Data Processing Appendix

1. General

1.1 This Data Processing Appendix (“DPA”) forms an integral part of the Agreement between VividWorks and the Customer.

1.2 This DPA shall apply to all processing of personal data under the Agreement. Where applicable and when thisDPA does not explicitly state otherwise, the terms of the Agreement, such as governing law and dispute resolution, shall apply to this DPA. If the Agreement or any other arrangement between VividWorks and the Customer contains provisions that conflict with this DPA, this DPA shall have precedence.

1.3 The Customer shall be considered a controller under the EU regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”)and by providing the Services to the Customer, VividWorks processes personal data on behalf of the Customer as a processor for the purposes of theAgreement. If and to the extent the Customer acts as a processor in relation to other controllers, VividWorks acts as a sub processor. As used herein, personal data means such personal data that VividWorks processes on behalf of theCustomer as the Customer’s processor or sub processor.

1.4 The Customer is responsible for the lawful processing of personal data in compliance with the GDPR and other laws, regulations, and directives regarding the processing of personal data. VividWorks will not monitor the Customer’s processing of personal data in the Services.The Customer is responsible for having the required rights and necessary permissions to use and disclose personal data for the purposes of theAgreement. The Customer ensures it is entitled to transfer the relevant personal data to VividWorks so that VividWorks may lawfully process the data in accordance with the Agreement and this DPA.

1.5 The subject-matter, categories, and types of data as well as other details of the processing are specified inSchedule 1 of this DPA (Description of the Processing).

2. Processing of Personal Data

2.1 VividWorks shall only process personal data in accordance with this DPA, the Agreement and any other documented instructions consistent with the Agreement from the Customer unless required todo otherwise under applicable law. In such a case, VividWorks shall inform theCustomer of the requirement before processing, unless prohibited to do so.

2.2 In case the Customer’s instructions require additional measures or work to be performed by VividWorks, VividWorks has the right to charge an hourly fee from the Customer for complying with such instructions in accordance with the then-current fee for services of VividWorks, subject to the Customer’s prior approval of such additional costs.

2.3 Following the termination of theAgreement and this DPA, VividWorks shall within a reasonable time period return or delete any personal data processed under this DPA, unless required to retain the data due to applicable law.

3. Security of the Processing

3.1  VividWorks shall implement and maintain appropriate technical and organizational security measures to protect the personal data within its area of responsibility, in order to safeguard the data against unauthorized or unlawful processing or access and against accidental loss, destruction of personal data, taking into account the costs of implementation as well as the nature, scope, context and purposes of processing of personal data carried out by VividWorks as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, where appropriate and relevant: (i) the pseudonymization and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and Services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

3.2 VividWorks ensures that the persons processing personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Assistance Obligations

4.1  Taking into account the nature of the processing, VividWorks shall assist the Customer with appropriate technical and organizational measures to fulfil the Customer’s obligation to respond to requests regarding the rights of the data subjects under Chapter III of theGDPR.

4.2 Taking into account the nature of the processing and the information available to VividWorks, VividWorks shall provide the Customer with assistance in ensuring compliance with the Customer’s obligations set out in Articles 32 to 36 of the GDPR (including data protection impact assessments, breach notifications and prior consultations of the competent supervisory authority).

4.3 In case such assistance requires measures from VividWorks, VividWorks has the right to charge an hourly fee, in accordance with the then-current fee for services of VividWorks, subject to theCustomer’s prior approval of such additional costs.

5. International transfers

5.1 The Customer acknowledges that due to the nature of the Services, VividWorks provides the Services utilizing a global cloud infrastructure to ensure availability and to minimize any network traffic latency between the end user and the Services. The Services are primarily provided from locations within the European Economic Area (“EEA”), but depending on the location of the end user of the Services, data may also be processed outside the EEA. In such cases, VividWorks shall take appropriate measures in accordance with Chapter V of the GDPR.

6. Audits

6.1 The Customer or an auditor appointed by the Customer shall with the assistance of VividWorks have the right to audit the processing activities of VividWorks under this DPA during ordinary business hours of VividWorks and with 30 days prior written notice. If the employees or other representatives of VividWorks participate in such audits at the request of the Customer, the Customer shall compensate VividWorks for reasonable expenses caused by such participation. Otherwise, each Party shall bear its own costs for any such audit.

6.2 Where an audit may lead to the disclosure of confidential information of VividWorks, the Customer shall employ an independent expert to carry out the audit, and the expert shall agree to be bound by confidentiality to the benefit of VividWorks.

6.3 At the Customer’s request, VividWorks makes available information necessary to demonstrate compliance with the GDPR.In case the Customer’s request requires measures or work to be performed by VividWorks,VividWorks has the right to charge an hourly fee in accordance with its then-current pricing for services for handling such requests.

7. Subprocessors

7.1 The Customer gives its general authorization for VividWorks to engage subcontractors as sub processors to process personal data in connection with the Services.

7.2 VividWorks has the right to choose and change its sub processors. The sub processors in use at the time of the signing of this DPA are listed in Schedule 1 of this DPA. In case there is a later change in the sub processors, VividWorks shall notify the Customer of such change and allow the Customer the opportunity to object to such change. If VividWorks is not willing to change the sub processor the Customer has objected to, bothParties shall have the right to terminate the Agreement and this DPA.

Where VividWorks engages a sub processor for the processing of personal data on behalf of the Customer, substantively similar data protection obligations to those of this DPA shall apply to the sub processor. If a sub processor fails to fulfill its data protection obligations, VividWorks shall remain liable to the Customer for the sub processor’s performance as further stipulated in the Agreement

Schedule 1: Description of the processing

1. Subject-matter, nature and purpose of the processing

Personal data is processed to provide the Customer the Services under the Agreement. Personal data is used for the purposes of access control and ensuring the functionality and security of the Service

2. Duration of the Processing

Personal data is processed for the duration of the term of the Agreement.

3. Categories of Data Subjects

-       Users of the Service (such as theCustomer’s employees and end users)

-       Any others whose data the Customer uploads to the Service

4. Type of Personal Data

-       User account data (user name, password)

-       Contact details (email address)

-       Usage data of the Service

5. Subprocessors

-       Microsoft Ireland Operations Limited