Data Processing Addendum (DPA)

Effective Date: August 30, 2024

This Data Processing Addendum (“DPA”) governs Dot Corp’s processing of Customer Data provided by Customer to Dot Corp through Dot Corp’s SuperSense service (“Services”). This DPA is incorporated into the terms of the Dot Corp Business Terms, Enterprise Agreement, or other agreement between Customer and Dot Corp governing Customer’s use of the Services (the “Agreement”). If there is a conflict between the DPA and the Agreement, the DPA will control. Capitalized terms not defined in this DPA have the meanings set forth in the Agreement.

1. Processing Requirements

As a Data Processor, Dot Corp agrees to:

a. Process Customer Data only:

• On Customer’s behalf for the purpose of providing and supporting Dot Corp’s Services.

• In compliance with the written instructions received from Customer.

• In a manner that provides no less than the level of privacy protection required by applicable Data Protection Laws.

b. Promptly inform Customer if Dot Corp cannot comply with the requirements of this DPA.

c. Not provide Customer with remuneration in exchange for Customer Data. The parties acknowledge and agree that Customer has not “sold” (as defined by U.S. Privacy Laws) Customer Data to Dot Corp.

d. Not "sell" or "share" Personal Data as those terms are defined by U.S. Privacy Laws.

e. Inform Customer if, in Dot Corp’s opinion, an instruction from Customer violates applicable Data Protection Laws.

f. Ensure that persons engaged to perform on Dot Corp’s behalf are subject to a duty of confidentiality with respect to the Customer Data and comply with the data protection obligations applicable to Dot Corp under the Agreement and this DPA.

g. Engage subprocessors listed in subprocessors section of our terms and policies to process Customer Data, subject to the terms of this DPA. Customer consents to the use of subprocessors listed by Dot Corp. Dot Corp will notify Customer of any changes to the subprocessor list at least 15 days before the changes take effect. If Customer objects to a new subprocessor, Customer may terminate the relevant services with a refund for any prepaid fees covering periods following the termination date.

h. Provide Customer with Dot Corp’s privacy and security policies upon reasonable request and demonstrate compliance with the obligations set forth in this DPA and applicable Data Protection Laws.

i. Cooperate with assessments and audits performed by or on behalf of Customer to confirm that Dot Corp is processing Customer Data in a manner consistent with this DPA.

j. De-identify or anonymize data upon request by the Customer, and ensure that such data cannot be re-identified, except for the purpose of determining compliance with Data Protection Laws.

k. Not retain, use, or disclose Customer Data outside the scope of this DPA, except as required by law.

l. Notify Customer of any legal requirements compelling Dot Corp to process Customer Data outside the terms of this DPA, unless legally prohibited.

2. Subprocessing

Dot Corp uses subprocessors, listed in subprocessors section of our terms and policies, to provide the Services. The following terms apply to the use of subprocessors:

a. Authorized Subprocessors: Customer agrees to Dot Corp’s use of subprocessors, for the processing of Customer Data. Dot Corp has entered into a Data Processing Addendum with the subprocessors, which governs the subprocessor's processing of Customer Data. This ensures that the subprocessors are bound by the same or equivalent data protection obligations as set out in this DPA.

b. Subprocessor Obligations: Dot Corp ensures that all subprocessors, are bound by the equivalent data protection obligations as those set out in this DPA. The DPA between Dot Corp and our subprocessors includes provisions for data protection, security measures, and compliance with applicable data protection laws.

c. Customer Objections: If Customer objects to a new subprocessor, Dot Corp will provide options such as terminating the service or discontinuing the use of the subprocessor for Customer Data. In the case of objections related to the subprocessors, Dot Corp will work with the Customer to address concerns, leveraging the terms of the DPA in place with the subprocessors.

3. Data Subject Rights

Dot Corp will:

a. Assist Customer in responding to requests from data subjects exercising their rights under applicable data protection laws, such as access, rectification, or deletion of Customer Data.

b. Notify Customer of any request received directly from a data subject without responding to such request unless authorized by Customer.

c. Assist in Data Protection Impact Assessments (DPIAs) if required, including consultations with supervisory authorities.

4. Security

Dot Corp will:

a. Maintain appropriate technical and organizational measures to protect Customer Data against unauthorized access, loss, alteration, or destruction. Dot Corp’s subprocessors are required to adhere to these standards as outlined in the DPA between Dot Corp and our subprocessors.

b. Ensure that personnel with access to Customer Data are subject to confidentiality obligations and have received appropriate data protection training. This includes subprocessors, which are bound by equivalent security and confidentiality requirements under their DPA with Dot Corp.

c. Notify Customer of any data breaches involving Customer Data without undue delay. If a data breach occurs at a subprocessor level, Dot Corp will coordinate with the subprocessor to ensure timely notification and compliance with applicable laws.

5. International Data Transfers

Dot Corp may transfer Customer Data outside of the country where it was originally collected, including to subprocessors. Dot Corp will:

a. Ensure that such transfers are subject to appropriate safeguards, such as Standard Contractual Clauses (SCCs) or other legally valid mechanisms.

b. Provide details of the safeguards used upon Customer’s request.

6. Termination and Data Deletion

a. Retention Period: Dot Corp will retain Customer Data for the duration of the Agreement or as otherwise agreed in writing. Subprocessors, are required to delete or return Customer Data as specified in their DPA with Dot Corp.

b. Deletion or Return of Data: Upon termination of the Agreement, Dot Corp will delete or return all Customer Data within 30 days unless retention is required by law. Dot Corp will ensure that the subprocessors follows the same data deletion protocols as outlined in their DPA.

c. Subprocessor Data Deletion: Dot Corp will ensure that subprocessors delete Customer Data within 30 days of termination, unless prohibited by law. This aligns with the terms agreed upon in the DPA with them.

7. Audit Rights

Customer has the right to:

a. Audit Dot Corp’s compliance with this DPA, including the processing activities of subprocessors.

b. Review third-party audit reports or certifications provided by Dot Corp as evidence of compliance.

8. Liability and Indemnification

a. Limitation of Liability: Dot Corp’s liability for breaches of this DPA is subject to the limitations set forth in the Agreement.

b. Indemnification: Customer agrees to indemnify and hold harmless Dot Corp against claims arising from the Customer’s instructions regarding Customer Data.

9. Amendments

Dot Corp reserves the right to update this DPA to comply with changes in data protection laws or introduce new subprocessors. Dot Corp will notify the Customer of such updates, and the Customer may object or terminate the relevant services.