DATA PROTECTION ADDENDUM

THIS DATA PROTECTION ADDENDUM (this “DPA”) supplements and is part of each end user license or similar contractual arrangement entered into between doForms Inc., a Delaware corporation (“doForms” or “Company”) and customers of Company (each, “Customer”) governing Customer’s access to and use of doForms’ technology and related services solution (each, an “Agreement”). The effective date of this DPA is the effective date of the first Agreement entered into between the parties (the “DPA Effective Date”). Words and phrases used in this DPA, other than those capitalized for grammatical purposes, are defined in the Section of this DPA in which they first appear as indicated by bold type or, if not so defined, have the meanings given to them in the Agreement. References to Articles and Sections are references to those in this DPA unless otherwise indicated. The English language version of this DPA controls over any translation.

  1. SCOPE AND PURPOSE.

The two-fold purpose of this DPA is to set forth Company’s obligations with respect to the:

(a) security of all data processed by Company through the doForms solutions to which Customer subscribes regardless of whether that data is personal data (“Processed Data”);

(b) privacy and protection of data meeting the definition of “personal data” that is processed through the solutions (the “Customer Personal Data”); and

This DPA shall control over any conflicting data protection and/or privacy related terms or conditions in the Agreement (excluding terms governing use and disclosure of general confidential information) as well as any data security or privacy document or policy posted on Customer’s websites, its supplier portals, or similar locations. Company may update this DPA to reflect material changes in Company’s business practices or changes in applicable law, but in no event will any such change materially reduce the level of protection afforded to Processed Data when measured against Company’s obligation on the DPA Effective Date. If this DPA is changed, Company will provide Customer advance electronic notice thereof and 10 business days to object.  As used herein, “Comprehensive Data Protection Laws” means the General Data Protection Regulations separately adopted by the United Kingdom and by the European Union for use throughout the European Economic Area (collectively, the “GDPR”), the California Consumer Privacy Act (and as amended by the CPRA), and/or the similar laws in other United States jurisdictions (such as Colorado and Virginia) or around the world (such as the Personal Data Protection Act in Thailand).

  2. DATA SECURITY PROGRAM.

  2.1 Generally; Annual Updates. Company has adopted and implemented an enterprise-wide corporate information security program that includes physical, technical, organizational, and administrative measures designed to protect, in a manner consistent with accepted industry standards and applicable law, against anticipated or actual threats or hazards to the security and/or integrity of Processed Data, as well as the destruction, loss, unauthorized access to, or unauthorized use of, Processed Data (“Data Security Program”). Company reviews and, as necessary, updates the Data Security Program at least annually and whenever there is a material change in Company’s business practices or applicable law, but in no event will any such change materially reduce the level of protection afforded to Processed Data when measured against Company’s Data Security Program on the DPA Effective Date.

  2.2 Duration; Standards and Controls. Company will maintain the Data Security Program for the duration of each Agreement and thereafter for so long as Company has access to, or stores, Processed Data as part of any archival or related right at law or under an Agreement. The Data Security Program is designed by reference to recognized industry standards such as the ISO 270xx series of data security and information management standards, and the AICPA’s SOC1 and SOC2 reporting standards. Consequently, the Data Security Program includes standards and controls for:
Data Categorization and Management; Asset Management; Access Controls and Monitoring; Encryption; Vulnerability Prevention, Detection, Mitigation and Testing; Third Party Oversight; Data Incident Response and Management; Workforce Member Awareness; Data Retention and Destruction; and Business Continuity and Disaster Recovery.

  2.3 Scope of Data Security Program.

  (a) Company Systems and Personnel. The Data Security Program applies to all computing, networking, and telecommunications systems owned and operated by Company to store and process Processed Data. The Data Security Program further applies to all Company employees, onsite contractors, and those of Company’s off-site contractors who Company anticipates will have access to Processed Data. The Data Security Program requires that Company adopt standards and controls for reasonable due diligence and oversight of its third party sub-contractors and sub-processors including the Cloud Providers, if applicable (defined below). As part of such due diligence, and whether or not Section 3.7 also applies, Company confirms all such third parties will maintain data security programs or equivalent processes meeting industry standards and applicable regulatory requirements. Company’s own Data Security Program does not, however, otherwise apply directly to the Cloud Providers, sub-processors, or similar third parties.
  (b) Sub-contractors; Cloud Providers. In delivering the Company offerings, Company may use third party business partners and sub-contractors including either or both a cloud platform and a data storage infrastructure provider (collectively, the “Cloud Providers”). If applicable, the following will apply:

  (i) Data Security Programs. Cloud Providers operate on a shared-responsibility model whereby they, and not Company, are responsible for protecting the overall computing infrastructure and physical facilities of their cloud or storage platform, while Company is responsible for securing its technology environment (sometimes referred to as a “pod” or “tenant”) deployed on and operated from those platforms. Company will pass through to Customer the benefits of its sub-contractors’ (including the Cloud Providers’) data security and privacy practices and procedures for the applicable cloud or data storage infrastructure.

  (ii) Vulnerability Testing. Company has adopted standards and implemented controls under its Data Security Program for vulnerability prevention, detection, and mitigation. Company periodically tests those controls. In addition, during the term of each Agreement, Customer may, at its cost and expense, perform its own penetration testing and other vulnerability assessments of Cloud Providers and those portions of the Company technology loaded thereon, by following the Cloud Providers’ published procedures. As Company does not typically store material amounts of Processed Data in electronic form outside of the Cloud Providers’ infrastructure, Customer shall not be permitted to conduct vulnerability testing of Company’s or its other sub-contractors’ internal systems unless otherwise agreed in writing.

  2.4 Data Security Questionnaires and Audits. Company shall reasonably cooperate with Customer’s internal security personnel and/or regulators to complete questionnaires as they relate to Processed Data; provided, however, that Company reserves the right to charge Customer at Company’s standard hourly rates if such questionnaires are submitted more than once per year and/or if any such questionnaire requires more than 10 hours of total person effort in a calendar year. In addition, if an Auditable Event (defined below) occurs, Customer may conduct reasonable remote reviews of the security controls used by Company and, if reasonably necessary thereafter, conduct an on-site audit of Company. Customer will schedule all such reviews and audits by contacting Customer’s assigned Company relationship manager to determine a mutually agreed upon audit plan and timeline. The time and length of the audit shall be reasonable with respect to the type of Auditable Event that occurs, and will take into consideration the time needed to discuss and remediate any of the purported security concerns. Customer will conduct the review or audit itself or through a reputable third party designee that is not a Company competitor, does not already represent Company, and who is subject to customary confidentiality obligations at least as protective of Company as those under the Agreement. All audits shall be at Customer’s cost and expense. The results of all audits and Company’s responses to all questionnaires shall be the confidential information of Company subject to the confidentiality terms of each Agreement.
As used herein, an “Auditable Event” is any one or more of the following: (a) the lapse or revocation of, or the finding of a material deficiency under, a previously provided ISO 27001, SOC 2 Type 2, or equivalent or similar certification or report for the cloud infrastructure; and/or (b) the occurrence of a Data Security Breach (defined in Section 2.5), provided that such review and audit shall not be conducted until after resolution of the Data Security Breach to permit Customer to confirm that the causes thereof have been reasonably remedied. Cloud Providers do not permit Company or any of Company’s customers or their regulators to visit the Cloud Providers’ data centers or facilities, whether remotely or in-person, and therefore site visit rights under this Section do not extend to facilities under the control of Cloud Providers. Some Cloud Providers do, however, permit Company to submit data security questionnaires on Company’s customers’ behalf if required to satisfy regulatory obligations. Company will do so upon written request from Customer, if applicable. Company shall further reasonably cooperate with Customer’s request to obtain data security and privacy information from any of Company’s material sub-contractors (including the Cloud Providers), such as copies of their ISO certifications or SOC reports.
  2.5 Incident Response and Management. Company will evaluate and respond to all incidents that are, or create reasonable suspicion of, a Data Security Breach. The goal of Company’s incident response is to identify and contain the potentially unauthorized activity and restore the security, integrity, and availability of the affected systems as well as to establish root causes and remediation steps. Company’s information security team will be informed of all such incidents and will define escalation paths and response teams to address them. As used herein, “Data Security Breach” means the confirmed unauthorized access, acquisition, disclosure or use of Processed Data protected under the Data Security Program.

  2.6 Data Security Breach Notification. If Company determines that an incident actually was, or resulted in, a Data Security Breach, Company will, as relevant information is collected or otherwise becomes available to Company, provide Customer with a description of the Data Security Breach, the Processed Data adversely affected, and other information Customer may reasonably request, unless Company is prohibited by law from doing so. In any event, Company will notify Customer as soon as practical and without any unreasonable delay following Company’s determination that a Data Security Breach occurred, but in no event later than would allow Customer a reasonable period of time to meet Customer’s own reporting or notice obligations under applicable law. Typically, this means Company will notify Customer no more than 24 hours after Company has confirmed that Customer Personal Data has suffered a Data Security Breach. Additionally, the Company information security team will work with Customer, and, where necessary, with outside forensics investigators and regulatory and law enforcement authorities, to respond to and attempt to mitigate the adverse effects of a Data Security Breach. Company agrees to coordinate in good faith with Customer on developing the content of any related public statements that relate to Customer or any required notices to Customer’s data subjects resulting from a Data Security Breach.
  3. PROTECTION OF PERSONAL DATA.

  3.1 Capacity; Duration; Nature and Purpose. With respect to Customer Personal Data, the parties acknowledge and agree that: (a) Company primarily acts in the capacity of Customer’s “service provider” or “processor”, as applicable under Comprehensive Data Protection Laws; (b) the duration of Company’s processing is at Customer’s discretion, commensurate with the time period described in Section 2.2; (c) the nature and purpose of Company’s processing is limited to what is needed to perform for the benefit of Customer under an Agreement; and (d) the types of Customer Personal Data processed and categories of data subjects will be determined and disclosed in each Agreement. All of Company’s processing of such Customer Personal Data will further be subject to the obligations described in Sections 3.3 through 3.12 of this DPA below. If ordered under the Agreement, certain of doForms’ service lines may require doForms to act in the capacity of a “contractor” under California’s Comprehensive Data Protection Law. In such cases, and only such cases, doForms certifies that it understands and intends to comply with this Section 3.1 and Sections 3.3 and 3.11 hereof.
  3.2 Customer as Processor. In circumstances where the scope of work performed by Customer pursuant to the Underlying Contract requires Customer to act as Company’s Processor, Customer shall comply with the terms and conditions of this Article. Customer shall be automatically deemed a Processor for all Data Handling Activities that are not specifically listed in this Agreement.

  3.3 Customer Instruction; No Sale. Company will never sell Customer Personal Data nor combine it with personal data received from other sources. Company will process (including cross-border transfers described in Section 3.4) Customer Personal Data only on Customer’s instructions as documented in the applicable Agreement. If Company is required by law to process Customer Personal Data in a manner not covered by the instruction Company received from Customer, Company will, unless prohibited by law, inform Customer before so processing. Company will also promptly inform Customer if, in Company’s opinion, the Customer’s instruction violates the applicable Comprehensive Data Protection Laws.

  3.4 Cross-border Transfers.

  (a) Generally. To the extent the parties agree that transfer of Customer Personal Data from the Jurisdiction of Origin (defined below) is required, but the applicable Comprehensive Data Protection Laws restrict such transfer, the transferring party will conduct a transfer impact assessment (where Company is the transferring party, the assessment will be conducted in such manner and form as Company believes necessary based on the relative risks) to determine if appropriate safeguards are present in the Destination Jurisdiction (defined below). If the result of an assessment supports the transfer, it will occur only as permitted under the applicable Comprehensive Data Protection Laws and this Section 3.4. Where Company is the transferring party, the transfer shall be disclosed to Customer. As used herein, “Jurisdiction of Origin” means the country, and if applicable, territory, province, or state in which the data subjects were either located or resident (as determined by the applicable Comprehensive Data Protection Law) at the time their personal data was collected, and “Destination Jurisdiction” means the country, and if applicable, territory, province, or state, to which such personal data is being transferred.
  (b) Transfers under GDPR; SCCs. Where a transfer is governed by the GDPR, the transfer will be conducted in accordance with an approved mechanism, respectively, set forth in Articles 46 through 49 of the EU GDPR or UK GDPR, as applicable, which may, if determined by the transferring party in consultation with the receiving party, require binding the receiving party to the applicable Standard Contractual Clauses (“SCCs”) module appropriate to the roles of the parties in such transfer. Where SCCs Modules 2, 3, and/or 4 are used, the parties agree that if there is any conflict or contradiction between such SCCs and this DPA, the required resolution of such conflict in favor of the SCCs shall apply only to the act of transfer/importation and the sub-set of personal data directly involved therewith.

  (c) Customer Acknowledgement. Customer acknowledges that except as otherwise expressly stated in an Agreement, Company operates from its own and its Cloud Providers’ facilities around the world. If the parties agree that a cross-border transfer by Customer from a Jurisdiction of Origin to Company in one or more of those locations as the Destination Jurisdiction is required, then, subject to Sections 3.4(a) and 3.4(b), Customer is, as between Company and Customer, solely responsible for ensuring it is authorized to deliver its data to Company in the Destination Jurisdiction and for fulfilling the obligations of a data controller/collector/exporter under the applicable Comprehensive Data Protection Laws.
  3.5 Appropriate Measures; Security of Processing. The Data Security Program is designed to satisfy the requirement under the Comprehensive Data Protection Laws that Company adopt appropriate technical and organizational measures to protect Customer Personal Data. Company will apply its Data Security Program to Customer Personal Data including as necessary to permit Customer to comply with applicable Comprehensive Data Protection Laws such as the measures required under GDPR Article 32.

  3.6 Workforce Confidentiality Obligations. Company requires that members of its workforce (including contractors) who are authorized to process Customer Personal Data have committed themselves to the confidentiality thereof or are otherwise under an appropriate statutory obligation of confidentiality.

  3.7 Sub-processors. If Company engages a sub-processor to carry out Customer Personal Data processing activities that are otherwise part of Company’s obligation to Customer, Company will conduct due diligence to confirm they are capable of protecting Customer Personal Data to the same extent as Company is required to under this DPA, including by way of a contract or other legal act under applicable law and, to the extent required by applicable law (such as GDPR Article 28, paragraphs (2) and (4)), Company will obtain Customer’s consent prior to such engagement and notify Customer, with a reasonable opportunity to object, should Company change a previously approved sub-processor; provided that by entering into an Agreement, Customer is giving general consent to Company’s use of its Affiliates as sub-processors, as well as the use of sub-processors in the roles of the Cloud Providers.

  3.8 Data Subject Requests. Taking into account the nature of Company’s processing, Company will assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligation to respond to requests from data subjects to exercise their rights under applicable law including, where a data subject whose personal data Company is processing contacts Company instead of Customer, Company will, to the extent legally permitted, promptly notify Customer and reasonably cooperate with Customer to fulfil Customer’s obligations, subject to the fact that Customer is responsible for any reasonable costs arising therefrom.

  3.9 Verification; Assistance with Compliance. Company will assist Customer in ensuring compliance with Customer’s obligations to consult with certain regulatory authorities regarding the processing of Customer Personal Data including, where applicable, such obligations as are enumerated under GDPR Article 28 with respect to GDPR Articles 32 through 34 and 36, taking into account the nature of processing and the information available to Company. As described in Section 2.4 of this DPA, Company will make available to Customer information reasonably necessary to demonstrate Company’s compliance with this DPA.
  3.10 Supervisory Inquiries. If Company becomes subject to a Supervisory Inquiry (defined below), unless otherwise prohibited by law, Company shall immediately notify Customer thereof and may not independently respond thereto except as expressly instructed in writing by Customer. As between Customer and Company, Customer is the only party who shall respond to Supervisory Inquiries related to Customer Personal Data, unless expressly authorized by Customer or compelled by the express language of an applicable statute or regulation comprised by the Data Handling Rules. Company shall reasonably assist Customer in asserting and protecting the Customer Personal Data including by preventing and/or limiting disclosure. If such disclosure cannot be prevented, Customer, and not Company, shall disclose the required portion of Customer Personal Data directly to the applicable authority. “Supervisory Inquiry” means a non-subpoena request for access to, or information about, Customer Personal Data from any governmental authority (including the U.S. Securities and Exchange Commission, U.S. Federal Trade Commission, and the Data Protection Authorities in the various GDPR jurisdictions) and/or self-regulatory bodies.
  3.11 Deletion or Return. Company will, at Customer’s election, delete or return all Customer Personal Data at the end of each Agreement, and delete existing copies unless applicable law requires otherwise. Company will, however, avail itself of any right that applicable law provides permitting Company to retain archival copies of such Customer Personal Data or to delete such data in the ordinary course of Company’s documented back-up, retention, and destruction procedures. In those situations, Company acknowledges that this DPA continues to govern all such retained Customer Personal Data.
  3.12 Breach Notification. Company will notify Customer of and respond to any Data Security Breach as described in Section 2.6 of this DPA. If applicable law requires that such notification contain specific information (as is the case under GDPR Article 33(3)), Company will provide the same to Customer to the extent such information is reasonably available to Company. For purposes of this Section 3.12, “personal data” includes such data as defined under those breach notification statutes in the various U.S. states that are not Comprehensive Data Protection Laws.
  4. DOFORMS AS SUCCESSIVE INDEPENDENT CONTROLLER.

In certain circumstances, such as issuing administrator credentials for Customer access to doForms’ services, doForms may be required to make independent decisions regarding the manner and means by which Customer Personal Data is processed and, as such, shall be a successive independent controller to Customer with respect to the Customer Personal Data used in such circumstances. To the extent relevant under Comprehensive Data Protection Laws applicable to Customer Personal Data, doForms and the applicable local entity, doForms Global S.L., are independent successive controllers with respect to all processing of such data as described in this notice. Each party, as a successive independent controller, shall comply with applicable Comprehensive Data Protection Laws including: (a) determining its legitimate interests or other lawful bases for processing; (b) providing all required notices both at the time of collection (including, where GDPR is applicable, conducting its own evaluation of whether the notice exception under GDPR Article 14(5)(a) is available) and upon the occurrence of a Data Security Breach; and (c) managing and responding to all verified data subject attempts to exercise their rights. doForms and Customer will reasonably cooperate with one another to the extent required to comply with Comprehensive Data Protection Laws applicable to their respective roles as successive independent controllers, including in responding to the exercise of rights by verifiable data subjects. Certain Comprehensive Data Protection Laws make each independent controller jointly and severally liable for the acts and omissions of the other. Whenever that is the case, the party whose acts and omissions gave rise to the applicable claim shall indemnify and hold the other harmless (with no obligation of defense) from such liability. Under no circumstances will the parties act as joint controllers as that term is defined and construed under GDPR Article 26.

  5. EXCLUSIONS AND CONDITIONS.

The collection and processing of business contact information (such as name, title, and corporate domain email address) presents a very low likelihood of risk of harm to data subjects. As such, following the majority of Comprehensive Data Protection Laws, such business contact information as is exchanged between the parties to administer their contractual relationship and receive credentials to Company’s customer portals or similar tools is not treated as Customer Personal Data under this DPA. In addition, Company is not responsible under this DPA for any event related to or arising out of: (a) Customer’s own connection to the Public Network (defined below); (b) negligence by Customer, including its personnel or contractors; (c) breach of an Agreement by Customer or those under its reasonable control; (d) failures beyond Company’s reasonable control; and/or (e) Customer’s failure to implement and maintain the required Customer-side data security and privacy standards and controls. “Public Network” means the circuits, overland and/or submarine cabling, and other telecommunications and connectivity infrastructure from a point of demarcation starting immediately after the ingress/egress router or similar appliance for Customer’s network to the point immediately before the ingress/egress router or similar appliance at the facilities doForms uses for its own networks and communications infrastructure including those operating on the Cloud Providers’ infrastructure.

END OF DATA PROTECTION ADDENDUM