Data Processing Addendum

3.1 Compliance with Applicable Law

Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA.

3.2 Authority to process Customer Data

Each Party acknowledges and agrees that Customer has the sole and exclusive authority to determine the purposes for and means of Processing Customer Data under this Agreement, and that Zenwork is acting solely as a Service Provider with respect to this Customer Data. Zenwork has implemented and will maintain the technical and organizational measures as described in the Data Security Measures. Detailed controls can be reviewed in the current Zenwork SOC 2 Type 2 Audit report or ISO- Statement of Applicability.

3.3 Disclosure of and Access to Personal Data; No Sales of Customer Data

Zenwork will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Zenwork a demand for Customer Data, Zenwork will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Zenwork may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then Zenwork will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Zenwork is legally prohibited from doing so. Zenwork restricts its personnel from processing Customer Data without authorization by Zenwork as described in the Data Security Measures. Zenwork imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

3.4   Information Security and Incident Response

3.4.1   Zenwork will implement and maintain a comprehensive written information security program that complies with applicable law, including the Data Security Measures, to protect Customer Data Processed under this Agreement from loss; theft; misuse; unauthorized access, disclosure, or acquisition; destruction or other compromise.

3.4.2   Zenwork will (a) notify Customer of a security incident involving the loss of or unauthorized access to Customer Data (“Security Incident”) without undue delay after becoming aware of the Security Incident, and (b) take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.

3.4.3   Zenwork’s obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Zenwork of any fault or liability of Zenwork with respect to the Security Incident.

3.5 Zenwork Audits and Penetration Testing .

3.5.3   Zenwork Audits. Zenwork uses external auditors to verify the adequacy of its security measures. Since our applications and Customer Data is hosted on AWS infrastructure, we review independent audit reports of AWS at least annually and include all AWS security controls relevant to Zenwork in our SOC audit reports for informational purposes. Zenwork SOC Audits and web application penetration tests are performed at least annually by a group of independent and qualified professionals.

3.5.4   Audit Reports. In addition to the information contained in this DPA, upon Customer’s written request, Zenwork will make available the following documents and information: (i) SOC 1 Type 2 Report (ii) SOC 2 Type 2 Report (iii) Third Party penetration testing report (iv) ISO 27001/ 27701 Certificates.

4.1   Data Subject Request:

To the extent required under the applicable Data Protection Law, Zenwork shall notify Customer or redirect data subject to Customer to exercise their rights, if Zenwork receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”. Taking into account the nature of the Processing, Zenwork shall reasonably assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject request under applicable Data Protection Laws, rules, regulations, and orders of governmental authorities having jurisdiction. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Zenwork shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Zenwork is required under all applicable Data Protection Laws, rules, regulations, and orders of governmental authorities having jurisdiction. To the extent legally permitted, Customer shall be responsible for any costs arising from Zenwork’s provision of any such assistance described in Section 4.1. For the avoidance of doubt, Zenwork shall not be required to delete any of the Personal Data to comply with Data Subject’s request directed by Customer if it is necessary to maintain such information in accordance with applicable Data Protection Laws, in which case Zenwork shall promptly inform Customer of the exceptions relied upon under the applicable Data Protection Laws and Zenwork shall not use the Personal Data retained for any other purpose than provided for by that exception.

4.   Privacy Impact Assessment and Prior Consultation.

Taking into account the nature of the processing and the information available to Zenwork, Zenwork will assist Customer (to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Zenwork) in complying with Customer’s obligations in respect of data protection impact assessments related to Customer’s use of the Services and prior consultation, by providing the information Zenwork makes available under this Section.

5.1   Appointment of Subprocessors.

Customer acknowledges and agrees that (a) Zenwork’s Affiliates may be retained as Subprocessors; and (b) Zenwork may engage third-party Subprocessors in connection with the provision of the Services, subject to Zenwork or a Zenwork Affiliate entering into a written agreement with each Subprocessor containing data protection obligations.

5.2   List of Current Subprocessors and Notification of New Subprocessors.

Zenwork shall make available current list of sub processors to Customer at request. Zenwork shall provide a mechanism to subscribe to notifications of new Subprocessors for each applicable Service, to which Customer may subscribe. Zenwork shall provide a notification to such subscribers of a new Subprocessor within 14 days before authorizing any new Subprocessor to Process Customer Data in connection with the provision of the Services.

5.3   Objection Right for New Subprocessors

To the extent Customer reasonably believes the new Subprocessor’s Processing of Customer Data may violate Data Protection Laws or weaken the security of the Customer Data, Customer may object to Zenwork’s use of a new Subprocessor by notifying Zenwork promptly in writing within ten (10) business days after receipt of Zenwork’s notice in accordance with the mechanism set out in Section 5.2 above. In the event Customer objects to a new Subprocessor, Zenwork will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening Customer. Any such written objection shall include Customer’s specific reasons for its objection and proposed options to mitigate alleged risk, if any. In the absence of timely and valid objection by Customer within ten (10) business days, Customer shall be deemed to have accepted such new Subprocessor and such Subprocessors may be commissioned to process Customer Data. If Zenwork is unable to make available such change within a reasonable period of time Customer may terminate the applicable quote with respect only to those Services which cannot be provided by Zenwork without the use of the objected-to new Subprocessor by providing written notice to Zenwork.If Zenwork is unable to make available such change within a reasonable period of time Customer may terminate the applicable quote with respect only to those Services which cannot be provided by Zenwork without the use of the objected-to new Subprocessor by providing written notice to Zenwork.

5.4   Liability

Zenwork shall be liable for the acts and omissions of its Subprocessors to the same extent Zenwork would be liable if performing the services of each Subprocessor directly under the terms of this DPA, except as otherwise set forth herein or in the Agreement or applicable Ordering Documents.

Zenwork may be required to store Personal Data as required to satisfy any legal, regulatory, tax, accounting or reporting requirements, Zenwork’s Data Retention Policy found in Zenwork’s privacy policy outlines the specific data retention for each product, in which case Zenwork: (i) will continue to ensure the privacy, security and confidentiality of the Personal Data; (ii) will not Process the Personal Data further except to maintain it for the applicable time period and ; (iii) will continue to comply with its obligations under this Agreement.

Upon Customer’s written request, Zenwork (i) will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, and (ii) complete a written information security questionnaire provided by Customer or a third party on Customer’s behalf regarding Zenwork’s business practices and information technology environment in relation to all Personal Data being handled and/or services being provided by Zenwork to Customer pursuant to the Agreement. Zenwork will fully cooperate with such inquiries, including such follow-up questions as Customer may have in relation to Zenwork’s responses. Customer shall treat the information provided by Zenwork in the security questionnaire as Zenwork’s Confidential Information.

Any claims against Zenwork shall only be brought by the Customer entity that is a party to the Terms. In no event shall this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority.

Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Zenwork, whether in contract or tort under any other theory of liability, is subject to the ‘Limitation of Liability’ section (or functional equivalent) of the SAAS Terms, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the SAAS Terms and all DPAs together. For the avoidance of doubt, Zenwork’s and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the MSA and all DPAs shall apply in the aggregate for all claims under both the MSA and all DPAs, including by Zenwork and all Authorized Affiliates, and shall not be understood to apply individually and severally to Customer and/or any Authorized Affiliate that is a contractual party to any such DPA.

Where the provision of the Services involves the transfer of Personal Data that (1) is subject to European Data Protection and (2) where such Personal Data is transferred either directly or via onward transfer to countries that do not ensure an adequate level of protection within the meaning of such Data Protection Laws, the Parties agree to comply with Section 10 of this DPA and the terms of the EU Standard Contractual Clauses without modification (other than as agreed under this Section 10).

Where a transfer of Personal Data is subject to the GDPR and the FADP, the following additional provisions to the EU SCCs shall also apply in order for the EU SCCs to be suitable for ensuring an adequate level of protection for such transfer in accordance with Article 6 paragraph 2 letter a FADP:

(a) “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.

(b) “Revised FADP” means the revised version of the FADP of 25 September 2020, which is scheduled to come into force on 1 January 2023.

(c) The term “EU Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility for suing their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.

(d) The EU SCCs also protect the data of legal entities until the entry into force of the Revised FADP.

(e) The FDPIC shall act as the “competent supervisory authority” insofar as the relevant data transfer is governed by the FADP.

11.1 United Kingdom.

Where a transfer of Personal Data is subject to UK Data Protection Laws, the Parties shall rely on the EU Standard Contractual Clauses as amended by the UK Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner’s Office under s.119A(1) of the UK Data Protection Act 2018.

11.2 Incorporation of SCCs.

The Standard Contractual Clauses shall be incorporated into this Agreement by reference and be considered duly executed between the Parties upon entering into force of this Agreement, and the parties agree to observe the terms of the Standard Contractual Clauses without modification. The information required to complete the Standard Contractual Clauses is recorded in Attachment A (“Data Processing Description”) which shall be incorporated into the Standard Contractual Clauses as Annex I.B to such Standard Contractual Clauses, and Zenwork agrees to comply with

Attachment B (“TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA”) of this Agreement, which shall be incorporated into the Standard Contractual Clauses as Annex II.

11.3 Changes to transfer mechanisms.

If, at any time:

(a) the laws or regulatory procedures of any jurisdiction require any further steps to be taken in order to permit the transfer of Personal Data as envisaged under this Addendum (including, without limitation, executing or re-executing the EU Standard Contractual Clauses as separate document setting out the proposed transfers of Personal Data, and entering into additional cross-border transfer clauses); and/or

(b) the transfer mechanisms in this Section 11.3 are (i) amended, replaced or repealed under Data Protection Laws, (ii) declared invalid by a court of competence, or (iii) otherwise terminated, annulled, replaced or repealed under Data Protection Laws, then the Parties shall work together to take all steps reasonably required and negotiate in good faith any other solution to enable a transfer in compliance with Data Protection Laws.

4.1  The Chief Executive Officer, the Senior Management Team and all employees are committed to establishing and operating an effective Information Security Management System in accordance with its strategic business objectives. Zenwork is committed to the Information Security Management System, and ensures that IT policies are communicated, understood, implemented and maintained at all levels of the organization and regularly reviewed for continual suitability.

4.2  Confidentiality and nondisclosure agreements are required when sharing sensitive, proprietary personal, or otherwise confidential information between Zenwork and any third-party.

4.3  A formal process is in place to manage third parties with access to organizational data, information systems, or data centers. All such third parties commit contractually to maintaining confidentiality of all confidential information.

5.1  The Chief Executive Officer, the Senior Management Team and all employees are committed to establishing and operating an effective Information Security Management System in accordance with its strategic business objectives. Zenwork is committed to the Information Security Management System, and ensures that IT policies are communicated, understood, implemented and maintained at all levels of the organization and regularly reviewed for continual suitability.

5.2   Zenwork maintains an information assets classification policy and classifies such assets in terms of its value, legal requirements, sensitivity, and criticality to the organization.

5.3   Account sharing is prohibited unless approved by management.

5.4  Media Handling Policy is implemented for procedures relating to disposal of information assets / equipment.

6.1  Security roles and responsibilities for employees are defined and documented.

6.2  Zenwork performs background screening of new hires including job history, references, and criminal checks (subject to local laws).

6.3  Zenwork requires all new employees to sign employment agreements, which include comprehensive non-disclosure and confidentiality commitments.

6.4  Zenwork maintains an information security awareness and training program that includes new hire training.

6.5  Information Security awareness is enhanced through regular communications using company-wide emails, as necessary.

6.6  Access for all new employees is configured with minimum default access to company resources/applications required by an employee to perform the job duty. Only the IT team/CEO has access to change user profiles or give higher access.

7.1  Cloud Infrastructure is used for hosting Zenwork software applications. Our Cloud Service Provider provides SOC compliant data center services. Cloud Service Provider SOC reports cover controls objectives related to Security, Availability and Confidentiality . The types of controls that are necessary to meet the applicable trust services criteria, either alone or in combination with controls at Zenwork include:

7.1.1  The system is protected against unauthorized access (both physical and logical).

7.1.2  The system is available for operation and use and in the capacities as committed or agreed.

7.1.3  Policies and procedures exist related to security and availability and are implemented and followed.

8.1  The operation of systems and applications that support the Service is subject to documented operating procedures.

8.2  All systems are configured with appropriate antivirus protection

8.3  Organizational charts are in place to communicate key areas of authority, responsibility, and appropriate lines of reporting to personnel. These charts are communicated to employees and are updated as needed.

8.4  Zenwork has implemented a well-defined Change management process to ensure that all changes to the information processing facilities, including equipment, supporting facilities and utilities, networks, application software, systems software and security devices are managed and controlled.

8.5  When an incident is detected or reported, a defined incident response process is initiated by authorized personnel. Corrective actions are implemented in accordance with defined policies and procedures.

9.1  Zenwork maintains “ “Access Control Policy” that outlines requirements for the use of user IDs and passwords for logical access controls.

9.2  The organization publishes and maintains a password management standard. In general, users are asked to follow the strong password policies.

9.3  IT system access is reviewed on a monthly basis.

9.4  Access is granted on a least privileged basis as default and any additional access needs to be approved.

9.5  Zenwork has established hardening standards production infrastructure that include requirements for implementation of security groups, access control, configuration settings, and standardized policies.

9.6  Zenwork does not allow customers or external users to access its internal systems.

9.7  Cloud infrastructures are configured to use the Cloud Service Provider’s AWS's identity and access management system (IAM). Relevant groups have been added in IAM.

9.8  Direct access to cloud infrastructure is possible only through encrypted SSH access by the IT team.

9.9  For Cloud Infrastructure access, Multi Factor Authentication is enabled .

9.10  External users can only access the system remotely through secure sockets layer (SSL), or other encrypted communication system.

9.11  Upon notice of termination, all user access is removed. All critical system access is removed immediately upon notification

10.1  All changes are recorded, approved, implemented, tested and versioned before moving to production environment.

10.2  Cloud Service Provider tools are used to prevent Denial of Service (DOS) Attacks

10.3  VPC has been setup and all production servers are within the private subnet

10.4  Direct access to production instances is only through 2048-bit SSH keys.

10.5  Only the production group has access to production resources.

10.6  There is a formal release process for releasing builds. The testing team does the complete testing of the release. On receipt of sign off mail from the testing team the release is deployed on production servers.

10.7  Separate environments are used for development, testing, and production. Developers do not have the ability to make changes to software in testing or production.

Zenwork maintains an incident response plan. The plan addresses specific incident response procedures, data backup procedures, roles and responsibilities, customer communication, contact strategies, and legal information flow