Data Processing Addendum

EVA Data Processing Addendum

I. Introduction

The parties agree that this Data Processing Addendum (the "DPA") describes the parties' obligations with respect to the processing and security of Developer Data (including the Personal Information referred to therein). The parties also agree that the processing and security of data in EVA products and feature services are governed by the DPA, unless a separate, specific agreement exists.

In the event of any conflict or inconsistency between the terms of the DPA and any other data terms set out in applicable agreements relating to the EVA official website and services (the "EVA Agreements") the terms of the DPA shall prevail. The terms of the DPA shall supersede any conflicting terms in the EVA Privacy Policy that would otherwise govern the processing of Developer Data and Personal Information as defined herein.

The DPA may be amended by us from time to time and these amendments shall form a part of and have the same effect as the DPA. When updated, we will publish the updated version on our official website and remind you of the updated content by making a post on the official website or through other appropriate means before the updated terms come into effect, so that you can be constantly informed of the latest version of the DPA. If you continue to use the official website and related services, it is deemed that you agree to accept all contents of the revised DPA.

II. Interpretation

In the DPA, the following terms shall have the following meanings unless the context otherwise requires:

• "Developer Data" means: (1) all data uploaded by Developer when obtaining or creating a Bot through the EVA functions/services (such as database information, plug-in/API information uploaded by Developer, etc.); and (2) all data processed by EVA through the runtime of a Bot processed by the Developer after its release, including all text, sound, video or image files and software, as well as data that is derived from Developer's use of EVA products or services and which can be controlled and managed solely by Developer (such as configuration data, operation and maintenance data, etc.)
• "Personal Information" means all information recorded, electronically or otherwise, about an identified or identifiable natural person, excluding information processed anonymized. The Personal Information involved in the provision of specific services includes but is not limited to personally identifiable information (name), address, phone number, online identification information (including account name, e- mail address), personal frequent device information, location information, etc.
• The "processing of personal information" includes the collection, storage, use, processing, transmission, provision, publication and deletion of personal information.
• "Personal Information Owner" means the natural person identified by the personal information.
• "Applicable laws" include, but are not limited to, various laws and regulations under the Cybersecurity Law and Personal Information Protection System of the PRC and national mandatory standards.
• "Personal Information Security Impact Assessment" means the process to examine the degree of compliance of personal information processing activities, determine the risks of damage to the legitimate rights and interests of personal Information Owner, and evaluate the effectiveness of the measures taken to protect the Personal Information Owner.
• The term "personal information security incidents" refers to incidents in which personal information is divulged, lost, stolen or tampered are caused by unauthorized login to the system, or unauthorized access to, reading, copying, modifying or deleting of personal information, and occurrence of system bugs, computer viruses, network attacks and intrusions.
• "Personal Information cross-border Transfer" means the Personal Information Processor has to provide Personal Information outside the territory of the People's Republic of China.
• "China" means the Mainland China, excluding Hong Kong, Mainland China.
• An "entrusting party" refers to an organization or individual that (either individually, jointly or in concert with others) independently determines the purpose and manner of processing in the data processing activities.
• "Consignee" means any entity or person (other than an employee of Entrusting Party) that processes data on behalf of Entrusting Party.
• "Data Protection Requirements" means the Data protection provisions of the Personal Information Protection Law of the People's Republic of China, the Cybersecurity Law of the People's Republic of China, and all other applicable laws and regulations relating to the processing of Personal Information and privacy, including any guidances, recommendations, circulars, and industry codes of practice issued by any national or local regulatory authorities, as applicable.
• "Permitted Sublicensees" means other processors used by EVA, the Consignee, to process data and personal information about the Developer.
• Other capitalized terms used in the DPA shall have the same meaning as defined in the EVA Agreement, unless otherwise specified. In the absence of definitions, they shall be construed in accordance with applicable laws, regulations, administrative regulations and national standards (including recommended standards or their draft recommendations).

III. Data and Personal Information Protection Clauses

1. SCOPE OF APPLICATION

The terms of the DPA apply to all EVA official websites and services.

For clarity purposes, the terms of the DPA only apply to data processed in an environment controlled by EVA and EVA's Permitted Sublicensees, and does not include the data retained in the developer environment or in the operational environments of any third party selected by the developer.

2. NATURE AND PURPOSE OF DATA PROCESSING

DEVELOPER'S RIGHTS AND INTERESTS

EVA will use and otherwise process Developer Data and Personal Information solely as set forth below, and will also comply with the restrictions set forth below to: (a) make available to Developer the official website and services in accordance with Developer's recorded instructions, and (b) conduct operations for the purpose of making available to Developer the official website and services. As between the parties, the Developer shall own all rights and interests in and to the Developer Data. EVA shall not acquire any rights regarding Developer Data other than those rights granted to EVA by the Developer under the DPA and/or the EVA Agreement. This paragraph does not affect EVA's rights contained in the services EVA provides to the Developer.

EVA will not disclose or allow anyone to access Processed Data except: (a) as authorized or directed by the Developer; (b) as provided by this DPA; or (c) as required by law. For purposes of the DPA, "Processed Data" means: (a) Developer Data (including Personal Information); and (b) any other data which is Developer's Confidential Information and is processed by EVA in relation to the official website and services in accordance with the EVA Agreement. All Processed Data shall be processed in accordance with EVA's confidentiality obligations set forth in the EVA Agreement.

EVA will not provide any third parties with (a) direct, indirect, total or free access to Processed Data; or (b) encryption keys used to protect the security of Processed Data or the ability to break such encryption.

To meet the foregoing commitments, EVA may provide third parties with Developer's basic contact information.

EVA may use the Developer Data to improve EVA functionality, provided that the Developer Data is processed with secure encryption, strictly de-identified and not capable of re-identifying specific individuals.

3. PROTECTION OF PERSONAL INFORMATION

SCOPE OF PERSONAL INFORMATION

All personal information processed by EVA in connection with the provision of the official website and services will be obtained in the form of data provided by the Developer, or generated, derived or collected by EVA based on the Developer Data and the context in which the services and functions are provided, including data which Developer sends to EVA, or obtains data which Developer obtains from the products and services offered by EVA, as a result of Developer utilizing the services-based functionality. Personal information includes any personal information that is pseudonymous or de-identified, but not anonymous. Anonymized information is not personal information. Anonymization refers to the process by which personal information has been processed so that it no longer identifies a specific natural person and cannot be retrieved from such processed information.

Roles and Responsibilities of Entrusting and Entrusted Parties

The Developer and EVA agree that the Developer is the processor and entrusting party of personal information, and EVA acts as the entrusted party for accepting such entrustment in accordance with the instructions and purposes of the Developer except: (a) when the Developer acts as the entrusted processor of personal information in which case EVA is the Developer's permitted sub-entrusting party; or (b) as otherwise set forth in the terms for particular products or services or in this DPA.

In the event that EVA acts as the entrusted processor or permitted sub-entrusting party of personal information, EVA shall process personal information only in accordance with the instructions and purposes of the Developer. Meanwhile, the Developer undertakes that the Personal Information it processes is from a lawful and compliant source, the collection, use, processing and other processing activities have been legally authorized by the related personal information subjects, comply with the national laws and regulations regarding personal information protection and data security, and do not infringe the legal interests of any third party. Meanwhile, the Developer undertakes to have the right to sub-entrust the processing of personal information.

The Developer agrees that the EVA Agreement (including the terms of this DPA and any applicable updates) together with the documentation specifying Developer's use and configuration of the EVA related functionality as well as Developer's use of the Professional Services represent the entire instructions from the Developer to EVA regarding the processing of personal information.

RIGHTS AND OBLIGATIONS OF THE ENTRUSTING PARTY

The Entrusting Party shall have the right to:

(a) Upon learning or finding out that the Entrusted Party fails to comply with the DPA, EVA Agreement or any applicable laws in processing personal information, or the Entrusted Party fails to effectively fulfill its responsibility of protection of personal information, Entrusting Party shall have the right to request the Entrusted Party to cease the relevant behavior, and to take, or request the Entrusted Party to take, effective remedies to control or eliminate the security risks to the Personal Information at the Entrusted Party's cost;

(b) Unless otherwise required by laws and regulations regarding the retention period of certain personal information, after the Developer cancels the EVA account or permanently discontinues the EVA Services, EVA shall dispose of the relevant content and information in accordance with the laws and regulations, including without limitation, deletion, anonymization and other methods.

The Entrusting Party undertakes that:

(a) Obtaining authorization from the owner of the personal information: the Entrusting Party warrants that the personal information it obtains is legally based on a legal basis, so that the Entrusting Party can legally provide the personal information agreed by DPA to the Entrusted Party for agreed personal information processing within the terms of DPA term and purposes;

(b) The Entrusting Party shall comply with the DPA, EVA Agreement and any applicable laws on the processing of personal information, and shall perform relevant duties as a personal information processor in accordance with the Personal Information Protection Law and other applicable laws;

(c) Prior to the processing of personal information provided by the Entrusting Party, the Entrusting Party shall carry out an assessment of the impact of personal information protection to ensure that the matters and purposes of DPA comply with the laws and regulations, and do not infringe upon the legitimate rights and interests of any third party.

Rights and Obligations of the Entrusted Party

If the Entrusted Party has justifiable reasons to believe that the Entrusting Party's written instructions on personal information processing activities do not satisfy the needs of personal information security or violate any applicable law, the Entrusted Party shall promptly notify the Entrusting Party and shall be entitled to request the Entrusting Party to cease the relevant behavior, and to take, or request the Entrusting Party to take, effective remedies to control or eliminate the security risks to the Personal Information at the Entrusting Party's cost; If the Entrusting Party fails to solve the risks and problems mentioned in this Article within a reasonable period of time, the Entrusted Party shall be deemed to be in material breach of the DPA, and the Entrusted Party shall be entitled to unilaterally terminate the DPA and EVA Agreement.

The Entrusted Party undertakes that:

(a) The Entrusted Party shall comply with the provisions on personal information processing under DPA, EVA Agreement and applicable law. As the entrusted processing party, it shall perform relevant duties of the Entrusted Party in accordance with the Personal Information Protection Law and other relevant laws and regulations;

(b) The Entrusted Party shall take necessary measures to protect the security of the Personal Information provided by the Entrusting Party and provide assistance to the Entrusting Party in fulfilling legal obligations;

(c) The Entrusted Party shall use and process the personal information within the scope agreed by the DPA;

(d) The Entrusting Party can make assessment on the personal information security impact of data processing behavior prior to implementation of the agreement. The Entrusted Party shall provide necessary assistance as required by the Entrusting Party provided that the Entrusted Party does not prejudice the legal interests of the Entrusted Party and all third parties including the related parties of the Entrusted Party;

(e) The Entrusted Party acknowledges and warrants that it will conduct the Personal Information processing on behalf of the Entrusting Party and will take reasonable measures to ensure that those personnel who are authorized by the Entrusted Party to access the Personal Information will only process the Personal Information and to the extent instructed by the Entrusting Party;

(f) The Entrusted Party shall require its personnel engaging in the processing of personal information and any third-party service provider to keep the personal information processed strictly confidential, receive appropriate training and strictly comply with provisions of the DPA; and

(g) The Entrusted Party shall not process the personal information provided by the Entrusting Party beyond the purpose of the DPA. In the event that the DPA is invalid, revoked or terminated, the Entrusted Party shall delete or anonymize the personal information provided by the Entrusting Party.

Rights Requests of Personal Information Subjects

The Parties shall respond to and process the legal rights requests of personal information subjects in accordance with the applicable laws and their policies on personal information protection in a timely manner, and shall provide necessary assistance to the other Party: (a) if the Entrusted Party receives a rights request from a personal information subject, unless prohibited by the applicable laws, it shall forward such request to the Entrusting Party within reasonable period of time; (b) if the Entrusting Party is required by the applicable laws to respond to the rights requests from the personal information subjects, the Entrusted Party shall conduct sufficient cooperation with the Entrusting Party to protect the rights of the personal information subjects, and the Entrusting Party shall provide necessary assistance to the Entrusted Party.

Personal Information Security Incidents

Should a Personal Information Security Incident occur in the course of processing personal information, the Parties shall:

(a) Notify the other Party in a timely manner, informing the other Party of: (i) the nature of the Personal Information Security Incident, including the type, size of the Personal Information involved, (ii) the possible consequences of the Personal Information Security Incident, and (iii) the remedial measures that have been taken;

(b) Assist the other Party to investigate the Personal Information Security Incident and provide all related records, files, logs, reports and other reasonable materials;

(c) Take necessary actions in a timely manner pursuant to the emergency plan;

(d) Should the Personal Information Security Incident involve the leakage of personal information, the Parties shall comply with the applicable laws, report the incident to the relevant competent authorities in a timely manner, and perform the notification obligation to the personal information subject as required by the laws and regulations.

Data Transfer and Location

(a) General

Unless otherwise specified in the EVA Agreement or the terms of the DPA, the Developer shall entrust EVA with the transfer of the Developer Data or Personal Information to mainland China and storage and processing of the Developer Data and Personal Information at such location in order to provide the Products. Developer Data and Personal Information processed on behalf of Developer will not be transferred to, stored or processed in geographical locations outside mainland China by EVA, unless otherwise specified by the Developer.

(b) Overseas Storage of Data

Depending on the Developer's needs and in specific scenarios, EVA may transfer Developer Data or Personal Information to locations outside mainland China and store and process the Developer Data and Personal Information at such locations in order to provide the Products. In principle, the Developer is responsible for compliance responsibilities in respect of data security, personal information, and privacy protection in relation to the possible export of data. EVA, as Consignee, will coordinate with Developer to fulfill any regulatory and legal liabilities that may exist in connection with the export of data.

SECURITY TECHNOLOGY AND AUTHORITY

EVA will implement and maintain appropriate technical and organizational measures to protect Developer Data (including the personal information referred to therein) from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of data in transit, stored or otherwise processed.

Access to Developer Data required for the Services Activities is subject to rights-based access controls to ensure that such access is provided only where the purpose is reasonably consistent with the needs of the Developer's products and services.

DEVELOPER RESPONSIBILITIES

It is the Developer's sole responsibility to independently determine whether the technical and organizational measures for the Products and Professional Services are in compliance with Developer's requirements, including any its security obligations under applicable data protection requirements. The Developer acknowledges and agrees that (taking into account the state of the technology, the costs of implementation, as well as the nature, scope, context and purpose of the data processing activity and the risk to individuals) the security practices and policies implemented and maintained by EVA provide a level of security appropriate to the risk to the data. The Developer is responsible for implementing and maintaining privacy protection and security measures for the Module provided or controlled by the Developer.

NOTIFICATION OF SECURITY INCIDENT

In the event that EVA becomes aware of a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Developer Data or Personal Information processed by EVA (each hereinafter referred to as a "Security Incident"), EVA shall immediately: (a) notify the Developer of the Security Incident; (b) investigate the Security Incident and provide the Developer with detailed information regarding the Security Incident; and (c) take reasonable steps to mitigate its impact and minimize damages resulting from the Security Incident without undue delay.

Notification of Security Incident will be given to the Developer by whatever means EVA chooses including email. The Developer is solely responsible for ensuring that the Developer provides EVA with accurate contact details for each applicable Product and Professional Service. The Developer is solely responsible for observing and performing any third party notification obligations relating to any Security Incident.

The Developer must inform EVA immediately of any possible misuse of account or identity verification or any security incident in relation to the Official Website and the Services.

DATA RETENTION AND DELETION

The Consignee shall not keep and process personal data longer than necessary to achieve the agreed data processing purpose, unless there are special restrictions on the retention period of personal data according to the Applicable Law. After the Developer cancels the EVA account or permanently discontinues the EVA Services, EVA shall dispose of the relevant content and information in accordance with the requirements of laws and regulations, including without limitation, deletion, anonymization, etc.

In the event EVA is legally obliged to retain personal data beyond the period specified in the DPA, EVA will delete or anonymize the data as soon as practicable after the legally required retention period and in accordance with the DPA guidelines.

Following the expiration of the data processing period or the legal obligation related to data retention, EVA will not respond to Developer's data and personal information processing and requests except for the purpose of, among other things, Developer billing and account administration, remuneration (for example, for calculation of employee commissions and partner incentives).

CONFIDENTIALITY

(a) EVA will not publicize or disclose the Data to any specific or unspecific third parties, nor license or authorize the use thereof, expressly or impliedly, by EVA, except as may be necessary to achieve the purpose of DPA or to comply with national laws and regulations or to obtain the authorization from the Developer or the consent from the owner of the Data.

(b) The Personal Information agreed can only be used to the extent required for the purpose of DPA and shall not be disclosed by any means such as publicity or sub-entrustment, except for the following circumstances: (i) to the Consignee's agents, representatives, officers and employees and permitted third parties, who need to know the above information or the Personal Information provided by the Entrusting Party in order to perform the purpose of the DPA, (ii) when either party of DPA is required by a court or is obliged by law to disclose the said information or the Personal Information provided by the Entrusting Party, and then only to the minimum extent necessary to comply with such court order or legal obligation.

4. EFFECTIVENESS AND MISCELLANEOUS

TERMINATION AND CONSEQUENCES

(a) The Consignee shall have the right to terminate the DPA forthwith by written notice at any time if the Entrusting Party breaches any of its obligations under the DPA or any other agreement between the Entrusting Party and the Consignee.

(b) The DPA shall automatically terminate, without the need to serve any notice, on the date of expiry or termination of the last agreement between the Entrusting Party and the Consignee regarding the processing by the Entrusting Party of any data provided by the Entrusting Party. After termination of the EVA Agreement and the DPA, both Parties shall continue to implement their statutory obligations.

MISCELLANEOUS

(a) Notwithstanding the validity of the EVA Agreement or any of the provisions hereof, when EVA performs any data processing activities specified in the DPA, the Parties shall perform their respective rights and obligations in accordance with the provisions of the DPA.

(b) Any dispute arising out of or in connection with this DPA, including any question regarding its existence, validity or termination, the parties agree to submit to the jurisdiction of the court of competent jurisdiction located where the defendant resides. Except for the provisions in dispute, the performance of other provisions of the DPA shall not be affected during the course of dispute resolution.

(c) The matters not covered by this DPA shall be interpreted with reference to the EVA Agreement. In case of any inconsistence between the DPA and the EVA Agreement in respect of data processing and protection, the DPA shall prevail.