Data Processing Agreement

This Data Protection Agreement ("Addendum"), forms part of the Terms of Service ("Terms") between (i) Visdum Tech Inc. ("Visdum Tech") and (ii) You, each being a “Party” and together the “Parties”.

The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Terms and references in this Addendum to the Terms are to the Terms as amended by, and including, this Addendum.

1. Definitions

1.1 In this Addendum, the following termsshall have the meanings set out below and cognate terms shall be construed accordingly:

‍"Addendum Effective Date" has the meaning given to it in section 2;
‍
‍"Affiliate" means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with either Client or Visdum Tech (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

‍"Client Personal Data" means any Personal Data Processed by Visdum Tech (i) on behalf of Client (including for the sake of clarity, any Client Affiliate), or (ii) otherwise Processed by Visdum Tech, in each case pursuant to or in connection with instructions given by Client in writing, consistent with the Terms;
‍
“Data Protection Laws” shall mean the data protection laws of the country in which You are established and any data protection laws applicable to You in connection with the Terms, including but not limited to (a) laws and regulations applicable to the GDPR, (b) in respect of the UK, the GDPR as saved into United Kingdom by virtue of section 3 of the United Kingdom European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act, 2019 (c) the Swiss Federal Data Protection Act and its implementing regulations (“Swiss DPA”) in each case, as may be amended, superseded or replaced.
‍
‍"Services" means the services to be supplied by Visdum Tech to Client or Client Affiliates pursuant to the Terms; and

“Standard Contractual Clauses” or “SCCs” means (i) where the GDPR applies, the standard contractual clauses as approved by the European Commission (Implementing Decision (EU) 2021/914 of 04 June 2021) Implementing Decision (EU) 2021/914 of 04 June 2021) and available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914 (“EU SCCs”); (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner, Version B1.0, in force from 21 March 2022 set forth as Appendix IV (“UK SCCs”) and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”) (in each case, as updated, amended or superseded from time to time).

‍1.2 The terms "Controller", "DataSubject", "Personal Data","Personal Data Breach","Process", "Processor" and “Supervisory Authority” have the same meanings as described in applicable Data Protection Laws, and cognate terms shall be construed accordingly.

‍1.3 Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Terms.

2. Formation of this Addendum

This Addendum is deemed agreed by the Parties and comes into effect on the “Addendum Effective Date”,being the later of (i) the date that this Addendum is accepted by Client; and(ii) Visdum Tech.

3. Roles of the Parties

The Parties acknowledge and agree that with regard to the Processing of ClientPersonal Data, and as more fully described in APPENDIX 1 hereto, Client acts as a Controller and Visdum Tech acts as a Processor (as defined in section 5.2.4 below).

The Parties expressly agree that Client shall be solely responsible for ensuring timely communications to Client’s Affiliates or the relevant Controller(s) who receive the Services, insofar as such communications may be required or useful in light of applicable Data Protection Laws to enableClient’s Affiliates or the relevant Controller(s) to comply with such Laws.

4. Description of Personal Data Processing

In APPENDIX 1 to this Addendum, the Parties have mutually set out their understanding of the details of the Processing of the Client Personal Data to be Processed by VisdumTech pursuant to this Addendum, as required by Article 28(3) of the GDPR. Either Party may make reasonable amendments to APPENDIX 1 by written notice to the other Party and as reasonably necessary to meet those requirements. APPENDIX 1 does not create any obligation or rights for any Party.

5. Data Processing Terms

5.1 Client shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum. As between the Parties, Client shall be solely responsible for compliance with applicable DataProtection Laws regarding the collection of and transfer to Visdum Tech ofClient Personal Data. Client agrees not to provide Visdum Tech with any data concerning a natural person’s health, religion, or any special categories of data as defined in Article 9 of the GDPR.

‍5.2 Visdum Tech shall comply with all applicable Data Protection Laws in the Processing of Client Personal at a and Visdum Tech shall:

‍5.2.1 process the Client Personal Data relating to the categories of Data Subjects for the purposes of the Terms and for the specific purposes in each case as set out in APPENDIX 1 to this Addendum and otherwise solely on the documented instructions of Client, for the purposes of providing the Services and as otherwise necessary to perform its obligations under the Terms including with regard to transfers ofClient Personal Data to a third country outside to an international organization; Visdum Tech shall immediately inform Client if, in Visdum Tech’s opinion, an instruction infringes applicable Data Protection Laws;
‍
‍5.2.2 ensure that persons authorized to process the ClientPersonal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
‍
‍5.2.3 implement and maintain the technical and organizational measures set out in the Terms and, taking into account the state of the art,the costs of implementation and the nature, scope, context and purposes ofProcessing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement any further appropriate technical and organizational measures necessary to ensure a level of security appropriate to the risk of the Processing of Client Personal Data as per following:(a) pseudonymization and encryption of Client Personal Data;(b) ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services that processClient Personal Data;(c) restoring availability and access to Client PersonalData in a timely manner in the event of a physical or technical incident; and(d) regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of the Client Personal Data.Any amendment to such agreed measures that is necessitated by Client shall be dealt with via an agreed change control process between VisdumTech and Client;
‍
‍5.2.4 Client (on behalf of the relevant Controller(s), as applicable), hereby expressly and specifically authorizes Visdum Tech to engage another Processor to Process the Client Personal Data ("Other Processor"), and specifically the Other Processors listed in Appendix III hereto, subject to Visdum Tech's: (a) notifying Client of any intended changes to its use of Other Processors listed in Appendix III by emailing notice of the intended change to Client; (b) including data protection obligations in its contract with each Other Processor that are materially the same as those set out in thisAddendum; and (c) remaining liable to the Client for any failure by each Other Processor to fulfill its obligations in relation to the Processing of theClient Personal Data.

The Client shall have a period of 30 (thirty) days from the date of the notice to inform Visdum Tech in writing of any reasonable objection to the use of that Other Processor. The parties will then, for a period of no more than 30 (thirty) days from the date of the Client's objection, work together in good faith to attempt to find a commercially reasonable solution for the Client which avoids the use of the objected-to Other Processor. Where no such solution can be found, either Party may (notwithstanding anything to the contrary in the Terms) terminate the relevant Services immediately on written notice to theother Party, without damages, penalty, or indemnification whatsoever;
‍
‍5.2.5 to the extent legally permissible, promptly notify Client of any communication from a Data Subject regarding the Processing of Client Personal Data, or any other communication (including from a Supervisory Authority)relating to any obligation under the applicable Data Protection Laws in respect of the Client Personal Data and, taking into account the nature of theProcessing, assist Client (or the relevant Controller) by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Client’s, Client’s Affiliates’ or the relevant Controller(s)’ obligation to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR; Client agrees to pay Visdum Tech for time and for out of pocket expenses incurred by Visdum Tech in connection with the performance of its obligations under this Section 5.2.5;

‍5.2.6 upon Visdum Tech’s becoming aware of a Personal Data Breach involving Client Personal Data, notify Client without undue delay, of anyPersonal Data Breach involving Client Personal Data, such notice to include all information reasonably required by Client (or the relevant Controller) tocomply with its obligations under the applicable Data Protection Laws;

‍5.2.7 to the extent required by the applicable Data ProtectionLaws, provide reasonable assistance to Client, Client’s Affiliates’ or therelevant Controller(s)’ with its obligations pursuant to Articles 32 to 36 ofthe GDPR taking into account the nature of the Processing and information available to Visdum Tech; Client agrees to pay Visdum Tech for time and for outof pocket expenses incurred by Visdum Tech in connection with any assistance provided in connection with Articles 35 and 36 of the GDPR;

‍5.2.8 cease Processing the Client Personal Data upon the termination or expiry of the Terms, and at option of Client, Client’sAffiliates or the relevant Controller(s) either return or delete (including by ensuring such data is in non-readable format) all copies of the Client PersonalData Processed by Visdum Tech, unless (and solely to the extent and for suchperiod as) Country law requires storage of the Personal Data. Notwithstanding the foregoing or anything to the contrary contained herein, Visdum Tech may retain Personal Data and shall have no obligation to return Personal Data to the extent required by applicable laws or regulations obligations. Any suchPersonal Data retained shall remain subject to the obligations of confidentiality set forth in the Terms, and

‍5.2.9 make available to Client all information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections, by Client, or an auditor mandated by Client. For the purposes of demonstrating compliance with this Addendum under section5.2.9, the Parties agree that once per year during the term of the Terms, VisdumTech will provide to Client, on reasonable notice, responses to cybersecurityand other assessments. Client agrees to pay Visdum Tech for time and for out-of-pocket expenses incurred by Visdum Tech in connection with assistance provided in connection with such audits, responses to cybersecurity, and other assessments.

6. Transfers

‍Visdum Tech is certified by Information Security Management as per SOC 2 Type 2 and ISO 27001:2013 standards. Visdum Tech shall notify Client in writing without undue delay if it can no longer comply with its obligations under the Privacy compliance, and, in such a case, Visdum Tech will have the option of (i)promptly taking reasonable steps to remediate any non-compliance with applicable obligations under this Addendum, or (ii) engaging in a good faith dialogue with Client to determine a new data transfer mechanism to carry outthe purposes of the Terms.

Visdum Tech acts as a Processor with respect to Personal Data received pursuant to a data transfer.In the event the Privacy Compliance is invalidated, Client and each Client Affiliate (on behalf of the relevant Controller(s), as the case may be), if applicable (as "data exporter") and Visdum Tech (as"data importer"), with effect from the commencement of the relevant transfer, shall enter into the Controller to Processor SCCs (mutatis mutandis, as the case may be) in respect of any transfer (or onward transfer) from Client or Client Affiliate to Visdum Tech, where such transfer would otherwise be prohibited by applicable Data Protection Laws or by the terms of data transfer agreements put in place to address applicable Data Protection Laws.

Appendix 1 to the Controller to Processor SCCs shall be deemed to be pre-populated with the relevant sections of Appendix III to this Addendum and the processing operations are deemed to be those described in the Terms. Appendix 2 to the Controller to Processor SCCs shall be deemed to be pre-populated with the following "Taking into account state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of the varying likelihood for the rights and freedoms of natural persons, Visdum Tech shall implement appropriate technical and organizational measures as set forth in the Addendum."

‍7. Precedence

‍The provisions of this Addendum are supplemental to the provisions of the Terms. In the event of any inconsistency between the provisions of this Addendum and the provisions of the Terms, the provisions of this Addendum shall prevail.

8. Indemnity

‍To the extent permissible by law, Client shall indemnify and hold harmless Visdum Tech against all (i) losses, (ii) third-party claims,(iii) administrative fines, and (iv) costs and expenses (including without limitation, reasonable legal, investigatory and consultancy fees and expenses)reasonably incurred in relation to (i), (ii) or iii), suffered by Visdum Tech and that arise from any breach by Client of this Addendum or of its obligations under applicable Data Protection Laws.

9. Severability

‍The Parties agree that, if any section or sub-section of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this Addendum.

9. Others

‍The organization ensures that the contract to process PII addresses the organization’s role in providing assistance with the customer'sobligations.The Agreement considers the following and follows

a. Privacy by Design and default
b. Achieving Security of Processing
c. Notification of breaches involving PII to a Supervisory authority
d. Notification of breaches involving PII to Customers andPII Principals,
e. Conducting Privacy Impact Assessment
f. Assurance of Assistance by the PII Processors if prior consultations with relevant PII Protection authorities are needed.
g. Visdum Tech shall inform the customer if, in its opinion, a processing instruction infringes applicable legislation or regulation.
h. The organization does not use PII processed under a contract for the purposes of Marketing and Advertising
i. Coordinate with Clients to help Audit the systems. The organization provides the customer with the appropriate information so that it can demonstrate compliance with its obligations
j. Visdum Tech shall use AWS and PIPL as sub-processors withSecurity and Privacy requirements full filled.
k. The organization shall comply with all statutory and regulatory requirements, ISO 27001:2013, ISO 27701:2019, and EU GDPR requirements.
l. The Data shall be deleted, or de-identified after the processing is complete (This is after the retention period selected is complete).
m. Visdum Tech shall inform 24 hours in advance to clients in case of any legally binding requests for disclosure of PII.
n. For Access, Correction,and/or Erasure of the PII of Data subjects can be done by contacting the Data Protection Officer (DPO) below. Also, raising concerns and/or any complaints related with PII that can be done by contacting the Data Protection Officer.

Email ID: dpo@visdum.com
Contact Number: +1 312 586 8696

The following Appendices form an integral part of this DPA:

APPENDIX 1

A. LIST OF PARTIES UNDER THE SCCs

Data exporter(s): The Data Exporter is the entity that has subscribed to the Terms and their contact details are as provided by them while subscribing to the Terms. Signature & Date: By entering into the Agreement, the Data Exporter is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

Role: Controller
‍
Data importer(s):
Name: Visdum Tech Inc.
Address: 1007 N Orange Street Ste 683, Wilmington DE 19801, United States
Contact person’s name, position, and contact details: Prashant Kumar, CISO, dpo@visdum,.com
‍
Activities relevant to the data transferred under these Clauses: As specified in Part B.
‍
Signature and data: By entering into the Agreement, the Data Importer is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
‍
Role (Controller / Processor): Processor

B. DESCRIPTION OF TRANSFER
‍
Categories of data subjects whose personal data is transferred
‍
Unless provided otherwise by the data exporter, transferred Personal Data relates to the following categories of Data Subjects: employees, contractors, business partners or other individuals having Personal Data stored, transmitted to, made available to, accessed or otherwise processed by the data importer.

Categories of personal data transferred
‍
The transferred Personal Data concerns the following categories of data:
‍
Customer determines the categories of data and/or data fields which could be transferred per Visdum’s Services as stated in the relevant Agreement. The transferred Personal Data typically relates to the following categories of data: name, phone numbers, e-mail address, address data, system access / usage / authorization data, company name, contract data, invoice data, plus any application-specific data transferred by authorised personnel.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
‍
No Sensitive Personal Information transferred. The data exporter shall not disclose (and shall not permit any individual to disclose) any Sensitive Personal Data to the data importer for processing.
‍
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)

Data is transferred on a continuous basis

‍Nature of the processing

Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means).

Purpose(s) of the data transfer and further processing

‍Personal Data is transferred in the course of access and use of the data exporter’s Service so that the data importer may provide, support, maintain and improve the Service.
‍
The data importer may further transfer personal data to third-party service providers that host and maintain the data importer’s applications, backup, storage, payment processing, analytics and other services as specified in the section on sub-processors below. These third-party service providers may have access to or process personal data for the purpose of providing these services to the data importer.
‍
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Upon termination or expiry of the Terms, Visdum shall delete all Customer Data including Personal Data in accordance with the procedure contained in the Terms. This requirement shall not apply to the extent that Visdum is required by applicable law to retain some or all of the Personal Data, in which event Visdum shall isolate and protect the Personal Data from any further processing except to the extent required by such law.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

COMPETENT SUPERVISORY AUTHORITY
In respect of the SCCs:

Module 2: Transfer Controller to Processor

Where Customer is the data exporter, the supervisory authority shall be the competent supervisory authority that has supervision over the Customer in accordance with Clause 13 of the SCCs.
‍
Appendix II – Technical and Organizational Security Measures
‍
Visdum has implemented and shall maintain a security program in accordance with industry standards. Visdum has implemented and will maintain appropriate TOMS to protect Service Data from a Personal Data Breach. Reach out to us at security@visdum.com for our security policy document.
‍
Appendix III – List of Sub-Processors
‍
1.    Name of Sub-Processor: Amazon Web Services
Description of Processing: Hosting the Production Environment
Location of Sub-Processor: USA
‍
2.   Name of Sub-Processor: Google Workspace
Description of Processing: Email, File Repository
Location of Sub-Processor: USA

3.   Name of Sub-Processor: Slack
Description of Processing: Messaging
Location of Sub-Processor: USA

4.   Name of Sub-Processor: Atlassian
Description of Processing: Issue Management (Jira), Code Repository (BitBucket)
Location of Sub-Processor: USA

Appendix IV: UK SCCs

This UK SCCs shall stand included as an addendum to the EU SCCs set implemented under Clause 12.1 (a) of this DPA.Part 1: Tables

For data transfers from the United Kingdom that are subject to the UK SCCs, the UK SCCs will be deemed entered into (and incorporated into this Data Processing Addendum by this reference) and completed as follows:

(a) In Table 1 of the UK SCCs, the Parties’ details and key contact information shall be as set forth in Schedule A.A.

(b) In Table 2 of the UK SCCs, information about the version of the Approved EU SCCs, modules and selected clauses which this UK SCC is appended to shall be as set forth in Clauses 11.1 and 12.1(a)(i), (ii), (iii), (iv) of this DPA.

(c) In Table 3 of the UK SCCs:
i Annex 1A: List of Parties: Parties are as set forth in Appendix I.A.
ii Annex 1B: Description of Transfer: Description of Transfer is as set forth in Appendix I.B.
iii Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: TOMs are as set forth in Appendix II.
iv Annex III: List of Sub processors: Sub processors are as set forth in Appendix I.B.

(d) In Table 4 of the UK SCCs, both the data importer and the data exporter may end the UK SCCs in accordance with the terms of the UK SCCs.

Part 2: Mandatory Clauses

Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section ‎‎18 of those Mandatory Clauses.

DATA PROTECTION AGREEMENT