Data Processing Addendum

Last updated: November, 2025

This Data Processing Addendum (“DPA”) forms part of the Agreement and sets out the respective responsibilities of the Customer (as Controller) and Culture Amp (as Processor) in relation to the processing of Customer Personal Data.

  1. Definitions

    1. Applicable Data Protection Law means all laws and regulations applicable to and binding on the processing of Customer Data by a party.
    2. Californian Data Protection Law means the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations ("CCPA").
    3. Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
    4. Customer Personal Data means any Personal Data that Customer transmits, transfers or otherwise shares with Culture Amp for the purpose of providing the Service.
    5. EU Data Protection Law includes, as applicable, (i) the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation, or GDPR) and (ii) the EU e-Privacy Directive (Directive 2002/58/EC) as amended, superseded or replaced from time to time.
    6. EU SCCs means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, superseded, or replaced from time to time.
    7. Europe includes, for the purposes of this DPA, the Member States of the European Union and European Economic Area.
    8. Personal Data means information about an identified or identifiable natural person, or which otherwise constitutes "personal data", "personal information", "personally identifiable information" or similar terms as defined in Applicable Data Protection Law.
    9. Processing (and "Process" and "Processed") means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    10. Processor means the entity which Processes Personal Data on behalf of the Controller and includes any substantially analogous role as defined under Applicable Data Protection Laws (such as "Service Provider" under the CCPA).
    11. Security Incident means a confirmed breach of security of the Service or Culture Amp's systems used to process Customer Personal Data leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data processed by Culture Amp. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Information, including unsuccessful login attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
    12. Subprocessor means any third-party, including Culture Amp affiliates, engaged by Culture Amp to Process Customer Personal Data.
    13. UK Data Protection Law means the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 as amended, superseded or replaced from time to time.
    14. UK IDTA means the contractual clauses issued by the UK Information Commissioner under section 119A (1) of the Data Protection Act 2018 (DPA 2018) and is in force from 21 March 2022, as amended, superseded or replaced from time to time.
    15. Capitalized terms used but not otherwise defined in this DPA have the meanings given to them in the General Terms.
  2. Processing of Customer Personal Data

    1. Roles of the Parties. For the purposes of the Agreement, the parties agree that the Customer is the Controller of the Customer Personal Data and Culture Amp is a Processor of the Customer Personal Data.
    2. Customer's Documented Instructions. The parties agree that this DPA, together with the Agreement and the Customer's use of the Services (including any relevant configurations and settings), constitute the entirety of the Customer's documented instructions to Culture Amp regarding the Processing of Customer Personal Data ("Documented Instructions"). Further details about the Data Processing are found in Schedule B.
    3. Instructions for Processing. Culture Amp will Process Customer Personal Data solely in accordance with the Customer's Documented Instructions except where Processing is necessary to comply with applicable laws or a binding governmental order. In such cases, Culture Amp will inform the Customer of the legal requirement before Processing, unless that law or order prohibits disclosure on important grounds of public interest.
    4. Compliance with Laws. The Customer must ensure that all Documented Instructions it issues to Culture Amp comply with all Applicable Data Protection Laws. Culture Amp is not responsible for monitoring Customer's compliance with Applicable Data Protection Laws. However, to the extent required by law, Culture Amp shall inform the Controller if it becomes aware that Customer's Documented Instructions breach the Data Protection Law applicable to the customer.
    5. Confidentiality Obligations. Culture Amp must treat Customer Personal Data in line with the confidentiality provisions set out in the Agreement, including the Privacy Policy. Culture Amp must ensure personnel authorized to Process Personal Data are bound by written or statutory obligations of confidentiality.
  3. Assistance with Data Subject Requests and Cooperation Obligations

    1. Assistance with Data Subject Requests. Culture Amp will, in a manner consistent with the functionality of the Service and its role as Processor, provide commercially reasonable support to the Customer to enable the Customer to respond to Data Subject requests to exercise their rights under Applicable Data Protection Laws ("Data Subject Requests").
    2. Cooperation Obligations. Upon the Customer's reasonable request, and to the extent required by law taking into account the nature of the Processing, Culture Amp will provide reasonable assistance to the Customer in fulfilling its obligations under Applicable Data Protection Laws. Such assistance will only be provided to the extent the Customer cannot reasonably fulfil these obligations independently using the documentation and resources that Culture Amp makes available through its website, Platform, or Customer Trust Center.
    3. Third Party Requests. Unless prohibited by Law, Culture Amp will notify Customer of any legal process or governmental request compelling Culture Amp to disclose Customer Personal Data, and will not respond to such requests unless legally obligated to do so. In the event that Culture Amp receives an inquiry or a request for information from any other third party (such as a regulator or data subject) concerning the Processing of Customer Personal Data, Culture Amp will redirect such inquiries to Customer, and will not provide any information unless required to do so under Law.
  4. Security

    1. Security Measures. Culture Amp has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity, and availability of Customer Personal Data and to prevent Security Incidents. The Customer is responsible for configuring the Services and using the security features and functionalities made available by Culture Amp to maintain appropriate protection in light of the nature of the Customer Personal Data. Culture Amp's current technical and organizational measures are described here. The Customer acknowledges that these Security Measures are subject to technical progress and development and that Culture Amp may update or modify them from time to time, provided that such updates and modifications do not materially reduce the overall level of security of the Services during the applicable Subscription Term.
    2. Security Incidents. Culture Amp will notify the Customer without undue delay, and where feasible, no later than forty-eight (48) hours after becoming aware of a Security Incident. Culture Amp must make reasonable efforts to identify the cause of the Security Incident, mitigate its effects, and remediate the underlying cause to the extent within Culture Amp's reasonable control. Upon the Customer's request, and taking into account the nature of the Processing and the information available to Culture Amp, Culture Amp must provide reasonable assistance by supplying information necessary for the Customer to meet its notification obligations under Applicable Data Protection Laws. Culture Amp's notification of a Security Incident does not constitute an admission of fault or liability.
  5. Audits

    1. Audit Reports: Culture Amp is regularly audited by independent third-party auditors and/or internal auditors. Upon the Customer's request, and provided the Customer has entered into an applicable non-disclosure agreement with Culture Amp, Culture Amp will provide a summary copy of the relevant audit results so the Customer can verify Culture Amp's compliance with the applicable audit standards and this DPA. If the Customer cannot reasonably verify Culture Amp's compliance with the terms of this DPA based on this summary, Culture Amp will provide written responses (on a confidential basis) to reasonable requests for information made by the Customer relating to Culture Amp's Processing of Customer Personal Data. This right may be exercised no more than once in a contract term.
    2. Customer Audit Right. To the extent Culture Amp is legally required to participate in independent audits initiated by a Customer under Applicable Data Protection Laws, and only where the Customer cannot reasonably verify Culture Amp's compliance with this DPA through the rights described in Section 4.1, the Customer may, at its own expense, conduct an audit during the term of the Agreement to assess Culture Amp's compliance with this DPA. Any such audit must: (i) be conducted during Culture Amp's normal business hours and with at least thirty (30) calendar days' prior written notice (unless a shorter notice period is required by Applicable Data Protection Law or a regulatory authority); (ii) be subject to reasonable confidentiality obligations requiring the Customer (and its authorized representatives) to keep confidential any information disclosed that, by its nature, should be treated as confidential; (iii) occur no more than once per contract term; and (iv) be limited in scope to information relevant to the Customer's data and Culture Amp's processing activities under this DPA.
  6. Subprocessing

    1. General Authorisation. By entering into this DPA, Customer provides general authorization for Culture Amp to engage Subprocessors to process Customer Personal Data. Culture Amp must: (i) enter into a written agreement with each Subprocessor that imposes data protection obligations on the Subprocessor to a substantially similar level to those extended in this DPA; and (ii) remain liable to Customer for the Subprocessor's performance of its data protection obligations with respect to the relevant processing activities under the Agreement.
    2. Notice of New Subprocessors. Culture Amp will make available a list of Subprocessors that Culture Amp currently engages, which is currently available here, and will provide Customer with a mechanism to obtain notice of any updates to the Subprocessor List. Before Culture Amp engages a Subprocessor, Culture Amp will provide sufficient written notice to the Customer (which may be via email, notification on our website, or other reasonable means).
    3. Objection to New Subprocessors. If Customer does not consent to the use of a new Subprocessor that was not included on the list of subprocessors most recently provided or made available to the Customer (whether at the time that the Agreement was entered into or following an update), Customer may notify Culture Amp in writing at privacy@cultureamp.com within 14 days of receiving notice of the Subprocessor update. Upon receiving such notice, the parties will discuss Customer's concerns in good faith. If the parties are unable to reach a mutually acceptable resolution, Customer's sole and exclusive remedy will be to terminate the order for the affected Service for convenience. In such a case, Culture Amp will refund any prepaid, unused fees covering the terminated portion of the applicable subscription term for the affected Service.
  7. Deletion or Return of Customer Personal Data

    1. Return of Customer Personal Data. During the term of the Agreement, or following its termination, the Customer may request the export of Customer Personal Data. Culture Amp must facilitate such export without undue delay, to the extent the Customer Personal Data is within Culture Amp's immediate possession or control, except where the request (i) conflicts with the Confidentiality Protections selected by the Customer, or (ii) the Customer Personal Data has already been automatically deleted in accordance with the data retention period set out in the Agreement.
    2. Deletion of Customer Personal Data. During the term of the Agreement, or following its termination, the Customer may request the deletion of Customer Personal Data. Upon such a request, Culture Amp will make commercially reasonable efforts to delete or destroy any Customer Personal Data remaining in its possession, to the extent required by the Agreement and applicable law. Culture Amp will not delete Customer Personal Data where retention is (i) required by applicable laws, (ii) subject to a binding court order, or (iii) for Disaster Recovery or Security purposes outlined in the Terms.
  8. International Provisions and Transfers

    1. International Data Transfer. Customer Personal Data will be stored in the data center specified in the applicable Service Order, or as otherwise set out in the Agreement. Customer acknowledges and agrees that Culture Amp may transfer and process Customer Data internationally, including in jurisdictions where Culture Amp, its affiliates, and its Subprocessors operate. Culture Amp will comply with Applicable Data Protection Law with respect to any such transfers or Processing.
    2. Compliance with Region Specific Data Transfer Provisions. To the extent Culture Amp processes Customer Personal Data protected by Applicable Data Protection Laws in any of the regions listed in Schedule A, the terms specified for the applicable region will also apply, including the provisions relevant to international transfers of Personal Data (whether directly or via onward transfer).
  9. General

    1. Term. The term of this DPA will run concurrently with the term of the Agreement and will terminate upon the expiration or earlier termination of the Agreement (or, if later, the date Culture Amp ceases all Processing of Customer Personal Data).
    2. Modification. Notwithstanding anything to the contrary in the Agreement, Culture Amp may update or modify this DPA from time to time as necessary to comply with Applicable Data Protection Laws. As reasonably practical, Culture Amp will discuss these updates with you.
    3. Entire Agreement; Conflict. This DPA incorporates the Standard Contractual Clauses by reference. Except as amended by this DPA, the Agreement remains in full force and effect. In the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA will prevail, except that the General Terms will prevail over this DPA to the extent of any conflict.

Schedule A - Region Specific Terms

  1. European Union Transfers
    1. Applicability. The terms in Section 10 only apply to the extent Customer's Personal Data is protected by EU Data Protection Law, and Culture Amp has not adopted an alternative lawful mechanism for the transfer of data (with lawfulness being defined by the relevant regulator).
    2. Data Transfer. If Personal Data that is protected by the EU Data Protection Law is transferred, either directly or via onward transfer to a country outside of Europe to a country that is not subject to an adequacy decision from the European Commission, the EU SCCs are incorporated by reference into this DPA as follows:
      1. Module Two (Controller to Processor) applies, and all other Modules will be deleted.
      2. For Module Two, the parties agree that: (i) Clause 7, the optional docking clause will apply; (ii) Clause 9, Option 2 applies and Culture Amp will give Customer 14 days advance notice; (iii) In Clause 11, the optional language will not apply; (iv) In Clause 17, Option 1 shall apply and the law of Ireland shall apply; (vi) In Clause 18(b), disputes shall be resolved before the Courts of Ireland; (vii) Annex I (A) through Annex I (C) shall be deemed completed with the information set out in Schedule B of this DPA; and (viii) Annex II shall be deemed completed with the information set out at this link.
  2. United Kingdom Transfers.
    1. Applicability. The terms in Section 11 only apply to the extent Customer's Personal Data is protected by UK Data Protection Law, and Culture Amp has not adopted an alternative lawful mechanism for the transfer of data (with lawfulness being defined by the relevant regulator).
    2. Data Transfer. If Personal Data that is protected by the UK Data Protection Law is transferred, either directly or via onward transfer to a country outside of the UK to a country that is not subject to an adequacy decision from the Information Commissioner's Office, the parties agree that:
      1. The parties agree that such transfer shall be governed by the EU SCCs as set out in Section 10 above, as modified and interpreted by the UK IDTA, which shall be incorporated by reference into this Addendum.
      2. The parties adopt the UK IDTA as follows: (i) Table 1 and Table 3 in Part 1 shall be deemed completed with the information set out in Schedule B of this Addendum, with the Start Date effective as of the Effective Date of the Agreement; (ii) Table 2 in Part 1 shall be deemed completed as set out in Section 10 of this Addendum; (iii) Table 4 in Part 1 shall be deemed completed with the selection of "neither party;" and (iv) any conflict between the terms of the EU SCCs and the UK IDTA shall be resolved in accordance with Sections 9 through 11 of the UK IDTA.
  3. United States of America (California)
    1. Applicability. The terms in this Section 12 apply to the extent Customer's Personal Data is subject to Californian Data Protection Law.
    2. Prohibitions. To the extent this Section 12 applies, Culture Amp is prohibited from: (a) selling or sharing Customer Personal Data; (b) processing Customer Personal Data for targeted and / or cross context behavioural advertising; (c) retaining, using, or disclosing Customer Personal Data for any purposes other than the specific purposes of performing the Service or as otherwise permitted under the Agreement; (d) retaining, using, or disclosing Customer Personal Data outside the direct business relationship between Culture Amp and Customer; and (e) combining Customer Data with any other data if doing so will be inconsistent with the Business Purpose or limitations on service providers under the CCPA.
    3. Benchmarking. Notwithstanding the foregoing, and for the avoidance of any doubt, Customer acknowledges that Culture Amp shall have a right to process Customer Data for the purposes of creating anonymized, aggregate and/or de-identified information for its own legitimate business purposes, including compiling anonymized benchmarking reports and statistics.
    4. Grant of Rights. Culture Amp will maintain mechanisms to assist Data Subjects in exercising their rights under the CCPA, and will follow the procedures outlined in Section 3 when facilitating the exercise of those rights.
    5. Certification. Culture Amp hereby certifies that it understands the rules, requirements and definitions of the CCPA, and it will notify Customers if Culture Amp becomes unable to meet its obligations under the CCPA.
  4. Other Regions
    1. To the extent the Customer is subject to a Data Protection Law that is not explicitly identified in Schedule A, and such law requires the execution of Standard Contractual Clauses ("SCCs"), the parties agree to discuss the implementation of those SCCs on a case-by-case basis. Any mutually agreed SCCs shall be appended to the relevant Service Order.

Schedule B - Description of the Processing and Transfer

Annex 1(A) - List of Parties

Customer (Data Exporter)

Name: Either the Customer (as set out in the Agreement) or, the Central Company to the extent that the Customer is participating in a Central Survey which is an optional add on feature that enables a customer entity (the "Central Company") to initiate, manage and analyse surveys and corresponding reports on behalf of one or more affiliated entities (each a "Participating Company").
Address: The address associated with the account for Services, or as otherwise specified in the Agreement.
Contact Name, Position, and Contact Details: The contact details associated with the account for Services, or as otherwise specified in the Agreement.
Activities Relevant to Data Transferred: Receipt and use of the Services
Role (Controller/Processor): Controller

Culture Amp (Data Importer)

Name: Culture Amp
Address: Level 2, 29 Stewart Street, Melbourne VIC 3121 Australia
Contact Name, Position, and Contact Details: Marc Bonavia privacy@cultureamp.com
Activities Relevant to Data Transferred: All activities relevant to the provision of the Service.
Role (Controller/Processor): Processor

Annex 1(B) - Description of Transfer

Categories of Data Subjects: The Data Exporter's current and former employees, agents, advisors, affiliates, contractors and other personnel, that are Users of the Service.
Categories of Personal Data Transferred: The Data Exporter determines the categories of Personal Data processed by Culture Amp. The categories of Personal Data may include: Name, age, email address, employment information (e.g., job title, department, manager, location, tenure, etc.); Any other Personal Data that the Data Exporter chooses to include in the demographic information used for an employee survey conducted using Culture Amp's Services; If the Data Exporter uses Culture Amp's network analysis services, metadata included in company operated communication software; Any other Personal Data provided by a data subject, including data the Data Subject includes in free text fields within Culture Amp's Services such as comments by a data subject or any self-selected demographics provided by a data subject; Any other categories of Personal Data listed in Culture Amp's Privacy Policy.
Special Categories of Data (if appropriate): Culture Amp does not intentionally collect or process any special categories of data in provision of its services to the Data Exporter. To the extent that the Data Exporter or Data Subject causes Culture Amp to process special categories of data by including this information in the demographic details used for an employee survey, or free text fields, the Data Exporter will be solely responsible for ensuring it complies with all conditions and obligations imposed by applicable laws and regulations – including, where necessary, obtaining the explicit consent of the Data Subject.
Frequency of Transfer: Continuous.
Nature of the Processing: Culture Amp will Process Personal Data in order to provide the Service in accordance with the Agreement.
Purpose of the Data Transfer: Personal data may be processed for the following purposes: (i) to provide and improve the Service provided to Data Exporter in accordance with the Agreement; (ii) processing initiated by Users in their use of the Service; (iii) to comply with other reasonable instructions provided by Data Exporter (e.g. via email or support tickets) that are consistent with the terms of the Agreement, and (iv) to comply with any legal obligation under applicable law, including Applicable Data Protection Law. Where data benchmarking is provided as part of the Service requested by Data Exporter, Data Exporter Data may also be aggregated with other customers' Data Exporter Data for the purpose of overall trends, to compile anonymized benchmarking reports and statistics requested by Data Exporter in connection with its use of the Service, in accordance with the Main Agreement. Where Data Exporter chooses to use a Culture Amp AI product or feature, Data Exporter authorizes, instructs, and warrants that it has obtained any necessary consents required for Culture Amp and its Subprocessors to process Data Exporter Data for the purpose of providing Culture Amp AI Output and functionality.
Duration of the Processing: Culture Amp will process data for the term set out in the Agreement plus the period from the expiration of the Agreement, until the return or deletion of Personal Data is requested in accordance with the DPA provisions above.
Transfers to Subprocessors: Culture Amp will transmit Personal Data to Subprocessors as permitted in the DPA above. The subject matter and duration of the processing is outlined above within Schedule A. The nature of the specific subprocessing services are further particularised within the Subprocessor list that Culture Amp makes available on its website.

Annex 1(C) - Competent Supervisory Authority

The competent supervisory authority is determined in accordance with Clause 13 of the EU SCCs unless required otherwise by Schedule A, Section 11.2.2 (United Kingdom Transfers).

FAQ

Legal Notice: The following FAQs are provided for general informational purposes only. They do not constitute a legal agreement or create any binding commitments. Culture Amp’s obligations and liabilities toward its customers are determined solely by the terms of its official agreements. These FAQs do not modify or supplement any agreement between Culture Amp and its customers.

The DPA applies whenever Culture Amp processes personal data as a data processor in connection with our Services. The DPA applies automatically, as soon as your organisation enters into an Agreement with Culture Amp — no separate signature is needed. If you’re looking for details on how Culture Amp acts as a data processor (for example, how we collect and use account or profile information), please refer to our Privacy Policy.

Our DPA has been carefully drafted to accurately reflect how Culture Amp delivers its Services and manages privacy and security. A large number of Customers use our Services, and we operate under a global compliance framework. Consequently, it is impossible for us to operationalise customer-specific requirements into our DPA.

The DPA is automatically in force once you enter into an Agreement with Culture Amp. However, if your organization requires a signed version for its records, a pre-signed copy can be downloaded from our Customer Trust Center.

The DPA applies to customers around the world and sets out the legal and privacy commitments governing the processing of personal data. Most terms are universal, but if you direct Culture Amp to process data subject to region-specific requirements (for example, EU Standard Contractual Clauses), those are detailed in Schedule A of the DPA.

A sub-processor is a third party authorized by Culture Amp to access or process Customer Personal Data in order to help deliver our Services. For instance, we use Amazon Web Services (AWS) data centers to securely host customer data. Even if we engage a sub-processor, Culture Amp remains responsible for ensuring that your data is handled appropriately and in compliance with our commitments.

A current list of our approved sub-processors is published on our Sub-Processors page, available here.
