Data Processing Addendum

This Data Processing Addendum is entered into as of the Effective Date (as set forth in the order form) and is by and between BetterWorks Systems, Inc. (“Betterworks”) and the Customer specified in the Order Form (the “Customer”) (“Data Processing Addendum”). While Betterworks reserves the right to update or change its compliance efforts to meet regulatory requirements or industry standards, Betterworks will notify Customer of any material changes.  Capitalized terms used in this Data Processing Addendum and not defined herein shall have the meanings given to them in the applicable Order Form, including the Terms and Conditions incorporated therein, entered into by the Parties (including its Exhibits, “Agreement”). In the event of a conflict between the requirements (or defined terms) under this Data Processing Addendum and the Agreement, this Data Processing Addendum shall take precedence and prevail as it relates to the conflicting terms in respect of the subject matter of this Data Processing Addendum. As used herein, the words “include,” “includes,” and “including” are deemed to be followed by the words “without limitation”.

1. Customer is the Controller of all Customer Confidential Information. Customer wishes to appoint Betterworks to process Customer Confidential Information, as further described in Appendix A attached hereto.

2. Betterworks will act in relation to such Customer Personal Data and Customer Confidential Information as the Processor on behalf of Customer and will act only in accordance with the following:

a. Betterworks’ Privacy Notice located at https://www.betterworks.com/privacy-notice/;

b. Betterworks’ Terms and Conditions located at https://www.betterworks.com/termsandconditions/ or otherwise attached to the Order Form between Parties; and

c. Betterworks-Customer Privacy & Security Agreement (attached hereto as Exhibit 1).

3. It is further understood that as of the Effective Date of this Data Processing Addendum, Betterworks has the following certifications: SOC2 (Security, Privacy, Confidentiality, Availability), ISO27001 (Security, Confidentiality, Integrity, Availability), and is Privacy Shield Compliant with the EU-US and Swiss-US Privacy Shield Framework (Betterworks’ current status is found at https://www.privacyshield.gov/participant?id=a2zt00000000107AAA). For the duration of the then-current term of the Agreement, Betterworks agrees to maintain such standards associated with such certifications that are applicable to Security, Privacy, Confidentiality, Integrity and Availability.

4. This Data Processing Addendum shall survive until the date when any and all associated Order Form(s) expire or are earlier terminated by the written agreement between Parties.


Exhibit 1

Betterworks Customer Privacy & Security Agreement


1. Introduction 

This Betterworks-Customer Privacy and Security Exhibit (“Exhibit”) governs the manner in which Customer Confidential Information shall be Processed by Betterworks. In the event of a conflict between the Agreement, including its attachments and exhibits, and this Exhibit, the provision imposing the stricter data protection requirements of any conflicting provision shall control. Capitalized terms have the meaning given to them in the Agreement, unless otherwise defined below. Notwithstanding anything contrary in the Agreement or Data Processing Addendum, the terms and obligations of this Exhibit shall remain in effect until the termination of the Agreement.

2. Definitions

For the purposes of this Exhibit, the following terms and those defined within the body of this Exhibit apply.

I. “Affiliate Companies” means any companies controlling, being controlled by, or under common control with another company.

II. “Applicable Data Protection Law(s)” means the relevant data protection, data security, data retention and data privacy laws, rules and regulations to which the Personal Data and Confidential Information are subject. With respect to EU Personal Data, “Applicable Data Protection Law(s)” shall include the GDPR, and, if a party is Privacy Shield-certified, the Privacy Shield principles and requirements.

III. “Betterworks” means Betterworks Systems, Inc.

IV. “Confidential Information” shall have the same meaning as the term is given in the Agreement to which this Exhibit attaches.

V. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

VI. “Customer” means the entity that has entered into a signed Betterworks Order Form for access to and use of the Betterworks platform.

VII. “EU” or “European Union” means the European Union inclusive of the United Kingdom, whether or not the United Kingdom has officially withdrawn from the European Union.

VIII. “GDPR” shall mean the General Data Protection Regulation—the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which repeals Directive 95/46/EC and comes into effect on May 25, 2018.

IX. “Information Security Program” has the meaning set forth in Section 5 below.

X. “Customer Confidential Information” means all Customer Personal Data and all Confidential Information pertaining to Customer.

XI. “Customer EU Personal Data” means Customer Personal Data about individuals who are located in the European Union.

XII. “Customer Personal Data” means Personal Data received or collected by Customer or Betterworks pertaining to Customer’s current, former, or potential customers and Personal Data pertaining to Customer’s current, former or potential employees, contractors, vendors or other agents.

XIII. “Customer Security POC” or “Customer’s SPOC” means the Customer point of contact for urgent security issues designated by Customer in this Exhibit.

XIV. “Instructions” shall mean the directions, either in writing, in textual form (e.g. by e-mail) or by using a software or online tool, issued by Customer to Betterworks and directing Betterworks to Process or make changes to Personal Data.

XV. “Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under Applicable Data Protection Law(s) and shall include any and all data (regardless of format) that can be used to directly or indirectly identify, contact or locate a natural person, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the financial, physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

XVI. “Privacy Shield” means the European Union (“EU”) – United States (“US”) Privacy Shield Framework established by the US Department of Commerce and the European Commission.

XVII. “Process”, “Processes”, “Processing”, “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

XVIII. “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data.

XIX. “Security Incident(s)” shall have the meaning assigned by Applicable Data Protection Law(s) to the terms “security incident,”  “security breach” or “personal data breach” but shall include any situation where Betterworks knows, discovers, or is notified that Customer Confidential Information has been or is likely to have been accessed, disclosed, acquired or used by unauthorized persons, in an unauthorized manner or in violation of the Agreement, this Exhibit, or Applicable Data Protection Law(s).

XX. “Third Party(ies)” means Betterworks’ authorized contractors, agents, vendors and service providers (i.e., sub-Processors) that Process Customer Confidential Information.

3. Data Handling and Access

a. General Compliance.  Both Parties shall at all times Process Personal Data in compliance with Applicable Data Protection Laws. Customer is solely responsible for (i) the accuracy, quality, and legality of (1) Customer Personal Data, (2) the means by which Customer acquired any Customer Personal Data, and (3) the Instructions it provides to Betterworks regarding the Processing of Customer Personal Data; and (ii) its compliance with the Applicable Data Protection Laws, including as Controller and Processor. Betterworks shall Process Customer Confidential Information in compliance with the terms of this Exhibit, Betterworks’ then-current Privacy Notice and, all Applicable Data Protection Law(s).

b. Betterworks and Third Party Compliance. Betterworks agrees to (i) enter into a written agreement with Third Parties regarding such Third Parties’ Processing of Customer Confidential Information that imposes on such Third Parties data protection and security requirements for Customer Confidential Information that are compliant with Applicable Data Protection Law(s), that are consistent with and similar to the requirements under this Exhibit; (ii) enforce compliance with such written agreement on Betterworks’ Third Parties (e.g., by obtaining a written certification, entering into contractual language on the same, or reviewing its independent third-party audit reports that are made available and reviewed no less than once per year); (iii) enforce compliance with this Exhibit on Betterworks’ employees; and (iv) remain responsible to Customer for the actions or omissions of Betterworks’ employees and Betterworks’ Third Parties with respect to the Processing of Customer Confidential Information. For purposes of clarity, Third Parties referenced in this Section and throughout the Agreement include sub-contractors (third parties who are engaged to deliver the Betterworks service directly to Customer on behalf of Betterworks—e.g., a professional services consultant) and sub-processors (third parties utilized by Betterworks during the provision of its own Services to Customer—e.g., service providers who provide infrastructure support to Betterworks like hosting providers, email notification providers, etc.). Notwithstanding anything contrary in this DPA or the Agreement between Parties, both Parties acknowledge and agree that (i) Customer must provide written consent for Betterworks’ use of a sub-contractor, whereas (ii) Betterworks will provide notice to Customer of its use of sub-processors by keeping its list of sub-processors current at https://www.betterworks.com/sub-processors/. 
In the event Customer does not agree to Betterworks’ use of sub-processors, Customer may terminate the Agreement for convenience with written notice to Betterworks and Fees due on the then-current Term will not be absolved and Betterworks will not provide refunds.

c. Authorization to Use Third Parties. Customer hereby authorizes Betterworks to engage Third Parties in connection with its provision of the Services. Notwithstanding the foregoing, any transfer of Customer Personal Data shall comply with all Applicable Data Protection Law(s) including those related to the cross-border transfers of Customer EU Personal Data, if applicable. Betterworks agrees that its Third Parties are reviewed for their adherence to security, privacy and confidentiality practices related to data. Upon written request from Customer, Betterworks shall make available to Customer the then-current list of Third Parties used to provide the Services. Subject to confidentiality obligations Betterworks may have, Betterworks will provide Customer, upon Customer’s request, any records that Processors are required to maintain and provide under Applicable Data Protection Law(s). Should Customer object to the use of a Third Party, Customer is to provide written notice to Betterworks of its reasonable grounds of objection for using said Third Party. Betterworks will use reasonable efforts to make available to Customer a change in Services to avoid Processing of Customer Personal Data by the objected-to Third Party without unreasonably burdening Customer. If Betterworks is unable to make available such change within a reasonable period of time (which shall not exceed thirty (30) days unless a longer period of time is agreed between Parties), Customer may terminate the applicable Order Form(s) with respect only to those Services which may not be provided by Betterworks without the use of the objected-to Third Party by providing thirty (30) days written notice to Betterworks. Both Parties acknowledge and agree that said termination without penalty or refund is Customer’s sole option and remedy for Customer’s objection to the use of a Third Party.
If a Third Party is discovered not to be in compliance with Applicable Data Protection Law(s) or this Exhibit, Betterworks agrees to take commercially reasonable corrective steps, and either cure the Third Party’s performance or cease using such Third Party.

d. Following Instructions. Betterworks shall Process Customer Confidential Data only in accordance with the Instructions of Customer or as specifically authorized by this Exhibit, the Agreement, or any applicable Order Form. If Betterworks reasonably believes that there is a conflict between Customer’s Instructions and applicable law or otherwise seeks to Process Customer Confidential Data in a manner that is inconsistent with Customer’s Instructions, Betterworks agrees to, unless legally prohibited from doing so, (i) promptly inform Customer; (ii) cooperate with Customer in good faith to resolve any conflict; and (iii) not Process Customer Confidential Data outside of Customer’s Instructions until Customer expressly authorizes Betterworks in writing to do so.

e. Any person authorized to Process Customer Confidential Information must expressly agree in writing to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality. Customer Confidential Information shall not be sold, rented or leased to any third party.  Customer Confidential Information shall not be disclosed to any third party without the prior written consent of Customer, except as may be otherwise expressly permitted in the Agreement.

f. Security of Processing.  Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Betterworks shall, in relation to Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services with respect to Customer’s Personal Data; (iii) the ability to restore the availability and access to Customer’s Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing of Customer’s Personal Data.  If Betterworks engages a Third Party to Process Personal Data in connection with its provision of the Services, Betterworks agrees that data protection obligations equivalent to those set forth in this Exhibit shall be imposed on such Third Party by way of a contract or Applicable Data Protection Laws, including the obligation to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Applicable Data Protection Laws.

g. Personal Data Inquiries and Requests. Betterworks agrees to comply with all reasonable Instructions from Customer related to (i) any questions or complaints received from individuals regarding Customer Personal Data received or collected by Betterworks (“Privacy Inquiry”) and (ii) any requests from individuals exercising their rights in Customer Personal Data received or collected by Betterworks granted to them under Applicable Data Protection Law(s) or Betterworks’ then-current Privacy Notice (“Privacy Request”) and, upon Customer’s request, confirm its compliance with the foregoing to Customer within a reasonable time.  If Betterworks is directly contacted with a Privacy Inquiry or Privacy Request, Betterworks must forward such inquiry to Customer without undue delay within three (3) business days.  If Betterworks receives a Privacy Request and the period to provide an answer to it under Applicable Data Protection Law(s) is equal to or shorter than 72 hours, Betterworks must forward such Privacy Request to Customer within 48 hours. Unless otherwise required by Applicable Data Protection Law(s), Betterworks must take action regarding a Privacy Inquiry or a Privacy Request only as approved or directed by Customer. At Customer’s request and without undue delay, Betterworks agrees to assist Customer in answering to or complying with any Privacy Inquiry or Privacy Request. Additionally, Betterworks agrees to put in place commercially reasonable technical and organizational measures to assist Customer in complying with Privacy Requests if required by Applicable Data Protection Law(s).

h. Data Protection Impact Assessment and Prior Consultation.  Betterworks shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, which is required of Customer under Applicable Data Protection Laws solely in relation to Betterworks’ Processing of Customer Personal Data.

4. EU – U.S. Compliance 

This Section applies where the Customer transfers Customer EU Personal Data outside of the European Union to Betterworks. Notwithstanding the foregoing, Customer agrees that any Customer EU Personal Data transferred outside of the European Union to Betterworks shall be transferred out of the European Union directly by Customer to Betterworks.

a. Customer Cross-Border Data Transfer Mechanism. Customer agrees to transfer Customer EU Personal Data to Betterworks in accordance with Applicable Data Protection Laws.

b. Betterworks Data Transfer Mechanism. Betterworks shall comply with the data transfer mechanism below to receive Customer EU Personal Data outside the European Union from Customer.

Privacy Shield Certification: Betterworks is Privacy Shield certified and represents and warrants that its Privacy Shield certification covers the Customer EU Personal Data that Betterworks Processes. Betterworks agrees to (i) maintain its Privacy Shield certification during the term of the Agreement or (ii) provide written notification to Customer at least ninety (90) days before it withdraws from or otherwise no longer maintains a current certification to the Privacy Shield, at which time Customer and Betterworks shall undertake to adopt alternative protections for the transfer of Customer EU Personal Data outside of the European Union in compliance with Applicable Data Protection Laws.  If the parties do not agree to such additional protections, Betterworks may terminate this Addendum and/or Agreement and cease its Processing of Customer EU Personal Data, without liability or penalty under the Agreement or otherwise.  Termination shall not relieve Customer of any fees owed to Betterworks under the Agreement.

c. Compliance. Betterworks agrees to keep records of its Processing in compliance with Applicable Data Protection Law(s) and provide such records to Customer upon request. If Betterworks is collecting Customer EU Personal Data on Customer’s behalf, such records shall include but not be limited to (i) the legal basis for Processing and (ii) records of the verifiable consent under Applicable Data Protection Law(s).

d. Notice of Non-Compliance. Betterworks must promptly notify Customer’s Security POC (defined below, Section 11) if it can no longer meet its obligations under this Section 4.

5. Information Security Program

Betterworks agrees to maintain a comprehensive written information security program (“Information Security Program”) designed to implement technical and organizational measures to protect Customer Confidential Information as required by Applicable Data Protection Law(s), the Agreement and this Exhibit. Betterworks agrees to implement and train its employees on its Information Security Program in a way that produces the same degree of care as is used with its own Personal Data and Confidential Information, but not less than a reasonable degree of care, to prevent the unauthorized collection, use, sharing, retention, destruction, and other inappropriate or prohibited use of Customer Confidential Information. In particular, the Information Security Program shall coincide with the organizational controls intended to meet the ISO27001 and SOC2 industry standards, which include:

a. Conditions for Access. Access to systems containing stored Customer Confidential Information must not be granted to Betterworks’ employees, subcontractors, or other agents unless: (i) they have a need to view the information in order to perform authorized work; (ii) they are trained in the proper handling of Customer Confidential Information; (iii) they are subject to an obligation to handle Customer Confidential Information in ways at least as restrictive as those practices outlined in this Exhibit; (iv) their access can be uniquely identified (e.g., by a unique User ID), (v) they are required to use a password or other authorizing token configured to meet industry best practice standards, (vi) they are permitted access only as required to perform their job function, (vii) the date, time, requestor, and nature of the access (i.e. read-only or modify) has been recorded in a log file which is maintained and preserved according to Applicable Data Protection Law(s) and industry standards and (viii) access is only granted on least privilege/need-to-know basis.

b. Storage. Betterworks agrees to (i) store Customer Confidential Information behind firewalls with access to such data limited as described in 5(a) and (ii) encrypt all Customer Confidential Information stored on laptops and portable devices.

c. Procedures for Changing Roles. Procedures must be in place to modify or revoke access permissions to Customer Confidential Information when job responsibilities change and/or need for data access changes.

d. Encryption. Betterworks agrees to (i) adopt commercially reasonable industry practices with regard to encrypting Customer Confidential Information (at a minimum, industry-standard transparent encryption techniques—full disk or database transparent encryption—must be employed to safeguard Customer Confidential Information in Betterworks’ systems from retrieval by unauthorized persons), and (ii) transmit data over secure and encrypted connections using industry-standard encryption techniques.

e. Printed Material. With respect to printed material containing Customer Confidential Information, Betterworks agrees (i) to store such material in secured areas with access limited to individuals with business need to access, and (ii) that such material will be disposed of in a secure manner employing processes including onsite shredding prior to recycling or placement in secure bins with subsequent off-site shredding by a licensed contractor.

f. Backup. Customer Confidential Information must be backed up regularly and the backups must be encrypted and stored in secure, environmentally-controlled, limited-access facilities until such time that deletion or destruction is required under the Agreement, this Exhibit, or under Applicable Data Protection Law(s).

g. Network Scans. Betterworks must run internal and external network vulnerability scans at least monthly and after any change in the network configuration (such as new system component installations, changes in network topology, firewall rule modifications, or product upgrades).

h. Security Fixes. Betterworks agrees to promptly install any security-related fixes identified by their hardware or software vendors and related to Customer Confidential Information.

i. Security Threats and Associated Modifications. Customer may, from time to time, advise Betterworks of recent security threats that have come to its attention and recommend Betterworks to implement specific modifications of their software, policies, or procedures. To the extent such modifications are needed to comply with Betterworks’ obligations under Applicable Data Protection Law(s), the Agreement, this Exhibit, or any applicable Order Form, Betterworks agrees to (i) implement the recommended modifications or (ii) implement alternative modifications guaranteeing a level of protection equal to or superior to the level of protection granted by the modifications recommended by Customer.

j. Testing Key Controls, Systems and Procedures. Notwithstanding the minimum standards set forth in this Exhibit, Betterworks agrees to regularly test the key controls, systems and procedures of their Information Security Programs to ensure that they are properly implemented and effective in addressing the threats and risks identified, and incorporate reasonable, industry-standard, security safeguards. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the Information Security Program.

k. Publicly Accessible Networks. Except as restricted by Applicable Data Protection Law(s), Betterworks must not electronically transmit (via email or otherwise) Customer Confidential Information over publicly-accessible networks without using industry-standard encryption in transit, or another mechanism that has been mutually agreed upon in advance by Customer and Betterworks.

l. Encoding Data into a URL or Logs. Customer Confidential Information must not be passed in a URL (e.g., using a GET method) in a manner that could expose the information to third parties or cause such information to appear in log files. Notwithstanding the foregoing, the Parties agree that Betterworks secures all web requests (including the URL) using SSL; by its nature this may result in some request data being written to Betterworks logs, but such logs are encrypted.

m. Hardware and Electronic Media. Betterworks must deploy and follow policies and procedures to ensure (i) the safe receipt and removal of hardware and electronic media containing Customer Confidential Information into and out of Betterworks’ facilities, (ii) the movement and storage of these items within Betterworks’ facilities, (iii) the disposition of the hardware or electronic media on which it is stored, and (iv) the removal of Customer Confidential Information from electronic media before re-use.

n. Storage Media. Betterworks must deploy and follow policies and procedures to ensure that all Customer Confidential Information is irreversibly and securely deleted from storage media prior to any such storage media (i) being assigned, allocated or reallocated to another individual, or (ii) being permanently removed from Betterworks’ facilities. Betterworks agrees to maintain an auditable program implementing the disposal and destruction requirements set forth under Applicable Data Protection Law(s) and this Exhibit for all storage media containing Customer Confidential Information.

6. Assessments, Audits and Remediation 

a. Assessments. Records to demonstrate compliance with this Exhibit and Applicable Data Protection Law(s) shall be maintained by Betterworks and provided to Customer upon request. Betterworks agrees to (i) provide access to reputable scan results and (ii) complete reasonably requested data protection questionnaires, if any, provided by Customer.

b. For the purpose of verifying Betterworks’ compliance with Applicable Data Protection Law(s) and this Exhibit, Betterworks agrees to provide independent third party audit reports to Customer upon written request by Customer.

c. Access for Audit. Betterworks shall make available to Customer on request all information reasonably necessary to demonstrate compliance with this Data Processing Addendum, and shall allow for audits by Customer or an auditor mandated by Customer only in relation to Betterworks’ Processing of Customer Personal Data.  Information and audit rights of Customer arise under the foregoing only to the extent that the Agreement does not otherwise give Customer information and audit rights meeting the relevant requirements of the Applicable Data Protection Law.

d. Remediation. Betterworks agrees to (i) promptly take commercially reasonable action to correct any material security issue affecting Customer Confidential Information, and (ii) inform Customer of such actions if it is related to a Security Incident affecting Customer Confidential Information. If such action is not promptly taken to Customer’s reasonable satisfaction, Customer may, without penalty or refund, terminate the Agreement at Customer’s discretion for cause after (i) Betterworks is provided written notice by Customer, and (ii) Betterworks is afforded the opportunity to remediate within the cure period in accordance with the Agreement, provided, however, that if a regulator or other data protection authority requires immediate termination of the Agreement, Customer may do so without penalty or refund notwithstanding any time to cure provision in the Agreement.

7. Secure Disposal 

Customer Confidential Information shall be securely disposed of (i) during the term of the Agreement upon Customer’s written request if such information is no longer reasonably required to perform the Services, or (ii) within thirty (30) days of the termination of the provision of the Services. Betterworks may retain Customer Confidential Information to the extent that it is required to do so under Applicable Data Protection Law(s). When disposing of Customer Confidential Information, Betterworks agrees to destroy and/or delete such data from any media (including back-up copies) such that the media contains no residual data.

8. Changes to Requirements 

The parties shall agree to amend or supplement this Exhibit from time to time to reflect requirements under Applicable Data Protection Law(s). If either party refuses to amend this Exhibit to meet requirements under Applicable Data Protection Law(s), in addition to any termination rights provided in the Agreement, the other party may terminate the Agreement upon thirty (30) days written notice to such party without liability, penalty or refund.

9. Security Incident 

a. Security Incident Procedure. Betterworks agrees to deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents pertaining to Customer Confidential Information including procedures to (i) monitor systems and detect successful and attempted attacks on or intrusions into Customer Confidential Information or information systems relating thereto, (ii) identify and respond to suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, in each case, as they pertain to Customer Confidential Information, and (iii) restore the availability or access to Customer Confidential Information in a timely manner. Customer agrees to notify Betterworks of any known or suspected Security Incident. The obligations described in this Section 9 shall not apply in the event that a Security Incident results from the actions or omissions of Customer. Betterworks’ obligation to report or respond to a Security Incident will not be construed as an acknowledgement by Betterworks of any fault or liability with respect to the Security Incident.

b. Notice. Betterworks agrees to provide prompt written notice, within the time frame required under Applicable Data Protection Law(s), to Customer’s Security POC (defined below, Section 11) if it knows that a Security Incident pertaining to Customer Confidential Information has taken place. Such notice will include all available and applicable details required under Applicable Data Protection Law(s) for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident. Betterworks shall provide regular updates to Customer on the status of the Security Incident, as available.

c. Remediation. Betterworks agrees to indemnify and reimburse Customer for any and all direct damages, losses, fees or costs incurred related to a third party claim as a result of such Security Incident pertaining to Customer Confidential Information if the Security Incident arises from (i) Betterworks’ grossly negligent or willful act or omission or (ii) Betterworks’ breach of the Agreement or this Exhibit. Additionally, to the extent that such a Security Incident pertaining to Customer Confidential Information that arises from (i) or (ii) in the foregoing sentence gives rise to a need to: (A) provide notification to public and/or regulatory authorities, individuals, or other persons, or (B) undertake other reasonable remedial measures (including notice and the establishment of a call center to respond to inquiries – collectively, “Remedial Action”), Betterworks agrees to undertake such Remedial Actions.  Notwithstanding anything contrary to the foregoing or elsewhere in the Agreement or this Exhibit, if any of the Remedial Actions or damages, settlements, losses, liabilities, penalties, fines, costs, or expenses are caused by the gross negligence, material omissions, willful misconduct or breach of this Exhibit by Customer or Customer’s personnel, Betterworks shall have no obligation to indemnify Customer for such occurrences nor have the responsibility to take on the Remedial Actions, including the cost or delivery thereof.

10. Termination Obligations

a. Termination. Notwithstanding anything to the contrary in the Agreement or this Exhibit, either Party (the “Non-Breaching Party”) may, without liability, penalty or refund, terminate the Agreement or any relevant portion thereof immediately upon written notice to the other Party (the “Breaching Party”) in the event a data protection or other regulatory authority or other tribunal or court in any country finds there has been a breach of Applicable Data Protection Law(s) by the Breaching Party in connection with the Agreement.

b. Effect of Termination or Expiration. If requested by Customer, Betterworks shall, after the termination or expiration of the Agreement, return or delete Customer Confidential Information in its possession or control unless Betterworks is required to retain such information under Applicable Data Protection Law(s) or other applicable law, rule or regulation. Betterworks’ obligations to protect Customer Confidential Information will continue in respect of any Customer Confidential Information retained by Betterworks until all such information has been returned or deleted, including from any back-up.

11. Contact Information

a. Betterworks agrees to designate a point of contact as its Privacy and Security Coordinator. This Privacy and Security Coordinator will: (i) maintain responsibility for applying the relevant protections to Customer Confidential Information, including the development, implementation, and maintenance of its Information Security Program, (ii) oversee Betterworks’ compliance with the requirements of this Exhibit, and (iii) serve as a point of contact for internal communications and communications with Customer pertaining to this Exhibit and compliance therewith or any breaches thereof.

b. Additionally, both Customer and Betterworks agree to designate a point of contact for urgent security issues (a “Security POC”) and provide contact information for such Security POC. Both parties agree that either the Security POC or an appointed alternate will be available 24 hours per day, 365 days per year, without limitation. The Security POCs for both parties are:

Customer Security POC: [email address provided on the Customer Information Form]
Betterworks Security POC: security@betterworks.com

Appendix A

Subject Matter

The subject matter of the data processing under the Exhibit is Customer Personal Data.

Duration

The duration of the data processing under the Exhibit is the period (i) during which Betterworks performs the Services for Customer under the Agreement, or (ii) as otherwise required by law.

Purpose

The purpose of the data processing under the Exhibit is the provision of the Services to Customer under the Agreement (as may be amended from time to time).

Nature of Processing

The data processing will involve any such processing that is necessary for the purposes set out in the Agreement and the Exhibit.

Type of Personal Data

The types of Customer Personal Data processed are as described in the Agreement (as amended from time to time), the Exhibit, and below (as applicable). For purposes of clarity, Customer Personal Data that is reasonably in scope of the Services for purposes of the Agreement is personal information limited to: name, work email, title, profile picture, office location, office phone number, and any other information in the “My Profile” section of the application.

Categories of Data Subjects

In providing the Services to Customer, Betterworks processes the Personal Data of the data subjects referenced in the Agreement (as amended from time to time), the Exhibit, and below (as applicable). For purposes of clarity, “special categories” of Personal Data are not applicable to the Agreement. Customer Personal Data will be and should be void of sensitive personal information (e.g., Customer will not pass to Betterworks or store inside the Betterworks website or application sensitive personal information including, but not limited to, date of birth, Social Security number, driver’s license number, other government-issued identification number, financial account number, credit or debit card number, insurance ID or account number, health or medical information, consumer reports, background checks, biometric data, digital signatures, any code or password that could be used to gain access to financial resources, or any other unique identifier of a user or individual).