This Data Processing Agreement (the "DPA") forms part of and is incorporated into the Contract for Services, Order Form, Terms of Service, Master Services Agreement, or other written or electronic agreement governing the provision of the Services by Zaui Software Ltd. to Customer (the "Main Agreement").

This DPA is entered into by and between:

Customer: The legal entity identified in the Main Agreement ("Customer" or "Controller"); and

Zaui Software Ltd., a company organized under the laws of British Columbia, Canada ("Zaui", "Processor", and, where applicable under U.S. state privacy laws, "Service Provider" and/or "Contractor"),

each a "Party" and together the "Parties."

1. Purpose and Scope

1.1 This Data Processing Agreement ("DPA") forms part of and is incorporated into the Customer Agreement between Customer and Zaui.

1.2 For purposes of this DPA, "Customer Agreement" means the Zaui Software Licensing Agreement, Order Form, signed commercial agreement, or other ordering document entered into between the Parties, together with the Zaui Terms of Service and any schedules, addenda, or other documents expressly incorporated into either of them, including this DPA.

1.3 For clarity, the Zaui Privacy Policy is a transparency notice and does not, by itself, expand Zaui's rights to Process Customer Personal Data beyond the rights and obligations expressly set out in this DPA and the Customer Agreement.

1.4 This DPA applies only to the extent that Zaui Processes Personal Data on behalf of Customer in connection with the Services.

1.5 As between the Parties, Customer is the Controller and Zaui is the Processor of Customer Personal Data, except to the extent Zaui acts as an independent controller under Applicable Data Protection Laws for limited purposes such as billing, account administration, legal compliance, fraud prevention, abuse prevention, and network and information security. For clarity, Zaui's use of anonymized, de-identified, and/or aggregated data is governed by Section 18.

1.6 This DPA does not apply to:

1. anonymized, de-identified, and/or aggregated data that does not constitute Personal Data under Applicable Data Protection Laws, including as described in Section 18;
2. personal data for which Zaui is an independent controller; or
3. any processing outside the scope of the Services.

2. Definitions

2.1 In this DPA:

"Applicable Data Protection Laws" means all laws applicable to the Processing of Customer Personal Data under the Main Agreement, including, to the extent applicable:

1. Regulation (EU) 2016/679 ("GDPR");
2. the UK GDPR and the UK Data Protection Act 2018;
3. the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA");
4. the California Consumer Privacy Act, as amended by the California Privacy Rights Act, together with implementing regulations ("CCPA");
5. the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs");
6. the New Zealand Privacy Act 2020; and
7. any other applicable privacy, data protection, data security, or data transfer laws.

"Customer Personal Data" means Personal Data Processed by Zaui or a Subprocessor on behalf of Customer in connection with the Services.

"EEA" means the European Economic Area.

"Personal Data", "Processing", "Processor", "Controller", "Data Subject", "Personal Data Breach", and "Supervisory Authority" have the meanings given to them under the GDPR, and equivalent terms under other Applicable Data Protection Laws shall be interpreted consistently where applicable.

"Restricted Transfer" means any transfer of Customer Personal Data for which Applicable Data Protection Laws require specific safeguards, including Chapter V GDPR or equivalent UK transfer rules.

"Services" means the Zaui platform and related services provided under the Main Agreement.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission from time to time for transfers of personal data to third countries.

"Subprocessor" means any third party appointed by or on behalf of Zaui to Process Customer Personal Data on behalf of Customer in connection with the Services.

"UK Addendum" means the UK International Data Transfer Addendum to the EU SCCs, as amended or replaced from time to time.

3. Details of Processing

3.1 The details of the Processing are set out in Annex 1.

3.2 Customer acknowledges that the description in Annex 1 is intended to describe Customer's reasonably anticipated use of the Services in general terms and does not require Zaui to accept categories of data or processing activities outside the Services or beyond what is reasonably supported by Zaui's systems and security posture.

4. Customer Instructions

4.1 Zaui shall Process Customer Personal Data only:

1. on documented instructions from Customer;
2. as necessary to provide the Services in accordance with the Customer Agreement, this DPA, and Customer's configuration and use of the Services; or
3. as otherwise required by applicable law.

4.2 The Parties agree that Customer's documented instructions include the following processing activities, to the extent they involve Customer Personal Data:

1. hosting, storing, organizing, retrieving, and otherwise Processing Customer Personal Data as necessary to provide the Services;
2. providing support, maintenance, troubleshooting, implementation, migration, and other customer-requested service functions;
3. monitoring, detecting, preventing, and remediating security incidents, fraud, abuse, service disruption, and unlawful use of the Services;
4. complying with applicable law, lawful requests from public authorities, and obligations relating to security, retention, accounting, and audit, in each case to the extent applicable to Zaui as processor; and
5. generating anonymized, de-identified, and/or aggregated data derived from Customer Personal Data, provided such data does not identify, and cannot reasonably be used to identify, any individual, household, or Customer, and Zaui shall not attempt to re-identify such data.

4.3 For the avoidance of doubt, Zaui shall not use Customer Personal Data that remains Personal Data under Applicable Data Protection Laws for analytics, benchmarking, product development, or training, testing, or improving artificial intelligence or machine learning models except to the extent expressly authorized by Customer's documented instructions, the Customer Agreement, or a separate written agreement between the Parties.

4.4 Zaui is not required to comply with any instruction that:

1. is not in writing;
2. would materially alter the scope of the Services;
3. would impose obligations beyond Applicable Data Protection Laws or Zaui's generally offered compliance commitments;
4. is technically infeasible or commercially unreasonable; or
5. in Zaui's reasonable opinion infringes Applicable Data Protection Laws.

4.5 If Zaui is required by law to Process Customer Personal Data other than on Customer's instructions, Zaui shall inform Customer before such Processing unless prohibited by law.

4.6 If Zaui reasonably believes that an instruction infringes Applicable Data Protection Laws, Zaui may suspend the affected Processing until the issue is resolved.

5. Customer Responsibilities

5.1 Customer represents, warrants, and undertakes that:

1. it has all rights, permissions, consents, and lawful bases necessary to provide Customer Personal Data to Zaui and authorize the Processing contemplated by the Main Agreement, this DPA, and Annex 1, including any Processing for analytics, service improvement, product development, and artificial intelligence or machine learning purposes expressly described therein;
2. it has provided and will provide all notices required under Applicable Data Protection Laws, including any notices required in connection with Customer's use of service providers, cross-border processing, analytics, service improvement, and any artificial intelligence or machine learning-related Processing expressly contemplated by the Main Agreement, this DPA, and Annex 1;
3. its instructions to Zaui are lawful, sufficiently documented, and appropriate for the nature of the Customer Personal Data submitted;
4. it will not cause Zaui to Process Customer Personal Data in violation of Applicable Data Protection Laws; and
5. unless otherwise expressly agreed in writing, Customer will not instruct or permit Zaui to use special categories of personal data, highly sensitive regulated data, or children's data for artificial intelligence or machine learning training, testing, tuning, validation, or improvement.

5.2 Customer is solely responsible for:

1. determining whether the Services are appropriate for the nature and volume of Customer Personal Data submitted;
2. responding to Data Subject or consumer requests, except to the extent Zaui is expressly required to assist under this DPA;
3. any required privacy notices, consents, authorizations, and impact assessments;
4. the lawfulness, quality, and accuracy of Customer Personal Data; and
5. its use of the Services, including any integrations, exports, disclosures, or remote access initiated by Customer or its users.

5.3 Unless otherwise expressly agreed in writing, Customer shall not use the Services to Process:

1. special categories of personal data under GDPR;
2. highly sensitive regulated data requiring enhanced contractual or technical controls; or
3. children's data subject to heightened statutory obligations,

where such use would materially increase Zaui's compliance burden or risk profile beyond the scope of this DPA and the standard Services.

6. Confidentiality and Authorized Personnel

6.1 Zaui shall ensure that persons authorized to Process Customer Personal Data are bound by confidentiality obligations by contract, policy, or law and access such data only on a need-to-know basis.

6.2 Zaui shall use reasonable efforts to ensure that such persons receive appropriate training or guidance on privacy and security responsibilities relevant to their role.

7. Security of Processing

7.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risks to individuals, Zaui shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, or other unlawful Processing.

7.2 Zaui's technical and organizational measures are described in Annex 2.

7.3 Customer acknowledges that:

1. security measures are subject to technical progress and ongoing improvement;
2. Zaui may update or modify the measures in Annex 2 from time to time, provided such changes do not materially diminish the overall security of the Services; and
3. no security measure can guarantee absolute security.

8. Subprocessors

8.1 Customer grants Zaui general written authorization to engage Subprocessors in connection with the Services.

8.2 Zaui shall maintain a current list of Subprocessors, including their general function and processing location, in Annex 3 or on an online page made available by Zaui.

8.3 Zaui shall provide notice of any new or replacement Subprocessor by updating Annex 3 or the online list.

8.4 Customer may object to a new or replacement Subprocessor only on reasonable, documented grounds relating to data protection law and only by written notice to Zaui within ten (10) business days after Zaui's notice.

8.5 If Customer objects, the Parties shall work in good faith to address the objection. If Zaui cannot reasonably address the objection, Customer may terminate the affected Services for convenience on written notice. Termination of the affected Services shall be Customer's sole and exclusive remedy with respect to the objected-to Subprocessor.

8.6 Zaui shall impose data protection obligations on each Subprocessor that are no less protective than the obligations imposed on Zaui under this DPA, to the extent applicable to the relevant subprocessing activity.

8.7 Zaui shall remain responsible for the acts and omissions of its Subprocessors to the extent required by Applicable Data Protection Laws.

9. Data Subject and Consumer Rights

9.1 Taking into account the nature of the Processing, Zaui shall provide commercially reasonable assistance to Customer, through appropriate technical and organizational measures and functionality made available through the Services, to enable Customer to respond to requests from Data Subjects or consumers under Applicable Data Protection Laws.

9.2 If Zaui receives a request directly from a Data Subject or consumer relating to Customer Personal Data, Zaui shall:

1. notify Customer without undue delay; and
2. not respond to such request except on Customer's documented instructions or as required by law.

9.3 To the extent legally permitted, Customer shall be responsible for any costs arising from assistance requested under this Section 9 that falls outside the standard functionality or support included in the Services.

10. Assistance with Compliance

10.1 Taking into account the nature of the Processing and the information available to Zaui, Zaui shall provide commercially reasonable assistance to Customer with:

1. compliance with obligations relating to security of processing;
2. Personal Data Breach notifications;
3. data protection impact assessments; and
4. consultations with Supervisory Authorities,

in each case only to the extent required by Applicable Data Protection Laws and only insofar as such assistance relates to Processing by Zaui on behalf of Customer.

10.2 Zaui may charge reasonable fees at its then-current professional services rates for assistance under this Section 10 except to the extent such assistance is required due to Zaui's material breach of this DPA.

11. Personal Data Breach

11.1 Zaui shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.

11.2 Such notice shall, to the extent reasonably available at the time, include:

1. the nature of the Personal Data Breach;
2. the categories and approximate number of affected Data Subjects and records, where feasible;
3. the likely consequences of the Personal Data Breach;
4. the measures taken or proposed to address and mitigate the Personal Data Breach; and
5. a contact point for further information.

11.3 Zaui may provide the information in phases as it becomes available.

11.4 Zaui shall take commercially reasonable steps to contain, investigate, and mitigate the effects of the Personal Data Breach.

11.5 Zaui's notification of a Personal Data Breach does not constitute an admission of fault or liability.

12. Records of Processing

12.1 To the extent required by Applicable Data Protection Laws, Zaui shall maintain records of categories of Processing activities carried out on behalf of Customer.

13. Compliance Information and Audit Rights

13.1 Zaui shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA.

13.2 Zaui may satisfy Section 13.1 by providing one or more of the following, in Zaui's discretion:

1. summaries of technical and organizational measures;
2. security, privacy, or audit questionnaires;
3. relevant certifications, attestations, or audit reports, if available;
4. policies or excerpts reasonably relevant to the Processing; and
5. information regarding Subprocessors.

13.3 Customer agrees that the documentation provided under Section 13.2 shall, in the ordinary course, satisfy Customer's audit and inspection rights under Article 28 GDPR, UK GDPR, and equivalent rights under other Applicable Data Protection Laws.

13.4 Only if the information made available under Section 13.2 is reasonably insufficient to demonstrate compliance, Customer may request an additional audit, provided that:

1. such audit is limited to matters directly relevant to Customer's Processing;
2. no more than one (1) audit may be conducted in any twelve (12) month period, unless required by a competent regulator or following a confirmed material Personal Data Breach affecting Customer Personal Data;
3. Customer provides at least thirty (30) days' prior written notice;
4. the audit is conducted during normal business hours and in a manner that minimizes disruption;
5. the auditor is independent, subject to written confidentiality obligations, and not a competitor of Zaui;
6. Customer shall not obtain access to data relating to other customers, proprietary source code, internal risk assessments, penetration test results in full, or information that would compromise Zaui's security; and
7. Customer shall bear all costs of the audit and reimburse Zaui for its reasonable internal costs, unless the audit identifies a material breach of this DPA by Zaui.

13.5 For purposes of the CCPA, the rights granted in this Section 13, together with Section 17.3, are intended to constitute Customer's right to take reasonable and appropriate steps to help ensure and verify Zaui's compliant use of personal information and, upon notice, to stop and remediate unauthorized use.

14. Return and Deletion

14.1 On termination or expiry of the provision of services relating to the Processing of Customer Personal Data, Zaui shall, at Customer's choice, return all Customer Personal Data to Customer and delete existing copies unless Union, Member State, or other applicable law requires storage of the personal data.

14.2 To the extent deletion from backup or archival systems is not immediately technically feasible, such copies may be retained solely in secure, access-restricted backup or archival systems until overwritten or deleted in the ordinary course, provided that such copies are put beyond use and are not otherwise Processed except as required by applicable law.

14.3 Upon Customer's written request, Zaui shall provide written confirmation that return and/or deletion has been completed in accordance with this Section 14.

15. International Transfers

15.1 Customer acknowledges that Zaui and its Subprocessors may Process Customer Personal Data in Canada, the United States, the EEA, the United Kingdom, Australia, New Zealand, and other jurisdictions identified in Annex 3 or Zaui's subprocessor list, subject to lawful transfer mechanisms where required.

15.2 Where required by Applicable Data Protection Laws, Zaui shall ensure that Restricted Transfers are subject to an appropriate transfer mechanism, which may include:

1. an adequacy decision;
2. the SCCs;
3. the UK Addendum or UK IDTA, as applicable;
4. the EU-U.S. Data Privacy Framework, where applicable; or
5. another lawful transfer mechanism recognized under Applicable Data Protection Laws.

15.3 To the extent required for a Restricted Transfer, the SCCs are incorporated by reference and apply as follows:

1. Module Two applies where Customer is a Controller and Zaui is a Processor;
2. Module Three applies where Customer is a Processor and Zaui is a subprocessor;
3. the optional docking clause applies; and
4. the Annexes to the SCCs shall be deemed completed using the information contained in this DPA and its Annexes.

15.4 For UK Restricted Transfers, the SCCs shall be deemed supplemented by the UK Addendum.

15.5 Customer acknowledges that:

1. Canada is recognized by the European Commission as adequate for commercial organizations;
2. the EU-U.S. Data Privacy Framework may be relied upon for participating U.S. organizations where applicable; and
3. where no adequacy mechanism applies, the SCCs and supplementary measures may be used.

15.6 Zaui shall provide, upon reasonable written request, information reasonably necessary to support Customer's transfer impact assessment, provided that Zaui may satisfy this obligation by making available standard documentation, whitepapers, transfer materials, or security summaries prepared for customers generally.

16. Government Requests

16.1 If Zaui receives a legally binding request from a government authority for Customer Personal Data, Zaui shall, where legally permitted:

1. review the request for facial validity;
2. notify Customer before disclosure; and
3. disclose only the minimum amount required by law.

16.2 Nothing in this DPA requires Zaui to challenge a legally binding request where such challenge would be unlawful, futile, or unreasonable in the circumstances.

17. Supplemental Terms for Specific Jurisdictions

17.1 UK GDPR

Where Customer Personal Data is subject to the UK GDPR, references in this DPA to the GDPR shall be deemed to include the UK GDPR and the Data Protection Act 2018, as applicable.

17.2 Canada / PIPEDA

Where Customer Personal Data is subject to PIPEDA:

1. Zaui shall provide a level of protection for such data that is comparable to the protection required under PIPEDA while the information is being processed by Zaui or its Subprocessors;
2. Customer acknowledges that transfers for processing, including cross-border transfers for processing, may occur in accordance with the Main Agreement, this DPA, and Customer's instructions; and
3. Customer remains responsible for its own transparency obligations to individuals concerning such processing arrangements.

17.3 California / CCPA-CPRA

To the extent Zaui Processes "personal information" or "sensitive personal information" as a service provider or contractor under the CCPA:

1. Customer discloses such information to Zaui only for the limited and specified business purposes described in the Main Agreement, this DPA, and Annex 1;
2. Zaui shall not sell or share such personal information;
3. Zaui shall not retain, use, or disclose such personal information for any purpose other than the business purposes specified in the Main Agreement, this DPA, and Annex 1, except as otherwise permitted by the CCPA;
4. Zaui shall not retain, use, or disclose such personal information outside the direct business relationship between Customer and Zaui, except as permitted by the CCPA;
5. Zaui shall not combine such personal information with personal information received from another person or collected from Zaui's own interaction with a consumer, except as permitted by the CCPA;
6. Zaui shall provide the same level of privacy protection required by the CCPA with respect to such personal information;
7. Zaui shall notify Customer if Zaui determines that it can no longer meet its obligations under the CCPA;
8. Customer may, upon notice, require Zaui to stop and remediate any unauthorized use of such personal information; and
9. Zaui shall bind its relevant subprocessors by written obligations that comply with CCPA requirements applicable to service providers or contractors, where required.

17.4 Australia / APPs

Where Customer Personal Data is subject to the Australian Privacy Act and the APPs:

1. Zaui shall handle such Personal Data in a manner consistent with the privacy, security, confidentiality, retention, and onward transfer protections in this DPA;
2. Zaui shall enter into equivalent contractual controls with relevant Subprocessors where appropriate to the subprocessing activity; and
3. Customer acknowledges that this DPA is intended to support Customer's taking of reasonable steps under APP 8, but does not relieve Customer of its own obligations under Australian law.

17.5 New Zealand Privacy Act 2020

Where Customer Personal Data is subject to the New Zealand Privacy Act 2020:

1. Zaui shall protect such Personal Data by safeguards that, taken as a whole, provide comparable protection to the safeguards required under that Act, to the extent Customer relies on this DPA for compliance with Information Privacy Principle 12;
2. Zaui shall Process such Personal Data only for the purposes set out in the Main Agreement, this DPA, and Customer's documented instructions; and
3. Customer acknowledges that it remains responsible for its own compliance analysis under New Zealand law, including whether a particular disclosure falls within an available statutory pathway.

18. De-Identified, Aggregated and AI/ML Use

18.1 Nothing in this DPA restricts Zaui from generating, using, and disclosing data derived from Customer Personal Data where such data has been anonymized, de-identified, and/or aggregated such that it does not identify, and cannot reasonably be used to identify, any individual, household, or Customer.

18.2 Zaui shall not attempt to re-identify any data described in Section 18.1.

18.3 Zaui may use data described in Section 18.1 for lawful business purposes, including analytics, benchmarking, security, fraud prevention, service improvement, product development, and training, testing, and improving artificial intelligence or machine learning models.

18.4 For the avoidance of doubt, where data remains Personal Data under Applicable Data Protection Laws, Zaui shall Process such data for training, testing, or improving artificial intelligence or machine learning models only to the extent expressly authorized by Customer's documented instructions, the Customer Agreement, or a separate written agreement between the Parties.

18.5 This Section 18 does not reduce or limit Zaui's obligations under this DPA with respect to Customer Personal Data that remains identifiable Personal Data under Applicable Data Protection Laws.

19. Liability

19.1 This DPA is subject to the exclusions, limitations, disclaimers, and liability allocation provisions set out in the Main Agreement, including any limitation of liability, except to the extent prohibited by Applicable Data Protection Laws, the SCCs, or the UK Addendum.

19.2 Nothing in this DPA excludes or limits either Party's liability to Data Subjects or regulators to the extent such liability cannot be excluded or limited under Applicable Data Protection Laws.

20. Order of Precedence

20.1 In the event of conflict:

1. the SCCs and/or UK Addendum shall prevail with respect to the relevant Restricted Transfer;
2. then this DPA shall prevail over the Main Agreement as to the subject matter of this DPA; and
3. otherwise the Main Agreement shall prevail.

21. Term and Termination

21.1 This DPA remains in effect for as long as Zaui Processes Customer Personal Data on behalf of Customer.

21.2 A material breach of this DPA by a Party shall be deemed a material breach of the Main Agreement.

21.3 Except where Applicable Data Protection Laws require otherwise, Customer's rights under this DPA with respect to a disputed Subprocessor, audit issue, or assistance dispute shall be limited to the remedies expressly set out in this DPA and the Main Agreement.

22. Governing Law and Jurisdiction

22.1 Except to the extent the SCCs, UK Addendum, or mandatory Applicable Data Protection Laws require otherwise, this DPA is governed by the laws of British Columbia, Canada.

22.2 Except to the extent the SCCs, UK Addendum, or mandatory Applicable Data Protection Laws require otherwise, the courts of British Columbia, Canada shall have exclusive jurisdiction over disputes arising out of this DPA.

23. Miscellaneous

23.1 This DPA may be entered into by signature, electronic acceptance, or Customer's acceptance of the Main Agreement referencing this DPA.

23.2 If any provision of this DPA is held invalid or unenforceable, the remainder shall remain in force.

23.3 Zaui may update Annex 2 and Annex 3 from time to time in accordance with this DPA.

Annex 1 — Details of Processing

Subject matter of the Processing
Provision of the Zaui SaaS platform and associated hosting, implementation, support, maintenance, monitoring, integrations, and related services.

Duration of the Processing
For the term of the Main Agreement and any limited retention period permitted under this DPA.

Nature of the Processing
Collection, recording, organization, storage, retrieval, consultation, use, transmission, alignment, support, backup, deletion, and destruction, in each case as necessary to provide the Services.

Purpose of the Processing
To host, operate, secure, maintain, support, and provide the Services; enable booking, reservation, operational, reporting, customer support, and integration functionality; prevent fraud, misuse, and service disruption; and, to the extent expressly described in the Main Agreement and this DPA and permitted by Applicable Data Protection Laws, to develop, train, test, tune, validate, monitor, secure, support, and improve analytics, automation, artificial intelligence, and machine-learning-enabled features and related functionality of the Services.

Categories of Data Subjects
As determined by Customer, which may include:

• Customer personnel and users
• travelers, guests, passengers, or end customers
• Customer contractors or agents
• business contacts and support contacts

Categories of Personal Data
As determined by Customer, which may include:

• contact and identity data
• account and profile data
• booking, itinerary, reservation, ticketing, and transaction data
• support and communications data
• technical, device, and usage data
• business contact information
• payment-related metadata

Sensitive / Special Category Data
Not intentionally required for the Services and not permitted unless expressly agreed in writing.

Annex 2 — Technical and Organisational Measures

Zaui shall maintain measures appropriate to the Services and associated risks, including where appropriate:

1. role-based access controls and least-privilege access
2. confidentiality obligations for personnel
3. user authentication controls
4. encryption in transit
5. encryption at rest where appropriate to the system or storage layer
6. logging and monitoring of relevant systems
7. backup and recovery procedures
8. vulnerability and patch management processes
9. incident response procedures
10. subprocessor due diligence and contractual controls
11. physical security controls at relevant facilities or via hosting providers
12. periodic review and evaluation of security controls

Zaui may update these measures from time to time provided that the overall security posture of the Services is not materially reduced.

Annex 3 — Subprocessors and Processing Locations

Zaui may use Subprocessors for:

• cloud hosting and infrastructure
• data storage and backup
• application monitoring and logging
• communications and ticketing tools
• support tooling
• security tooling
• analytics and performance monitoring
• professional services support
• integrated payment and other third-party service connections requested or enabled by Customer

For each Subprocessor, Zaui shall maintain and make available:

• name
• general function
• processing location(s)
• applicable transfer mechanism(s), where required

Primary processing regions may include Canada and the United States, the EEA, the United Kingdom, Australia, and New Zealand.