Shake Hands

Data Processing Agreement

This Data Processing Agreement (hereinafter referred to as the "DPA") is entered into on Dec 14 2023 (hereinafter referred to as the “Effective Date”) by and between:
MYSHRE LTD, is incorporated under the laws of United Kingdom, Company Registration no15085359 with its registered office at 25 Chronicle Tower, 261B City Road, London, UK, (hereinafter referred to as the "Data Processor," which expression shall include its successors, legal representatives and permitted assigns) and acting as DATA PROCESSOR


The other signing contracting party, hereinafter referred to as the “Client” and acting as DATA CONTROLLER.

For the purposes of this DPA, DATA PROCESSOR and DATA CONTROLLER shall be referred to individually, as the “Party” and collectively, as the “Parties”.

NOW THEREFORE, in consideration of the above and the promises hereinafter contained, the
Parties hereby agree as follows:

  1. Definitions and Interpretation

1.1 In this DPA and the Schedules, unless the subject or context otherwise requires, the following words and expressions shall have the following meanings respectively ascribed to them:
(a) “Applicable Law” means all applicable laws and regulations relating to the
processing of personal data and privacy including data protection for time being in force;
(b) “Authorized Personnel” means the person(s) named by the Data Processor from time to time in writing;
(c) “Business Day” means a day other than a Saturday, Sunday or public holiday in England when banks in the City of London are generally open for business;
(d) “Data Subject” means the identified or identifiable natural person to whom Personal Data relates, as defined by Data Protection Laws and Regulations.
(e) “Effective Date” means the signing date of this Agreement by both Parties;
(f) “GDPR” means the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(g) “Personnel” in relation to party, those of its employees, workers, agents, consultants, contractors, sub-contractors, representatives or other persons employed or engaged by that party on whatever terms;
(h) “Personal Data” means any information relating to an identified or identifiable natural person;
(i) “Personal Data Breach” means a breach of security leading to the unauthorized access, loss, or disclosure of Personal Data;
(j) “Processing” means any operation or set of operations that is performed on Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; (k) Sub-processor any entity or personnel appointed by or on behalf of the Data Processor under this Agreement.

1.2 Clause, schedule and paragraph headings shall not affect the interpretation of this Agreement.

1.3 A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality). A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.

1.4 Unless the context otherwise requires, any reference to a party shall be deemed to include that party’s affiliates and where an obligation is imposed on a party under this Agreement, it will be required to procure compliance with such obligation by that party’s affiliates where appropriate.

1.5 Unless the context otherwise requires, words in the singular shall include the plural and,  in the plural, shall include the singular and a reference to one gender shall include a reference to the other genders.

1.6 A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time and shall include all subordinate legislation made from time to time under that statute or statutory provision.

  1. Nature and Purpose of Personal Data Processing

2.1 The Parties acknowledge and agree that with regard to the Processing of Personal Data under this DPA, CLIENT is the DATA CONTROLLER and MYSHRE is the DATA PROCESSOR.
2.2 The Processing of Personal Data by DATA PROCESSOR consists of various activities, including storing, analysing, and transmitting Personal Data pursuant to this DPA. These activities are carried out for the purpose of providing services to the Client/DATA CONTROLLER, as described in Annex 2 of this DPA. The primary services provided by DATA PROCESSOR include digital networking tools and services, as outlined in Annex 2. Annex 2 sets out the scope and purpose of the Processing of Personal Data by the DATA PROCESSOR, the duration of the Processing, the nature and purpose of the
Processing, the types of Personal Data and categories of Data Subject concerned.

2.3 The primary purpose for which Personal Data shall be processed by DATA PROCESSOR is to provide digital networking tools and services to the Client/DATA CONTROLLER, as described in Annex 2. These services include the creation and management of digital profiles and online business cards, as well as various methods for sharing digital business cards. Additionally, DATA PROCESSOR may process Personal Data to provide support
based on the DATA CONTROLLER’s request.

2.4 Personal Data processed by DATA PROCESSOR on behalf of the DATA 
CONTROLLER is considered confidential. DATA PROCESSOR is committed to upholding the principles of confidentiality and data protection as required by Applicable Laws and regulations.
2.5 Within the scope of this DPA, DATA PROCESSOR may process the following data 
Contact Details (such as first name, last name, telephone number, e-mail);
Social Media Profiles;
Additional Information that may be added by the Data Controller for the purpose of
creating and managing digital profiles and online business cards.

  1. Rights and Obligations of the Data Controller

3.1 The DATA CONTROLLER has the right and obligation to make decisions about the 
purposes and means of the Processing of Personal Data. 
3.2 The DATA CONTROLLER shall be responsible, among others, to ensure that the 
Processing of Personal Data, which the DATA PROCESSOR is instructed to perform, has a legal basis. 
3.3 The DATA CONTROLLER shall be responsible for ensuring that the Processing of 
Personal Data takes place in compliance with the Applicable Laws.
3.4 The DATA CONTROLLER shall transfer to the DATA PROCESSOR only Personal 
Data obtained in compliance with the relevant provisions of the applicable data protection legislation for the purposes stated in this DPA.
3.5 The DATA CONTROLLER shall keep up to date and correct all Personal Data 
transferred to the DATA PROCESSOR whenever required in particular as set out by the relevant provisions of the Applicable Law.
3.6 DATA CONTROLLER shall have sole responsibility for the accuracy, quality, and
legality of Personal Data and the means by which DATA CONTROLLER acquired Personal Data.
3.7 The DATA CONTROLLER is solely obliged to provide its Data Subjects with all 
information and explanations as required under Applicable Laws. As between the DATA PROCESSOR and DATA CONTROLLER, the DATA CONTROLLER is also solely responsible for dealing with Data Subjects in relation to their rights to access their respective data in accordance with Applicable Laws.
3.8 DATA CONTROLLER shall implement appropriate technical and organizational
measures to maintain the security, confidentiality and integrity of Personal Data,
including measures designed to protect against unauthorized or unlawful Processing
and against accidental or unlawful destruction, loss or alteration or damage, unauthorized
disclosure of, or access to, Personal Data.

  1. Obligations of the DATA PROCESSOR

4.1 The DATA PROCESSOR shall process the Personal Data on behalf of the DATA 
CONTROLLER pursuant to the written instructions of the DATA CONTROLLER in accordance with Applicable Laws and the terms and conditions set forth in this DPA.

4.2 The DATA PROCESSOR shall correct, modify, block or erase (as instructed by the 
DATA CONTROLLER) any Personal Data processed by the DATA PROCESSOR in case it is not possible for the DATA CONTROLLER to do so.

4.3 The DATA PROCESSOR warrants and represents that it has implemented (and shall 
maintain during the term of this DPA and as long as required by law) the technical and organizational security measures for the protection of Personal Data before Processing the Personal Data which are transferred, and additional security measures as mutually agreed by the DATA PROCESSOR and the DATA CONTROLLER. The DATA PROCESSOR has been adopting security measures based on best practices in order to protect the DATA CONTROLLER’s Personal Data. All of the organizational and technical measures are applied in accordance with appropriate information security (e.g. ISO 27001) practices and GDPR requirements. A general overview of the applied measures is given in Annex 2 below.

4.4 DATA PROCESSOR shall only process Personal Data on behalf of and in accordance
with DATA CONTROLLER’s instructions and for the following purposes: (i)
Processing for the specific purpose of performing the services specified in this DPA or as
otherwise required by law; and (ii) Processing to comply with other documented
reasonable instructions provided by DATA CONTROLLER where such instructions
are consistent with the terms of this DPA. DATA PROCESSOR shall immediately
inform DATA CONTROLLER if, in DATA PROCESOR’s opinion, an instruction is in violation of Applicable s. For the avoidance of doubt, DATA PROCESSOR will not
collect, retain, use, sell, or otherwise disclose Personal Data for any purpose other
than for the specific purpose of performing the Services or as otherwise required by law.

4.5 The DATA PROCESSOR shall not less than once per calendar year test the implemented 

4.6 In order to ensure compliance with such security measures, the DATA PROCESSOR 
shall permit the DATA CONTROLLER to conduct periodic inspections of its premises and the implemented security measures during usual business hours. The DATA CONTROLLER shall provide the DATA PROCESSOR with reasonable (but in no event less than thirty [30] days) advance written notice of each inspection.

4.7 The DATA PROCESSOR must ensure that its personnel engaged in the processing of
Personal Data comply and shall comply at all times with the data secrecy requirements.

4.8 The DATA PROCESSOR shall only allow access to the Personal Data to its staff or 
consultants where and to the extent that such access is required for the performance of the services and subject to such staff and consultants have entered into an adequate non-disclosure agreement.

4.9 In the event that the DATA PROCESSOR shall discover that the DATA CONTROLLER 
is in breach of any of its obligations provided by the relevant data protection under the Applicable Law, the DATA PROCESSOR shall without delay notify the DATA CONTROLLER of this fact and suspend the performance of the suspected infringing processing until such time as the breach is remedied.

4.10 The DATA PROCESSOR undertakes to inform the DATA CONTROLLER without delay 
about any complaints, requests, or other communications received by it from its Data Subjects, data protection regulator(s) or third parties related to the processing of Personal Data by the DATA PROCESSOR and/or the DATA CONTROLLER.

4.11 The DATA PROCESSOR shall immediately inform the DATA CONTROLLER if 
instructions given by the DATA CONTROLLER, in the opinion of the DATA PROCESSOR, contravene the Applicable Laws.

4.12 The DATA PROCESSOR must comply with this DPA at all times.

4.13 DATA PROCESSOR shall, upon DATA CONTROLLER’s written request, promptly
destroy, anonymize or return any Personal Data after the end of the provision of
Services, unless storage of the Personal Data is required by Applicable Law.

4.14 DATA PROCESSOR shall ensure only authorized personnel who have undergone
appropriate training in the protection and handling of Personal Data, and are bound in
writing to respect the confidentiality of Personal Data, have access to Personal Data.

  1. Sub- Processors

5.1 In order to provide services to the standard required by the Client/ DATA 
CONTROLLER, DATA PROCESSOR may engage other Data Processors as sub-
processors. DATA PROCESSOR will ensure that any engaged Sub-
Processor complies with the obligations to which DATA PROCESSOR is
subject, pursuant to this DPA and the Applicable Laws. The DATA CONTROLLER reserves the right to object to these engagements.

5.2 The DATA PROCESSOR must impose the same obligations on the Sub- Processor as set
out in this DPA. This is executed through a contract or another legal act under Applicable
5.3 The DATA CONTROLLER gives the DATA PROCESSOR general authorisation to
replace any of its Sub-Processors or to add a new Sub-Processor. However, before any
such replacement or addition the DATA PROCESSOR shall inform the DATA
CONTROLLER of any intended changes concerning the addition or replacement of Sub-
Processors, thereby giving the DATA CONTROLLER the opportunity to object to such
changes within 30 Business Days prior to a new Sub-Processor commencing Processing of the Personal Data. If no objection is raised within 30 Business Days, the proposed
replacement or addition will be considered as accepted. If an objection is raised, and the
Parties do not reach an agreement within 30 Business Days from the day the objection is
raised, the DATA PROCESSOR shall have the right to proceed with the proposed addition or replacement, and the DATA CONTROLLER shall have the right to terminate this DPA forthwith at no cost and with no need to provide notice.

5.4 The DATA CONTROLLER acknowledges and agrees that the DATA PROCESSOR uses
DigitalOcean Holdings, Inc as its infrastructure Sub-Processor for hosting services, as
specified in Annex 1. All hosted services and stored data are owned by DATA
PROCESSOR and can be accessed only by DATA PROCESSOR based on a service
contract between DATA PROCESSOR and DigitalOcean Holdings, Inc.

5.5 DATA PROCESSOR’s data hosting location is DigitalOcean Holdings, Inc in London,
United Kingdom, as specified in Annex 1. All services and platforms used for storing and
processing the DATA CONTROLLER’s data are hosted within this location. Data is not
transferred outside this hosting environment unless explicitly requested by the CLIENT/
DATA CONTROLLER and conducted in compliance with Applicable Laws.

5.6 DATA PROCESSOR’s shall store Personal Data originating from and sent to a country
located in the EU/EEA solely in countries situated in the EU/EEA, specifically in London, United Kingdom, as stated in Annex 1. DATA PROCESSOR shall not cause any cross-border transfer of Personal Data from a country situated in the EU/EEA to any country situated outside the EU/EEA unless it is specifically requested by the DATA CONTROLLER and conducted in compliance with Applicable Law. Ensure that its Sub- Processor/Sub-Contractors shall not transfer to or access any Personal Data from a Country outside of the European Economic Area without the prior written consent of the DATA CONTROLLER.

5.7 Disclosure, transfer and internal use of the DATA CONTROLLER’s personal data to 
third countries or international organizations may only take place in accordance with documented instructions from the DATA CONTROLLER– unless stipulated by
Applicable Law to which the DATA PROCESSOR is subject. If so, the DATA
PROCESSOR must notify the DATA CONTROLLER of the legal requirement before
Processing, unless the law prohibits such notification for important grounds of public
interests. If the Personal Data stipulated under this DPA is transferred to foreign Sub-
Processors, it must, in the said data processor agreement, be stated that the data
protection legislation applicable in the DATA CONTROLLER’s country applies to
foreign Sub- Processors.

  1. Personal Data Breaches and Reporting Procedures

6.1 The DATA PROCESSOR shall immediately notify the DATA CONTROLLER of any 
Personal Data Breach and no later than within 24 hours of the DATA PROCESSOR becoming aware of the breach, to enable the DATA CONTROLLER to comply with the DATA CONTROLLER’s obligation under this DPA, to notify the Personal Data Breach to a competent supervisory authority and/or notify the affected data subjects in accordance with the Applicable Law related to Data Protection and providing sufficient information to enable the Data Controller to evaluate the impact of such Personal Data Breach.

6.2 The DATA PROCESSOR shall be liable to, without undue delay,
communicate the Personal Data Breach to the Data Subject, when the Personal Data
Breach is likely to result in a high risk to the rights and freedoms of the Data Subject.

6.3 The DATA PROCESSOR shall provide the DATA CONTROLLER with such assistance
as the DATA CONTROLLER may reasonably request and take such reasonable
commercial steps as the DATA CONTROLLER may request in order to evaluate,
investigate, mitigate and remediate any personal data breach (including, where applicable, communicating any personal data breach to affected data subjects).
6.4 In respect of any Personal Data Breach, the DATA PROCESSOR shall provide the
following details regarding the Personal Data Breach to the DATA CONTROLLER:
(a) the description of the nature of the Personal Data Breach including, where 
possible, the categories and an approximate number of Data Subjects concerned as well as categories and an estimated number of Personal Data records concerned;
(b) name and contact details of the Data Protection Officer or another contact for 
further relevant inquires;
(c) the description of the likely consequences of the Personal Data Breach;
(d) the description of the measures taken or proposed to be taken to address the 
Personal Data Breach, including, where appropriate, measures to mitigate its  possible adverse effects.

6.5 DATA PROCESSOR shall, upon DATA CONTROLLER’s written request and taking
into account the nature of Processing and information available, provide reasonable
assistance to Data Controller in connection with obligations under Articles 32 and 36 of
the GDPR or equivalent provisions under Applicable Laws

6.6 DATA PROCESSOR shall, taking into account the nature of the Processing, assist the
DATA CONTROLLER, by appropriate technical and organizational measures,
insofar as this is possible, in fulfilling the CLIENT’s obligation to respond to requests
from a Data Subject exercising his/her/their rights under Applicable Laws.

  1. Retention Period and Deletion or Return of Personal Data

7.1 The Personal Data shall be retained by the DATA PROCESSOR in order to perform the
services for the time period as defined by the DATA CONTROLLER and in any case no
longer than what is strictly necessary for the DATA PROCESSOR to (i) provide requested services (ii) process the Personal Data in line with this DPA or (iii) as the case may be, to meet any of its legal obligations (in particular statutory archival and retention obligations).

7.2 Upon termination of this DPA, at the choice of the DATA CONTROLLER, or on the
written request of the DATA CONTROLLER, the DATA PROCESSOR shall delete
securely or return all Personal Data to the DATA CONTROLLER and delete all
existing copies of the Personal Data unless and to the extent that the DATA
PROCESSOR is required to retain copies of the Personal Data in accordance with
Applicable Laws in which case the DATA PROCESSOR shall notify the DATA
CONTROLLER in writing of the Applicable Laws which require the Personal Data to
be retained.

7.3 In the event that the Personal Data is deleted or destroyed by the DATA PROCESSOR,
the DATA PROCESSOR shall provide the DATA CONTROLLER with a certificate of
destruction evidencing that the Personal Data has been destroyed or deleted;

  1. Recording Keeping

8.1 The DATA PROCESSOR agrees to maintain records of all Personal Data processed 
Under this Agreement and its processing activities. The DATA CONTROLLER reserves the right to inspect the records maintained by the DATA PROCESSOR under this Clause at any time, with reasonable (but in no event less than 30 Business Days) advance prior written notice of each inspection.

8.2 If the Data Subject, in any case, requires information from the DATA CONTROLLER on
the subject of what type of that Data Subject’s Personal Data is being processed under this DPA, and if the DATA CONTROLLER is not able to provide this type of information without the DATA PROCESSOR’s help, the DATA PROCESSOR is obliged to provide any reasonable help.

8.3 The records shall be in writing, including in electronic form.

8.4 The DATA CONTROLLER or the DATA PROCESSOR and, where applicable, the
DACONTROLLER’s or the DATA PROCESSOR’s representative, shall make this record
available to supervisory authorities on request.

8.5 The DATA CONTROLLER reserves the right to inspect the records maintained by the
DATA PROCESSOR under this Clause at any time, with reasonable (but in no event less
than 30 Business Days) advance notice of each inspection.

8.6 If the Data Subject, in any case, requires information from the DATA CONTROLLER on
the subject of what type of that Data Subject’s Personal Data is being processed under this DPA, and if the DATA CONTROLLER is not able to provide this type of information without the DATA PROCESSOR’s help, the DATA PROCESSOR is obliged to provide any reasonable help.

  1. Confidentiality

9.1 The DATA PROCESSOR shall only grant access to the Personal Data being processed on
behalf of the DATA CONTROLLER to persons under the Data Processor’s authority who
have committed themselves to confidentiality or are under an appropriate statutory
obligation of confidentiality and only on a need-to-know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this periodic review, such access to Personal Data can be withdrawn, if access is no longer necessary, then Personal Data shall consequently not be accessible anymore to those persons.

9.2 The DATA PROCESSOR shall at the request of the DATA CONTROLLER demonstrate
that the concerned persons under the DATA PROCESSOR’s authority are subject to the
above-mentioned confidentiality.

  1. The DATA CONTROLLER’s Rights to Monitor and Audit the DATA 

10.1 In addition to the monitoring and/or audit rights set out in this DPA, the DATA
CONTROLLER is entitled to proceed with any verifications (including on the DATA
PROCESSOR’s site(s)) during usual business hours, provided the DATA CONTROLLER
gives reasonable (but in any event no less than 30 Business Days) prior written notice to

10.2 The DATA PROCESSOR shall duly and promptly cooperate with the DATA
CONTROLLER, upon request of the DATA CONTROLLER, by giving access to all
documents, infrastructure, premises, information and/or staff reasonably required by the
DATA CONTROLLER to ensure such data Processing is compliant with this Agreement.

10.3 The costs and consequences of the monitoring and audits shall be borne by the DATA
CONTROLLER, including support costs.

10.4 Upon written request from the DATA CONTROLLER, the DATA PROCESSOR shall
conduct an audit and provide an audit report, regarding a Sub-Data Processor’s compliance with the obligations and requirements in the Sub-Processor agreement with the DATA PROCESSOR. A request for such an audit report may be made by the DATA CONTROLLER once per year, and shall be both conducted and provided at the DATA CONTROLLER’s expense.

  1. Notices

11.1 Any notice or other communication which is given under this DPA to the other party will
be addressed and sent to the other party at the address as specified in this DPA, or at any
other address as otherwise notified by the other party (including for the avoidance of doubt in a statement of work).

11.2 For data privacy and security-related questions and concerns the DATA CONTROLLER
should contact the DATA PROCESSOR’s Data Protection Office (“DPO”).

11.3 The specified address, telephone number, and email address for each Party for the 
purposes of this clause are listed on the last page of this DPA.

11.4 If DATA CONTROLLER has any questions regarding Processing of Personal Data by
DATA PROCESSOR, DATA CONTROLLER may send such questions to the
following email:

  1. General Provisions

12.1 The term of this DPA shall commence on the Effective Date and shall remain until the
termination of this Agreement by either Party.

12.2 The DATA CONTROLLER may terminate this DPA within 30 days prior written notice 
to the DATA PROCESSOR without any termination fees or penalty.

12.3 This DPA constitutes the entire agreement between the Parties with respect to the subject
matter contained herein.

12.4 This DPA may be altered or supplemented only in writing. and provided any such
amendment is signed by the duly authorized representatives of both Parties.

12.5 If any provision of this DPA is held invalid, illegal, or unenforceable for any reason, such
provision shall be severed, and the remainder of the provisions hereof shall continue in full force and effect as if this DPA has been executed with the invalid, illegal or unenforceable provision eliminated and the parties shall promptly discuss and amend this DPA with a valid, legal and enforceable provision.

12.6 The DATA CONTROLLER may modify this DPA at all times upon written notice to the
DATA PROCESSOR and such changes shall be effective and applicable to both Parties as indicated in the such written notice.

12.7 This DPA is governed by the laws of the United Kingdom, England and Wales without
regard to their conflicts of law principles.

12.8 Each party irrevocably agrees that any dispute or claim arising out of or in connection 
with this DPA or its subject matter or formation (including non-contractual disputes or claims) shall submit to the exclusive jurisdiction of the Courts of England and Wales.

12.9 The following Annexes shall form an integral part of this DPA:

Annex 1 – MYSHRE LTD
Annex 2 – Service Description
Annex 3 – Technical and Organizational measure

Annex 1 – MYSHRE LTD

MYSHRE LTD is the primary company associated with this business. MYSHRE LTD is solely responsible for providing and maintaining all MYSHRE products and services.
Business Information:
Company Name: MYSHRE LTD
Address: 25 Chronicle Tower, 261B City Road, London, UK, EC1V1AJ
Hosting Location: Digital Ocean in London, United Kingdom

Privacy and Security Measures within MYSHRE LTD:
Access Control: Access to data within MYSHRE LTD is restricted to authorized personnel based on the principle of least privilege. All employees have signed Non-Disclosure Agreements (NDAs) and adhere to stringent rules and principles regarding data protection and privacy when accessing any PERSONAL DATA.
Data Hosting: Data is hosted on DigitalOcean Holidng Inc., in London, United Kingdom. Data is not transferred outside this hosting environment unless explicitly requested by the client. Downloading or saving data to local machines is strictly prohibited unless necessary for authorized purposes.
Data Processing Agreements (DPA): MYSHRE LTD has entered into Data Processing Agreements (DPA) as required by relevant data protection regulations.
Encryption: Encryption is employed whenever data is accessed. TLS connections are used when accessing platforms through graphical user interfaces (GUI), and VPNs are utilized when employees access virtual machines on Digital Ocean. Access privileges are granted based on the least privilege model and are closely monitored. Access permissions are reviewed and revoked as needed during onboarding and offboarding processes.
Monitoring and Logging: MYSHRE LTD maintains system and software logs to ensure comprehensive monitoring of data access and related activities.
Data Transfer: Data will not be transferred between MYSHRE LTD and other entities unless explicitly requested by the client and conducted in compliance with applicable data protection regulations.
Prohibition on Processing: MYSHRE LTD strictly prohibits the processing of DATA CONTROLLER's PERSONAL DATA by any other entities not explicitly listed in this Annex.
MYSHRE LTD is dedicated to maintaining robust privacy and security measures to safeguard the confidentiality, integrity, and availability of data, as well as to ensure compliance with relevant data protection regulations.

Annex 2 - Service Description

MYSHRE provides digital networking tools and services that enable clients to share their professional contact details efficiently and interactively.
Our services include:

Digital Profiles: SHRE offers a platform, accessible through [Specify platforms or methods], where clients can create and personalize digital profiles. These profiles may include professional and personal contact information, links to social profiles, and custom web links.

Online Business Cards: The result of using SHRE's services is an online version of a business card. Clients can manage these digital business cards using our web-based platform [Specify platform name] or through our mobile applications.

Sharing Methods: SHRE offers various methods for sharing digital business cards. One such method is the use of reusable NFC smart cards or other NFC accessories (e.g., stickers, key tags, wristbands) that are linked to users' online profiles. Users can present these NFC cards or accessories to others, who can then scan the NFC tag with their smartphones. Alternatively, digital business cards can be shared via QR codes, which can be printed on NFC smart cards and are also stored within users' digital profiles.

In addition to the above services, SHRE provides an intelligent and powerful web-based platform, SHRE Team, designed specifically for our business/organization clients. SHRE Team offers advanced features for managing, automating, and analysing the data of digital business card profiles.

SHRE's digital networking tools are designed to enhance networking and communication efficiency for our business/organization clients.

Annex 3 - Additional GDPR-related Technical and Organizational Measures

In addition to the security measures mentioned above, the Contractor has implemented specific measures to ensure compliance with the General Data Protection Regulation (GDPR) requirements:

Data Protection Impact Assessment (DPIA): The Contractor conducts DPIAs as required under GDPR to assess and mitigate risks associated with the processing of personal data. DPIAs are performed for relevant processing activities, and the results are used to implement necessary safeguards.
Data Minimization: The Contractor applies data minimization principles by only collecting and processing personal data that is necessary for the intended purpose. Unnecessary data is not collected, and data retention periods are established in accordance with legal requirements.
Consent Management: The Contractor has established mechanisms for obtaining and managing consent from data subjects when required. Consent is collected in a clear and transparent manner, and data subjects have the ability to withdraw consent at any time.
Data Subject Rights: The Contractor has implemented processes to facilitate data subject rights, including the right to access, rectify, erase, and port personal data. Data subjects can exercise these rights through designated channels, and responses are provided in accordance with GDPR timelines.
Incident Response Plan: The Contractor maintains a robust incident response plan to address personal data breaches. In the event of a breach, the Contractor follows the GDPR requirements for notifying relevant authorities and data subjects when necessary.
Data Transfers: Personal data is transferred only in accordance with GDPR requirements. Adequate safeguards, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), are applied when transferring data to third countries.
Training and Awareness: The Contractor provides regular training and awareness programs to employees and contractors regarding GDPR compliance. All personnel are educated on the importance of data protection and their responsibilities under GDPR.
Security Audits and Assessments: Regular security audits and assessments are conducted to ensure that technical and organizational measures remain effective. Vulnerability assessments and penetration testing are performed to identify and address security weaknesses.
Privacy by Design and Default: The Contractor follows the principles of privacy by design and default when developing and maintaining systems and services. Data protection is an integral part of the development process, and data protection features are enabled by default.
Records of Processing Activities: The Contractor maintains records of processing activities as required by GDPR. These records include details about data processing activities, data categories, data subjects, and other relevant information.

These GDPR-related measures are in place to ensure compliance with the regulation and protect the rights and privacy of data subjects. The Contractor is committed to maintaining a high standard of data protection throughout its operations.