Data Processing Agreement

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the service agreement between Kaperi Energy Services Inc. ("Kaperi Energy," "Processor," "we," "our," or "us") and the client ("Client," "Controller," "you," or "your") for the provision of oil and gas operational analytics and automation services.

This DPA governs the processing of personal data by Kaperi Energy on behalf of the Client and ensures compliance with applicable privacy laws, including the Personal Information Protection Act (Alberta), Personal Information Protection and Electronic Documents Act (Canada), and other relevant privacy legislation.

2. Definitions

3. Nature and Purpose of Processing

3.1 Subject Matter

The subject matter of processing is the provision of oil and gas operational analytics, task automation, and related professional services as specified in the main service agreement.

3.2 Duration

Processing will continue for the duration of the service agreement and any applicable data retention periods as specified in our Privacy Policy.

3.3 Nature and Purpose

Personal data processing is necessary to:

• Provide operational analytics and insights
• Automate oil and gas industry tasks
• Generate reports and recommendations
• Provide technical support and customer service
• Ensure service security and performance
• Comply with legal and regulatory requirements

3.4 Categories of Personal Data

The types of personal data that may be processed include:

• Employee identification and contact information
• Professional credentials and certifications
• Operational data containing personal identifiers
• Communication records and correspondence
• Technical logs and system access records
• Location data (when relevant to operations)

3.5 Categories of Data Subjects

Personal data may relate to:

• Client employees and contractors
• Third-party personnel involved in operations
• Regulatory and compliance contacts
• Vendors and service providers

4. Client Obligations and Instructions

4.1 Processing Instructions

Kaperi Energy will process personal data only on documented instructions from the Client, including those set forth in this DPA and the main service agreement. Additional instructions must be provided in writing and agreed upon by both parties.

4.2 Lawful Basis

The Client warrants that it has established a lawful basis for processing and has obtained all necessary consents, authorizations, and notices required under applicable privacy laws.

4.3 Data Accuracy

The Client is responsible for ensuring the accuracy, completeness, and lawfulness of personal data provided to Kaperi Energy.

5. Kaperi Energy Obligations

5.1 Processing Limitations

Kaperi Energy shall:

• Process personal data only as necessary to provide the contracted services
• Not process personal data for its own purposes
• Not disclose personal data to unauthorized third parties
• Implement appropriate technical and organizational security measures
• Ensure processing personnel are bound by confidentiality obligations

5.2 Security Measures

We implement robust security measures including:

• Encryption of data in transit and at rest
• Access controls and multi-factor authentication
• Regular security assessments and penetration testing
• Employee security training and background checks
• Incident response and breach notification procedures
• Secure data centers with physical access controls
• Regular software updates and vulnerability management

6. Sub-processing

6.1 Authorization

The Client authorizes Kaperi Energy to engage sub-processors for specific processing activities, subject to the conditions set forth in this section.

6.2 Sub-processor Requirements

Before engaging any sub-processor, Kaperi Energy will:

• Conduct appropriate due diligence on the sub-processor's security and privacy practices
• Enter into a written agreement imposing data protection obligations equivalent to those in this DPA
• Remain fully liable for the sub-processor's compliance with data protection obligations

6.3 Current Sub-processors

6.4 Changes to Sub-processors

Kaperi Energy will provide at least 30 days' notice before adding or replacing sub-processors. The Client may object to such changes on reasonable data protection grounds within 15 days of notification.

7. Data Subject Rights

7.1 Assistance with Data Subject Requests

Kaperi Energy will assist the Client in responding to data subject requests, including requests for:

• Access to personal data
• Rectification of inaccurate data
• Erasure of personal data
• Restriction of processing
• Data portability
• Objection to processing

7.2 Response Timeframe

Upon receiving a request for assistance, Kaperi Energy will respond within 10 business days and provide necessary cooperation to enable the Client to respond to data subjects within applicable legal timeframes.

8. Data Breach Notification

8.1 Incident Response

In the event of a personal data breach, Kaperi Energy will:

• Notify the Client without undue delay, and in any case within 24 hours of becoming aware
• Provide detailed information about the nature, scope, and potential consequences of the breach
• Describe measures taken or proposed to address the breach
• Assist the Client in breach notification obligations to supervisory authorities and data subjects
• Cooperate with any investigations or remedial actions

9. Data Transfers

9.1 International Transfers

Personal data may be transferred outside of Canada to jurisdictions where our sub-processors operate. Such transfers will only occur with appropriate safeguards, including:

• Adequacy decisions by Canadian authorities
• Standard contractual clauses
• Binding corporate rules
• Other legally recognized transfer mechanisms

10. Data Retention and Deletion

10.1 Retention Period

Personal data will be retained only as long as necessary to provide the contracted services and comply with legal obligations. Specific retention periods are detailed in our Privacy Policy.

10.2 Data Return and Deletion

Upon termination of the service agreement, Kaperi Energy will:

• Return or securely delete all personal data within 90 days
• Provide certification of deletion upon request
• Retain data only as required by applicable law or for legitimate business purposes

11. Audits and Compliance

11.1 Audit Rights

The Client may conduct audits of Kaperi Energy's data processing activities, subject to:

• Reasonable advance notice (at least 30 days)
• Execution of appropriate confidentiality agreements
• Limitation to normal business hours
• Reimbursement of reasonable costs incurred by Kaperi Energy

11.2 Compliance Documentation

Kaperi Energy will maintain records demonstrating compliance with this DPA and make such records available for audit upon reasonable request.

12. Liability and Indemnification

12.1 Limitation of Liability

Each party's liability under this DPA is subject to the limitation of liability provisions in the main service agreement.

12.2 Data Protection Indemnification

Kaperi Energy will indemnify the Client against claims arising from Kaperi Energy's breach of this DPA, subject to the Client's compliance with notification and cooperation requirements.

13. Term and Termination

This DPA will remain in effect for the duration of the main service agreement and will automatically terminate upon expiration or termination of such agreement, except for provisions that by their nature should survive termination.

14. Governing Law

This DPA is governed by the laws of Alberta, Canada, and any disputes will be resolved in accordance with the dispute resolution provisions of the main service agreement.

15. Contact Information