Data Processing Agreement

1. Nature of the Data and Role of the Parties. The rights and obligations in this DPA apply solely to the Processing of Personal Data by the My Tech Passport Services on behalf of Customer, but does not apply to Beta Releases. For the purposes of this DPA, references to Customer Data shall mean any Personal Data incorporated in the Customer Data.
2. Data Processing.
   1. Instructions. The Agreement and this DPA constitute Customer’s instructions to My Tech Passport to Process Customer Data. My Tech Passport will use and Process Customer Data as Customer instructs in order to deliver My Tech Passport Services and to fulfill My Tech Passport’s obligations under the Agreement and this DPA. My Tech Passport will inform Customer of any legal requirement which prevents it from complying with Customer’s instructions, unless prohibited from doing so by applicable law or on important grounds of public interest.
   2. Processing Activities. My Tech Passport, My Tech Passport personnel, and Sub-processors will only Process Customer Data to provide the My Tech Passport Services and to fulfill My Tech Passport's obligations in this Agreement. The categories of Personal Data to be processed by My Tech Passport and the Processing activities to be performed under this Agreement are set out in Exhibit A.
   3. Personnel. Any My Tech Passport personnel who have access to Customer Data will be bound by appropriate confidentiality obligations.
3. Security.
   • Security Measures. My Tech Passport will implement the technical and organizational measures set forth in the Agreement for the applicable My Tech Passport Services.
   • Security Incidents. My Tech Passport will promptly, and without undue delay, notify Customer in writing at the email address associated with the account if a Security Incident occurs, so long as applicable law allows this notice. Without limiting the foregoing, My Tech Passport will use commercially reasonable efforts to provide this notice within 72 hours of confirming the existence of a Security Incident. My Tech Passport may limit the scope of, or refrain from delivering, any disclosures to the extent reasonably necessary to avoid compromising the integrity of My Tech Passport's security, an ongoing investigation, or any My Tech Passport customer’s or end user’s data.
   • Notification. My Tech Passport will assist the Customer in ensuring compliance with its obligations pursuant to EU Data Protection Laws by providing relevant information which may include: (a) the nature of the Security Incident, including, where possible, the categories and approximate number of personal data records concerned; (b) the likely consequences of the Security Incident; (c) the measures taken or to be taken to address the Security Incident, including, where appropriate, the measures to mitigate its possible adverse effects; (d) the name and contact details of the Data Protection Officer or other contact from whom more information may be obtained; and (e) justifications for any delay in notification;. Should it not be feasible for My Tech Passport to provide all of the relevant information in its initial notification to the Customer, My Tech Passport will provide further relevant details without undue delay.
4. Sub-processors.
   1. My Tech Passport Use of Sub-Processors. Customer consents to My Tech Passport’s appointment of Subcontractors, including Sub-processors, to perform the My Tech Passport Services. Where a Sub-processor will process Personal Data, My Tech Passport will ensure that the Sub-processor is subject to substantially similar data protection obligations as those set forth in this DPA regarding Personal Data and which satisfy the requirements of EU Data Protection Laws. My Tech Passport will remain liable for all acts or omissions of its Subcontractors or Sub-processors, and for any subcontracted obligations.
   2. Customer Objections. My Tech Passport may add or remove Sub-processors from time to time. My Tech Passport will inform Customer in advance of new Sub-processors for the applicable My Tech Passport Services as described in the list of Sub-processors. If Customer objects to a change, it will provide My Tech Passport with notice of its objection to support@mytechpassport.com including reasonable detail supporting Customer’s concerns within sixty days of receiving notice of a change from My Tech Passport or, if Customer has not subscribed to receive this notice, within sixty days of My Tech Passport publishing the change. My Tech Passport will then use commercially reasonable efforts to review and respond to Customer’s objection within thirty days of receipt of Customer’s objection. My Tech Passport’s response to Customer’s objection will include, at a minimum, reasonable accommodations, if any, that Customer or My Tech Passport can take to limit or prevent a new Sub-processor from acting as a processor of Customer Data when Customer makes use of the My Tech Passport Services. If My Tech Passport does not respond to a Customer objection as described above, or cannot reasonably accommodate Customer’s objection, Customer may terminate the Agreement by providing written notice to My Tech Passport: (a) within thirty days of receipt of a My Tech Passport response that does not comply with this Section 4.2; or (b) if My Tech Passport fails to respond, within thirty days of the date My Tech Passport’s response was due.
5. Data Subject Rights. Customer is responsible for responding to any request by a data subject to exercise their rights under applicable privacy laws. If My Tech Passport receives any such request in relation to the Customer Data, My Tech Passport will direct the applicable data subject to Customer to exercise his or her rights without undue delay after verifying the request pertains to Customer Data. My Tech Passport will provide Customer with information or tools that are reasonably designed to enable Customer to fulfill its obligations to respond to these requests through the functionality of the My Tech Passport Services, taking into account the nature of the Processing and insofar as this is possible.
6. Compliance Assistance. To assist Customer with its compliance obligations under applicable privacy laws related to security, data protection impact assessments, and prior consultation with supervisory authorities, My Tech Passport will make the following available during the Term: (a) the Audit Reports; (b) the information contained in Exhibit A; and (c) any applicable Security Measures and Security Resources set forth in the Agreement. If, after reviewing the aforementioned materials, Customer reasonably believes it needs further information in order to meet its compliance obligations, My Tech Passport will use commercially reasonable efforts to respond to written questions by Customer regarding the materials. Without limiting the foregoing, My Tech Passport will comply with valid requests from relevant supervisory authorities to the extent required by applicable EU Data Protection Law.
7. Deletion. Upon Termination of the Agreement and this DPA, My Tech Passport will delete Customer Data in Customer’s account in a commercially reasonable period of time following receipt of Customer’s request to do so prior to such termination. Notwithstanding the foregoing, Customer acknowledges and agrees that My Tech Passport may be a controller with respect to certain account data, and may retain this data in accordance with applicable privacy laws, provided that My Tech Passport is solely responsible for its compliance with these laws in connection with its own Processing.
8. Inspections.
   1. Audit Reports. My Tech Passport has completed audits for the My Tech Passport Services as set forth in the Agreement and will provide Customer with a copy of the Audit Reports as set forth therein.
   2. Customer Review of Audit Reports. If Customer reasonably believes it needs further information in order to confirm My Tech Passport’s compliance with the provisions of the Agreement relating to Personal Data, My Tech Passport will use commercially reasonable efforts to respond to written questions by Customer regarding the Audit Reports.
   3. Customer Inspection. If Customer is not satisfied with My Tech Passport’s responses to questions provided pursuant to Section 8.2, My Tech Passport will permit Customer, or an agreed upon Customer representative, subject to appropriate confidentiality obligations, to visit My Tech Passport’s premises and discuss My Tech Passport’s responses with My Tech Passport personnel.
   4. Process for Inspections. My Tech Passport reserves the right to: (a) charge a separate fee for its reasonable costs associated with performing any of its obligations in Section 8.2 or 8.3, provided that My Tech Passport will provide an estimate of these fees to Customer prior to incurring the costs; or (b) object to any Customer representative participating in an inspection on the basis that they are not qualified, are not bound by an adequate requirement to protect confidential My Tech Passport information, or are a competitor of My Tech Passport. For Customer inspections pursuant to Section 8.3, the Parties will first mutually agree on the scope, timing, and duration of the inspection. My Tech Passport reserves the right to limit the scope and duration of an inspection to the extent reasonably necessary to avoid compromising the integrity of My Tech Passport’s security or any My Tech Passport customer’s or end user’s data.
9. European Data. Customer agrees that My Tech Passport and its Sub-processors may transfer, store, and Process Customer Data in locations other than Customer’s country. To the extent European Data is Processed outside of the EEA, United Kingdom, or Switzerland, this Section 9 applies.
   1. Instructions. Customer hereby instructs My Tech Passport International to process European Data in accordance with this DPA in order to deliver the My Tech Passport Services. Customer acknowledges that all communication with My Tech Passport US in connection with the processing of European Data will be coordinated and directed through My Tech Passport International.
   2. Transfers. Customer acknowledges and agrees that, to provide the My Tech Passport Services, My Tech Passport International may transfer European Data to My Tech Passport US and this transfer will be made pursuant to the Processor to Processor Standard Contractual Clauses between My Tech Passport and My Tech Passport International, or an alternative transfer means recognized by EU Data Protection Laws, UK GDPR, or Swiss Federal Act on Data Protection, as applicable.
10. Insurance. My Tech Passport maintains reasonable coverage for Technology Errors and Omissions insurance, which may include coverage for privacy and network security liability, losses or damages due to the unauthorized use/access of a computer system or database, and defense of any regulatory action involving a breach of privacy, as well as other coverage areas. Upon Customer's reasonable written request, and no more than once per year, My Tech Passport will provide a certificate of insurance evidencing its coverages.
11. Effect of DPA. If a provision in this DPA conflicts with a provision in the Agreement, then this DPA will control with respect to the processing of Personal Data. The Agreement will remain in full force and effect and will be unchanged except as modified by this DPA. This DPA will terminate automatically upon expiration or termination of the Agreement.
12. Definitions.

    “Audit Reports” means the Service Organization Control 2 (SOC 2) Type II audit reports. “My Tech Passport International” means My Tech Passport International Unlimited Company.

    “My Tech Passport US” means My Tech Passport, Inc.

    “EU Data Protection Laws” means, to the extent in force and applicable from time to time, those laws implementing the EU General Data Protection Regulation (2016/679) and any implementing laws in each EU member state.

    “European Data” means Personal Data that is subject to EU Data Protection Laws, the UK GDPR, or the Swiss Federal Act on Data Protection.

    “Personal Data,” “Process,” and “Processing” have the meaning given to those terms in the EU Data Protection Laws, UK GDPR, or the Swiss Federal Act on Data Protection.

    “Security Incident” means any actual unauthorized disclosure of or access to Customer Data, or compromise of My Tech Passport’s systems that My Tech Passport determines is reasonably likely to result in such disclosure or access, caused by failure of My Tech Passport's Security Measures and excluding any unauthorized disclosure or access that is caused by Customer or its end users, including Customer or its end users' failure to adequately secure equipment or accounts.

    “Security Measures” means the technical and organizational security measures implemented for My Tech Passport Services Services, as may be further described in the Agreement.

    “Subcontractor” means an entity to whom My Tech Passport subcontracts any of its obligations under the Agreement.

    “Sub-processor” means an entity who agrees to Process Customer Data on My Tech Passport’s behalf, or on behalf of another My Tech Passport sub-processor, in order to deliver the My Tech Passport Services.

Exhibit A