Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of, and is incorporated by reference into, the Agreement between Acryl Data, Inc. (“Acryl Data” or “Company”) and Customer. Capitalized terms not defined in this DPA will have the meanings given to them in the Agreement. In the event of a conflict between this DPA and the Agreement with respect to the subject matter of this DPA, this DPA will control to the extent of such conflict.

For purposes of this DPA:

“Agreement” means the agreement or general terms and conditions that reference this DPA.

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations.

“Controller” means the entity that determines the purposes and means of the Processing of Personal Data.

“Customer” means the entity that enters into the Agreement with Company.

“Customer Data Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer data, including Personal Data, transmitted, stored or otherwise Processed by Company or its Sub-Processors under this DPA.

“Data Protection Laws and Regulations” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including those of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, and the United States and its states.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.

“Personal Data” means any information that relates to an identified or identifiable natural person.

“Processing” or “Process” means the collection, recording, organization, structuring, alteration, use, access, disclosure, copying, transfer, storage, deletion, combination, restriction, adaptation, retrieval, consultation, destruction, disposal, or other use of Personal Data.

“Processor” means the entity that Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.

“Products and Services” means the Software, Services, and support services provided by Company.

“Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

Section 1 – Processing of Personal Data

1.1. Primary Processing Roles:

(a) When using the Software, Customer acts as both the Controller and Processor of any Personal Data.

(b) In the case of Services and support services, Company acts as a Processor only when providing the Services or support services that require access to Personal Data, and Customer is the Controller.

1.2. Customer’s Processing of Personal Data. Customer shall comply with Data Protection Laws and Regulations applicable to its use of the Products and Services. Customer is responsible for determining whether the Products and Services are appropriate for storage and Processing of information subject to any specific law or regulation and for using the Products and Services in a manner consistent with Customer’s legal and regulatory obligations. Customer maintains full control over: (a) what Personal Data is Processed using the Software; (b) the purposes and means of processing Personal Data; (c) the categories of Data Subjects whose Personal Data is Processed; and (d) the retention period of Personal Data. Customer is responsible for responding to any request from a third party regarding Customer’s use of the Products and Services. Customer represents and warrants that it will: (a) provide all notices and obtain all rights and consents required for Processing Personal Data; (b) implement appropriate technical and organizational measures to ensure compliant Processing; and (c) maintain all necessary records of Processing activities.

1.3. Company’s Processing of Personal Data. Company shall materially comply with Data Protection Laws and Regulations applicable to its providing the Products and Services. Company may Process Personal Data solely when: (a) providing the Services and technical support services requested by Customer; (b) assisting with Software installation, configuration, or updates; (c) investigating and resolving reported issues; or (d) performing maintenance activities explicitly authorized by Customer. Company does not determine whether Customer’s data includes information subject to any specific law or regulation.

1.4. Details of the Processing. The subject matter, nature and purpose of the Processing by Company are to provide the Products and Services. Company shall: (a) access Personal Data only when necessary for support services; (b) process only the minimum Personal Data required for support services; and (c) not use Personal Data for any other purpose. The duration of the Processing is until Company returns or deletes the Personal Data in accordance with this DPA. The categories of Personal Data and affected individuals are the first and last names, email addresses, and titles of prospects’, customers’, and business partners’ personnel.

Section 2 – Security Requirements

2.1. Customer Security Obligations. Customer shall implement and maintain: (a) appropriate technical security measures, including: (i) network security controls and firewalls; (ii) access controls and authentication systems; (iii) encryption for Personal Data at rest and in transit; (iv) monitoring and logging systems; and (v) backup and recovery procedures, and (b) organizational security measures, including: (i) security policies and procedures; (ii) personnel training programs; (iii) access management processes; and (iv) incident response procedures.

2.2. Company Security Obligations. Company will implement appropriate technical and organizational safeguards designed to protect Personal Data against a Customer Data Incident. Company shall: (a) provide security-related Software updates and patches; (b) maintain secure support access methods; (c) notify Customer of known Software security vulnerabilities; (d) follow Customer’s security requirements during support; and (e) provide security documentation and best practices. Company may modify such safeguards from time to time, provided that such modifications will not materially reduce the overall level of protection for Personal Data.

Section 3 – On-Premise Environment Requirements

3.1. Technical Requirements. Customer’s environment must include:

(a) network security controls: (i) firewalls; (ii) intrusion detection/prevention; and (iii) network segmentation;

(b) access controls: (i) role-based access control; (ii) multi-factor authentication; and (iii) session management;

(c) encryption capabilities: (i) data at rest; (ii) data in transit; and (iii) key management; and

(d) monitoring and logging: (i) security event logging; (ii) access logging; and (iii) log retention.

3.2. Operational Requirements. Customer shall maintain: (a) security policies and procedures; (b) incident response plans; (c) business continuity plans; and (d) disaster recovery procedures.

3.3. Documentation Requirements. Customer shall maintain records of: (a) security measures; (b) risk assessments; (c) incident responses; and (d) personnel training.

Section 4 – Confidentiality

Company and Customer shall: (a) maintain the confidentiality of Personal Data; (b) ensure that persons authorized to process Personal Data have committed to confidentiality; (c) limit access to Personal Data to those who need it for authorized purposes; and (d) train personnel on confidentiality requirements.

Section 5 – Data Subject Rights

5.1. Customer Responsibilities. Customer is responsible for: (a) ensuring the accuracy of any Personal Data provided to Company; (b) responding to Data Subject requests or complaints; (c) implementing procedures to fulfill Data Subject rights; (d) managing communications with Data Subjects; and (e) maintaining records of Data Subject requests.

5.2. Company Support. Company will: (a) provide technical assistance to Customer for Data Subject requests; (b) forward, unless prohibited by applicable laws, any received Data Subject requests to Customer; and (c) not respond directly to Data Subjects.

Section 6 – Sub-Processors

6.1. Customer Authority. Customer maintains full control over any sub-processors it engages.

6.2. Company Sub-Processors. Customer agrees that Company may disclose Personal Data to its subcontractors for purposes of providing the Products and Services to Customer (“Sub-Processors”), provided that Company will impose on its Sub-Processors no less onerous obligations than as set forth in this DPA. Company will maintain a list of its Sub-Processors and will provide this list to Customer upon Customer’s request or otherwise make this list available to Customer, which may include providing access to this list available on Company’s website. At least thirty (30) days before adding any Sub-Processor to this list, Company will provide Customer notice of such addition(s), which may include notice provided on the same page of Company’s website that contains such list. Company will remain responsible for all actions by Sub-Processors with respect to Customer’s Personal Data and for Company compliance with its obligations under this DPA.

Section 7 – Audit Rights

7.1 Customer acknowledges that Company is regularly audited by independent third-party and Company internal auditors.

7.2 In order to establish Company compliance with this DPA, Company will provide to Customer, upon Customer’s written request, a copy of third-party assessments such as SSAE 18 SOC report or comparable report (“Third-Party Report”) where Company has obtained such a Third-Party Report for the applicable Products and Services, and written responses to all reasonable requests for information related to the applicable Products and Services, including responses to information security and audit questionnaires.

7.3 Only to the extent that information provided under Section 7.2 above is insufficient to reasonably establish Company compliance with this DPA, or where required by a competent regulator, Customer and its authorized representatives may conduct an audit of Company books and records as necessary to establish Company compliance with this DPA during the term of the Agreement. Any audit must be conducted not more than once per year, during Company’s regular business hours, with reasonable advance notice of not less than forty-five (45) days, conducted in good faith, and subject to reasonable confidentiality procedures. Such audit must not require Company to disclose to Customer or its authorized representatives any information of other Company clients, internal accounting or financial information, trade secrets, or information that, in Company’s reasonable opinion, could compromise the security of Company’s systems or premises or cause Company to breach its obligations under applicable Data Protection Laws and Regulations or privacy obligations to third parties. Customer must promptly provide Company with information regarding any non-compliance discovered during the course of an audit.

7.4 Any information provided to Customer pursuant to this Section will be considered Company Confidential Information under the confidentiality provisions of the Agreement and will be handled accordingly.

Section 8 – Data Protection Impact Assessments

8.1. Customer Responsibilities. Customer is responsible for: (a) conducting data protection impact assessments; (b) evaluating processing risks; and (c) implementing risk mitigation measures.

8.2. Company Support. Company shall: (a) provide information about Software security features; (b) assist with technical aspects of impact assessments; and (c) recommend security best practices.

Section 9 – Customer Data Incident Management

9.1. Customer Obligations. In connection with a Customer Data Incident, Customer shall: (a) implement breach detection and response procedures; (b) notify relevant authorities and Data Subjects as required; (c) maintain records of all Customer Data Incidents; and (d) investigate and remediate the Customer Data Incident.

9.2. Company Obligations. In the event of a Customer Data Incident of which Company becomes aware, Company will notify Customer promptly in accordance with the time frames prescribed by applicable laws, unless otherwise prohibited by law or otherwise instructed by a law enforcement or supervisory authority. Following such notification, Company will provide reasonable assistance and cooperation requested by Customer in the furtherance of any correction or remediation of any Customer Data Incident.

Section 10 – Government Access Requests

Upon Customer’s request, Company will provide reasonable assistance to Customer in the event of an investigation by a competent regulator, including a data protection regulator or similar authority, or the submission by Customer of a data protection impact assessment or prior consultation document, if required by the competent regulator, solely if and to the extent that such data protection impact assessment or prior consultation document relates to Company’s Processing of Personal Data on behalf of Customer pursuant to this DPA.

Section 11 – Cross-Border Data Transfers

11.1. Customer Control. Customer controls where Personal Data is stored and Processed.

11.2. Company Obligations. In connection with the performance of the Agreement, Company may transfer Personal Data outside the jurisdiction in which Customer is established. Company will protect Personal Data in accordance with this DPA regardless of the jurisdiction in which it is located. If required by Data Protection Laws and Regulations, the parties will enter into Standard Contractual Clauses or maintain another method of adequacy or implement other measures sufficient to allow Company to receive Personal Data in compliance with Data Protection Laws and Regulations, including entering into any similar data transfer agreements required by Data Protection Laws and Regulations in other countries. Company will maintain a list of its processing locations and will provide this list to Customer upon Customer’s request or otherwise make this list available to Customer. At least thirty (30) days before adding any processing location to this list, Company will provide Customer notice of such addition(s), which may include notice provided on Customer’s website that contains such list, so that Customer has the opportunity to object to such addition(s), subject to the remaining terms of this Section. Any objections made by Customer pursuant to this Section must be in writing, substantiated with a reasonable and valid explanation for the objection, and submitted to the Company contact identified on the aforementioned website before the end of the stated thirty (30) day period. If Customer provides such a reasonable and substantiated objection to such addition(s) in accordance with this Section, and Company is unable to provide a suitable alternative, then Customer may elect to exercise its termination rights without any action, claim or proceedings for liability, costs, refunds or damages against Company under the Agreement.

Section 12 – Term and Termination

12.1. Term. This DPA remains in effect as long as Personal Data is Processed under the Agreement.

12.2. Post-Termination. Upon termination or expiration of the Agreement or this DPA for any reason: (a) Customer retains responsibility for Personal Data; (b) Company will, except as otherwise required by law applicable to Company, return or destroy any Personal Data; and (c) confidentiality obligations in the Agreement or this DPA, as applicable, survive such termination.

Section 13 – Liability

Claims arising out of this DPA shall be limited as set forth in the Agreement between the Processor and the Controller.

Section 14 – California Consumer Privacy Act

If applicable, the following terms govern how Company will treat all personal information subject to the CCPA that Company collects pursuant to the Agreement with Customer. In the event of a conflict, these terms shall govern and control with respect to personal information subject to the CCPA that Company collects pursuant to the Agreement. Terms used below have the same definitions set forth in the CCPA when explicitly defined in the CCPA.

14.1 Company shall not sell or share personal information it collects pursuant to the Agreement with Customer.

14.2 Customer is only disclosing the personal information to Company for the limited business purpose specified in the Agreement.

14.3 Company shall not retain, use, or disclose the personal information that it collected pursuant to the Agreement with Customer for any purposes other than those specified in the Agreement or as otherwise permitted by the CCPA.

14.4 Company shall not retain, use, or disclose personal information it collected pursuant to the Agreement with Customer for any commercial purpose other than those specified in the Agreement, unless expressly permitted by the CCPA.

14.5 Company shall not retain, use, or disclose the personal information it collected pursuant to the Agreement with Customer outside the direct business relationship between Company and Customer, unless expressly permitted by the CCPA.

14.6 Company shall comply with all applicable sections of the CCPA, including — with respect to the personal information that it collected pursuant to the written contract with Customer — providing the same level of privacy protection as required of businesses by the CCPA.

14.7 Customer has the right to take reasonable and appropriate steps to ensure that Company uses the personal information it collected pursuant to the Agreement with Customer in a manner consistent with Customer’s obligations under the CCPA.

14.8 Company shall notify Customer after it determines that it can no longer meet its obligations under the CCPA.

14.9 Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate Company’s unauthorized use of personal information.

14.10 Company must enable Customer to comply with consumer requests made pursuant to the CCPA.

Section 15 – General Provisions

15.1. Amendments. This DPA may be amended only by written agreement duly executed by an authorized representative of each party. Unless otherwise expressly set forth therein, if any amendments to the Agreement are agreed to between the parties, the terms of such amendments shall complement but not supersede any terms in this DPA.

15.2. Notices. All notices required to be given under this DPA must be in writing and delivered to a well-defined email address. Customer may email notices to Company at notices@acryl.io.

15.3. Severability. If any provision of this DPA is or becomes illegal, void, invalid, or unenforceable, such provision must be severed from the other terms and conditions, which will continue to be valid and enforceable to the fullest extent permitted by law.

15.4. Assignment. Except (i) to a Sub-Processor, (ii) as otherwise permitted by this DPA, or (iii) in the event of a merger, acquisition, sale of assets, or similar business transaction, neither party may assign or otherwise transfer any or all of such party’s rights or obligations under this DPA to any third party (or attempt to do so) without the prior written consent of the other party.

15.5. Entire Agreement. The parties agree that this DPA constitutes the entire agreement and understanding between the parties in respect of the Processing of Personal Data and supersedes any previous agreement between the parties relating to the Processing of Personal Data. Notwithstanding anything to the contrary herein, this DPA will not apply where Processor is subject to stricter obligations with respect to its Processing of Personal Data than those herein.

15.6. Governing Law. This DPA is governed by and will be construed in accordance with the law of the State of California, without regard to its conflict of laws rules.

15.7. Survival. The obligations placed upon the Processor under this DPA shall survive so long as Processor and/or its sub-processors Process Personal Data on behalf of Controller.

15.8. Costs. Each party shall perform its obligations under this DPA at its own cost.

15.9. Third Party Rights. Except as expressly provided for in this DPA or the Agreement, this DPA does not create any rights for any person who is not a party to it, and no person who is not a party to this DPA may enforce any of its terms or rely on any exclusion or limitation contained in it.