Data Processing Addendum

This Data Processing Addendum, including the Standard Contractual Clauses where applicable (“DPA”), is entered into between Kaana, Inc. (“Kaana”) and the entity identified in the Agreement (“Customer”) (each referred to as a “Party” and collectively as the “Parties”). This DPA is incorporated by reference into the applicable subscription agreement governing use of the Service (the “Agreement”) between the Parties. All capitalized terms used in this DPA but not defined will have the meaning set forth in the Agreement. To the extent of any conflict or inconsistency between this DPA, any previously executed data processing agreement, and the remaining terms of the Agreement, this DPA will govern.

This DPA sets out the terms that apply when personal data is processed by Kaana under the Agreement. The purpose of the DPA is to ensure such processing is conducted in accordance with Applicable Law and respects the rights of individuals whose personal data are processed under the Agreement.

1. Definitions

“Applicable Law(s)” means all applicable laws, regulations, and other legal or regulatory requirements in any jurisdiction relating to privacy, data protection, security, or the processing of personal data, including without limitation (i) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA” and subsequent California Privacy Rights Act of 2020 “CPRA”), (ii) the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), (iii) in respect of the United Kingdom, the Data Protection Act 2018 (“UK DPA 2018”) and the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”), (iv) the Swiss Federal Data Protection Act (“Swiss DPA”), and (v) the Act on the Protection of Personal Information (“APPI”). For the avoidance of doubt, if Kaana's processing activities involving personal data are not within the scope of an Applicable Law, such law is not applicable for purposes of this DPA.

“Kaana” means Kaana, Inc., a company incorporated in Delaware, and its Affiliates.

“controller”, “business operator”, “personal data”, “process”, “processing”, “processor”, and “data subject” will have the same meanings as defined by Applicable Law. Other relevant terms such as “business”, “business purpose”, “consumer”, “personal information”, “sale” (including the terms “sell”, “selling”, “sold”, and other variations thereof), “service provider”, “share” or “sharing” for purposes of “cross-context behavioral advertising”, and “third party” have the meanings given to those terms under Applicable Law.

“Customer Personal Data” means personal data, personal information or personally identifiable information Customer uploads or otherwise inputs into the Service and which is processed in connection with the provision of the Service under the Agreement by Kaana on behalf of the Customer. Unless otherwise agreed to in writing, Customer Personal Data processed pursuant to the Agreement explicitly excludes Restricted Data.

“Data Privacy Principles” means the Data Privacy Framework principles (as supplemented by the Supplemental Principles).

“Data Privacy Frameworks” means the EU-U.S Data Privacy Framework (“EU-U.S. DPF”), the Swiss-U.S. Data Privacy Framework (“Swiss DPF”), and the UK Extension to the EU-U.S. DPF (“UK Extension”) as administered by the U.S. Department of Commerce.

“EEA” means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland, and Liechtenstein.

“Restricted Data” means personal data that may be categorized as “special categories of data” under Applicable Laws including, but not limited to, social security numbers, financial account numbers, credit card information, or health information.

“Restricted Transfer" means: (i) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the UK DPA 2018; and (iii) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.

“Security Incident” means any confirmed breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data processed by Kaana and/or its subprocessors in connection with the provision of the Service.

“Standard Contractual Clauses” means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council (available as of June 2021 https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj), (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR including the standard data protection clauses issued by the commissioner under s119A(1) of the UK DPA 2018 as revised from time to time (“UK Addendum”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”), in each case as completed as described in Section 9 (Data Transfers) below.

2. Relationship of the Parties

2.1 Kaana as a Processor and Service Provider. The Parties acknowledge and agree that with regard to Customer Personal Data, Customer is a controller and business and Kaana is a processor and service provider, as defined by Applicable Law.

2.2 Kaana as a Subprocessor. In circumstances in which Customer may be a processor, Customer appoints Kaana as Customer’s subprocessor, which will not change the obligations of either Customer or Kaana under this DPA.

3. Customer’s Instructions to Kaana

3.1 Purpose Limitation. Kaana will process Customer Personal Data (a) in order to provide the Service in accordance with the Agreement; (b) with Customer’s lawful instructions as set forth under Section 3.3; (c) as necessary to comply with Applicable Law; and (d) as otherwise agreed in writing. Customer, as the controller, acknowledges that the Service as provided is not intended for the storage or use of Restricted Data. At its sole discretion, Customer determines all categories and types of Customer Personal Data it may submit and transfer to Kaana through the Service. Customer is responsible for secure and appropriate use of the Service to ensure a level of security appropriate to the risk in respect of the Customer Personal Data and agrees that compliance and security measures as set forth in the Agreement and this DPA are deemed sufficient safeguards for processing of any such Restricted Data that Customer provides to the Service.

3.2 No Sale of Personal Information/Sharing for Targeted Advertising. Kaana will not sell (as defined by Applicable Law) Customer Personal Data, share Customer Personal Data for purposes of cross-context behavioral advertising or otherwise process Customer Personal Data for any purpose other than as set forth in the Agreement, unless obligated to do so under Applicable Law. In such case, Kaana will inform Customer of that legal requirement before such processing unless legally prohibited from doing so. Kaana will not retain, use, or disclose Customer’s Personal Data for any commercial purposes (as defined by Applicable Law) other than to provide the Service. Kaana understands its obligations as set forth in this section and will comply with them. Further details regarding Kaana’s processing operations are set forth in Exhibit A.

3.3 Lawful Instructions. Customer appoints Kaana as a processor (or subprocessor) to process Customer Personal Data on behalf of, and in accordance with, Customer’s instructions. Customer will not instruct Kaana to process Customer Personal Data in violation of Applicable Law. Kaana will promptly inform Customer if, in Kaana's opinion, an instruction from Customer infringes Applicable Law. The Agreement, including this DPA, along with Customer’s configuration of the Service (as Customer may be able to modify from time to time), constitutes Customer’s complete and final instructions to Kaana regarding the processing of Customer Personal Data, unless otherwise agreed in writing.

4. Subprocessing

4.1 Subprocessors. Customer acknowledges and agrees that Kaana's Affiliates and certain third parties may be retained as subprocessors (“Subprocessors”) to process Customer Personal Data on Kaana’s behalf in order to provide the Service. Kaana’s Subprocessors are listed on Kaana’s Subprocessors page. Kaana will impose contractual obligations on any Subprocessor Kaana appoints requiring it to protect Customer Personal Data to standards which are no less protective than those set forth under this DPA. Kaana remains liable for its Subprocessors’ performance under this DPA to the same extent Kaana is liable for its own performance. If Customer subscribes to receive updates available on Kaana’s Subprocessors page, Customer will be automatically notified of new Subprocessors ten (10) business days before Kaana authorizes such Subprocessor to process Customer Personal Data (or in the case of an emergency, as soon as reasonably practicable). The subprocessor agreements to be provided under Clause 9 of the Standard Contractual Clauses may have all commercial information, or provisions unrelated to the Standard Contractual Clauses, redacted prior to sharing with Customer, and Customer agrees that such copies will be provided only upon Customer’s written request.

4.2 Right to Object. Customer may object to Kaana’s use of a new Subprocessor (based on reasonable grounds relating to data protection) by notifying Kaana promptly in writing at dpa@kaana.com within thirty (30) days after receipt of Kaana’s notice as described in Section 4.1. In the event Customer objects to a new Subprocessor, Kaana will use commercially reasonable efforts to make available to Customer a change in the Service or Customer’s configuration or use of the Service to avoid processing of Customer Personal Data by the objected-to new Subprocessor. If Kaana is unable to make available such change within a reasonable period of time, which will not exceed thirty (30) days, either Party may upon written notice terminate without penalty the applicable Order Form(s) or the Agreement.

5. Assistance and Cooperation

5.1 Security. Kaana will use appropriate technical and organizational measures to protect Customer Personal Data that it processes. Such measures will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risk. Kaana will ensure that the persons Kaana authorizes to process Customer Personal Data are subject to written confidentiality agreements or a statutory obligation of confidentiality no less protective than the confidentiality obligations set forth in the Agreement.

5.2 Security Incident Notification and Response. To the extent required by Applicable Law and taking into account the nature of processing and the information available to Kaana, Kaana will assist Customer by notifying it of a Security Incident without undue delay or within the time period required under Applicable Law. To the extent available, this notification will include Kaana’s then-current assessment of the following:

• (a) the nature of the Security Incident, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• (b) the likely consequences of the Security Incident; and
• (c) measures taken or proposed to be taken by Kaana to address the Security Incident, including, where applicable, measures to mitigate its possible adverse effects.

Kaana will provide timely and periodic updates to Customer as additional information regarding the Security Incident becomes available. Customer acknowledges that any updates may be based on incomplete information. Kaana will not assess the contents of Customer Data for the purpose of determining if such Customer Data is subject to any requirements under Applicable Law. Nothing in this DPA or in the Standard Contractual Clauses will be construed to require Kaana to violate, or delay compliance with, any legal obligation it may have with respect to a Security Incident or other security incidents generally.

6. Responding to Individuals Exercising Their Rights Under Applicable Law

To the extent legally permitted, Kaana will refer the individual back to the Customer if Kaana receives any requests from an individual seeking to exercise any rights afforded to them under Applicable Law regarding their personal data, which may include: access, rectification, restriction of processing, erasure (“right to be forgotten”), data portability, objection to the processing, or to not be subject to an automated individual decision making (each, a “Data Subject Request”). In the event Customer is unable to address a Data Subject Request in its use of the Service, Kaana will, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Kaana is legally permitted to do so and the response to such Data Subject Request is required under Applicable Law. To the extent legally permitted, Customer will be responsible for any costs arising from Kaana’s provision of additional functionality that Customer has requested to assist with a Data Subject Request.

7. DPIAs and Consultation with Supervisory Authorities or other Regulatory Authorities

Taking into account the nature of the processing and the information available to Kaana, Kaana will provide reasonable assistance to and cooperation with Customer for Customer’s performance of any legally required data protection impact assessment of the processing or proposed processing of Customer Personal Data involving Kaana, and in consultation with supervisory authorities or other regulatory authorities as required, by providing Customer with any publicly available documentation for the Service or by complying with Section 10 (Audits) below. Additional support for data protection impact assessments or relations with regulators may be available and would require mutual agreement on fees, the scope of Kaana’s involvement, and any other terms that the Parties deem appropriate.

8. Responding to Law Enforcement Requests

To the extent legally permitted, upon request for data or records from law enforcement or a governmental entity, Kaana will respond to such requests in accordance with the guidelines set forth in Kaana’s Law Enforcement Guidelines. Kaana responds only to law enforcement requests that adhere to established legal process and applicable laws.

9. Data Transfers

9.1 Customer authorizes Kaana and its Subprocessors to make international transfers of Customer Personal Data in accordance with this DPA and Applicable Law.

9.2 Customer acknowledges and agrees that, subject to compliance with Applicable Laws, Kaana may process Customer Personal Data where Kaana, its Affiliates or its subprocessors maintain data processing operations. The Parties agree that when the transfer of Customer Personal Data from Customer (as “data exporter”) to Kaana (as “data importer”) requires that certain appropriate safeguards (“Transfer Mechanism(s)”) are put in place, the Parties will be subject to the following frameworks and Transfer Mechanisms which will be deemed incorporated into and form a part of this DPA, as follows:

• (a) Order of precedence. In the event the Service is covered by more than one Transfer Mechanism, the transfer of personal data will be subject to a single Transfer Mechanism, as applicable, and in accordance with the following order of precedence: (a) the Data Privacy Frameworks; (b) the Standard Contractual Clauses as set forth in Section 9.2(c)-(e); and, if neither of the preceding is applicable, then (c) other alternative data Transfer Mechanisms permitted under Applicable Laws will apply.
• (b) Data Privacy Frameworks. To the extent Kaana processes Customer Personal Data originating from the EEA, United Kingdom, or Switzerland, Kaana represents that Kaana is self-certified under the Data Privacy Frameworks and will adhere to the Data Privacy Principles.
• (c) EU Standard Contractual Clauses. The EU SCCs will apply to Restricted Transfers of Customer Personal Data protected by the GDPR and will be completed as follows:
  • (i) The clauses as set forth in Module Two (controller to processor) will apply only to the extent Customer is a controller and Kaana is a processor;
  • (ii) The clauses as set forth in Module Three (processor to processor) will only apply to the extent Customer is a processor and Kaana is a subprocessor;
  • (iii) The “data exporter” is the Customer, and the exporter’s contact information is set forth below;
  • (iv) The “data importer” is Kaana, and Kaana’s contact information is set forth below;
  • (v) In Clause 7, the optional docking clause will apply;
  • (vi) In Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes will be as set out in Section 4.1 of this DPA;
  • (vii) In Clause 11, the optional language will not apply;
  • (viii) In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
  • (ix) In Clause 18(b), disputes will be resolved before the courts of Ireland; and
  • (x) Annexes I and II of the Appendix are set forth in Exhibit A below.
• (d) UK International Data Transfer Addendum. The UK Addendum will apply to Restricted Transfers of Customer Personal Data protected by the UK GDPR and will be completed as follows:
  • (i) Table 1 will be completed with the relevant information in Annex I set forth in Exhibit A;
  • (ii) Table 2 will be completed with the selected modules and clauses the EU SCCs as identified in Section 9.2(c) of this DPA;
  • (iii) Table 3 will be completed with the relevant information from Annexes I and II set forth in Exhibit A and Section 4.1 of this DPA; and
  • (iv) In Table 4, the Importer may end the UK Addendum in accordance with the terms of the UK Addendum.
• (e) Swiss Standard Contractual Clauses. In relation to Restricted Transfers of Customer Personal Data protected by the Swiss DPA, the EU SCCs will also apply to such transfers in accordance with paragraph (c) above, subject to the following:
  • (i) Any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA;
  • (ii)Any references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and
  • (iii) Any references to the “competent supervisory authority” and “competent courts” will be interpreted as references to the relevant data protection authority and courts in Switzerland;

‍

unless the EU SCCs as implemented above cannot be used to lawfully transfer such Customer Personal Data in compliance with the Swiss DPA, in which event the Swiss SCCs will instead be incorporated by reference and form an integral part of this DPA and will apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the Swiss SCCs will be populated using the information contained in Exhibit A of this DPA (as applicable).

9.3 It is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses and, accordingly, if and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement (including this DPA) the Standard Contractual Clauses will prevail to the extent of such conflict.

9.4 By entering into this DPA, the Parties are deemed to be signing the applicable Standard Contractual Clauses and its applicable Appendices and Annexes.

10. Audits

10.1 Audit. Kaana will allow for and contribute to audits conducted by Customer (or a third party auditor mutually agreed by both parties (“Auditor”)) of documentation, data, certifications, reports, and records relating to Kaana's processing of Customer Personal Data (“Records”) for the sole purpose of determining Kaana's compliance with this DPA subject to the terms of this Section 10 provided the Agreement remains in effect and such audit is at Customer’s sole expense (an “Audit”).

10.2 Written Notice. Customer may request an Audit upon fourteen (14) days’ prior written notice to Kaana, no more than once annually, except, in the event of a Security Incident occurring on Kaana’s systems, in which case Customer may request an Audit within a reasonable period of time following such Security Incident.

10.3 Further Written Requests and Inspections. To the extent that the provision of Records does not provide sufficient information to allow Customer to determine Kaana’s compliance with the terms of this DPA, Customer may, as necessary: (i) request additional information from Kaana in writing, and Kaana will respond to such written requests in within a reasonable period of time (“Written Requests”); and (ii) only where Kaana's responses to such Written Requests do not provide the necessary level of information required by Customer, request access to Kaana's premises, systems and staff, upon twenty one (21) days prior written notice to Kaana (an “Inspection”) subject to the parties having mutually agreed upon (a) the scope, timing, and duration of the Inspection, (b) the use of an Auditor to conduct the Inspection, (c) the Inspection being carried out only during Kaana's regular business hours, with minimal disruption to Kaana’s business operations, and (d) all costs associated with the Inspection being borne by Customer (including Kaana's time in connection with facilitating the Inspection, charged at Kaana's then-current rates). Inspections will be permitted no more than once annually, except in the event of a Security Incident.

10.4 Confidentiality. In connection with any Audit or Inspection conducted in accordance with this Section 10, the Auditor must be bound by obligations of confidentiality no less protective than those contained in the Agreement. Auditors will not be entitled to receive any data or information pertaining to other clients of Kaana or any other Confidential Information of Kaana that is not directly relevant for the authorized purposes of the Audit or Inspection.

10.5 Corrective Action. If any material non-compliance is identified by an Audit or Inspection, Kaana will take prompt action to correct such non-compliance.

11. Return or Destruction of Customer Personal Data

Upon termination of the Agreement and written verified request from Customer’s authorized representative (which for purposes of this section is either a billing owner or an Administrator of the Service or a Customer personnel who has confirmed in writing that they are authorized to make decisions on behalf of the Customer), Kaana will delete Customer Personal Data, unless prohibited by Applicable Law. If no such request is received by Kaana following termination, Kaana may delete Customer Personal Data in line with its obligations under Applicable Law.

‍

EXHIBIT A

Annex I to the Standard Contractual Clauses

A. LIST OF PARTIES

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

‍

Data exporter(s): Details/Descriptions

Name: Customer, a user of the Service

Address: Address as listed in the Agreement

Contact person’s name, position and contact details: Contact information as listed in the Agreement

Activities relevant to the data transferred under these Clauses: Activities relevant are described in Section B below

Signature and date: See Section 9.4 of DPA

Role (controller/processor): Controller and/or processor

‍

Data importer(s): Details/Descriptions

Name: Kaana, Inc., provider of the Service

Address: 1309 Coffeen Ave, Suite 15736, Sheridan, WY 96814

Contact person’s name, position and contact details: privacy@kaana.com or dpo@kaana.com

Activities relevant to the data transferred under these Clauses: Activities relevant are described in Section B below

Signature and date: See Section 9.4 of DPA

Role (controller/processor): Processor

‍

B. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Categories of data subjects whose personal data is transferred

The categories of data subjects whose personal data is transferred are determined solely by the data exporter. In the normal course of the data importer's Service, the categories of data subject might include (but are not limited to): the data exporter’s personnel, customers, service providers, business partners, affiliates and other End Users.

‍

Categories of personal data transferred

The categories of personal data transferred are determined solely by the data exporter. In the normal course of the data importer's Service, the categories of personal data transferred might include (but are not limited to): name, email address, telephone, title, free text projects, and task lists entered by the data exporter or its End Users.

‍

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

‍

At its sole discretion, Customer determines all categories and types of Customer Personal Data it may submit and transfer to Kaana through the Service. Customer is responsible for the secure and appropriate use of the Service to ensure a level of security appropriate to the risk in respect to Customer Personal Data and agrees that compliance and security measures as set forth in the Agreement and this DPA are deemed sufficient safeguards for processing of any such data that Customer provides to the Service.

‍

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous with use of the Service.

‍

Nature of the processing

The provision of the Service to Customer in accordance with the Agreement.

‍

Purpose(s) of the data transfer and further processing

To provide the Service to Customer as described in the Agreement.

‍

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For as long as necessary to provide the Service as described in the Agreement, as legally or contractually required, or upon receipt of Customer’s written request for deletion.

‍

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter, nature and duration of the processing are specified above and in the Agreement.

‍

C. COMPETENT SUPERVISORY AUTHORITY

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Identify the competent supervisory authority/ies in accordance with Clause 13

Customer agrees the competent supervisory authority will be the Data Protection Commission (DPC) of Ireland.

‍

Annex II to the Standard Contractual Clauses

‍

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

‍

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Kaana emphasizes the following principles in the design and implementation of its security program and practices: (a) physical and environmental security to protect the Service against unauthorized access, use, or modification; (b) maintaining availability for operation and use of the Service; (c) confidentiality to protect customer data; and (d) integrity to maintain the accuracy and consistency of data over its life cycle.

Description of Kaana’s current technical and organizational security measures can be found in Kaana’s Data Security Standards.

‍

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

‍

As described in the DPA, Kaana has measures in place to provide assistance to controllers as needed. Such measures include, but are not limited to, the ability to delete all Customer Personal Data associated with a domain and making available APIs to allow controllers to better manage and control their data. With regard to Data Subject Requests, in the event the controller is unable to address a Data Subject Request in its use of the Service, Kaana will, upon request, provide commercially reasonable efforts to assist the controller in responding to such Data Subject Request, to the extent Kaana is legally permitted to do so and the response to such Data Subject Request is required under Applicable Law. Data subjects may also exercise their rights by contacting Kaana at any time.

‍