Data Processing Addendum
Effective Date: January 1, 2026
Last Updated: January 1, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between WorkPerfect Co ("WorkPerfect") and the customer identified in the applicable Order Form or that has accepted the WorkPerfect Terms of Service ("Customer") (the "Agreement"). This DPA governs WorkPerfect's processing of Personal Data on behalf of Customer in connection with the WorkPerfect Service.
In the event of any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA controls.
1. Definitions
Capitalized terms used but not defined in this DPA have the meanings given in the Agreement. The following terms have the meanings set out below:
"Applicable Data Protection Laws" means all data protection and privacy laws applicable to a party's processing of Personal Data under this DPA, including:
- (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("EU GDPR");
- (b) the United Kingdom General Data Protection Regulation as defined by the UK Data Protection Act 2018 ("UK GDPR"), together with the UK Data Protection Act 2018;
- (c) the Swiss Federal Act on Data Protection ("Swiss FADP");
- (d) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"); and
- (e) any other applicable U.S. state comprehensive privacy law, including the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, and the Montana Consumer Data Privacy Act.
"Controller," "Processor," "Data Subject," "Personal Data," "Personal Data Breach," "Processing," and "Special Categories of Personal Data" have the meanings given in the EU GDPR. "Sell," "Share," "Sensitive Personal Information," and "Service Provider" have the meanings given in the CCPA.
"Customer Personal Data" means Personal Data contained in Customer Data that WorkPerfect Processes on behalf of Customer in connection with the Service.
"EU SCCs" means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914 of June 4, 2021, available at eur-lex.europa.eu.
"Sub-processor" means any third party engaged by WorkPerfect to Process Customer Personal Data on WorkPerfect's behalf in connection with the Service.
"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (Version B1.0, in force March 21, 2022).
2. Scope and Roles of the Parties
2.1 Subject Matter
This DPA applies to WorkPerfect's Processing of Customer Personal Data in connection with the Service.
2.2 Roles
For purposes of this DPA, with respect to Customer Personal Data:
- Customer is the Controller (or acts as a Processor on behalf of a third-party Controller, in which case Customer represents that it has all necessary authority to enter into this DPA on behalf of that Controller).
- WorkPerfect is the Processor.
For purposes of the CCPA, WorkPerfect acts as a Service Provider to Customer. WorkPerfect will not: (a) Sell or Share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than for the specific purpose of providing the Service, including retaining, using, or disclosing the Customer Personal Data for a commercial purpose other than providing the Service; (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and WorkPerfect; or (d) combine Customer Personal Data with personal information that WorkPerfect receives from or on behalf of another person, except as permitted under the CCPA. WorkPerfect certifies that it understands these restrictions and will comply with them.
2.3 Customer Responsibilities
Customer is responsible for: (a) ensuring it has all necessary rights, consents, and lawful bases to provide Customer Personal Data to WorkPerfect for Processing under this DPA; (b) the accuracy, quality, and legality of Customer Personal Data; (c) determining the purposes and means of Processing; and (d) providing notices to and obtaining consents from Data Subjects as required by Applicable Data Protection Laws.
2.4 WorkPerfect's Processing
WorkPerfect will Process Customer Personal Data only:
- (a) on documented instructions from Customer, including as set out in the Agreement, this DPA, and Customer's configuration of the Service;
- (b) as required to provide and support the Service;
- (c) as required by applicable law (in which case WorkPerfect will, where legally permitted, inform Customer of the legal requirement before Processing); or
- (d) as otherwise authorized in writing by Customer.
WorkPerfect will inform Customer if, in its opinion, an instruction from Customer infringes Applicable Data Protection Laws.
3. Processing Details
The categories of Data Subjects, types of Personal Data, nature and purpose of Processing, and duration of Processing are set out in Annex 1 (Processing Details).
4. Confidentiality
WorkPerfect will ensure that personnel authorized to Process Customer Personal Data are bound by appropriate written or statutory confidentiality obligations and have received appropriate training on data protection.
5. Security
5.1 Security Measures
WorkPerfect will implement and maintain the technical and organizational security measures set out in Annex 2 (Security Measures) designed to protect Customer Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, or disclosure.
5.2 Updates to Security Measures
WorkPerfect may update the security measures from time to time, provided that any update will not materially decrease the overall protection of Customer Personal Data.
6. Personal Data Breach
6.1 Notification
WorkPerfect will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.
6.2 Information
WorkPerfect's notification will, to the extent then known, describe: (a) the nature of the breach, including the categories and approximate number of Data Subjects and records affected; (b) the likely consequences; (c) the measures WorkPerfect has taken or proposes to take to address the breach and mitigate its effects; and (d) a contact point for further information.
6.3 Cooperation
WorkPerfect will cooperate with Customer and provide reasonable assistance in connection with the breach, including in Customer's notifications to supervisory authorities and Data Subjects to the extent required by Applicable Data Protection Laws.
6.4 Customer's Notification Obligations
Notification of a Personal Data Breach by WorkPerfect to Customer is not an acknowledgment by WorkPerfect of any fault or liability. Customer is responsible for any notifications it is required to make to supervisory authorities, Data Subjects, or others under Applicable Data Protection Laws.
7. Sub-processors
7.1 General Authorization
Customer grants WorkPerfect general authorization to engage Sub-processors to Process Customer Personal Data, subject to the requirements in this Section 7.
7.2 Current Sub-processors
WorkPerfect's current list of Sub-processors is published at work-perfect.com/sub-processors.
7.3 New Sub-processors
WorkPerfect will provide Customer with at least thirty (30) days' prior notice of the addition of, or any material change to, a Sub-processor (a "Sub-processor Change Notice"), by updating the published list and, for Customers subscribed to receive notifications, by email.
7.4 Right to Object
Customer may object to a new Sub-processor on reasonable, documented data protection grounds by giving WorkPerfect written notice within thirty (30) days of the Sub-processor Change Notice. The parties will work together in good faith to resolve the objection. If the parties cannot agree on a resolution, Customer may terminate the affected portion of the Service by giving WorkPerfect written notice, and WorkPerfect will refund any prepaid fees for the unused portion of the Subscription Term attributable to that portion of the Service.
7.5 Sub-processor Obligations
WorkPerfect will: (a) enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those in this DPA, to the extent applicable to the nature of the Sub-processor's services; and (b) remain liable to Customer for the acts and omissions of its Sub-processors as if they were WorkPerfect's own.
8. International Data Transfers
8.1 Transfer Mechanism
If WorkPerfect's Processing of Customer Personal Data involves a transfer subject to Chapter V of the EU GDPR, the UK GDPR, or the Swiss FADP, the transfer is governed by the EU SCCs (with the modifications and selections set out in Annex 3 (International Transfers)), the UK Addendum, and the Swiss adaptations described in Annex 3, as applicable.
8.2 Order of Precedence
In the event of any conflict between this DPA and the EU SCCs or UK Addendum with respect to a transfer subject to those instruments, the EU SCCs or UK Addendum (as applicable) control with respect to that transfer.
8.3 Data Privacy Framework
To the extent WorkPerfect is certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Framework (collectively, the "DPF"), WorkPerfect commits to comply with the DPF Principles with respect to Customer Personal Data received in reliance on the DPF. WorkPerfect's then-current DPF certification status is published at dataprivacyframework.gov. WorkPerfect's reliance on the DPF as a transfer mechanism does not replace the EU SCCs or UK Addendum, which remain in effect as a separate transfer mechanism unless the parties agree otherwise in writing.
8.4 Government Access Requests
WorkPerfect will, where legally permitted: (a) promptly notify Customer of any legally binding request from a public authority for disclosure of Customer Personal Data; (b) challenge any request that appears unlawful or overbroad; and (c) provide only the minimum amount of Customer Personal Data necessary to comply with the request. WorkPerfect will produce an annual transparency report describing requests received and how they were handled, where permitted by law.
9. Data Subject Requests
9.1 Cooperation
WorkPerfect will provide Customer with reasonable assistance, by appropriate technical and organizational measures and taking into account the nature of the Processing, to enable Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).
9.2 Direct Requests to WorkPerfect
If WorkPerfect receives a request directly from a Data Subject relating to Customer Personal Data, WorkPerfect will, except where prohibited by law, promptly forward the request to Customer and will not respond to the Data Subject directly other than to acknowledge receipt and direct the Data Subject to Customer.
9.3 Self-Service
To the extent the Service provides functionality enabling Customer to access, correct, delete, restrict, or export Customer Personal Data, Customer's use of that functionality satisfies WorkPerfect's obligation under this Section 9.
10. Data Protection Impact Assessments and Consultation
WorkPerfect will provide Customer with reasonable assistance in connection with: (a) data protection impact assessments under Article 35 of the EU GDPR or UK GDPR; and (b) prior consultations with supervisory authorities under Article 36 of the EU GDPR or UK GDPR, where required and to the extent the assistance relates to WorkPerfect's Processing of Customer Personal Data.
11. Audits
11.1 Audit Reports
WorkPerfect will, on Customer's reasonable written request and no more than once per twelve (12) month period, make available to Customer:
- (a) a copy of WorkPerfect's then-current SOC 2 attestation or equivalent third-party audit report (if any);
- (b) responses to a reasonable security questionnaire; and
- (c) a written summary of the security measures in Annex 2.
11.2 On-Site Audits
If the materials in Section 11.1 are insufficient to demonstrate compliance with this DPA, Customer (or a qualified independent auditor engaged by Customer that is not a competitor of WorkPerfect and is bound by appropriate confidentiality obligations) may, on at least sixty (60) days' prior written notice and no more than once per twelve (12) month period (except where required by a supervisory authority or following a Personal Data Breach), conduct an audit of WorkPerfect's compliance with this DPA, subject to the following:
- (a) the audit will take place during regular business hours, will be conducted in a manner that does not unreasonably interfere with WorkPerfect's operations, and will not access systems or data of other WorkPerfect customers;
- (b) the auditor will sign a non-disclosure agreement reasonably acceptable to WorkPerfect;
- (c) the audit will be at Customer's expense, except where the audit reveals a material breach of this DPA by WorkPerfect, in which case WorkPerfect will reimburse Customer's reasonable audit costs; and
- (d) Customer will provide WorkPerfect with a copy of the audit report, which will be treated as WorkPerfect's Confidential Information.
11.3 Supervisory Authority Audits
Nothing in this Section 11 limits the rights of any supervisory authority to audit WorkPerfect under Applicable Data Protection Laws.
12. Return and Deletion
12.1 Termination
Following termination or expiration of the Agreement, Customer may export Customer Personal Data using the export functionality of the Service for a period of thirty (30) days.
12.2 Deletion
Within ninety (90) days after termination or expiration of the Agreement, WorkPerfect will delete or anonymize Customer Personal Data from the production environment of the Service. Customer Personal Data may persist in routine encrypted backups for up to thirty-five (35) days from the date of the backup, after which it will be deleted in the ordinary course of backup rotation.
12.3 Legal Retention
WorkPerfect may retain Customer Personal Data to the extent required by applicable law, in which case WorkPerfect will continue to protect that data in accordance with this DPA for as long as it is retained.
12.4 Certification of Deletion
WorkPerfect will provide written confirmation of deletion on Customer's request.
13. Liability
The liability of each party under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Agreement. For clarity, this DPA does not increase or expand a party's liability beyond the limits set in the Agreement.
For the avoidance of doubt, this Section does not limit either party's liability to a Data Subject under Clause 12 of the EU SCCs or under the UK Addendum, where those instruments apply.
14. Term
This DPA takes effect on the Effective Date and continues until termination or expiration of the Agreement. Provisions that by their nature are intended to survive termination will survive, including Sections 4, 12, and 13.
15. Conflicts and Order of Precedence
In the event of a conflict between documents governing the Processing of Customer Personal Data, the order of precedence is:
- the EU SCCs and UK Addendum (with respect to transfers subject to those instruments);
- this DPA;
- the Agreement.
Annex 1 — Processing Details
A. Categories of Data Subjects
Customer Personal Data may relate to the following categories of Data Subjects, as determined by Customer:
- Customer's Authorized Users.
- Workers, contractors, vendors, candidates, suppliers, and other individuals about whom Customer maintains records in the Service in connection with its contingent workforce and vendor management activities.
- Customer's employees and other personnel to the extent their information is included in records maintained in the Service.
B. Categories of Personal Data
Customer Personal Data may include the following categories, as determined by Customer:
- Identifiers (name, business email address, business phone number, government-issued identifier where Customer chooses to upload it, account identifier, IP address).
- Professional and employment information (job title, department, employer, work history, skills, certifications, professional qualifications, work assignments, work hours, rate information).
- Commercial information (subscription history, transaction records, billing information).
- Internet or network activity (usage logs, session logs, audit logs of activity in the Service).
- Geolocation (approximate location derived from IP address).
- Communications submitted to or generated within the Service (messages, notes, documents uploaded by Customer).
C. Special Categories of Personal Data
WorkPerfect does not require, and the Service is not designed to receive, Special Categories of Personal Data. Customer should not submit Special Categories of Personal Data to the Service. If Customer submits such data, Customer represents that it has a lawful basis for doing so and has obtained any required explicit consents.
D. Frequency of Processing
Continuous, for the duration of the Agreement.
E. Nature and Purpose of Processing
WorkPerfect Processes Customer Personal Data to provide the Service, including:
- Hosting, storing, and transmitting Customer Personal Data within the Service.
- Authenticating Authorized Users and managing access.
- Operating the Service's features at Customer's direction (including vendor management, position management, candidate management, invoicing, reporting, notifications, and integrations).
- Providing support and resolving service or technical issues.
- Maintaining the security, integrity, and availability of the Service.
- Generating Aggregated and de-identified data as permitted by the Agreement.
F. Duration of Processing
For the duration of the Agreement, plus the retention periods described in Section 12 of this DPA.
G. Identity of Sub-processors
As listed at work-perfect.com/sub-processors and as in effect from time to time.
Annex 2 — Security Measures
WorkPerfect implements and maintains the following technical and organizational measures designed to protect Customer Personal Data. The specific implementations may evolve over time, provided that any update does not materially decrease the overall protection of Customer Personal Data.
A. Information Security Program
- A documented information security program that addresses the protection of Customer Personal Data.
- Periodic review of the program.
- Designated personnel responsible for information security.
B. Access Controls
- Role-based access controls applied to administrative access to the Service infrastructure.
- Multi-factor authentication required for administrative access to the Service infrastructure.
- The principle of least privilege applied to access provisioning.
- Periodic review of access rights.
- Prompt revocation of access on personnel changes.
C. Authentication and Identity
- Multi-factor authentication available to Authorized Users, including support for WebAuthn/passkey authentication.
- Strong password requirements and protection against credential-stuffing attacks.
- Session management controls, including session timeout and session validation.
D. Tenant Isolation
- Tenant data isolation enforced through PostgreSQL row-level security.
- Application-layer enforcement of tenant scope on all data access.
E. Encryption
- Encryption of Customer Personal Data in transit using TLS 1.2 or higher.
- Encryption of Customer Personal Data at rest using AWS Key Management Service.
- Encryption of database backups.
F. Network and Infrastructure Security
- Deployment in Amazon Web Services using managed services with AWS-maintained physical, environmental, and infrastructure security.
- Web Application Firewall and bot-control protection on public endpoints.
- Network segmentation between application, database, and management layers.
- Hardened operating system images for compute resources.
G. Logging and Monitoring
- Logging of access to production systems and administrative actions.
- Logging of authentication and security events.
- Centralized log storage with retention as described in the Privacy Policy.
- Monitoring and alerting on anomalous activity.
H. Vulnerability Management
- Use of automated dependency scanning and static analysis tooling on application code.
- Periodic review and patching of operating systems and runtime dependencies.
- A documented process for responding to disclosed vulnerabilities.
I. Backup and Recovery
- Routine encrypted backups of the production database.
- Off-region backup storage.
- Documented procedures for restoration.
J. Incident Response
- A documented Personal Data Breach response procedure, including notification to Customer in accordance with Section 6 of this DPA.
K. Personnel
- Background checks for personnel with access to production systems, where permitted by law.
- Confidentiality obligations imposed on personnel with access to Customer Personal Data.
- Periodic security and privacy training.
L. Change Management
- Documented change-management procedures for production deployments.
- Code review required for changes to production systems.
- Separation of development and production environments.
M. Vendor Management
- Due diligence on Sub-processors before engagement.
- Written agreements with Sub-processors imposing data protection obligations.
N. Compliance
- SOC 2 attestation. WorkPerfect makes the current attestation report available to Customer under Section 11 of this DPA.
Annex 3 — International Transfers
A. EU SCCs
Where the EU SCCs apply, the parties agree:
- Module: Module 2 (Controller-to-Processor) applies. If Customer acts as a Processor on behalf of a third-party Controller, Module 3 (Processor-to-Processor) applies.
- Clause 7 (Docking): Optional. Not adopted.
- Clause 9(a) (Sub-processors): Option 2 (general written authorization) applies. The notice period is thirty (30) days.
- Clause 11(a) (Independent dispute resolution): The optional language is not adopted.
- Clause 17 (Governing law): The laws of Ireland apply.
- Clause 18(b) (Choice of forum): The courts of Ireland have jurisdiction.
- Annex I.A (List of Parties): Customer is the data exporter (and Controller or Processor as applicable). WorkPerfect Co is the data importer (and Processor or Sub-processor as applicable). Contact details are as set out in the Agreement and at work-perfect.com/privacy.
- Annex I.B (Description of transfer): As set out in Annex 1 of this DPA.
- Annex I.C (Competent supervisory authority): Where Customer is established in an EU Member State, the supervisory authority of that Member State. Where Customer is not established in an EU Member State but has an EU representative or is otherwise subject to the EU GDPR, the supervisory authority of the Member State where the representative is established or where the Data Subjects are located.
- Annex II (Technical and organizational measures): As set out in Annex 2 of this DPA.
- Annex III (List of Sub-processors): As published at work-perfect.com/sub-processors.
B. UK Addendum
Where the UK Addendum applies, the parties agree:
- The EU SCCs as completed above apply with the modifications set out in the UK Addendum.
- Table 1 (Parties): As set out in Annex 1.A above; the start date is the Effective Date of this DPA.
- Table 2 (Approved EU SCCs): Module 2 (or Module 3, as applicable), as completed above.
- Table 3 (Appendix Information): As set out above.
- Table 4 (Ending the Addendum): Either party may end the Addendum as permitted by Section 19 of the Addendum.
C. Swiss Transfers
For transfers subject to the Swiss FADP, the EU SCCs apply with the following adaptations:
- References to the EU GDPR are read as references to the Swiss FADP, to the extent the FADP is the applicable law.
- The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
- The governing law for Clause 17 is Swiss law where the FADP exclusively applies.
- "Member State" is interpreted to allow Data Subjects in Switzerland to exercise their rights in their place of habitual residence.
D. Data Privacy Framework
If WorkPerfect is certified under the DPF, transfers covered by WorkPerfect's then-current DPF certification may, at WorkPerfect's election, rely on the DPF as a transfer mechanism in lieu of the EU SCCs and UK Addendum. WorkPerfect's reliance on the DPF will be reflected in its publicly posted Privacy Policy and at dataprivacyframework.gov.
E. Alternative Mechanism
If a transfer mechanism above is invalidated or is no longer adequate under Applicable Data Protection Laws, the parties will work together in good faith to implement an alternative lawful transfer mechanism within a reasonable time.
Signature
This DPA is incorporated into and forms part of the Agreement and does not require separate signature. By accepting the Agreement, Customer accepts this DPA. If Customer requires a counter-signed copy of this DPA, Customer may submit the request to legal@work-perfect.com.
WorkPerfect Co