Data Protection Laws. Customer shall have sole
responsibility for the accuracy, quality, and legality of Personal Data and the means by which
Customer collected Personal Data.

Customer must comply with all laws and regulations applicable to its use of the Services, including
laws related to confidentiality of communications, privacy, digital marketing, and data protection
requirements. Customer is responsible for determining whether the Services are appropriate for
storage and Processing of information subject to any specific law or regulation and for using the
Services in a manner consistent with Customer’s legal and regulatory obligations.
Customer specifically acknowledges and agrees that its use of the Services will not violate the
rights of any Data Subject, to the extent applicable under Data Protection Laws. In particular,
Customer represents and warrants that it has provided all notices and obtained all consents and
rights necessary under Data Protection Laws for Hilos to Process Personal Data on behalf of
Customer for the purposes described in the Agreement (including this DPA). Hilos may take
remedial action should Customer materially breach this Section which may include the termination
of the Agreement (in whole or in part) and/or the suspension of the Services.
Customer shall not (and shall not permit Data Subject to) disclose to Hilos any of the following
categories of data: (i) any “sensitive” or “special categories” of Personal Data (as these terms and
their equivalent are defined under Data Protection Laws) and/or (ii) any Personal Data obtained
from or relating to a Data Subject that is deemed a child under Data Protection Laws.
Customer undertakes to promptly inform Hilos in the event where it becomes aware that personal
data of minor and/or sensitive data are processed through the Services.
Further, Customer is solely responsible for determining the suitability of the Services for
Customer’s business and complying with any Data Protection Laws to the collection and use of
Personal Data and Customer’s use of the Services.
3.3. Hilos’s Processing of Personal Data
Within the framework of the performance of the Agreement, Hilos undertakes to Process
Customer’s Personal Data as a Processor (within the meaning of Data Protection Laws) in
accordance with the documented and written general or specific instructions provided by
Customer.
This DPA and the Agreement into which it is incorporated contain Customer’s complete
instructions to Hilos for the Personal Data Processing carried out within the framework of the
performance of the Agreement. Hilos shall inform Customer if, in its reasonable opinion, an
instruction of Customer constitutes a breach of the GDPR or any applicable Data Protection Laws,
or if Hilos is unable to follow Customer’s instructions for the Processing of Personal Data.
Notwithstanding the foregoing, Customer acknowledges and agrees that such notification will not
constitute a general obligation on the part of Hilos to monitor or interpret the laws applicable to
Customer and such notification will not constitute legal advice to Customer.

Hilos undertakes to Process Customer’s Personal Data in the conditions set forth in this DPA, if and
to the extent the undertakings set out herein are required by applicable Data Protection Laws.
Customer agrees that Hilos may collect, use, and disclose data concerning and derived from
Customer’s use of the Services, but excluding Personal Data, for industry analysis, benchmarking,
analytics, marketing, research and development, improvement of the Services and other business
purposes during and after the term of the DPA, provided that any such data collected, used, and
disclosed for such purposes will be in aggregate form only and will not identify Customer or Data
Subjects and Hilos complies with all applicable laws in collecting, using and disclosing such
anonymized data.  These anonymized data shall not be considered confidential information of
Customer.  
3.4. Details of the Processing
Details of the Processing (e.g. duration, purpose, type of Personal Data, categories of Data Subject)
carried out under this DPA are further specified in Schedule 2 (Description of Processing) to this
DPA.
Customer undertakes to maintain a record of the Processing activities it performs as a Controller,
and Hilos undertakes to maintain a record of the Processing activities it performs as a Processor, in
accordance with the Data Protection Laws.
4. CONFIDENTIALITY AND SECURITY
Hilos undertakes to implement appropriate technical, contractual and organizational measures to
ensure the confidentiality of the Personal Data it Processes in accordance with this Section.
In particular, Hilos must ensure that (i) all employees, agents or contractors who may have access
on its behalf to Customer’s Personal Data (and, where applicable, any subsequent Processor) are
informed of the confidential nature of the Personal Data and are subject to a non-disclosure
obligation, and (ii) access to Customer’s Personal Data is strictly limited to those individuals who
need to know or have access to the relevant Personal Data in the performance of the Agreement.
Taking into account the state of the art, the costs of implementation and the nature, scope,
context and purposes of the Processing as well as the risk of likelihood and severity of
infringement of the Data Subjects’ rights and freedoms, Hilos implements, with regard to
Customer’s Personal Data it directly Processes, the appropriate technical and organizational
measures to ensure a level of security appropriate to such risk and to prevent the occurrence of
Data Breaches, including, where applicable, the measures referred to Data Protection Laws, such
as article 32 of the GDPR:
(a) the pseudonymization and encryption of the Personal Data;

(b) the ability to ensure the confidentiality, integrity, availability and ongoing resilience of
Processing systems and services;
(c) the ability to restore availability and access to the Personal Data in a timely manner in
the event of a physical or technical incident;
(d) a process to regularly test, assess and evaluate the effectiveness of the technical and
organizational measures to ensure the security of the Processing.

Details of such measures are available upon Customer’s request only in order to enable Customer
to demonstrate compliance with Data Protection Laws, and on the condition that the Parties have
a separate non-disclosure agreement in place which protects such details as Hilos’s confidential
information.
Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is
responsible for its secure use of the Services, including (as applicable) (i) securing its account
authentication credentials, (ii) protecting the security of Personal Data when in transit to and from
the Services, and (iii) taking any appropriate steps to securely encrypt or backup any Personal Data
uploaded to the Services.
5. DATA BREACHES
Hilos shall notify Customer without undue delay after becoming aware of a breach of security
leading to the accidental or unlawful destruction, loss or alteration, unauthorized disclosure of, or
access to, Customer Personal Data Processed by Hilos or its Sub-Processor(s) of which Hilos
becomes aware.
Hilos will provide the notice in a report that may also include, within the reasonable control and
discretion of Hilos, relevant information about the nature, scope, circumstances, predictable
consequences and the measures taken or to be taken, to the extent that such information is
available to Hilos.
At Customer’s request, Hilos will reasonably cooperate to enable Customer to comply with
Customer’s notification obligation under Data Protection Laws, within the framework of the
assistance provided as set out in Section 7 of this DPA.
Hilos will take reasonable steps to mitigate and, where possible, to remedy the effects of, any such
security incident.
Hilos’s obligations in this Section do not apply to incidents that are caused by Customer or
Customer’s staff or users or to unsuccessful attempts or activities that do not compromise the

security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of
service attacks, and other network attacks on firewalls or networked systems.

6. SUB-PROCESSORS
Customer agrees that Hilos may use subsequent Processors (“Sub-Processors”) in connection with
the Services under the Agreement to Process its Personal Data, provided that such Sub-Processors
are contractually bound to Hilos by data protection obligations no less protective than those set
forth in this DPA.
Hilos must ensure that any Sub-Processor complies with its obligations, and in such respect
conduct any audit of the Sub-Processor it deems necessary to ensure compliance.
The current list of Sub-Processors engaged in Processing Personal Data for the performance of the
Services is listed under https://hilos.io/subprocessors and includes a description of the subject-
matter and nature of the Processing. Customer agrees that Personal Data may be Processed by
these Sub-Processors.
At any time during the performance of the Agreement, Hilos may call upon new Sub-Processors
and agrees to inform Customer of any such change.
Customer has the right to object to Hilos’s use of a new Sub-Processor by notifying Hilos in writing
within seven (7) calendar days following the receipt of Hilos notice of change. In the event where
Customer objects to a new Sub-Processor within the aforementioned period, Hilos will use
reasonable efforts to make available to Customer a change of the Services and/or of the
conditions under which they are used by Customer in order to avoid the Processing of Personal
Data by the Sub-Processor which has been rejected by Customer. Notwithstanding, Hilos may, at
its sole discretion, waive its right to work with the relevant Sub-Processor or maintain its decision
to work with such Sub-Processor.
In the event where Hilos decides to continue working with the rejected Sub-Processor and is
unable to make available to Customer an alternative way to deliver or use the Services, Customer
is entitled to cease entrusting Hilos with the Processing of its Personal Data upon written notice of
termination (corresponding to only the Services involving the subcontracting of Personal Data)
sent under the conditions provided for in the Agreement.
In no event Hilos may be held liable by Customer of the early termination of the Agreement by
Customer as a result of change in the Sub-Processor list.
7. ASSISTANCE AND COOPERATION

Each Party undertakes to provide reasonable assistance to the other Party in the performance of
the Agreement with regard to Personal Data protection.
Each Party undertakes:
(a) to perform in good faith its obligations under the DPA;
(b) to ensure the availability, cooperation and competence of its staff for the proper
performance of the DPA; and
(c) to provide the other Party with the information necessary for the performance of the
DPA or which may have an impact on its performance, to the extent that the Party
owing such obligation is reasonably able to have or have access to such information.
Each Party undertakes to perform its obligations in a manner and within a timeframe that enables
the other Party to perform its own obligations under the DPA. In addition, the Parties agree to
cooperate reasonably in the event of an inquiry or investigation by a supervisory authority.
In the event that, in accordance with the Data Protection Laws, Customer is required to carry out
an impact assessment on the protection of Personal Data or a prior consultation with a
supervisory authority, Hilos undertakes to reasonably assist Customer, upon its written request, by
providing it with all the documents and information available to it and reasonably necessary for
such purpose, depending on the nature of the Processing.
All additional assistance will be mutually agreed upon by the Parties and will give rise to payment
of additional compensation as reasonably determined by the Party providing the assistance
requested by the other Party.
8. RIGHTS OF DATA SUBJECTS
Hilos undertakes to notify Customer without undue delay of any request or complaint made by a
Data Subject to Hilos regarding the Processing carried out on their Personal Data and, upon
Customer’s written request, to reasonably cooperate with Customer to enable it to comply with
any request by the Data Subject to exercise their rights in accordance with the Data Protection
Laws, depending on the nature of the Processing. Customer will respond to the Data Subject
directly and Hilos undertakes not to respond directly to requests from Data Subject except to
confirm to the Data Subject that the request relates to Customer.
9. THIRD-PARTY ACCESS REQUEST

To the extent legally permitted, Hilos will notify Customer of any request or order it may receive
from third parties, administrative authorities or courts, as well as any actions and/or measures
initiated by such third parties, authorities or courts, seeking the disclosure of Customer Personal
Data and/or information relating to the Processing carried out by Hilos on behalf of Customer.
Hilos shall, upon Customer’s written request, provide commercially reasonable cooperation to
assist Customer to respond to any such data access request.
In the event that any such request is made directly to Hilos, Hilos shall not respond to such
communication directly without Customer’s prior authorisation, unless legally permitted to do so.
In the event where Hilos receives a legally binding request to access Personal Data from a public
authority (i.e. any government or law enforcement authority, including judicial authorities), Hilos
shall, unless otherwise legally prohibited, notify Customer without undue delay.
Hilos shall respond to the third parties, administrative authorities or courts as required by
applicable laws.
Each Party undertakes to cooperate and reasonably assist the other Party to enable it to respond
to such requests in accordance with the Data Protection Laws and within the given time limits.
10. AUDIT
To the extent required by Data Protection Laws and upon Customer’s written request no more
than once per year, Hilos acting as a Processor agrees to make available to Customer such
information, documents and access to its service providers as may be reasonably necessary to
enable it to ensure compliance by Customer of its obligations under this DPA.
For the DPA’s entire term, Hilos (acting as a Processor) authorizes Customer to conduct, or have
conducted by an independent auditor who is not a competitor of Hilos and bound by an
enforceable non-disclosure obligation, with a minimum of eight (8) weeks' prior notice and a
detailed audit plan describing the proposed scope, duration, and start date of the audit, an audit
in order to verify Hilos’ compliance with its obligations under the DPA, no more than once per
year, if such an audit is required by Data Protection Laws and Hilos’s compliance cannot be
demonstrated by means that are less burdensome on Hilos.
For this purpose, Hilos shall provide Customer (and/or its auditors bound by an enforceable non-
disclosure obligation) with all documents and information available to Hilos as reasonably
necessary to enable it to verify Hilos’s compliance with its obligations under the DPA.
Hilos undertakes (i) to cooperate in good faith with the auditor, (ii) to provide the auditor with all
information, documents available to Hilos and/or explanations which reasonably necessary to

conduct the audit, (iii) to allow the auditor access to the premises, systems, facilities and service
providers involved in the performance or documentation of the Processing.
Customer and the appointed auditor undertakes to avoid causing (or, if it cannot avoid it, to
minimize) any disruption to the Hilos’s business and to prevent any damage to the Hilos’ premises,
equipment, staff and business in the course of conducting the audit, and to conduct the audit
during Hilos’s regular business hours, subject to Hilos’s policies.
Customer must provide the results of the audit to Hilos as soon as it receives the auditor's report,
and will request Hilos to make its comments on the report, which are then recorded in writing as
an appendix to the report.
In the event an audit reveals a breach by Hilos to comply with its obligations under the DPA, Hilos
undertakes to take the necessary steps to correct such breach and mitigate its effects, where
applicable.
Customer will bear the cost of the audit. All information disclosed by Hilos pursuant to this Section
will be deemed Hilo’s confidential information and shall be protected by Customer (and/or its
auditors) in accordance with the applicable confidentiality provisions.
11. RETURN AND DELETION
Upon expiry or termination of this DPA for any reason whatsoever, Hilos undertakes to return
Customer Personal Data to Customer and to allow Customer to back-up the Customer Personal
Data prior to deleting Customer Personal Data, to the extent legally required. Until Customer Data
is deleted or returned, Hilos shall continue to Process Personal Data in accordance with this DPA,
to the extent required by Data Protection Laws.
Hilos will not retain any copies of the Personal Data, except for that relating to technical back-up
procedures or data retention processes or to the extent legally required.
12. LIABILITY
Each party’s liability, taken together in the aggregate, arising out of or in connection with this DPA,
whether in contract or tort, shall be subject to the liability limitations set forth in the Agreement
and any reference to a party’s liability in the Agreement shall be deemed to be a reference to the
aggregate liability of such party.

13. JURISDICTION SPECIFIC PROVISIONS

The following jurisdiction specific provisions apply to the extent that Hilos Processes Personal Data
originating from or protected by Data Protection Laws in a jurisdiction identified in this Section.
13.1 Europe Specific Provisions
Hilos will Process Personal Data in accordance with the GDPR and UK GDPR requirements directly
applicable to Hilos’s provision of its Services.
In the event where, within the framework of the performance or use of the Services, Personal
Data of European Data Subjects are transferred to a country outside Europe that is not subject to
an adequacy decision in accordance with the GDPR or the UK GDPR, the Module 2 of the EU
Standard Contractual Clauses of the European Commission attached in Schedule 1 and 2 to this
DPA shall apply (in the case of transfers subject to the GDPR) and the UK IDTA shall apply (in the
case of transfers subject to the UK GDPR).
The ”UK IDTA” (as used in this Section) means the International Data Transfer Addendum issued
by the UK Information Commissioner, which is incorporated (and deemed executed) by reference
into this DPA and amends Module 2 of the EU Standard Contractual Clauses of the European
Commission attached in Schedule 1 and 2 to this DPA. Neither Party can terminate the UK IDTA
pursuant to Table 4 and Section 19 thereof without the written consent of the other.
The EU SCCs and the UK IDTA do not apply to any transfer of Personal Data to an entity certified
under the EU-US Data Privacy Framework and its extensions.
As of the date of this DPA, Hilos has no reason to believe that the laws and practices in a country
outside Europe (which applies to its Processing of Personal Data) prevents Hilos from fulfilling its
obligations under the DPA. In the event where Hilos reasonably believes that any law and practice
in a country outside Europe applicable to its Processing of Personal Data prevent it from fulfilling
its obligations under this DPA, it shall promptly notify Customer.
Hilos shall use reasonable efforts to make available to Customer a change in the Services or
recommend a commercially reasonable change to Customer’s configuration or use of the Services
to facilitate compliance with applicable Data Protection Laws.
In the event Hilos is not in a position to propose such change, Customer may terminate the
Agreement in respect only to those Services which cannot be provided by Hilos in accordance
with Data Protection Laws by providing written notice in accordance with the Agreement.
13.2. Brazil Specific Provisions
In circumstances where: (i) the Processing of Personal Data involves Data Subjects located in
Brazil; (ii) the Personal Data subject to Processing has been collected in Brazil; or (iii) the

Processing operations are carried out in Brazil, such Processing activities shall be subject to the
provisions of the Brazilian General Data Protection Law (Federal Law No. 13.709/2018) (the
“LGPD”).
In such cases, the Customer, in its capacity as the Controller, shall be responsible for ensuring
compliance with the LGPD. This includes, but is not limited to: (a) identifying and establishing the
appropriate legal basis for each Processing activity involving Personal Data made available through
Hilos’s Services; (b) fulfilling the duty of transparency toward data subjects; (c) responding to data
subject requests in accordance with the rights guaranteed under the LGPD; and (d) performing
notifications to the competent supervisory authority or affected data subjects, where required by
applicable law.
Hilos, acting in its capacity as a Processor of Customer’s Personal Data, undertakes to provide
reasonable assistance and make available relevant information, to the extent of its responsibilities
and subject to applicable confidentiality obligations, for the purpose of supporting Customer’s
compliance with the LGPD. Such assistance shall be rendered solely upon Customer’s express and
documented request.
The Parties acknowledge that the Processing of Personal Data by Hilos, in connection with the
provision of its Services, may occur outside the territory of the Federative Republic of Brazil. In this
context, Customer, in its role as the Controller, shall remain fully responsible for complying with all
applicable legal and regulatory requirements governing international data transfers under
Brazilian law, including, but not limited to, fulfilling all transparency obligations toward data
subjects.
For the purpose of such international transfers in accordance with the LGPD and Resolution
CD/ANPD No. 19/2024, the Parties agree to adopt the standard contractual clauses issued by the
Brazilian Data Protection Authority (ANPD), as included in Schedule 3 to this DPA (“Brazilian
Standard Contractual Clauses”). Customer acknowledges and accepts the use of the Brazilian
Standard Contractual Clauses as the applicable instrument governing the international transfer of
Personal Data through Hilos’s Services.
13.3. Mexico Specific Provisions
Hilos will Process Personal Data in accordance with the Mexican Data Protection Law on the
Protection of Personal Data Held by Private Parties and its Regulations (the “Mexican Data
Protection Law”), to the extent directly applicable to Hilos’s provision of its Services.
Further, to the extent Hilos provides cloud services, Hilos undertakes to (i) apply personal data
protection policies in line with the applicable principles and duties set forth by the Mexican Data
Protection Law; (ii) transparent subcontracting involving the information in which the cloud
services are provided; (iii) refrain from including conditions, in the rendering of the cloud services,

that authorize or allow Hilos to assume ownership or property of the information in which the
cloud services are rendered; (iv) maintain confidentiality with respect to the Personal Data
Processed by the cloud services; (v) notify changes of the privacy policy or its terms of service; (vi)
allow the Controller to limit the type of processing regarding the cloud services; (vii) establish and
maintain adequate security measures; (viii) delete Personal Data under applicable data retention
standards; and (ix) prevent unauthorized access.
Upon expiry or termination of this DPA for any reason whatsoever, prior to the deletion of
Customer Personal Data by Hilos, Hilos undertakes to allow Customer to back-up the Customer
Personal Data.
In the event of international data transfers, Hilos may use contractual clauses or a data transfer
agreement providing at least the same obligations to which the Controller is subject, as well as the
conditions under which the Data Subject consented to the Processing of their Pesonal Data. The
Parties acknowledge and agree that the EU Standard Contractual Clauses may be used for such
international data transfers.
13.4 United States Specific Provisions
Hilos will Process Personal Data subject to the United States Data Protection Law requirements as
a “service provider” (as that term or its equivalent is defined under United States Data Protection
Law), in accordance with the United States Data Protection Law requirements directly applicable
to Hilos’s provision of its Services, and the Parties acknowledge and agree that Hilos does not
receive any Personal Data as consideration for the Services.
Hilos will not: (i) retain, use, or disclose Personal Data outside of its direct business relationship
with Customer, or for any purpose (including a commercial purpose) other than as necessary for
the specific purpose of performing the Services in accordance with the Agreement or as permitted
by Data Protection Law; and (ii) sell or share the Personal Data. Hilos will also not combine the
Personal Data that it receives on behalf of Customer, with Personal Data that it receives on behalf
of another person, except as permitted by Data Protection Law.
14. MISCELLANEOUS
Except as specifically set forth in this DPA, all terms of the Agreement remain in full force and
effect. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA
shall prevail.

SCHEDULE 1 – EU STANDARD CONTRACTUAL CLAUSES (MODULE 2 – CONTROLLER TO
PROCESSOR)
For the purposes of EU SCC Module 2, Customer is the data exporter and Hilos is the data importer
and the Parties agree to the following.
The provisions contained in the EU Standard Contractual Clauses (Module 2) are incorporated by
reference into and are an integral part of this DPA. The information required for the purposes of
the Appendix to the EU Standard Contractual Clauses are set out in Schedule 2 to the DPA.
The parties agree to amend the EU SCCs as follows:
Clause 7 (“Docking Clause”): The option under Clause 7 shall not apply.
Clause 8.1. (“Instructions”): For the purpose of Clause 8.1., the instruction of Customer to Hilos
are set out in Section 3.3 of the DPA.
Clause 8.5 (“Duration of processing and erasure or return of data”) and 16(d) (“Non Compliance
with the Clauses and termination”): The parties agree that the certification of deletion of Personal
Data that is described in Clause 8.5 and 16(d) of the EU Standard Contractual Clauses shall be
provided by Hilos to Customer upon Customer's written request.
Clause 8.9 (“Documentation and compliance”): Any audit arising out of Clause 8.9 of the EU SCCs
shall be carried out in the conditions set forth in Section 10 of the DPA.
Clause 9 (“Use of sub-processors – General written authorization”): The option 2 (General
written, authorization) provided in Clause 9 of the EU SCCs shall apply. Customer grants Hilos a
general authorization to engage sub-processors in accordance with Section 5 of this DPA.
Customer acknowledges and agrees that Hilos may engage new sub-processors as described the
DPA.
Clause 10 (“Data Subject Rights”): For the purpose of Clause 10, the assistance provided by Hilos
to Customer are set out in Sections 7 and 8 of the DPA.
Clause 11 (“Redress”): The option set out in Clause 11 shall not apply.
Clause 13 (“Supervision”):
Where Customer is established in the European Union, the supervisory authority with
responsibility for ensuring compliance by Customer with the GDPR as regards the data transfer
shall act as competent supervisory authority.

Where Customer is not established in the European Union, but falls within the territorial scope of
application of the GDPR in accordance with its Article 3(2) and has appointed a representative
pursuant to Article 27(1) of the GDPR, the supervisory authority of the Member State in which the
representative within the meaning of Article 27(1) of the GDPR is established shall act as
competent supervisory authority.
Where Customer is not established in in the European Union, but falls within the territorial scope
of application of the GDPR in accordance with its Article 3(2) without however having to appoint a
representative pursuant to Article 27(2) of the GDPR, the supervisory authority of one of the
Member States in which the Data Subject whose Personal Data is transferred under these Clauses
in relation to the offering of goods or services to them, or whose behaviour is monitored, are
located, shall act as competent supervisory authority.
Clause 15 (“Obligations of the data importer in case of access by public authorities”): For the
purposes of Clause 15(1)(a), Hilos shall notify Customer only (and not the Data Subjects) in the
event of access request by public authorities. Customer shall be solely responsible for promptly
notifying the Data Subject as necessary.
Clause 17 (“Governing Law”): These Clauses shall be governed by the law that is designated in the
Governing Law section of the Agreement. If the Agreement is not governed by an European Union
member state law, the EU Standard Contractual Clauses will be governed by the laws of Ireland.
Clause 18 (“Jurisdiction”): The competent courts shall be those designated in the Agreement. If
the Agreement does not designate an European Union member state court as having exclusive
jurisdiction to resolve any dispute or lawsuit arising out of or in connection with the Agreement,
the parties agree that the courts of Ireland. Notwithstanding the foregoing, data subjects may also
bring legal proceedings against Customer or Hilos before the courts of the European Union
member state in which he/she has his/her habitual residence. The parties agree to submit
themselves to the jurisdiction of such courts.
Contractual Documentation: In the event of any conflict or inconsistency between the DPA and
the Standard Contractual Clauses, the EU Standard Contractual Clauses shall prevail.

SCHEDULE 2 – DESCRIPTION OF THE PROCESSING

A. List of Parties
Data exporter:
Name: Customer, as identified in the Agreement.
Address: Customer address provided in the Agreement.
Contact person’s name, position and contact details: representative identified in the Agreement.
Activities relevant to the data transferred under these clauses: performance of the Services
pursuant to the Agreement.
Role: Customer is a Controller.
Data exporter:
Name: Hilos, as identified in the Agreement.
Address: San Antonio No. 95, Nápoles, Benito Juárez, Ciudad de México, México C.P. 03840
Contact person’s name, position and contact details: as identified in the Agreement.
Activities relevant to the data transferred under these clauses: performance of the Services
pursuant to the Agreement.
Role: Hilos is a Processor.
B. Description of Transfer
Categories of data subjects whose personal data is processed/transferred:
Customer Personal Data include Personal Data of:
 Data Subjects with whom Customer interacts: Customer may elect to Process Personal
Data of its clients, prospects or message recipients through the Services.
Categories of personal data processed/transferred:
 Any information provided by Customer to Hilos regarding the Data Subjects.

 Any information disclosed by the Data Subject through Hilos.
Such information may include first name and last name, title, position, company/employer,
personal and/or professional contact information (email, phone, address), ID data, professional
life data, personal life data, commercial information, content of the messages send through Hilos.
Sensitive data transferred (if applicable):
Not applicable (per the conditions set forth in Section 3.2 of the DPA)
Frequency of the transfer:
Continuous basis depending on the use of the Services by Customer.
Nature of the processing:
Performance of the Services pursuant to the Agreement.
Purpose of the data transfer and further processing :
Hilos Processes Personal Data as necessary to perform the Services pursuant to the Agreement,
and as further instructed by Customer in the DPA.
Duration of processing:
Hilos will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon
in writing.
Sub-processor:
For transfers to (sub-) processors, also specify subject matter, nature and duration of the
processing:
Personal Data may be transferred to Sub-Processors in the conditions set forth in Section 6 of the
DPA.
Competent supervisory authority:
Competent supervisory authority is appointed in the conditions set forth in Schedule 1 (Clause 13)
to the DPA.

SCHEDULE 3 – Brazilian Standard Contractual Clauses

SECTION I - GENERAL INFORMATION
CLAUSE 1. Identification of the Parties
1.1. By this agreement, the Exporter and the Importer (hereinafter, “Parties”), identified below,
have agreed to these standard contractual clauses (hereinafter, “Clauses”) approved by the
National Data Protection Authority (ANPD), to govern the International Data Transfer described in
CLAUSE 2.
Customer is the Exporter and Hilos is the Importer.
Details of the Parties: as set forth in Schedule 2 to this DPA.
CLAUSE 2. Object
2.1 This Clauses shall apply to International Transfers of Personal Data between Data Exporters
and Data Importers, as described below.
Description of the international data transfer: as set forth in in Schedule 2 to this DPA.
CLAUSE 3. Onward Transfers
3.1. The Importer may carry out an Onward Transfer of Personal Data subject to the International
Data Transfer governed by these Clauses, in the cases and according to the conditions described
below and the provisions of CLAUSE 18.
Details of Onward Transfers: as set forth in in Schedule 2 to this DPA.
CLAUSE 4. Responsibilities of the Parties
4.1 Without prejudice to the duty of mutual assistance and the general obligations of the Parties,
the Designated Party below, as Controller, shall be responsible for complying with the following
obligations set out in these Clauses:
a) Responsible for publishing the document provided in CLAUSE 14;
(x) Exporter
b) Responsible for responding to requests from Data Subjects dealt with in CLAUSE 15:

(x) Exporter
c) Responsible for notifying the security incident provided in CLAUSE 16:
(x) Exporter
4.2. For the purposes of these Clauses, if the Designated Party pursuant to item 4.1. is the
Processor, the Controller remains responsible for:
a) compliance with the obligations provided in CLAUSES 14, 15 and 16 and other provisions
established in the National Legislation, especially in case of omission or non-compliance with the
obligations by the Designated Party;
b) compliance with ANPD’s determinations; and
c) guaranteeing the Data Subjects' rights and repairing damages caused, subject to the provisions
of Clause 17.

SECTION II – MANDATORY CLAUSES

CLAUSE 5 Purpose
5.1 These Clauses are presented as a mechanism to enable the secure international flow of
personal data, establish minimum guarantees and valid conditions for carrying out the
International Data Transfer and aim to guarantee the adoption of adequate safeguards for
compliance with the principles, the rights of the Data Subject and the data protection regime
provided for in National Legislation.
CLAUSE 6. Definitions
6.1 For the purposes of these Clauses, the definitions in art. 5 of LGPD, and art. 3 of the Regulation
on the International Transfer of Personal Data shall be considered, without prejudice to other
normative acts issued by ANPD. The Parties also agree to consider the terms and their respective
meanings as set out below:
a) Processing agents: the controller and the processor;
b) ANPD: National Data Protection Authority;
c) Clauses: the standard contractual clauses approved by ANPD, which are part of SECTIONS I, II
and III;
d) Related Contract: contractual instrument signed between the Parties or, at least, between one
of them and a third-party, including a Third-Party Controller, which has a common purpose, link or
dependency relationship with the contract that governs the International Data Transfer;
e) Controller: Party or third-party (“Third Controller”) responsible for decisions regarding the
processing of Personal Data;

f) Personal Data: information related to an identified or identifiable natural person;
g) Sensitive Personal Data: personal data on racial or ethnic origin, religious belief, political
opinion, affiliation to trade unions or to a religious, philosophical or political organization, data
regarding health or sexual life, genetic or biometric data, whenever related to a natural person;
h) Erasure: exclusion of data or dataset from a database, regardless of the procedure used;
i) Exporter: processing agent, located in the national territory or in a foreign country, who
transfers personal data to the Importer; j) Importer: processing agent, located in a foreign country,
who receives personal data from the Exporter;
k) National Legislation: set of Brazilian constitutional, legal and regulatory provisions regarding the
protection of Personal Data, including the LGPD, the International Data Transfer Regulation and
other normative acts issued by ANPD;
l) Arbitration Law: Law No. 9,307, of September 23, 1996;
m) Security Measures: technical and administrative measures able to protect Personal Data from
unauthorized access and from accidental or unlawful events of destruction, loss, alteration,
communication or dissemination;
n) Research Body: body or entity of the government bodies or associated entities or a non-profit
private legal entity legally established under Brazilian laws, having their headquarter and
jurisdiction in the Brazilian territory, which includes basic or applied research of historical,
scientific, technological or statistical nature in its institutional mission or in its corporate or
statutory purposes;
o) Processor: Party or third-party, including a Sub-processor, which processes Personal Data on
behalf of the Controller;
p) Designated Party: Party or a Third-Party Controller, under the terms of CLAUSE 4, designated to
fulfill specific obligations regarding transparency, Data Subjects’ rights and notifying security
incidents;
q) Parties: Exporter and Importer;
r) Access Request: request for mandatory compliance, by force of law, regulation or determination
of public authority, to grant access to the Personal Data subject to the International Data Transfer
governed by these Clauses;
s) Sub-processor: processing agent hired by the Importer, with no link with the Exporter, to
process Personal Data after an International Data Transfer;
t) Third-Party Controller: Personal Data Controller who authorizes and provides written
instructions for the carrying out of the International Data Transfer between Processors governed
by these Clauses, on his behalf, pursuant to Clause 4 (“Option B”);
u) Data Subject: natural person to whom the Personal Data which are subject to the International
Data Transfer governed by these Clauses relate;
v) Transfer: processing modality through which a processing agent transmits, shares or provides
access to Personal Data to another processing agent;
w) International Data Transfer: transfer of Personal Data to a foreign country or to an international
organization which Brazil is a member of; and

x) Onward Transfer: transfer of Personal Data, within the same country or to another country, by
an Importer to a third-party, including a Sub-processor, provided that it does not constitute an
Access Request.
CLAUSE 7. Applicable legislation and ANPD supervision
7.1. The International Data Transfer subject to these Clauses shall subject to the National
Legislation and to the supervision of ANPD, including the power to apply preventive measures and
administrative sanctions to both Parties, as appropriate, as well as the power to limit, suspend or
prohibit the international transfers arising from this agreement or a Related Contract.
CLAUSE 8. Interpretation
8.1. Any application of these Clauses shall occur in accordance with the following terms:
a) these Clauses shall always be interpreted more favorably to the Data Subject and in accordance
with the provisions of the National Legislation;
b) in case of doubt about the meaning of any term in these Clauses, the meaning which is most in
line with the National Legislation shall apply;
c) no item in these Clauses, including a Related Agreement and the provisions set forth in SECTION
IV, shall be interpreted as limiting or excluding the liability of any of the Parties in relation to
obligations set forth in the National Legislation; and
d) provisions of SECTIONS I and II shall prevail in case of conflict of interpretation with additional
clauses and other provisions set forth in SECTIONS III and IV of this agreement or in Related
Agreements.
CLAUSE 9. Docking Clause
9.1. By mutual agreement between the Parties, it shall be possible for a processing agent to
adhere to these Clauses, either as a Data Exporter or as a Data Importer, by completing and
signing a written document, which shall form part of this contract.
9.2 The acceding party shall have the same rights and obligations as the originating parties,
according to the position assumed of Exporter or Importer and according to the corresponding
category of treatment agent.
CLAUSE 10. General obligations of the Parties
10.1. The Parties undertake to adopt and, when necessary, demonstrate the implementation of
effective measures capable of demonstrating observance of and compliance with the provisions of
these Clauses and the National Legislation, as well as with the effectiveness of such measures and,
in particular:

a) use the Personal Data only for the specific purposes described in CLAUSE 2, with no possibility
of subsequent processing incompatible with such purposes, subject to the limitations, guarantees
and safeguards provided for in these Clauses;
b) guarantee the compatibility of the processing with the purposes informed to the Data Subject,
according to the processing activity context;
c) limit the processing activity to the minimum required for the accomplishment of its purposes,
encompassing pertinent, proportional and non- excessive data in relation to the Personal Data
processing purposes;
d) guarantee to the Data Subjects, subject to the provisions of Clause 4: (d.1.) clear, accurate and
easily accessible information on the processing activities and the respective processing agents,
with due regard for trade and industrial secrecy; (d.2.) facilitated and free of charge consultation
on the form and duration of the processing, as well as on the integrity of their Personal Data; and
(d.3.) accuracy, clarity, relevance and updating of the Personal Data, according to the necessity
and for compliance with the purpose of their processing;
e) adopt the appropriate security measures compatible with the risks involved in the International
Data Transfer governed by these Clauses;
f) not to process Personal Data for abusive or unlawful discriminatory purposes;
g) ensure that any person acting under their authority, including sub- processors or any agent who
collaborates with them, whether for reward or free of charge, only processes data in compliance
with their instructions and with the provisions of these Clauses;
h) keep a record of the Personal Data processing operations of the International Data Transfer
governed by these Clauses, and submit the relevant documentation to ANPD, when requested.
CLAUSE 11. Sensitive personal data
11.1. If the International Data Transfer involves Sensitive Personal Data, the Parties shall apply
additional safeguards, including specific Security Measures which are proportional to the risks of
the processing activity, to the specific nature of the data and to the interests, rights and
guarantees to be protected, as described in SECTION III.
CLAUSE 12. Personal data of children and adolescents
12.1. In case the International Data Transfer governed by these Clauses involves Personal Data
concerning children and adolescents, the Parties shall implement measures to ensure that the
processing is carried out in their best interest, under the terms of the National Legislation and
relevant instruments of international law.
CLAUSE 13. Legal use of data
13.1. The Exporter guarantees that Personal Data has been collected, processed and transferred to
the Importer in accordance with the National Legislation.

CLAUSE 14. Transparency
14.1. The Designated Party shall publish, on its website, a document containing easily accessible
information written in simple, clear and accurate language on the conduction of the International
Data Transfer, including at least information on:
a) the form, duration and specific purpose of the international transfer;
b) the destination country of the transferred data;
c) the Designated Party's identification and contact details;
d) the shared use of data by the Parties and its purpose;
e) the responsibilities of the agents who shall conduct the processing;
f) the Data Subject's rights and the means for exercising them, including an easily accessible
channel made available to respond to their requests, and the right to file a petition against the
Exporter and the Importer before ANPD; and
g) Onward Transfers, including those relating to recipients and to the purpose of such transfer.
14.2. The document referred to in item 14.1. shall be made available on aspecific website page or
integrated, in a prominent and easily accessible format, to the Privacy Policy or equivalent
document.
14.3. Upon request, the Parties shall make a copy of these Clauses available to the Data Subject
free of charge, complying with trade and industrial secrecy.
14.4. All information made available to Data Subjects, under the terms of these Clauses, shall be
written in Portuguese.
CLAUSE 15. Rights of the data subject
15.1. The Data subject shall have the right to obtain from the Designated Party, as regards the
Personal Data subject to the International Data Transfer governed by these Clauses, at any time,
and upon request, under the terms of the National Legislation:
a) confirmation of the existence of processing;
b) access to data;
c) correction of incomplete, inaccurate or outdated data;
d) anonymization, blocking or erasure of unnecessary or excessive data or data processed in
noncompliance with these Clauses and the provisions of National Legislation;
e) portability of data to another service or product provider, upon express request, in accordance
with ANPD regulations, complying with trade and industrial secrecy;
f) erasure of Personal Data processed under the Data Subject’s consent, except for the events
provided in CLAUSE 20;
g) information on public and private entities with which the Parties have shared data;

h) information on the possibility of denying consent and on the consequences of the denial;
i) withdrawal of consent through a free of charge and facilitated procedure, remaining ratified the
processing activities carried out before the request for elimination;
j) review of decisions taken solely on the basis of automated processing of personal data affecting
their interests, including decisions aimed at defining their personal, professional, consumer and
credit profile or aspects of their personality; and
k) information on the criteria and procedures adopted for the automated decision.
15.2. Data subject may oppose to the processing based on one of the events of waiver of consent,
in case of noncompliance with the provisions of these Clauses or National Legislation.
15.3 The deadline for responding to the requests provided for in this Clause and in item 14.3 is 15
(fifteen) days from the date of the data subject's request, except in the event of a different
deadline established in specific ANPD regulations.
15.4. In case the Data Subject's request is directed to the Party not designated as responsible for
the obligations set forth in this Clause or in item 14.3., the referred Party shall:
a) inform the Data Subject of the service channel made available by the Designated Party; or
b) forward the request to the Designated Party as early as possible, to enable the response within
the period provided in item 15.2.
15.5. The Parties shall immediately inform the Data Processing Agents with whom they have
shared data with the correction, deletion, anonymization or blocking of the data, for them to
follow the same procedure, except in cases where this communication is demonstrably impossible
or involves a disproportionate effort.
15.6. The Parties shall promote mutual assistance to respond to the Data Subjects’ requests.
CLAUSE 16. Security Incident Reporting
16.1. The Designated Party shall notify ANPD and the Data Subject, within 3 (three) working days
of the occurrence of a security incident that may entail a relevant risk or damage to the Data
Subjects, according to the provisions of National Legislation.
16.2. The Importer must keep a record of security incidents in accordance with National
Legislation.
CLAUSE 17. Liability and compensation for damages

17.1. The Party which, when performing Personal Data processing activities, causes patrimonial,
moral, individual or collective damage, for violating the provisions of these Clauses and of the
National Legislation, shall compensate for it.
17.2. Data Subject may claim compensation for damage caused by any of the Parties as a result of
a breach of these Clauses.
17.3. The defense of Data Subjects' interests and rights may be claimed in court, individually or
collectively, in accordance with the provisions in relevant legislation regarding the instruments of
individual and collective protection.
17.4. The Party acting as Processor shall be jointly and severally liable for damages caused by the
processing activities when it fails to comply with these Clauses or when it has not followed the
lawful instructions of the Controller, except for the provisions of item 17.6.
17.5. The Controllers directly involved in the processing activities which resulted in damage to the
Data Subject shall be jointly and severally liable for these damages, except for the provisions of
item 17.6.
17.6. Parties shall not be held liable if they have proven that:
a) they have not carried out the processing of Personal Data attributed to them;
b) although they did carry out the processing of Personal Data attributed to them, there was no
violation of these Clauses or National Legislation; or
c) the damage results from the sole fault of the Data Subject or of a third- party which is not a
recipient of the Onward Transfer or not subcontracted by the Parties.
17.7. Under the terms of the National Legislation, the judge may reverse the burden of proof in
favor of the Data Subject whenever, in his judgement, the allegation is credible, there is a lack of
sufficient evidence or when the Data Subject would be excessively burdened by the production of
evidence.
17.8. Judicial proceedings for compensation for collective damages which intend to establish
liability under the terms of this Clause may be collectively conducted in court, with due regard for
the provisions in relevant legislation.
17.9. The Party which compensates the damage to the Data Subject shall have a right of recourse
against the other responsible parties, to the extent of their participation in the damaging event.
CLAUSE 18. Safeguards for Onward Transfers

18.1. The Importer shall only carry out Onward Transfers of Personal Data subject to the
International Data Transfer governed by these Clauses if expressly authorized, in accordance with
the terms and conditions described in CLAUSE 3.
18.2. In any case, the Importer:
a) shall ensure that the purpose of the Onward Transfer is compatible with the specific purposes
described in CLAUSE 2;
b) shall guarantee, by means of a written contractual instrument, that the safeguards provided in
these Clauses shall be ensured by the third-party recipient of the Onward Transfer; and
c) for the purposes of these Clauses, and regarding the Personal Data transferred, shall be
considered responsible for any eventual irregularities committed by the third-party recipient of
the Onward Transfer.
18.3. The Onward Transfer shall also be carried out based on another valid modality of
International Data Transfer provided in National Legislation, regardless of the authorization
referred to in CLAUSE 3.
CLAUSE 19. Access Request Notification
19.1 The Importer shall notify the Exporter and the Data Subject of any Access Request related to
the Personal Data subject to the International Data Transfer governed by these Clauses, except in
the event that notification is prohibited by the law of the country in which the data is processed.
19.2. The Importer shall implement the appropriate legal measures, including legal actions, to
protect the rights of the Data Subjects whenever there is adequate legal basis to question the
legality of the Access Request and, if applicable, the prohibition of issuing the notification referred
to in item 19.1.
19.3. To comply with both the ANPD’s and the Exporter’s requests, the Importer shall keep a
record of Access Requests, including date, requester, purpose of the request, type of data
requested, number of requests received, and legal measures implemented.
CLAUSE 20. Termination of processing and erasure of data
20.1. Parties shall erase the personal data subject to the International Data Transfer governed by
these Clauses after the ending of their processing, being their storage authorized only for the
following purposes:
a) compliance with a legal or regulatory obligation by the Controller;
b) study by a Research Body, guaranteeing, whenever possible, the anonymization of personal
data;

c) transfer to a third-party, upon compliance with requirements set forth in these Clauses and in
the National Legislation; and
d) exclusive use of the Controller, being the access by a third-party prohibited, and provided data
have been anonymized.
20.2. For the purposes of this Clause, processing of personal data shall cease when:
a) the purpose set forth in these Clauses has been achieved;
b) Personal Data are no longer necessary or pertinent to attain the intended specific purpose set
forth in these Clauses;
c) at the termination of the treatment period;
d) Data Subject's request is met; and
e) at the order of ANPD, upon violation of the provisions of these Clauses or National Legislation.
CLAUSE 21. Data processing security
21.1. Parties shall implement Security Measures which guarantee sufficient protection of the
Personal Data subject to the International Data Transfer governed by these Clauses, even after its
termination.
21.2. Parties shall inform, in SECTION III, the Security Measures implemented, considering the
nature of the processed information, the specific characteristics and the purpose of the
processing, the technology current state and the probability and severity of the risks to the Data
Subjects’ rights, especially in the case of sensitive personal data and that of children and
adolescents.
21.3. The Parties shall make the necessary efforts to implement periodic evaluation and review
measures to maintain the appropriate level of data security.
CLAUSE 22. Legislation of country of destination
22.1 The Importer declares that it has not identified any laws or administrative practices of the
country receiving the Personal Data that prevent it from fulfilling the obligations assumed in these
Clauses.
22.2. In the event of a regulatory change which alters this situation, the Importer shall
immediately notify the Exporter to assess the continuity of the contract.
CLAUSE 23. Non-compliance with the Clauses by the Importer

23.1. In the event of a breach in the safeguards and guarantees provided in these Clauses or being
the Importer unable to comply with any of them, the Exporter shall be immediately notified,
subject to the provisions in item 19.1.
23.2. Upon receiving the communication referred to in item 23.1 or upon verification of non-
compliance with these Clauses by the Importer, the Exporter shall implement the relevant
measures to ensure the protection of the Data Subjects' rights and the compliance of the
International Data Transfer with the National Legislation and these Clauses, and may, as
appropriate:
a) suspend the International Data Transfer;
b) request the return of the Personal Data, its transfer to a third-party, or its erasure; and
c) terminate the contract.
CLAUSE 24. Choice of forum and jurisdiction
24.1. Brazilian legislation applies to these Clauses and any controversy between the Parties arising
from these Clauses shall be resolved before the competent courts in Brazil, observing, if
applicable, the forum chosen by the Parties in Section IV.
24.2. Data Subjects may file lawsuits against the Exporter or the Importer, as they choose, before
the competent courts in Brazil, including those in their place of residence.
24.3. By mutual agreement, Parties may use arbitration to resolve conflicts arising from these
Clauses, provided that the procedure is carried out in Brazil and in accordance with the provisions
of the Arbitration Law.
SECTION III - Security Measures
The Parties acknowledge that the security measures applicable to the Processing activities under
this Schedule are established in Section 4 of this DPA, which forms an integral part hereof.

‍

A fin de dar cumplimiento con lo establecido en la Ley Federal de Protección de Datos Personales en Posesión de los Particulares, su Reglamento y Lineamientos aplicables (la “Ley”), 11 Tecnologías, S.A.P.I. de C.V., sus filiales y/o subsidiarias, y/o sus partes relacionadas (“Hilos”), con domicilio en San Antonio No. 95, Nápoles, Benito Juárez, Ciudad de México, México C.P. 03840, (el “Domicilio”), dirección electrónica: https://hilos.io/ (el “Sitio”), titular de los derechos de la plataforma digital denominada “https://app.hilos.io/” (la“Plataforma”) y demás plataformas presentes y futuras de su propiedad, y con correo electrónico de contacto hey@hilos.io (el “Correo Electrónico”), pone a su disposición el presente:

‍‍

AVISO DE PRIVACIDAD

‍

Con la finalidad de dar un tratamiento legítimo, controlado e informado a sus datos personales, que actualmente nos proporcione o en el futuro y que obren en nuestras bases de datos, o que hayan sido recopilados por cookies, o cualquier otra tecnología de seguimiento web, así como para garantizar su privacidad y su derecho a la autodeterminación informativa al proporcionarnos dichos datos, siendo Hilos responsable del uso y protección de sus datos personales los cuales serán tratados con base en los principios de licitud, consentimiento, información, calidad, finalidad, lealtad, proporcionalidad y responsabilidad previstos en la Ley.

‍

UTILIZACIÓN DE LA INFORMACIÓN

La información que usted nos provea a través del acceso, registro y creación de perfil de Usuario en el Sitio y/o en la Plataforma, y/o correo electrónico, y/o llenado de formularios o encuestas físicas o electrónicas, en tiempo real o histórico, se procesará y ordenará, para que genere indicadores de datos, mismos que Hilos podrá usar para tomar decisiones pertinentes a su negocio. Toda la información que sea recopilada se utilizará con fines estadísticos, de manera genérica y no personalizada, y se asocian con el crecimiento, mantenimiento y administración de Hilos, respetando en todo momento su privacidad. Estos usos incluyen nuestras operaciones y administración internas, la comunicación con usted y el cumplimiento de las solicitudes de servicios y/o productos provistos por Hilos, así como para mejorar, desarrollar, perfeccionar y, proporcionar los servicios de Hilos, a través de sus partes relacionadas, filiales, o proveedores autorizados y/o socios comerciales, estableciendo las medidas adecuadas a fin de limitar el uso de la información recabada de usted, únicamente para fines legales y autorizados de conformidad con este Aviso, así como con las debidas medidas de confidencialidad y seguridad.

‍

Hilos también podrá recabar su dirección de IP (Internet Protocol) para ayudar a diagnosticar problemas con el servidor de Hilos y para administrar el Sitio y la Plataforma. Una dirección de IP es un número que se le asigna a su computadora cuando usa Internet. Su dirección de IP también es utilizada para ayudar a identificarle dentro de una sesión particular y para recolectar información demográfica general. Hilos podrá hacer uso de tecnología “push” a través de la aplicación que Hilos usa para enviar notificaciones con autorización previa del Usuario. Este medio de comunicación no tiene ningún tipo de acceso a otras funciones o información del equipo con el que se conecta al Sitio. La información puede incluir la URL de la que provienen (estén o no en el Sitio), a qué URL acceden seguidamente (estén o no en el Sitio), qué navegador están usando, así como también las páginas visitadas, las búsquedas realizadas, las publicaciones, preferencias comerciales, mensajes, etc.

‍

USO DE COOKIES

Hilos le informa que, mediante el uso de cookies y tecnologías similares, busca garantizar la mejor experiencia posible en el Sitio y/o la Plataforma, al proporcionarle información personalizada, recordando sus preferencias de servicios y de mercadeo y ayudándolo a obtener la información adecuada. En caso de que requiera mayor información respecto al uso de cookies y tecnologías similares, Hilos pone a su disposición la Política de Uso de Cookies.

‍

1. DATOS PERSONALES SOLICITADOS 

Hilos, y/o las empresas controladoras de éste y/o empresas filiales y/o subsidiarias y/o partes relacionadas (los “Terceros Relacionados”) y/o aquellos terceros que, por la relación comercial con Hilos hayan contratado el uso de la Plataforma para complementar su propuesta de negocios y tengan la necesidad de tratar y/o utilizar sus datos personales (el “Usuario”), solicita y obtiene datos personales en general, así como datos personales considerados sensibles por la Ley (en lo sucesivo “Datos Personales Generales” y “Datos Personales Sensibles”, respectivamente; y de manera conjunta referidos como los “Datos Personales”) de las personas en adelante descritas.

‍

Los Datos Personales Sensibles podrán ser solicitados por medios electrónicos o físicos, en el entendido de que toda información proporcionada en físico, será considerada y tratada como si se hubiera proporcionado y autorizado en el Sitio y/o la Plataforma, y por lo cual se regirá por el presente documento. 

‍

En todos los casos, la recolección de Datos Personales por parte de Hilos es realizada de buena fe y para los fines aquí expuestos; por tal motivo, se presume que los datos proporcionados por sus titulares son apegados a la verdad y completos, por lo que son responsabilidad del titular que los proporciona.

‍

Los Datos Personales que serán recabados de los Usuarios, responsables de los procesos de solicitud, selección, adquisición y administración de los servicios dispuestos en el Sitio y/o la Plataforma (los “Servicios”) así como de aquella información que se recopile por Hilos mediante el uso de la Plataforma, constan de información personal que es incluida o podrá ser incluida en formatos, listados, bases de datos u otros medios físicos y/o electrónicos, según corresponda, a efecto de que Hilos pueda proveer de los Servicios y consolidar el catálogo de trámites y servicios que realiza el Usuario a través de la Plataforma.

‍

1. USUARIOS DE LA PLATAFORMA. Los Datos Personales que serán recabados de los Usuarios que hagan uso de la Plataforma son necesarios para documentar la relación comercial y jurídica que existe o podrá existir con cada uno de ellos. Los Datos Personales que usted proporcionará voluntaria y libremente a Hilos, constan de información que es incluida o podrá ser incluida en contratos, cartas, formatos, listados, bases de datos u otros medios físicos y/o electrónicos, según corresponda, a efecto de que Hilos pueda documentar la relación entre las partes, el proceso de uso y selección que realice o vaya a realizar de los Módulos que conforman los Servicios de la Plataforma; así como para dar cabal cumplimiento a las políticas internas, procedimientos y demás obligaciones legales aplicables a Hilos. 

‍

Los Datos Personales que le serán solicitados a los Usuarios para su registro como Usuario en la Plataforma son los siguientes: 

• Nombre completo;
• teléfono;
• domicilio; 
• correo electrónico; y
• número de teléfono celular.

‍

2.  FINALIDADES DEL TRATAMIENTO DE LOS DATOS PERSONALES

Los Datos Personales proporcionados a Hilos a través de la Plataforma serán utilizados según se ha mencionado anteriormente, con la finalidad de:

1. Realizar el procesamiento de datos que permita crear un registro de los Clientes y de los Módulos de los Servicios que utilice, administre o gestione a través de la Plataforma;  
2. Que el Usuario pueda gestionar, operar, administrar y monitorear la relación de negocios; y 
3. Procesar los datos bancarios para realizar el pago de las órdenes de compra y/o cualquier trámite de negocios, a través de los motores de pago dispuestos por la plataforma. 

‍

Una vez cumplidas las finalidades del tratamiento de sus Datos Personales, y cuando no exista disposición legal que establezca lo contrario, Hilos procederá a la cancelación, eliminación y/o destrucción de los Datos Personales recibidos, en los términos establecidos por la Ley. 

‍

El tratamiento que el Usuario como los motores de pago dispuestos por el Usuario, estarán sujetos a los términos y condiciones del Aviso de Privacidad del Usuario como aquellos contenidos en la página web del tercero que realice los servicios de motor de pago.

‍

3. TRANSFERENCIA

TRANSFERENCIA DE LOS DATOS PERSONALES E INFORMACIÓN. Los Datos Personales a que se refiere este Aviso podrán ser transferidos a: (i) Terceros relacionados y/o aliados comerciales, con la finalidad de engrandecer la propuesta de valor de Hilos, así como ofrecerle, con base en sus necesidades, otros productos y servicios; (ii) Autoridades judiciales, mexicanas y extranjeras, con la finalidad de dar cumplimiento a la Ley, legislación, notificaciones, requerimientos u oficios de carácter judicial; (iii) A proveedores de servicios de internet sobre la cual esté montada la infraestructura tecnológica de Hilos; y/o (iv) a proveedores de servicios de soporte técnico de la Plataforma. En caso de realizar alguna transferencia de sus Datos Personales, en los que se requiera su consentimiento expreso, se lo informaremos a efecto de recabar el mismo.

‍

En todos los casos, Hilos comunicará el presente Aviso de Privacidad a estos terceros y se asegurará a través de la firma de convenios y/o la adopción de otros documentos vinculantes, que dichos terceros mantengan las medidas de seguridad administrativas, técnicas y físicas necesarias para resguardar sus Datos Personales, así como que dichos terceros únicamente utilicen sus Datos Personales para las finalidades para los cuales fueron recabados. Asimismo, tanto el Usuario como responsable de recabar los Datos Personales e Hilos que facilita a través de la Plataforma la recabación y procesamiento de los mismos, así como cualquier otra persona relacionada con Hilos que tenga acceso a la información contenida en este Aviso de Privacidad, quedarán obligados a resguardarla bajo las mismas normas de seguridad y confidencialidad, y a no revelarla ni hacer mal uso de la misma, o en caso contrario serán responsables de conformidad con las leyes aplicables. 

‍

No obstante lo anterior, Hilos no transferirá sus Datos Personales a terceros no relacionados con Hilos, salvo en los casos antes citados y los previstos en la Ley, sin su consentimiento previo.

‍

4. MEDIOS Y PROCEDIMIENTOS PARA EL EJERCICIO DE LOS DERECHOS ARCO 

Usted, como titular de los Datos Personales proporcionados a Hilos, podrá solicitar en cualquier momento, el ejercicio de sus derechos de acceso, rectificación, cancelación u oposición (los “Derechos ARCO”) al tratamiento de sus Datos Personales, consistentes en: (i) acceder a sus Datos Personales y a los detalles del tratamiento de los mismos; (ii) rectificar sus Datos Personales en caso de ser inexactos o incompletos; (iii) cancelar sus Datos Personales cuando considere que no se requieren para alguna de las finalidades señalados en este Aviso de Privacidad, estén siendo utilizados para finalidades no consentidas o haya finalizado su relación contractual o de servicio u otra con Hilos; y (iv) oponerse al tratamiento de sus Datos Personales para fines específicos.

‍

Para tal fin, usted deberá seguir el proceso de presentar su petición por escrito a Hilos, o bien, enviar su petición al Correo Electrónico, según sea aplicable, la cual deberá contener, como mínimo, la siguiente información: (a) Su nombre completo y domicilio, u otro medio idóneo para comunicarle la respuesta a su solicitud; (b) Los documentos que acrediten su identidad o, en su caso, la de su representante legal; (c) La descripción clara y precisa de los Datos Personales respecto de los que se busca ejercer alguno de los derechos antes mencionados; y (d) Cualquier otro elemento o información que facilite la localización de los Datos Personales, así como cualquier otro documento requerido por la regulación actual en el momento de presentar la solicitud. Usted también podrá solicitar al Correo Electrónico mayor información sobre el procedimiento para ejercer sus Derechos ARCO. 

‍

La respuesta a su solicitud le será dada a conocer por Hilos en los términos y plazos establecidos en la Ley. No obstante, usted podrá obtener más información acerca del estado que guarda su solicitud y del plazo de respuesta de la misma, contactando a Hilos o enviando su petición al Correo Electrónico, donde además podrán atender cualquier aclaración o duda que pudiera tener respecto al tratamiento de sus Datos Personales y el ejercicio de sus Derechos ARCO.

‍

5. REVOCACIÓN DEL CONSENTIMIENTO; LIMITACIÓN DE USO Y DIVULGACIÓN DE LOS DATOS PERSONALES  

Usted también podrá revocar, en cualquier momento, el consentimiento que haya otorgado a Hilos para el tratamiento de sus Datos Personales, así como solicitar que se limite el uso y divulgación de los mismos, siempre y cuando no lo impida una disposición legal. Para tal fin, usted deberá presentar su solicitud por escrito a Hilos, o bien, enviar su solicitud al Correo Electrónico, según sea aplicable. Dicha solicitud deberá cumplir con los mismos requisitos mencionados en la Sección 4. anterior. 

‍

La respuesta a su solicitud le será dada a conocer por Hilos en los términos y plazos establecidos en la Ley. No obstante, usted podrá obtener más información acerca del estado que guarda su solicitud y del plazo de respuesta de la misma, contactando a Hilos o enviando su petición al Correo Electrónico, donde además podrán atender cualquier aclaración o duda que pudiera tener respecto al tratamiento y estos derechos que le corresponden respecto a sus Datos Personales.

‍

En caso de que sus Datos Personales hubiesen sido remitidos con anterioridad a la fecha de revocación del consentimiento, y sigan siendo tratados por encargados de Hilos, éste hará del conocimiento de éstos últimos dicha revocación, para que procedan a efectuar lo conducente.

‍

6. CAMBIOS AL AVISO DE PRIVACIDAD

Hilos se reserva el derecho de modificar y/o actualizar este Aviso de Privacidad, en alguna o todas sus partes, a su entera discreción, en cuyo caso lo comunicará aquí mismo a través de su Sitio y/o la Plataforma; y, según sea el caso particular de cada titular, a través de sus redes internas, o por medio de un aviso que se colocará en los medios habituales (físicos o electrónicos) de comunicación de Hilos y en un lugar visible del Domicilio, o mediante un aviso por escrito dirigido a su correo electrónico, según sea legalmente requerido.

‍

7. FORMA DIGITAL, ELECTRÓNICA O EN LÍNEA

La Partes acuerdan que la forma para perfeccionar el acuerdo de voluntades entre ellas podrá ser el de formato Digital, Electrónico o en Línea, en donde bastará manifestar su voluntad por medio de su aceptación, así como proporcionar los datos personales, en el propio Sitio de Hilos  sin requerir estampar la firma en documento alguno.

‍

Fecha de primera emisión: 7 de diciembre de 2021.

Fecha de última actualización: 7 de diciembre de 2021.

‍