DATA PROTECTION AGREEMENT
Last Updated: September 3, 2025
This Data Protection Agreement (“DPA”) is entered into by and between:
- Visdum Tech Inc., a Delaware corporation with its registered address at 1007 N Orange Street Ste 683, Wilmington, DE 19801 (“Visdum” or “Processor”); and
- The entity identified as Customer in the Agreement (“Customer” or “Controller”),
(each a “Party” and collectively the “Parties”).
This DPA forms part of and is subject to the Agreement governing Customer’s use of Visdum’s Services.
RECITALS
A. Customer acts as a Controller of Personal Data.
B. Visdum provides cloud-based sales compensation and incentive management software and acts as a Processor on behalf of Customer.
C. The Parties seek to ensure compliance with Applicable Data Protection Laws, including GDPR, UK GDPR, Swiss FADP, and CCPA/CPRA.
D. This DPA governs the Processing of Customer Personal Data by Visdum in connection with the Services.
The Parties therefore agree as follows:
1. DEFINITIONS
For the purpose of this DPA:
Term: Applicable Data Protection Laws
Meaning: GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and any similar laws governing personal data protection.

Term: Customer Personal Data
Meaning: Personal Data processed by Visdum on behalf of Customer under the Agreement.

Term: Data Subject
Meaning: The identified or identifiable natural person to whom Personal Data relates.

Term: Personal Data Breach
Meaning: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data.

Term: Subprocessor
Meaning: A third party engaged by Visdum to process Customer Personal Data.
Customer is the Controller. Visdum is the Processor.
2. DATA PRIVACY FRAMEWORK AND INTERNATIONAL TRANSFERS
2.1 Data Privacy Framework Participation
Visdum is a certified participant in:
- EU-U.S. Data Privacy Framework (EU-U.S. DPF)
- UK Extension to the EU-U.S. DPF
- Swiss-U.S. Data Privacy Framework
2.2 Primary Transfer Mechanism
Transfers of Personal Data from the EU/UK/Switzerland to the United States rely primarily on the Data Privacy Framework.
2.3 SCC Fallback
In circumstances where the DPF is inapplicable or invalidated, the Parties automatically rely on the EU Standard Contractual Clauses (Module 2: Controller→Processor) and the UK/Swiss Addenda, without further action required.
3. INSTRUCTIONS AND PURPOSE LIMITATION
Visdum shall:
- Process Customer Personal Data solely to provide the Services;
- Follow Customer’s documented instructions; and
- Not:
- Sell or share Customer Personal Data,
- Use Customer Personal Data for advertising or profiling,
- Combine Customer Personal Data with other datasets except as required to provide or secure the Services.
Visdum will notify Customer if it believes an instruction is unlawful.
4. DATA OWNERSHIP
Customer retains all ownership and rights in Customer Personal Data.
No right or license is granted to Visdum except to provide the Services.
5. CONFIDENTIALITY
Visdum ensures all personnel with access to Customer Personal Data are subject to confidentiality obligations.
6. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Visdum maintains industry-standard controls to protect Customer Personal Data, including:
- Encryption: AES-256 at rest; TLS 1.2+ in transit
- Access Controls: Role-based access, least privilege, MFA enforced for privileged operations
- Monitoring: CloudTrail, CloudWatch, GuardDuty, audit logging
- Network Security: VPC segmentation, Security Groups, WAF, IDS/IPS, threat detection
- Resilience: Daily backups, multi-AZ redundancy, annual DR testing
- Testing: Annual external penetration testing; quarterly vulnerability scanning
- Secure SDLC: Code review, dependency and secret scanning, CI security gating
- Incident Response: Documented IR plan and defined escalation runbooks
Full details provided in Appendix II.
7. SUBPROCESSORS
Customer authorizes the use of the following Subprocessors:
Subprocessor | Purpose | Location
Amazon Web Services (AWS) | Cloud hosting & VPC infrastructure | USA
Google Workspace | Email & file collaboration | USA
Slack | Secure internal communication | USA
Atlassian (Jira, Confluence, Bitbucket) | Issue tracking, knowledge management, source control | USA
AWS Simple Email Service (SES) | Transactional email sending | USA
Visdum will provide 30 days prior notice before adding a new Subprocessor.
Customer may object on reasonable data protection grounds.
8. DATA SUBJECT RIGHTS ASSISTANCE
Visdum will assist Customer in responding to rights requests under GDPR/CCPA where feasible and only under Customer instruction.
9. PERSONAL DATA BREACH NOTIFICATION
Upon confirmation of a Personal Data Breach impacting Customer Personal Data, Visdum will:
- Notify Customer without undue delay and no later than 72 hours;
- Provide known details, mitigation steps, and follow-up updates.
10. RETURN OR DELETION OF DATA
Upon termination or written request:
- Customer Personal Data will be returned or deleted within 30 days; and
- Backups will be securely overwritten within 90 days.
11. AUDIT RIGHTS
Visdum shall:
- Provide SOC 2 Type II and ISO/IEC 27001 reports on request;
- Respond to reasonable security questionnaires;
- Permit additional audits only where legally required, subject to reasonable notice and scope.
12. CCPA/CPRA SERVICE PROVIDER CERTIFICATION
Visdum certifies it acts as a Service Provider and will:
- Not “sell” or “share” Personal Data
- Not use Personal Data beyond the Services
- Not retain, disclose, or combine Personal Data except as permitted by law
13. LIABILITY
Liability under this DPA is subject to the liability limitations in the Agreement and is capped at twelve (12) months of fees.
14. PRECEDENCE
If this DPA conflicts with the Agreement, this DPA controls with respect to data protection.
APPENDIX I — DESCRIPTION OF PROCESSING
(Same as previous)
APPENDIX II — DETAILED TECHNICAL & ORGANIZATIONAL MEASURES
(This is where we will now expand to the 2–3 page security matrix.)
APPENDIX III — SUBPROCESSORS
(As listed in Section 7)