Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the written agreement between Workstream Analytics, Inc. (“Company”) and its customer (“Customer”) (collectively, the “Parties”) for the provision of services to Customer (the “Agreement”) and describes the Parties’ respective responsibilities with respect to Personal Data that Company Processes on behalf Customer in accordance with the Agreement. ‍

1. Definitions

1.1 In this DPA:
- a) All capitalized or other terms defined in the Agreement shall have the meanings ascribed to them in the Agreement; and
- b) Standard Contractual Clauses” means (i) with respect to Personal Data originating from the European Economic Area, Module 2 of the standard contractual clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 (the “EU SCCs”); and (ii) with respect to Personal Data originating from the United Kingdom, the EU SCCs as supplemented by the International Data Transfer Addendum approved pursuant to S119A(1) Data Protection Act 2018 (the “UK SCCs”); each as amended, supplemented, updated or replaced from time to time.

2. Data Protection

2.1 The nature of the Personal Data that Company Processes, and the subject-matter and purposes of such processing, are described in Annex A to this DPA. Customer acknowledges that Company does not control the nature of the Personal Data input into the Company Platform.
2.2 With respect to such Personal Data, Company will:
- a) Process Personal Data only on documented instructions of Customer (including to perform the purposes described within the Agreement), except as otherwise required by applicable law, in which case, Company will inform Customer of such legal requirement before Processing, unless it is prohibited from providing notice under applicable law;
- b) Not sell, rent, lease or otherwise transfer Customer Personal Data to a third party for monetary or other valuable consideration or for the third party’s marketing purposes;
- c) Ensure that all employees or other personnel authorized to Process the Personal Data are subject to appropriate requirements to maintain the confidentiality of Personal Data;
- d) Implement technical and organizational measures to ensure a level of security appropriate to the risks presented by the Processing of Personal Data;
- e) Notify Customer without undue delay upon becoming aware of any breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, and provide information to Customer as reasonably required to enable Customer to comply with its obligations under applicable laws;
- f) Provide Customer with reasonable cooperation and assistance in responding to requests from individuals and regulators concerning the Personal Data;
- g) make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA, and, to the extent required by applicable law, assist Customer in preparing any required privacy assessments or consultations and allow for and contribute to reasonable audits, including inspections, conducted by a regulator or another auditor mandated by Customer; and
- h) upon termination of the Agreement, at Customer’s request, delete or return all Personal Data within ninety (90) days after confirmation of Customer’s choice.

3. Subprocessing

3.1 Customer hereby authorizes Customer to engage third parties to Process Personal Data on Company’s behalf (“Subprocessors”) to provide the services described in the Agreement, including the Subprocessors listed in Annex C to this DPA. Before permitting a Subprocessor to Process Personal Data, Company will put in place an agreement that requires the Subprocessor to comply with protections for Personal Data substantially similar to those described in this DPA. Company will inform Customer if it appoints any new Subprocessor; and Customer will be deemed to accept the appointment of such Subprocessor if it does not object within thirty (30) days. If any Subprocessor fails to fulfil its obligations under this DPA, Company will be fully liable to Customer for the performance of such obligations.

4. International Data Transfers

4.1 In the event that Customer is subject to the GDPR and the transfer of Personal Data to Company would be restricted in the absence of the Standard Contractual Clauses, the Parties agree that the Standard Contractual Clauses shall be incorporated herein with Customer as the “data exporter” and Company as the “data importer.”
4.2. The Standard Contractual Clauses are further completed as follows: the optional docking clause in Clause 7 is implemented; Clause 9(a) option 1 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause in Clause 11(a) is struck; Clause 13, (a) paragraph 2 is implemented; Clause 17 option 1/ 2 is implemented and the governing law is the law of the Republic of Ireland; the court in Clause 18(b) are the Courts of the Republic of Ireland; and Annex 1, 2 and 3 to the Standard Contractual Clauses are Annex A, B and C to this DPA respectively.

5. Miscellaneous

5.1 In the event of any conflict between this DPA and the Agreement, the DPA shall prevail to the extent of the conflict.
5.2 If any provision of this DPA is found to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
5.3 Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party under this DPA is subject to the limitations of liability set out in the Agreement.
5.4 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.

ANNEX A

A. LIST OF PARTIES

To the extent there is a transfer of Personal Data, Customer is the data exporter and Company is the data importer.

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is transferred:

Data subjects of the Personal Data Customers input into the Company Platform and Authorized Users.

Categories of Personal Data transferred:

Personal Data that Customers input into the Company Platform and information about Authorized Users’ use of the Company Platform.

Sensitive data transferred:

The Company Platform is not specifically designed to facilitate the processing of sensitive data; Customer represents and warrants that it shall have sole responsibility for determining whether it is appropriate to input sensitive data into the Company Platform.

Frequency of the transfer:

On a continuous basis as and when the services are accessed or provided.

Nature of the processing:

The data will be transferred for the provision of the services as set out in Agreement.

Purpose(s) of the data transfer and further processing:

To provide the services to Company.

The period for which the Personal Data will be retained:

Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

The competent Supervisory Authority is the Irish Data Protection Commission.

ANNEX B

ANNEX C

List of Subprocessors

Company authorizes Customer to engage the following Subprocessors:

Subprocessor

Purpose

Location

Amazon Web Services, Inc.

Hosting

U.S.

Salesforce, Inc. (Heroku)

Platform as a Service

U.S.

Twilio Inc. (Sendgrid)

Email delivery

U.S.

Okta, Inc. (Auth0)

Authentication

U.S.

Talend, Inc. (Stich)

Data pipeline management

U.S.

dbt Labs, Inc. (dbt Cloud)

Workflow management

U.S.

Snowflake Inc.

Analytics solutions

U.S.

Segment.io, Inc.

Data analysis platform

U.S.

Tableau Software, LLC

Data visualization

U.S.

Pendo.io, Inc.

Product analytics

U.S.

Data Processing Addendum

1. Definitions

1.1 In this DPA:

2. Data Protection

2.1 The nature of the Personal Data that Company Processes, and the subject-matter and purposes of such processing, are described in Annex A to this DPA. Customer acknowledges that Company does not control the nature of the Personal Data input into the Company Platform.

2.2 With respect to such Personal Data, Company will:

3. Subprocessing

4. International Data Transfers

5. Miscellaneous

5.1 In the event of any conflict between this DPA and the Agreement, the DPA shall prevail to the extent of the conflict.

5.2 If any provision of this DPA is found to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

5.3 Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party under this DPA is subject to the limitations of liability set out in the Agreement.

5.4 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.

ANNEX A

A. LIST OF PARTIES

To the extent there is a transfer of Personal Data, Customer is the data exporter and Company is the data importer.

B. DESCRIPTION OF TRANSFER

C. COMPETENT SUPERVISORY AUTHORITY

The competent Supervisory Authority is the Irish Data Protection Commission.

ANNEX B

Technical and Organizational Measures to Ensure the Security of the Data

ANNEX C

List of Subprocessors

Ready to supercharge your analytics workflow?