Appendix 1: Data Processing Terms

1. Background and purpose

These data processing terms govern your use of the Offshore Energy Manager (OSEM) system (the "OSEM System") when you subscribe to this service directly from Vissim AS ("Vissim"), with regard to content that you as a subscriber ("you" or "Customer") upload into the system such as gender, date of birth, next of kin, certifications and similar, and in so far as such content includes personal data ("Content"). These terms are binding between you as a subscriber and Vissim only to that extent. If you subscribe to our service through an employer or another company, your relationship is directly with your employer or that company. These terms shall apply in addition to any other terms of use for the OSEM System between the parties ("Terms of Use"), and in case of conflict, these data processing terms shall prevail.
The purpose of these terms is to regulate the parties' rights and obligations under the applicable data protection law, including the EU regulation no. 2016/679 on data protection ("GDPR"). In so far as the Content you upload includes personal data, (i) Customer is the controller of such personal data; (ii) Vissim is a processor of such data; (iii) Customer will comply with its obligations as a controller under the relevant data protection legislation; and (iv) Vissim will comply with its obligations as a data processor. These terms only apply as far as Vissim actually processes personal data as part of the Content. Other data that Vissim may process is not regulated by these terms. Vissim will only process the type of personal data that Customer provides to Vissim via the Vissim OSEM System, and regarding the types of individuals that Customer provides to Vissim. The Customer shall ensure that there is an adequate basis for processing the personal data, and comply with applicable data protection law.

2. Vissim's general obligations

Vissim shall only process personal data it may access as part of fulfilling its contractual obligations to the Customer. Vissim has no right to hand over personal data to unauthorized third parties, unless compelled by applicable law. Vissim is only making the OSEM system available for Customer to manage personal information needed for project assignments. Vissim shall follow the procedures and instructions as laid out in this agreement for the processing of personal data that the Customer has reasonably laid out, within the functionality that is already available in the system and to the extent necessary to comply with applicable law. Vissim is obliged to inform the Customer if Vissim believes that a given instruction is not in accordance with applicable law. Vissim will in accordance with EU Regulation 2016/679 article 28 (h) make available to Customer all information necessary to demonstrate compliance with the obligations laid down in said article and allow for and contribute to audits, including inspections by a third party conducted by the Customer or another auditor mandated by the Customer. If Supplier has obtained a reasonably updated security audit certificate by a professional and acknowledged security auditor company, and the report for such audit is disclosed to Customer, the Customer may only require to carry out such an audit if there is reasonable cause to do so and the right to conduct an audit in such a situation follows from mandatory law. Vissim may charge a fee based on Vissim's reasonable costs for such audit, and Customer is responsible for its own costs and any costs related to any auditor appointed by Customer. Vissim may object in writing to an auditor appointed by Customer to conduct any audit if the auditor is, in Vissim’s reasonable opinion, not suitably qualified or independent, a competitor of Vissim, or otherwise manifestly unsuitable. 
The parties shall mutually agree to the further process and scope of any actual audit to be conducted. Vissim shall perform regular security audits and maintain Information Security Management Systems certification by a third party according to ISO 27001 (Information Security Management Systems). Customer can at any time manage information in the My Details section. Upon Customer's request, Vissim is obliged to provide necessary assistance for the Customer to access the data processed on behalf of the Customer. Vissim has a duty of confidentiality regarding personal data that it has access to in accordance with these Data Processing Terms. This also applies after the agreement with Customer terminates. Vissim shall ensure that persons authorized to process personal data on behalf of Vissim are subject to confidentiality by law or contract. Vissim shall, considering the nature of the processing, as far as possible and with appropriate technical and organizational means, assist the Customer in answering the data subject's requests for fulfillment of the data subject's rights under the applicable data protection law. Correspondingly, the Customer may require that Vissim shall assist the Customer under any inspection by the relevant data protection authority. Vissim shall, considering which personal data is available for them and the nature of the processing, assist the Customer in complying with the information security requirements, notification requirements for data protection authorities and the data subjects, as well as impact assessments, pursuant to Articles 32-36 of EU Regulation 2016/679. Any assistance required by Customer under this Section 2 shall be compensated according to the applicable hourly rates agreed between the parties, or, if no hourly rates are agreed upon, by the current regular and reasonable fees for such services.

3. Location of data

Vissim is based in Norway and will access your data in EU/EEA countries, and mainly from our regular place of business. Vissim subcontractors may also access your data in Norway or other EU/EEA countries. Your personal data will be stored on servers within the EU/EEA, but may also be transferred to other countries, for example in relation to support services or intermediate storage. If personal data in this context should be transferred outside the EU/EEA, adequate safeguards as to such transfer to third countries are in place, such as transfer to companies in the USA that are covered by the EU-U.S. privacy shield or under agreement governed by the EU standard clauses accepted by the European Commission.

4. Use of subprocessors

Vissim shall only use subprocessors to process personal data that are authorized by the Customer. Customer hereby authorizes the use of any subprocessors listed herein, and accepts that Vissim may change its subprocessors at its own discretion. Such change of subprocessors that process personal data in Content should be notified by the updating of the list of subprocessors in this document, or otherwise made available at the OSEM System. Customer may object to such appointment by terminating the subscription for the OSEM System by written notice to Vissim. Anyone who, on behalf of Vissim, carries out assignments in which the use of the personal data in question is included, shall be subject to similar obligations to Vissim pursuant to these Data Processing Terms.

List of subprocessors:

Vissim Renewables Ltd, UK, org.no. 9440886
Vissim s.r.o, Slovakia, org.no. 48232513
Vector Software Ltd, org.no. 09236036
Web hosting provider within EU/EEA

5. Security and Data Incidents

Vissim will comply with the requirements for security measures under Article 32 of EU Regulation 2016/679, and be able to document procedures and other measures to meet these requirements. If Vissim becomes aware of a security breach ("Data Incident"), Vissim will promptly notify Customer of the Data Incident, and take reasonable steps to minimize harm and secure Content. Notification(s) of any Data Incident(s) will be delivered to the email address provided by Customer to Vissim, or, at Vissim’s discretion, by direct Customer communication (e.g., by phone call or an in-person meeting). Customer acknowledges that it is solely responsible for ensuring that the contact information provided to Vissim is current and valid, and for fulfilling any third-party notification obligations. Customer agrees that “Data Incidents” do not include: (i) unsuccessful access attempts or similar events that do not compromise the security or privacy of Content, including pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems; or (ii) accidental loss or disclosure of Content caused by Customer’s use of the Services or Customer’s loss of account authentication credentials. Vissim’s obligation to report or respond to a Data Incident under this Section will not be construed as an acknowledgement by Vissim of any fault or liability with respect to the Data Incident. Any notice for Data Incidents pursuant to the applicable data protection law shall be effected by Vissim to the Customer without undue delay and as far as possible within the deadlines provided by applicable regulations, hereunder EU Regulation 2016/679, Article 33.

6. Data Correction, Blocking, Exporting, and Deletion

Vissim will provide Customer with the ability to correct, block, export and delete Content in a manner consistent with the functionality of the Vissim OSEM System and the Terms of Use. Once Customer deletes Content via the Vissim OSEM System that Content cannot be recovered. One exception is the historical recordings of your offshore activity in Projects. In historical manifests, reports and similar provided to a specific project and a project owner, your name, company, profession and site ID will still be visible for the project for a period of 12 months after your account has been closed.

7. Access; Export of Data

Vissim will make available to Customer the Content in a manner consistent with the functionality of the Vissim OSEM System and in accordance with these terms and the Terms of Use. To the extent Customer, in its use and administration of the Vissim OSEM System does not have the ability to amend or delete Content (as required by applicable law), or migrate Content to another system or service provider, Vissim will, at Customer’s reasonable expense, comply with any reasonable requests from Customer to assist in facilitating such actions to the extent Vissim is legally permitted to do so and has reasonable access to the relevant Content.

8. Changes and duration of these terms

These Data Processing Terms may be amended as necessary and agreed between the parties. This may for example be relevant for product development, changes in customer service agreements or Vissim’s subcontracting agreements. In case of product development that entails changes in which personal data is processed, the Data Processing Terms must be amended. These Data Processing Terms apply between the parties as long as Vissim processes personal data on behalf of the Customer in connection with the delivery of the OSEM System directly to Customer. In case of breach of these terms or the applicable data protection law, the Customer may order Vissim to stop further processing of the Content with immediate effect.

9. Termination

Upon termination of these Data Processing Terms, Vissim is obliged to delete all personal data received on behalf of the Customer and covered under these Data Processing Terms, including any copies. The above applies only if nothing else follows from applicable law, such as obligation to store data for specific purposes. If Customer at any point would not agree with the terms laid out in this agreement, the Customer can at any point delete its personal data as described in this agreement.

10. Breach of contract

Upon breach of these Data Processing Terms, any regulation on indemnification, liability and limitation of liability in the Terms of Use applies.

Last amended: 13.08.2018