Data Processing Agreement

DREAMTEAMOS DATA PROCESSING ADDENDUM

Customer (“Customer”) has entered into an agreement with DreamTeamOS, Inc. (“Provider”, “we”, “us”) under which Provider has agreed to provide the Services (as defined below) in accordance with such agreement (the “Agreement”). This Data Processing Agreement (the “DPA”) is incorporated into and forms part of the Agreement and shall be effective on the effective date of the Agreement. Customer and Provider are each referred to as a “Party” and collectively as the “Parties”.

To the extent that Provider processes any Personal Data (as defined below) on behalf of the Customer (or, where applicable, the Customer Affiliate) in connection with the provision of the Services, the Parties have agreed that it shall do so on the terms of this DPA.

Except as modified below, the terms of the Agreement shall remain in full force and effect. Notwithstanding anything to the contrary in the Agreement, if there is a conflict between this DPA and the Agreement, this DPA will control. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

1. Definitions

The terms used in this DPA shall have the meanings set forth in this DPA or as defined by Applicable Privacy Law, whichever is broader. Capitalized terms not otherwise defined herein or defined by Applicable Privacy Law shall have the meaning given to them in the Agreement. The following terms have the meanings set forth below:

1.1 “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Provider or Customer, respectively.

1.2 “Applicable Privacy Law” shall mean applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which Provider is subject, including, but not limited to, (a) the US Data Protection Laws, (b) the EU General Data Protection Regulation 2016/679 (“GDPR”) including the applicable implementing legislation of each Member State (“EU GDPR”), (c) the UK Data Protection Act 2018 and the UK General Data Protection Regulation as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR” and together with the EU GDPR, the “GDPR”), (d) the Swiss Federal Act on Data Protection of 19 June 1992 (the “Swiss DPA”), (e) any other applicable law with respect to any Personal Data to which the Provider is subject, and (f) any other data protection law and any guidance or statutory codes of practice issued by any relevant Privacy Authority, in each case, as amended from time to time and any successor legislation to the same.

1.3 “Data Subject” shall mean an identified or identifiable natural person.

1.4 “EEA” means the European Economic Area.

1.5 “Personal Data” shall mean (i) personal data, personal information, personally identifiable information, or similar term as defined by Applicable Privacy Law or (ii) if not defined by Applicable Privacy Law, any information that relates to a Data Subject; in each case, to the extent Processed by Provider, on behalf of Customer, in connection with Provider’s performance of the Services.

1.6 “Privacy Authority” shall mean any competent supervisory authority, attorney general, or other regulator with responsibility for privacy or data protection matters in the jurisdiction of Provider.

1.7 “Process”, “Processing” or “Processed” shall mean any operation or set of operations, as defined in the Applicable Privacy Law, performed upon Personal Data whether or not by automatic means, including collecting, recording, organising, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data.

1.8 “Security Breach” means a breach of Provider’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Provider’s possession, custody or control. Security Breaches do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

1.9 “Services” shall mean the services as described in the Agreement or any related order form or statement of work.

1.10 “Standard Contractual Clauses” means (a) with respect to restricted transfers (as such term is defined under Applicable Privacy Law) which are subject to the EU GDPR and other Applicable Privacy Laws pursuant to which the same have been adopted, the Controller-to-Processor standard contractual clauses, as set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, as may be amended or replaced by the European Commission from time to time (the “EU SCCs”), (b) with respect to restricted transfers subject to the UK GDPR pursuant to which the EU Clauses have not been adopted, such other transfer clauses as may be adopted from time to time under the UK GDPR (the “UK SCCs”) and other Applicable Privacy Laws, and (c) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) (the “Swiss SCCs”).

1.11 “Subprocessor” shall mean any subcontractor (including any third party and/or Provider Affiliate) engaged by Provider to Process Personal Data on behalf of Customer.

1.12 “Supervisory Authority” shall mean: (a) in the context of the UK GDPR, the UK Information Commissioner’s Office; and (b) in the context of the EU GDPR, shall have the meaning given to that term in Article 4(21) of the EU GDPR.

1.13 “US Data Protection Laws” means (a) the California Consumer Privacy Act as amended by the California Privacy Rights Act and any binding regulations promulgated thereunder (“CCPA”), (b) the Colorado Privacy Act (“CPA”), (c) the Virginia Consumer Data Protection Act (“VCDPA”), (d) the Connecticut Data Protection Act (“CTDPA”), and (e) the Utah Consumer Privacy Act (“UCPA”); in each case, as updated, amended or replaced from time to time.

2. Processing Requirements.

2.1 Provider shall comply with Applicable Privacy Law in the Processing of Personal Data and only Process Personal Data for the purposes of providing the Services and in accordance with Customer’s instructions, and as may subsequently be agreed between the Parties in writing. The details of Provider’s Processing of Customer’s Personal Data are described in Exhibit A. Provider shall promptly inform Customer if (a) in Provider’s opinion, an instruction from Customer violates Applicable Privacy Law; or (b) Provider is required by applicable law to otherwise Process Personal Data, unless Provider is prohibited by that law from notifying Customer under applicable law.

2.2 Provider shall implement and maintain reasonable and appropriate technical measures that will ensure that Customer’s reasonable and lawful instructions can be complied with, including the following:

a. updating, amending, correcting, or providing access to the Personal Data of any Data Subject upon written request of Customer from time to time;

b. cancelling, deleting, or blocking access to any Personal Data upon receipt of written instructions from Customer;

c. otherwise facilitating Customer’s responses to Data Subject requests as required under Applicable Privacy Law; and

d. Provider shall promptly re-direct any request from a Data Subject to exercise any of its Data Subject rights to Customer, and shall not respond directly to the Data Subject unless instructed so by Customer in writing.

2.3 Provider acknowledges that (a) Customer discloses Personal Data to Customer solely for the business purpose of Customer, and (b) Provider has not and will not receive any monetary or other valuable consideration in exchange for their receipt of the Personal Data, and that any consideration paid by Customer to Provider under the Agreement relates only to Provider’s provision of the Services. Provider shall not: (i) retain, use, or disclose any Personal Data for any purpose other than for the specific purpose of providing the Services under the Agreement, including retaining, using, or disclosing Personal Data for a commercial purpose (as defined in CCPA) other than providing the Processing Services under the Services Agreement; (ii) combine the Personal Data with any other personal information, except as specifically instructed by Customer in writing; and (iii) include Personal Data in any product or service offered to third parties. In addition, Provider shall not sell, share (as that term is defined in the CCPA), rent, transfer, or purport to transfer Personal Data to a third party for any purpose, except as specifically instructed by Customer in writing, or otherwise disclose any Personal Data except to authorised Subprocessors needed to render the Services.

2.4 Provider shall provide to Customer such co-operation, assistance and information as Customer may reasonably request to enable it to comply with its obligations under Applicable Privacy Law and co-operate and comply with the directions or decisions of a relevant Privacy Authority, in each case (a) solely to the extent applicable to Customer’s provision of the Services, and (b) within such reasonable time as would enable Customer to meet any time limit imposed by the Privacy Authority.

2.5 To the extent Provider receives deidentified Personal Data from Customer or the Services under the Agreement allow for the deidentification of Personal Data, Provider represents and warrants to not reidentify, attempt to reidentify, or direct any other party to reidentify any Personal Data that has been deidentified.

3. Confidentiality

Without prejudice to any existing contractual arrangements between the Parties, the Provider will treat all Personal Data as confidential and it will inform all its employees, agents and any approved sub-providers engaged in processing the Personal Data of the confidential nature of the Personal Data. The Provider will ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.

4. Security of Personal Data.

4.1 Provider shall maintain, during the term of the Agreement, appropriate technical and organizational security measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access, as set forth in Exhibit B.

4.2 Provider shall ensure the reliability of any employees who Process Personal Data.

5. Customer Obligations

5.1 Customer’s Security Responsibilities. Customer agrees that, without limitation of Provider’s obligations under Section 3 (Security of Personal Data), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Provider uses to provide the Services; and (d) backing up Personal Data.

5.2 Prohibited Data. Customer represents and warrants to Provider that Personal Data provided to Provider under the Agreement does not and will not, without Provider’s prior written consent, contain any social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such law; information subject to restrictions under Applicable Data Protection Laws governing Personal Data of children, including, without limitation, all information about children under 13 years of age; or any information that falls within any special categories of data (as defined under Applicable Privacy Laws).

6. Subprocessors

6.1 Provider shall not, without Customer’s prior written consent, sub-contract or outsource any Processing of Personal Data to any Subprocessor; provided that Customer shall not unreasonably withhold or delay consent to Provider’s appointment of any Subprocessor. Without limiting the foregoing, Provider authorizes Customer to engage the Subprocessors set forth on Exhibit C.

6.2 When engaging any Subprocessor, Provider will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. Provider shall be liable for all obligations under the Agreement subcontracted to the Subprocessor and for its actions and omissions related thereto.

6.3 When Provider engages any new Subprocessor after the effective date of the Agreement, Provider will notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by notifying Customer of any changes in writing. If Customer objects to such engagement in a written notice to Provider within 30 days after being informed of the engagement on reasonable grounds relating to the protection of Personal Data, Customer and Provider will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Provider and pay Provider for all amounts due and owing under the Agreement as of the date of such termination.

7. Breach Notification

7.1 Notification to Customer. Unless otherwise prohibited by applicable law, Provider shall notify Customer without undue delay, and in any event within 72 hours after Provider becomes aware of a Security Breach. Such notification shall include, to the extent such information is available, (a) a detailed description of the Security Breach, (b) the type of data that was the subject of the Security Breach and (c) the identity of each affected person (or, where not possible, the approximate number of Data Subjects and of Personal Data records concerned). In addition, Provider shall communicate to Customer (i) the name and contact details of Provider’s data protection officer or other point of contact where more information can be obtained, (ii) a description of the likely consequences of the Security Breach, and (iii) a description of the measures taken or proposed to be taken by Provider to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.

7.2 Investigation. Provider shall take prompt action to investigate the Security Breach and shall use industry standard, commercially reasonable efforts to mitigate the effects of any such Security Breach in accordance with its obligations hereunder.

8. Privacy Impact Assessment

Provider shall, promptly upon receipt of written request by Customer, (a) make available to Customer such information as is reasonably necessary to demonstrate Customer’s compliance with Applicable Privacy Law to the extent applicable to the Services, and (b) reasonably assist Customer in carrying out any privacy impact assessment and any required prior consultations with Privacy Authorities, taking into account the nature of the Processing and the information available to Provider. Provider shall reasonably cooperate with Customer to implement such mitigation actions as are reasonably required to address privacy risks identified in any such privacy impact assessment. Unless such request follows a Security Breach or is otherwise required by Applicable Privacy Law, Customer shall not make any such request more than once in any 12-month period.

9. Audit Rights.

Customer may audit Provider’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by Applicable Data Privacy Laws, including where mandated by Customer’s Supervisory Authority. Provider will contribute to such audits by providing Customer or Customer’s Supervisory Authority with the information and assistance that Provider considers appropriate in the circumstances and reasonably necessary to conduct the audit. To request an audit, Customer must submit a proposed audit plan to Provider at least two weeks in advance of the proposed audit date, and any third-party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Provider will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Provider security, privacy, employment or other relevant policies). Provider will work cooperatively with Customer to agree on a final audit plan. Nothing in this Section 8 shall require Provider to breach any duties of confidentiality. If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third-party auditor within twelve (12) months of Customer’s audit request and Provider has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures.

The audit must be conducted during regular business hours, subject to the agreed final audit plan and Provider’s safety, security or other relevant policies, and may not unreasonably interfere with Provider business activities. Any audits are at Customer’s sole expense. Customer shall reimburse Provider for any time expended by Provider and any third parties in connection with any audits or inspections under this Section 8 at Provider’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

10. Deletion of Personal Data.

Provider shall delete all the Personal Data on Provider’s systems on Customer’s request and after the end of the provision of Services, and shall delete existing copies unless continued storage of the Personal Data is required by (i) applicable laws of the European Union or its Member States, with respect to Personal Data subject to European Data Protection Laws or (ii) Applicable Data Protection Laws, with respect to all other Personal Data. Provider will comply with such instruction as soon as reasonably practicable and no later than 180 days after such expiration or termination, unless Applicable Data Protection Laws require storage. Customer may choose to request a copy of such Personal Data from Provider for an additional charge by requesting it in writing at least 30 days prior to expiration or termination of the Agreement. Upon the parties’ agreement to such charge pursuant to a work order or other amendment to the Agreement, Provider will provide such copy of such Personal Data before it is deleted in accordance with this clause.

11. Third Party Disclosure Requests.

11.1 Unless prohibited by applicable law, Provider shall promptly notify Customer of any inquiry, communication, request or complaint, to the extent relating to Provider’s Processing of Personal Data on behalf of Customer, from:

  (a) any governmental, regulatory or supervisory authority, including Privacy Authorities or the U.S. Federal Trade Commission; and/or
  (b) any Data Subject,

and shall, taking into account the nature of the Processing, provide reasonable assistance to enable Customer to respond to such inquiries, communications, requests or complaints and to meet applicable statutory or regulatory deadlines. Provider shall not disclose Personal Data to any of the persons or entities in (a) or (b) above unless it is legally required to do so and has otherwise complied with the obligations in this Section 9.1 and Section 9.2.

11.2 In the event that Provider is required by law, court order, warrant, or other legal judicial process (“Legal Request”) to disclose any Personal Data to any person or entity other than Customer, including any national security authority or other government body, Provider shall attempt to redirect the government request to Customer. If Provider is unable to redirect the request, Provider shall, unless prohibited by applicable law, notify Customer promptly and shall provide all reasonable assistance to Customer to enable Customer to respond or object to, or challenge, any such Legal Requests and to meet applicable statutory or regulatory deadlines. If Provider is prohibited by applicable law from providing notice to Customer of a Legal Request, Provider shall use commercially reasonable efforts to object to, or challenge, any such Legal Request to avoid or minimize the disclosure of Personal Data. Provider shall not disclose Personal Data pursuant to a Legal Request unless it is required to do so by applicable law and has otherwise complied with the obligations in this Section 9.2.

12. Transfers out of the EEA

If Customer transfers Personal Data out of the EEA to Provider in a country not deemed by the European Commission to have adequate data protection, such transfer will be governed by the EU SCCs, the terms of which are hereby incorporated into this DPA. Provider shall provide a copy of the signed version of the EU SCCs to Customer upon request. In furtherance of the foregoing, the parties agree that:

12.1 Customer will act as the data exporter and Provider will act as the data importer under the EU SCCs;

12.2 for purposes of Annex 1 to the EU SCCs, the categories of data subjects, data, special categories of data (if appropriate), and the Processing operations shall be as set out in Section B to Exhibit A;

12.3 for purposes of Annex 2 to the EU SCCs, the technical and organizational measures shall be the Security Measures;

12.4 Clause 7 of the EU SCCs (Docking Clause) does not apply.

12.5 Clause 9(a) Option 2 (General written authorization) is selected, and the time period to be specified is determined in clause 6.3 of the DPA.

12.6 the option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.

12.7 with regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that option one shall apply. The Parties agree that the governing law shall be the law of the Republic of Ireland.

12.8 in clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of the Republic of Ireland.

13. Transfers out of the UK

If Customer transfers Personal Data out of the UK to Provider in a country not deemed by the UK Government to have adequate data protection, such transfer will be governed by the UK SCCs, the terms of which are hereby incorporated into this DPA. Provider shall provide a copy of the signed version of the UK SCCs to Customer upon request. In furtherance of the foregoing, the parties agree that:

13.1 Customer will act as the data exporter and Provider will act as the data importer under the UK SCCs;

13.2 for purposes of Appendix 1 to the UK Standard Contractual Clauses, the categories of data subjects, data, special categories of data (if appropriate), and the Processing operations shall be as set out in Section B to Exhibit A;

13.3 for purposes of Appendix 2 to the UK Standard Contractual Clauses, the technical and organizational measures shall be the Security Measures;

13.4 Notwithstanding the foregoing, the Standard Contractual Clauses (or obligations the same as those under the Standard Contractual Clauses) will not apply to the extent an alternative recognized compliance standard for the transfer of Personal Data outside the EEA or the UK in accordance with Applicable Privacy Laws applies to the transfer.

14. Transfers out of Switzerland

If Customer transfers Personal Data out of Switzerland to Provider in a country not deemed by the FDPIC to have adequate data protection, such transfer will be governed by the Swiss SCCs, the terms of which are hereby incorporated into this DPA. Provider shall provide a copy of the signed version of the Swiss SCCs to Customer upon request. In furtherance of the foregoing, the parties agree that:

14.1 in relation to Personal Data that is protected by the Swiss DPA, the EU SCCs will apply in accordance with Sections 7.3(a) -(b), with the following modifications: (i) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;

14.2 (ii) references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; and

14.3 (iii) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the FDPIC and competent courts in Switzerland, unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the Swiss DPA, in which event the Swiss SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes of the Swiss SCCs shall be populated using the information contained in Exhibits A and B.

15. Claims

Any claims brought under, or in connection with, this DPA, shall be subject to the exclusions and limitations of liability set forth in the Agreement.


EXHIBIT A

  A. LIST OF PARTIES

Data exporter(s):

  • Name: Customer
  • Address: As specified in the Agreement.
  • Contact person’s name, position and contact details: As specified in the Order Form
  • Activities relevant to the data transferred under these Clauses: The provision of Services by data importer to data exporter.
  • Role (Controller or Processor): Controller

Data importer(s):

  • Name: DreamTeamOS, Inc.
  • Address: 1800 Wazee St, Suite 300, Denver, Colorado, 80202
  • Contact person’s name, position and contact details: Dave Cahill, COO, dave@dreamteamos.com
  • Activities relevant to the data transferred under these Clauses: Storing, copying, accessing, sharing, modifying.
  • Role (Controller or Processor): Processor

  B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred: Customer (and Customer’s employees)

Categories of personal data transferred:

  • First and last name
  • Employer
  • Contact information (company, email, phone, physical business address)
  • IP address, device identifier and browser type

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: None.

The frequency of the transfer (whether the data is transferred on a one-off or continuous basis): On a continuous basis during the term of the Agreement.

Nature of the processing: Provider will Process Personal Data for the purpose of providing Services in accordance with the Agreement.

Purpose(s) of the data transfer and further processing: Provider will Process Personal Data for the purpose of providing Services in accordance with the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Duration of performance of the Services.


  C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority shall be the supervisory authority that has jurisdiction over the Data Exporter/Controller.

EXHIBIT B

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The data importer has implemented and maintains comprehensive technical and organizational safeguards, which contain those safeguards described below:

  • Organizational management and dedicated staff responsible for the development, implementation and maintenance of the Provider’s information security program.
  • Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Provider’s organization, monitoring and maintaining compliance with the Provider’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
  • Data security controls which include, at a minimum, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilization of commercially available industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e. the Internet) or when transmitted wirelessly or at rest or stored on portable media (i.e. laptop computers).
  • Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
  • Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that the Provider’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on the Provider’s computer systems; (iii) must have defined complexity; and (iv) newly issued passwords must be changed after first use.
  • Physical and environmental security of data centers, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of the Provider’s facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
  • Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from the Provider’s possession.
  • Change management procedures designed to test, approve and monitor all material changes to the Provider’s technology and information assets.
  • Incident management procedures designed to allow Provider to investigate, respond to, mitigate and notify of events related to the Provider’s technology and information assets.
  • Network security controls designed to protect systems from intrusion and limit the scope of any successful attack.
  • Vulnerability assessment, patch management and threat protection technologies, and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

EXHIBIT C

LIST OF SUB-PROCESSORS

The sub-processors listed below have been engaged by Provider on or before the Effective Date, and may assist in Processing within the scope of the Services provided to Customer under the Agreement.

  • Sub-Processor Name: Auth0 (Okta Inc.)
    Location: United States
    Description of Sub-Processors’ Activities: User Authentication and Identity Management

  • Sub-Processor Name: Amazon Web Services Inc.
    Location: United States
    Description of Sub-Processors’ Activities: Cloud Service Provider

  • Sub-Processor Name: Datadog Inc.
    Location: United States
    Description of Sub-Processors’ Activities: Metrics & Analytics

  • Sub-Processor Name: Google Inc.
    Location: United States
    Description of Sub-Processors’ Activities: User Authentication and Identity Management

  • Sub-Processor Name: Intercom Inc.
    Location: United States
    Description of Sub-Processors’ Activities: Customer Success & Support

  • Sub-Processor Name: LaunchDarkly Inc.
    Location: United States
    Description of Sub-Processors’ Activities: In-App Feature Management

  • Sub-Processor Name: Mixpanel
    Location: United States
    Description of Sub-Processors’ Activities: Metrics & Analytics

  • Sub-Processor Name: OpenAI
    Location: United States
    Description of Sub-Processors’ Activities: Application AI Functionality

  • Sub-Processor Name: Raintank Labs DBA Grafana
    Location: United States
    Description of Sub-Processors’ Activities: Operational Support Management

  • Sub-Processor Name: Sentry Inc.
    Location: United States
    Description of Sub-Processors’ Activities: Metrics & Analytics