Data Processing Agreement
Last Updated: January 23, 2026
This Data Processing Agreement ("DPA") amends and forms part of the written agreement between Intramark Inc. ("Company") and the customer ("Customer") identified in the Master Services Agreement (the "Agreement"). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.
1. Definitions
1.1
In this DPA:
- "Business", "Consumer", "Contractor", "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Personal Information", "Processing", "Processor", "Sale", "Selling", "Service Provider", and "Supervisory Authority" have the meaning given to them in Data Protection Law;
- "Customer Personal Data" means Personal Data Processed by Company as a Processor on behalf of Customer or a Third-Party Controller;
- "EU-US Data Privacy Framework" means the adequacy decision laid down in the Commission Implementing Decision of July 10, 2023, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework, EU 2023/1795;
- "Data Protection Law" means the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area ("EEA"), including the European Union, and all other data protection laws of the EEA, the United Kingdom ("UK"), Switzerland, and the United States ("US") (including the California Consumer Privacy Act or "CCPA") each as applicable, and as may be amended or replaced from time to time;
- "Data Subject Rights" means Data Subjects' rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Data Protection Law;
- "International Data Transfer" means any disclosure of Customer Personal Data by an organization subject to Data Protection Law to another organization located outside the EEA, the UK, or Switzerland;
- "Services" means the services provided by Company to Customer under the Agreement;
- "Share", "Shared", and "Sharing" have the meaning defined in the CCPA;
- "Subprocessor" means a Processor engaged by Company to Process Customer Personal Data;
- "SCCs" means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time;
- "Third-Party Controller" means a Controller for which Customer is a Processor; and
- "UK Addendum" means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
1.2
In the event of a conflict in the meanings of defined terms in the Data Protection Law, the meaning from the law applicable to the location of residence of the relevant Data Subject applies.
1.3
Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
2. Scope
2.1
This DPA applies to the Processing of Customer Personal Data by Company subject to Data Protection Law to provide the Services.
2.2
The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.
2.3
Customer is a Controller and appoints Company as a Processor on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.
2.4
If Customer is a Processor on behalf of a Third-Party Controller, then Customer: is the single point of contact for Company; must obtain all necessary authorizations from such Third-Party Controller; and undertakes to issue all instructions and exercise all rights on behalf of such Third-Party Controller.
2.5
Customer acknowledges that Company may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. Company is the Controller for such Processing and will Process such data in accordance with Data Protection Law.
3. Instructions
3.1
Company will Process Customer Personal Data to provide the Services and in accordance with Customer's documented instructions.
3.2
The Controller's instructions are documented in this DPA, the Agreement, and any applicable statement of work.
3.3
Customer may reasonably issue additional instructions as necessary to comply with Data Protection Law. Company may charge a reasonable fee to comply with any additional instructions.
3.4
Unless prohibited by applicable law, Company will inform Customer if Company is subject to a legal obligation that requires Company to Process Customer Personal Data in contravention of Customer's documented instructions.
4. Personnel
4.1
Company will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.
5. Security and Personal Data Breaches
5.1
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Annex II.
5.2
Customer acknowledges that the security measures in Annex II are appropriate in relation to the risks associated with Customer's intended Processing and will notify Company prior to any intended Processing for which Company's security measures may not be appropriate.
5.3
Company will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Company's notification is delayed, it will be accompanied by reasons for the delay.
6. Subprocessing
6.1
Customer hereby authorizes Company to engage Subprocessors. A list of Company's current Subprocessors is included in Annex III.
6.2
Company will enter into a written agreement with Subprocessors which imposes the same obligations as required by Data Protection Law.
6.3
Company will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Company's notification of the intended change. Customer and Company will work together in good faith to address Customer's objection. If Company chooses to retain the Subprocessor, Company will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and either party may immediately discontinue providing or using the relevant parts of the Services, as applicable, and may terminate the relevant parts of the Services within thirty (30) days.
7. Assistance
7.1
Taking into account the nature of the Processing, and the information available to Company, Company will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfillment of Customer's own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
7.2
Company may charge a reasonable fee for assistance under this Section 7. If Company is at fault, Company and Customer shall each bear their own costs related to assistance.
8. Audit
8.1
Upon reasonable request, Company must make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested no more than once per year by Customer, and performed by an independent auditor as agreed upon by Customer and Company. The foregoing shall only extend to those documents and facilities relevant and material to the Processing of Customer Personal Data and shall be conducted during normal business hours and in a manner that causes minimal disruption.
8.2
Company will inform Customer if Company believes that Customer's instruction under Section 8.1 infringes Data Protection Law. Company may suspend the audit or inspection or withhold requested information until Customer has modified or confirmed the lawfulness of the instructions in writing.
8.3
Company and Customer each bear their own costs related to an audit.
9. International Data Transfers
9.1
Customer hereby authorizes Company to perform International Data Transfers to any country deemed to have an adequate level of data protection by the European Commission or the competent authorities, as appropriate; on the basis of adequate safeguards in accordance with Data Protection Law; or pursuant to the SCCs and the UK Addendum.
9.2
Where the transfer of Customer Personal Data from Customer to Company is an International Data Transfer and such transfer is not covered by an adequacy decision, the SCCs shall be incorporated by reference and form an integral part of this DPA.
9.3
For transfers from the UK, the UK Addendum shall apply. For transfers from Switzerland, the SCCs shall apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner.
10. CCPA
10.1
With respect to any Personal Information that is subject to the CCPA: Company is a "Service Provider" under the CCPA; Company will not Sell or Share Customer Personal Data; Company will not retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of performing the Services, including retaining, using, or disclosing Customer Personal Data for a commercial purpose other than providing the Services, or as otherwise permitted by the CCPA; Company will not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Company and Customer; and Company certifies that it understands the restrictions in this Section 10 and will comply with them.
11. Deletion or Return of Customer Personal Data
11.1
Subject to Sections 11.2 and 11.3, Company will delete or return all Customer Personal Data to Customer after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Customer Personal Data.
11.2
Company may retain Customer Personal Data to the extent required by applicable law and only to the extent and for such period as required by applicable law and always provided that Company shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.
11.3
Company may retain Customer Personal Data to the extent contemplated by the Agreement.
12. General
12.1
Without prejudice to the provisions of the Agreement, in case of contradiction between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Customer Personal Data.
12.2
The provisions of this DPA shall survive the termination of the Agreement.
Annex I: Description of Processing
A. List of Parties
Data Exporter (Customer):
- Name: As specified in the Order Form
- Address: As specified in the Order Form
- Activities relevant to the data transferred: Customer uses the Services as described in the Agreement
- Role: Controller, or Processor on behalf of Third-Party Controller
Data Importer (Company):
- Name: Intramark Inc.
- Address: 1 Dry Hill Ct, Norwalk, CT 06851
- Contact: privacy@intramark.io
- Activities relevant to the data transferred: Company provides its services to Customer as described in the Agreement and Processes Personal Data on behalf of Customer in that context
- Role: Processor on behalf of Customer, or Subprocessor on behalf of Third-Party Controller
B. Description of International Data Transfer
Categories of Data Subjects whose Personal Data is transferred:
- Customer's personnel, staff and contractors
Categories of Personal Data transferred:
- Professional identification and contact information
Sensitive data transferred (if applicable):
- Workplace Feedback, Sentiment, and Perception Data (Non-Special Category) - Pseudonymized, processed under legitimate interest, aggregated outputs, minimum cohort sizes applied
Frequency of the transfer: On a continuous basis
Nature of the processing: The Personal Data will be processed and transferred as described in the Agreement
Purpose(s) of the data transfer and further processing: The Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement
Retention period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law
C. Competent Supervisory Authority
- The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority (a) of Customer's country of establishment, or, where not applicable, (b) of the country where Customer's EU data protection representative is located, or, where not applicable, (c) of one of the EEA countries where the Data Subjects are located.
- The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
- The competent authority for the Processing of Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
Annex II: Technical and Organizational Measures
Company will, at a minimum, implement the following types of security measures:
1. Physical Access Control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Customer Personal Data are Processed, include:
- Establishing security areas, restriction of access paths
- Establishing access authorizations for employees and third parties
- Access control system (ID reader, magnetic card, chip card)
- Key management, card-keys procedures
- Door locking (electric door openers etc.)
- Security staff
- Surveillance facilities, video/CCTV monitor, alarm system
- Securing decentralized data processing equipment and personal computers
2. Virtual Access Control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:
- User identification and authentication procedures
- Strong ID/password security procedures (special characters, minimum length and complexity requirements, change of password)
- Automatic blocking (e.g. password or timeout)
- Monitoring of break-in attempts and automatic disabling of the user ID after several erroneous password attempts
- Creation of one master record per user, user-master data procedures per data processing environment
- Encryption of archived data media
3. Data Access Control
Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Customer Personal Data in accordance with their access rights, and that Customer Personal Data cannot be read, copied, modified or deleted without authorization, include:
- Internal policies and procedures
- Control authorization schemes
- Differentiated access rights (profiles, roles, transactions and objects)
- Monitoring and logging of accesses
- Disciplinary action against employees who access Customer Personal Data without authorization
- Reports of access
- Access procedure
- Change procedure
- Deletion procedure
- Encryption
4. Disclosure Control
Technical and organizational measures to ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Personal Data are disclosed, include:
- Encryption/tunneling
- Logging
- Transport security
5. Entry Control
Technical and organizational measures to monitor whether Customer Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:
- Logging and reporting systems
- Audit trails and documentation
6. Control of Instructions
Technical and organizational measures to ensure that Customer Personal Data are Processed solely in accordance with the instructions of the Controller include:
- Unambiguous wording of the contract
- Criteria for selecting the Processor
7. Availability Control
Technical and organizational measures to ensure that Customer Personal Data are protected against accidental destruction or loss (physical/logical) include:
- Backup procedures
- Mirroring of hard disks (e.g. RAID technology)
- Uninterruptible power supply (UPS)
- Remote storage
- Anti-virus/firewall systems
- Disaster recovery plan
8. Separation Control
Technical and organizational measures to ensure that Customer Personal Data collected for different purposes can be Processed separately include:
- Separation of databases
- "Internal client" concept / limitation of use
- Segregation of functions (production/testing)
- Procedures for storage, amendment, deletion, transmission of data for different purposes
9. Testing Controls
Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the processing include:
- Periodic review and testing of the disaster recovery plan
- Testing and evaluation of software updates before they are installed
- Authenticated (with elevated rights) vulnerability scanning
- Test bed for specific penetration tests and Red Team attacks
10. IT Governance
Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts include:
- Certification/assurance of processes and products
- Processes for data minimization
- Processes for data quality
- Processes for limited data retention
- Processes for ensuring accountability
- Data subject rights policies
Company will contractually require its Subprocessors to implement the same or at least equivalent technical and organizational measures to be able to provide assistance to Customer.
Annex III: List of Subprocessors
Customer authorizes Company to engage the following Subprocessors:
| Name | Address | Description of Processing |
|---|---|---|
| Amazon Web Services, Inc. | 410 Terry Avenue North, Seattle, WA 98109, United States | Amazon Web Services, Inc. provides cloud infrastructure and hosting services used to store, process, and transmit Customer Data on behalf of the Controller. AWS acts as a Subprocessor and processes personal data solely for the purpose of providing infrastructure, storage, compute, networking, security, backup, and disaster recovery services, in accordance with the applicable Data Processing Addendum. AWS does not access or process Customer Data for its own purposes. The Controller remains responsible for determining the purposes and means of processing, while AWS is responsible for implementing appropriate technical and organizational security measures for the underlying cloud infrastructure. |