How Esimi.io Complies with EU GDPR and UK GDPR

Last Updated: December 15, 2025
Effective Date: June 1, 2025

This Data Processing Addendum (“Addendum”) forms part of, and is incorporated into, the Master Services Agreement (“Agreement”) entered into between you and Esimi.io. This Addendum applies automatically upon your use of any Esimi.io services. Capitalized terms not defined herein shall have the meanings set forth in the Agreement.

1. Definitions

“Covered Personal Data”
Means any Personal Data processed by Esimi.io in connection with the provision of the services.

“Personal Data”
Has the meaning given under the EU GDPR and UK GDPR, and refers to any information relating to an identified or identifiable natural person.

“Data Subject”
Means any identified or identifiable natural person to whom Personal Data relates.

“Security Incident”
Means a confirmed breach of Esimi.io’s technical or organizational security measures that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Personal Data processed by Esimi.io, excluding incidents caused by the actions or omissions of the Customer or its users.

2. Processing Instructions

You authorize Esimi.io to process Covered Personal Data solely for the purpose of providing the services and in accordance with the Agreement and this Addendum.

If you require processing that falls outside the scope of the Agreement, you must provide Esimi.io with documented written instructions at least thirty (30) days in advance. You are solely responsible for ensuring that such instructions comply with applicable data protection laws.

3. Authority and Safeguards

  • Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
  • Engage subprocessors only after ensuring they provide sufficient guarantees of compliance with applicable data protection laws; and
  • Notify you without undue delay after becoming aware of a confirmed Security Incident and provide reasonable assistance to support your legal notification obligations.

4. Use and Disclosure of Personal Data

Esimi.io shall process Covered Personal Data solely for the purpose of providing the services or as otherwise permitted under the Agreement.

Esimi.io shall not disclose Covered Personal Data to third parties except:

  • To authorized subprocessors engaged to support service delivery and bound by equivalent data protection obligations; or
  • Where disclosure is required by applicable law.

5. Processing of EU and UK Personal Data

Applicability

This section applies to Covered Personal Data originating from the European Union / EEA and the United Kingdom.

Additional Definitions

“EU GDPR” means Regulation (EU) 2016/679.

“UK GDPR” means the GDPR as incorporated into UK law under the Data Protection Act 2018.

“Controller” and “Processor” have the meanings assigned under the EU GDPR and UK GDPR.

“Standard Contractual Clauses (SCCs)” mean the EU-approved standard contractual clauses and, where applicable, the UK International Data Transfer Addendum or IDTA.

“Subprocessor” has the meaning assigned under applicable GDPR law.

Allocation of Roles

For EU and UK Personal Data:

  • You act as the Data Controller in respect of your end users;
  • Esimi.io acts as a Data Processor or Subprocessor, depending on the data flow;
  • Esimi.io has no direct contractual relationship with your end users.

International Data Transfers

Where Covered Personal Data is transferred outside the EU or the UK, such transfers shall be governed by:

  • EU SCCs for EU Personal Data; and
  • UK SCC Addendum or IDTA for UK Personal Data, where required.

Use of the services constitutes acceptance of the applicable transfer mechanisms.

Compliance Commitments

  • Comply with applicable EU GDPR and UK GDPR obligations;
  • Protect the confidentiality and integrity of Covered Personal Data;
  • Cooperate with lawful data access requests from supervisory authorities; and
  • Delete or return Covered Personal Data within thirty (30) days following termination of this Addendum, unless retention is required or permitted by law.

6. Processing of California Personal Data

Applicability

This section applies to Covered Personal Data subject to the California Consumer Privacy Act (CCPA).

Roles

You act as the Business; Esimi.io acts as a Service Provider / Subprocessor; Esimi.io does not maintain a direct relationship with end users.

Each party agrees to:

  • Comply with the CCPA and applicable regulations;
  • Maintain appropriate security safeguards;
  • Process Personal Data only as instructed;
  • Cooperate with lawful consumer requests; and
  • Delete or return California Personal Data within thirty (30) days after termination, unless otherwise permitted by law.

7. Governing Effect

This Addendum governs all data protection and privacy matters related to the services. In the event of any conflict between this Addendum and any other agreement between the parties, this Addendum shall prevail.

Questions? Contact us at support@esimi.io.
