Data Processing Addendum

Last Updated: July 14, 2025

This Data Processing Agreement, including its schedules and annexes, (collectively, this “DPA”) forms part of the Exaforce Terms of Service, any Order Forms, or any other legally entered and binding written or electronic agreement (collectively, the “Agreement”) entered into between Exaforce, Inc., a Delaware (USA) corporation (“Exaforce”) and Customer, acting on its own behalf and on behalf of its Affiliates (defined below). This DPA sets forth each party’s respective obligations regarding the processing of Personal Data (defined below) in connection with the Services provided pursuant to the Agreement.

This DPA shall become effective as of the Effective Date of the Agreement. All capitalized terms not defined in this DPA will have the meaning given to them in the Agreement. 

  1. Definitions 

The following definitions and rules of interpretation apply in this DPA.

  1. “Business Purposes” means the Services described in the Agreement and any other purposes identified in Annex A (Details of Processing), Section 4 (Processing Details).
  2. “Customer Authorized Privacy Contact” means the persons or categories of persons that Customer authorizes to give Exaforce personal data processing instructions as identified in Annex A (Details of Processing), Section 1 (Data Exporter).
  3. “Customer Personal Data” means Personal Data provided by or made available by Customer to Exaforce or collected by Exaforce on behalf of Customer, which Exaforce Processes to perform the Services.
  4. “Data Protection Laws” means all applicable global laws, regulations, or treaties concerning privacy, data security, data protection, or the Processing of Personal Data including, but not limited to, European Data Protection Laws and United States privacy laws, such as the California Consumer Privacy Act of 2018 (“CCPA”), each as amended, replaced, or superseded from time to time and the guidance and codes of practice issued by the relevant data protection or supervisory authorities and applicable to a Party.
  5. “Disclosure Request” means (a) any order, demand, warrant, or any other document requesting or purporting to compel the production of Customer Personal Data (for example, by oral questions, interrogatories, requests for information or documents in legal proceedings, subpoenas, civil investigative demands, regulatory inspection or other similar processes); or (b) any other request, inquiry, or complaint involving Customer Personal Data or the Processing of such Customer Personal Data from any governmental, regulatory authority or law enforcement department, including, but not limited to, a data protection authority, or similar regulatory authority.
  6. “European Data Protection Laws” means (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (b) the European Union (“EU”) e-Privacy Directive (Directive 2002/58/EC); (c) any and all applicable local data protection laws of any Member State of the EU or country within the European Economic Area (“EEA”) made under or pursuant to (a) or (b); (d) Swiss Data Protection Laws; and (e) United Kingdom (“UK”) Data Protection Laws; in each case as may be amended, superseded, or replaced from time to time.
  7. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed.
  8. The “Parties” means Exaforce and Customer.
  9. “Sensitive Personal Data” or “Sensitive Personal Information” has the same meaning as “Restricted Information” as defined in the [ADD LINK].
  10. “Standard Contractual Clauses” (“SCCs”) means the Standard Contractual Clauses for the transfer of Personal Data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, as updated, amended, or replaced from time to time.
  11. “Subprocessor” means any Processor engaged by Exaforce in accordance with the terms of this DPA, including, but not limited to, any Affiliate of Exaforce. “Subprocessor” shall include the entities set forth under Annex C (Approved List of Subprocessors) to this DPA.
  12. “Swiss Data Protection Laws” means all laws relating to data protection, the Processing of Personal Data, privacy and/or electronic communication in force from time to time in Switzerland, including the Swiss Federal Act on Data Protection of 19 June 1992, SR 235.1, as amended, superseded, or replaced from time to time.
  13. “UK Data Protection Laws” means all laws relating to data protection, the Processing of Personal Data, privacy and/or electronic communication in force from time to time in the UK including the Data Protection Act 2018, the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426), each as amended, superseded, or replaced from time to time.
  14. “UK International Transfer Addendum” means the United Kingdom’s addendum to the European Commission’s Standard Contractual Clauses for international data transfers version B1.0 issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act of 2018 and entering into force on 21 March 2022, as updated, amended, or replaced from time to time.
  15. Except as otherwise defined in this DPA, “Business,” “Controller,” “Data Subject,” “Personal Data” or “Personal Information,” “Process” or “Processing,” “Processor,” “Sell” or “Selling,” “Service Provider,” and “Share” or “Sharing” are as defined under the relevant Data Protection Laws, and the conjugation of these terms shall be defined accordingly. For purposes of this DPA, the term “Controller” shall also refer to the term “Business” and the term “Processor” shall also refer to the term “Service Provider.”
  2. Purpose and Scope of Processing
    1. Roles of the Parties. Customer and Exaforce acknowledge and agree that under Data Protection Laws and this DPA, Customer may act as either a Controller or Processor. Where Customer is a Controller, Exaforce is a Processor. Where Customer is a Processor, Exaforce is a Subprocessor. All obligations placed on Processors under this DPA shall apply to Exaforce regardless of whether Exaforce acts as a Processor or Subprocessor.
    2. Details of Processing. The subject matter, duration, nature and purpose of Processing, categories of Customer Personal Data, and Data Subject type(s), in respect of which Exaforce may Process to fulfill the Business Purposes are described in Annex A (Details of Processing).
  3. Customer Processing Obligations
    1. Processing Instructions. Customer warrants and represents that Customer shall comply with, and Customer’s instructions for the Processing of the Customer Personal Data shall comply with, Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of (a) the Customer Personal Data provided to Exaforce by or on behalf of Customer, (b) the means by which Customer acquired the Customer Personal Data provided to Exaforce, and (c) the instructions it provides to Exaforce regarding the Processing of Customer Personal Data. Customer shall provide to Exaforce the minimum amount of Customer Personal Data necessary for the provision of the Services and shall not provide or make available to Exaforce any Customer Personal Data other than as specified in Annex A (Details of Processing), Section (Processing Details).
    2. Sensitive Personal Data. To the extent that Customer chooses to use any Services to Process Sensitive Personal Data, Customer acknowledges and agrees that Customer is Processing such Sensitive Personal Data in accordance with Data Protection Laws and the Agreement.
    3. Customer Affiliates. Customer enters into this DPA on behalf of itself and in the name and on behalf of its Affiliates, as applicable, thereby establishing a separate DPA between Customer and each such Customer Affiliate. Customer Affiliates shall be entitled to enforce the terms of this DPA as if each was a signatory to it. Customer shall remain responsible for coordinating all communication with Exaforce under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Affiliates.
  4. Exaforce Processing Obligations
    1. Compliance with DPA and Data Protection Laws. Exaforce shall comply with all Data Protection Laws with respect to performing the Services and Processing the Customer Personal Data. Exaforce shall not Process Customer Personal Data for any other purpose or in a way that does not comply with this DPA or applicable laws, including the Data Protection Laws.
    2. Processing Limitations. Exaforce shall only Process Customer Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with this DPA and Customer's written instructions. Exaforce shall not collect, disclose, use, or otherwise Process Customer Personal Data: (a) except as necessary to perform the Services and the Business Purposes described in this DPA; (b) outside of the direct business relationship between Customer and Exaforce; or (c) for its own purposes or those of any third party. Exaforce shall not sell or share Customer Personal Data, as “sell” and “share” are defined under Data Protection Laws. Exaforce shall not combine the Customer Personal Data received with Personal Data received from another business or that Exaforce collects itself (unless such combination is necessary for certain business purposes identified in the Applicable Data Protection Laws).
    3. Confidentiality. Exaforce shall protect the confidentiality of the Customer Personal Data in accordance with the terms of this DPA and ensure that any Customer Personal Data is not disclosed or otherwise made available to other persons or used in violation of this DPA. Exaforce shall ensure that any persons that it authorizes to Process Customer Personal Data are informed of the confidential nature of the Customer Personal Data and are subject to an appropriate duty of confidentiality.
    4. Compliance Assistance. Exaforce shall reasonably assist Customer with meeting Customer's compliance obligations under the Data Protection Laws, taking into account the nature of Exaforce's Processing and the information available to Exaforce. For example, Exaforce shall provide reasonable information to enable Customer to carry out Data Protection Impact Assessments or similar evaluations or assessments required under Data Protection Laws, and Exaforce shall provide reasonable assistance to Customer in its cooperation or prior consultation with supervisory or other regulatory authorities.
    5. Data Subject Rights. If Exaforce receives a request from a Data Subject for access to Customer Personal Data or to exercise any of their related rights under the Data Protection Laws, Exaforce shall notify Customer. Upon Customer’s reasonable request, Exaforce shall reasonably assist Customer to comply with the rights of Data Subjects under the Data Protection Laws and to respond to any inquiry, complaint, or other correspondence from a Data Subject.
    6. Disclosure Requests, Complaints, and Other Communications. If Exaforce receives a Disclosure Request, complaint, or any other communication regarding the Processing of Customer Personal Data or about either party's compliance with the Data Protection Laws, Exaforce shall promptly notify Customer, unless prohibited to do so by law. Unless required by law, Exaforce shall not disclose Customer Personal Data to any third party other than at Customer’s request or instruction. Subject to applicable law, Exaforce shall oppose any Disclosure Request, and if legally required to respond, shall provide the minimal amount of Customer Personal Data or information about Processing of Customer Personal Data in response to such request or inquiry. Exaforce shall reasonably assist Customer in responding to any Disclosure Requests, complaints, or other communications regarding the processing of Customer Personal Data by Exaforce.
    7. Data Destruction or Return. Exaforce shall securely destroy or return and not retain, all Customer Personal Data Processed subject to this DPA in its possession promptly after the expiry or termination of the Agreement, except where retention of Customer Personal Data is required by any law, regulation, or government or regulatory body, in which case the protections of this DPA shall continue to apply to such retained Customer Personal Data for the period of time during which it is retained.
  5. Security and Audits
    1. Security Measures. Exaforce shall implement appropriate technical and organizational measures against unauthorized or unlawful Processing, access, or disclosure of Customer Personal Data and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Customer Personal Data including, but not limited to, the security measures set out in Annex B (Security Measures). Exaforce shall periodically review and test the effectiveness of such security measures.
    2. Data Breach. Exaforce shall notify the Customer Authorized Privacy Contact promptly upon becoming aware of a Data Breach and promptly take such steps as Exaforce deems necessary and reasonable to investigate, contain, and mitigate such Data Breach. When notice is provided, Exaforce shall provide all reasonable information in Exaforce’s possession to the extent it affects Customer, including: (a) a summary of the nature of the Data Breach, including the types of Customer Personal Data impacted and, to the extent Personal Data is impacted, the categories and approximate number of both Data Subjects concerned; (b) the likely consequences; and (c) description of the measures taken or proposed to be taken to mitigate its possible adverse effects. Exaforce shall use reasonable efforts to provide Customer with additional updates regarding the Data Breach to the extent it affects Customer.
    3. Audit Reports and Documentation. At Customer’s written request at reasonable intervals, Exaforce shall provide Customer with the most recent copies of external third-party audit reports, certifications, or other documentation regarding Exaforce’s compliance with the obligations in this DPA.
    4. On-Site Audits. If the Customer reasonably believes the audit reports, certifications, or other documentation provided under Section 5.3 “Audit Reports and Documentation” above are inadequate to demonstrate compliance with the obligations of this DPA, Customer may reasonably request an on-site audit in writing and with no less than 30 days’ notice, once per calendar year during the Subscription Term. An on-site audit may also be requested if Exaforce has notified Customer of a Data Breach affecting Customer Personal Data or such an audit is required by Data Protection Laws or by the Customer’s competent supervisory authority. Exaforce shall cooperate in good faith with Customer to schedule any such audit on a mutually agreed upon date and time during Exaforce’s normal business hours (such agreement not to be unreasonably withheld by either party). In the event any data protection deficiencies are identified by the audit, Exaforce shall produce and provide Customer with a copy of a written report that includes plans to remedy such deficiencies and remedy any deficiencies identified within a reasonable time period mutually agreed between the Parties.
  6. Cross-border Transfers
    1. Adequate Measures for Transfers. Exaforce shall not transfer or otherwise Process Personal Data outside of the country of origin of such Personal Data, either directly or via onward transfer, unless Exaforce takes measures to ensure the transfer in compliance with Data Protection Laws and guidance from data protection regulatory authorities in relevant jurisdictions.
    2. Transfer Assessment. To the extent required under or necessitated by Data Protection Laws and/or guidance issued by data protection regulatory authorities in relevant jurisdictions, Exaforce shall conduct a risk assessment of any such international transfer to determine if the level of protection provided under the laws of the recipient country is adequate to protect the Personal Data in advance of engaging in any such transfer (“Transfer Assessment”) and implement additional measures as necessary to ensure the protection of the Personal Data.
    3. Standard Contractual Clauses. The Parties agree that the Standard Contractual Clauses shall apply to transfers of Personal Data from the EEA, UK, or Switzerland to Exaforce under this DPA where such Personal Data is Processed in third countries not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data.
  7. Subprocessors
    1. General Authorization. Customer acknowledges and agrees that Exaforce may subcontract Processing of Customer Personal Data to a Subprocessor to provide the Services. Exaforce’s current Subprocessors are listed in Annex C (Approved List of Subprocessors) of this DPA.
    2. Liability for Subprocessors. Prior to disclosing any Customer Personal Data to any Subprocessor, Exaforce shall: (a) enter into a written agreement with each such Subprocessor that imposes obligations that are no less protective than the obligations in this DPA; and (b) remain liable to Customer and responsible for the Subprocessor’s acts, errors, and omissions, and any failure to perform its obligations with respect to the Processing of Customer Personal Data and under Data Protection Laws.
    3. New Subprocessor. Prior to engaging any new Subprocessors that Process Customer Personal Data, Exaforce shall notify Customer via email (including details of the Processing it performs or shall perform) and allow Customer ten (10) calendar days to object. If Customer has legitimate objections to the appointment of any new Subprocessor, the Parties shall work together in good faith to resolve the grounds for the objection for no less than thirty (30) calendar days. Failing any such resolution, Customer may terminate the part of the Services performed under this DPA that cannot be performed by Exaforce without use of the objectionable Subprocessor. For the avoidance of doubt, Exaforce shall comply with the obligations set forth in Section 7.2 with respect to any new Subprocessor.
  8. Term and Termination
    1. Survival. This DPA shall remain in full force and effect so long as Exaforce retains any Customer Personal Data in its possession or control, even if Exaforce has fulfilled its obligations under all existing Order Forms.
    2. Material Breach. A party’s failure to comply with the terms of this DPA is a material breach. In the event of a material breach by either party, the other party may terminate this DPA, in whole or in part, effective immediately on written notice without further liability or obligation.
    3. Noncompliance. If a change in any Data Protection Law prevents either party from fulfilling all or part of its obligations under this DPA, the Parties shall suspend the Processing of Customer Personal Data until that Processing complies with the new requirements. If the Parties are unable to bring the Processing of Customer Personal Data into compliance with the Data Protection Laws within sixty (60) days, they may terminate this DPA on written notice to the other Party.
  9. General
    1. Annexes. The Annexes form part of this DPA and shall have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.
    2. Conflicts with SCCs or DPA. In the event of any conflict or inconsistency between the Agreement, the DPA, the provisions of the following documents (in order of precedence) shall prevail: (a) the Standard Contractual Clauses or International Data Transfer Addendum; then (b) the DPA; and then (c) the Agreement.
    3. Limitation of Liability. Liability arising out of or related to this DPA shall be subject to the liability terms in the Agreement.
    4. Choice of Law. Without prejudice to Standard Contractual Clauses or the UK International Data Transfer Addendum, this DPA shall be governed by and construed in accordance with the laws of the Agreement. Any disputes or claims arising under this DPA shall be brought in the State of New York.
    5. Changes in Data Protection Laws. In the event of any changes to Data Protection Laws that may require variation to this DPA, and upon notice from Customer, the Parties shall promptly discuss such variations and negotiate in good faith with a view to agreeing on and implementing variations to the DPA designed to address the requirements of any such changes in Data Protection Laws as soon as reasonably practical.

Annex A

Details of Processing

  1. Data Exporter
  2. Data Importer
  3. Activities relevant to the data transferred

Activities related to data transferred are described below in Section 4 (Processing Details) under the “Nature of the processing” and “Purpose of the data transfer and further processing” fields.

  4. Processing Details

Annex B

Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Exaforce’s Processing, as well as the risks to individuals, Exaforce will implement and maintain the following industry-standard technical and organizational security measures (“Security Measures”). Further details on Exaforce’s security posture can be found in Exaforce’s Trust Center, available at https://trust.exaforce.com.

These Security Measures are subject to technical progress and development and Exaforce may modify these Security Measures from time to time without notice, provided that such updates (1) are equivalent to (or enhance) the overall security of Services used by Customer during the applicable Subscription Term, and (2) do not materially diminish the level of protection afforded to Customer Data processed through Services during the applicable Subscription Term.

  1. Information Security Policies and Standards. Exaforce will implement and maintain industry-standard security requirements and measures for staff and all subcontractors, vendors, and agents who have access to Customer Personal Data, that are reasonably designed to:
    1. prevent unauthorized persons from gaining access to Customer Personal Data processing systems;
    2. prevent Customer Personal Data processing systems being used without authorization;
    3. ensure that persons entitled to use a Customer Personal Data processing system gain access only to such Customer Personal Data as they are entitled to access in accordance with their access rights and that, in the course of processing or use and after storage, Customer Personal Data cannot be read, copied, modified or deleted without authorization;
    4. ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Customer Personal Data by means of data transmission facilities can be established and verified;
    5. ensure the establishment of an audit trail to document whether and by whom Customer Personal Data have been entered into, modified in, or removed from Customer Personal Data processing;
    6. ensure that Customer Personal Data are processed solely in accordance with the instructions;
    7. ensure that Customer Personal Data are protected against accidental destruction or loss; and
    8. ensure that these measures are kept up to date and revised whenever relevant changes are made to the information system that uses or houses Customer Personal Data, or to how that system is organized.
  2. Physical Security. Exaforce will maintain commercially reasonable security systems at all Exaforce sites at which an information system that uses or houses Customer Personal Data is located. Exaforce will ensure that such systems reasonably restrict access to such Customer Personal Data as appropriate.
  3. Organizational Security. Exaforce will ensure that when media are to be disposed of or reused, procedures have been implemented to prevent any subsequent retrieval of any Customer Personal Data stored on them before they are withdrawn from the inventory. Exaforce will ensure that all Customer Personal Data security incidents are managed in accordance with appropriate incident response procedures.
  4. Network Security. Exaforce will maintain and implement network security using commercially available equipment and industry standard techniques, including firewalls, intrusion detection and/or prevention systems, access control lists and routing protocols.
  5. Access Control. Exaforce will ensure that only authorized staff can grant, modify or revoke access to an information system that uses or houses Customer Personal Data. Exaforce will implement and maintain commercially reasonable physical and electronic security to create and protect passwords.
  6. Personnel. Exaforce will implement and maintain a security awareness program to train personnel about their security obligations. Exaforce will ensure this program includes training about data classification obligations, physical security controls, security practices and security incident reporting.

Annex C

Approved List of Subprocessors

The Subprocessors authorized to Process Customer Personal Data to help Exaforce provide Services are listed here: 

  • Google Workspace 
  • AWS
  • Anthropic

Annex D

Approved Standard Contractual Clauses: Introduction and Supplemental Terms

  1. EEA Personal Data Transfers

Transfers of Customer Personal Data originating in the EEA by Customer to Exaforce or Exaforce to Customer in Third Countries are subject to: (a) Module Two (Controller to Processor) where Customer is a Data Controller and Exaforce is a Data Processor; and (b) Module Three (Processor to Processor) where Customer is a Data Processor and Exaforce is a Sub-Processor. The information required for the purposes of the SCCs is provided in Annex B (Security Measures) to this DPA.

  2. Swiss Personal Data Transfers

Where the Customer Personal Data is subject to the Swiss Federal Data Protection Act (“Swiss DPA”), the SCCs above shall apply and be read to be modified as follows:

    1. References to “Regulation (EU) 2016/679” and any articles therefrom shall be interpreted to include references to the Swiss DPA.
    2. References to “EU,” “Union,” and “Member State” shall be interpreted to include references to “Switzerland.”

  3. UK Personal Information Transfers

For Customer Personal Data transfers subject to UK Data Protection Laws and transferred in accordance with the UK International Transfer Addendum, the Parties agree as follows:

    1. Each Party agrees to be bound by the terms and conditions set out in the UK International Transfer Addendum, in exchange for the other Party also agreeing to be bound by the UK International Transfer Addendum.
    2. The SCCs shall be interpreted in accordance with Part 2 of the UK International Transfer Addendum.
    3. Sections 9 to 11 of the UK International Transfer Addendum override Clause 5 (Hierarchy) of the SCCs.
    4. For the purposes of Section 12 of the UK International Transfer Addendum, the EU SCCs shall be amended in accordance with Section 15 of the UK International Transfer Addendum.
    5. Information required by Part 1 of the UK International Transfer Addendum is provided as Annex A (Details of Processing) of this DPA.
    6. To the extent that any revised transfer addendums or mechanisms are issued by the UK ICO, the Parties agree to incorporate such revisions in accordance with Sections 18-20 of the UK International Transfer Addendum.

  4. Other Country Transfers

For Customer Personal Data transfers subject to other Data Protection Laws which require the use of SCCs (or other measures) to transfer Customer Personal Data to Third Countries, the parties agree to implement such SCCs or other measures as soon as practicable and document such requirements for implementation.

  5. Signatures

The Parties agree that the SCCs and the UK International Transfer Addendum are incorporated by reference and that by executing this DPA each party is deemed to have executed the SCCs and the UK International Transfer Addendum.

  6. European Area SCC and UK Transfer Addendum Information

Where this Section 6 does not explicitly state that it applies to a particular Module of the Standard Contractual Clauses, it applies to both Modules.