Payments

This Data Processing Agreement (the “DPA”) constitutes an amendment to and forms an integral part of the End User Agreement between you (the “End User”/ “Customer”) and Zenwork Intermediate Inc. (“Zenwork”), which governs your use of Zenwork’s services.

(Zenwork and End User may also be referred to herein as a “Party”, and collectively they may also be referred to as the “Parties”)

BACKGROUND

(A) The Parties have entered into the End User Agreement (including any amendments thereto).

(B) This DPA shall apply to the extent of processing of certain data on behalf of End User in relation to the services provided by Zenwork to the End User (“Services”).

(C) The purpose of this Agreement is to set out the data protection terms that will apply to any such Services to ensure that the data protection rights and freedoms of individuals remain protected in accordance with applicable privacy law.

(D) All references to the End User Agreement shall include this DPA.

(E) In the event of any conflict between certain provisions of this DPA and the provisions of the End User Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the End User Agreement solely with respect to the Processing of Customer Data. Capitalized terms not defined herein shall have the meanings assigned to such terms in the End User Agreement or in Data Protection Laws.

(F) Without limiting the generality of the foregoing, the subject matter, nature, and purpose of the processing under this DPA is the provision of the Services under the End User Agreement, and the categories of personal data and categories of data subjects are those necessary to provide the Services under the End User Agreement, as described more fully in the End User Agreement.

IT IS FURTHER AGREED AS FOLLOWS:

1) Definitions.

When used in this DPA, the following terms have the following meaning. Any capitalized terms not defined in this DPA shall have the meaning given in the End User Agreement.

1.1 “Authorized Persons” means, with respect to each Party, any person authorized by that Party and otherwise permitted by the terms of this DPA to process Data (including such Party's staff, agents and subcontractors);

1.2 “controller”, “processor”, “data subject”, “personal data”, “processing” (and “process”) and “special categories of data” shall have the meanings given in Data Protection Laws, including any equivalent definitions under laws applicable outside of the European Union, as described in Appendix A, attached hereto and incorporated herein;

1.3 “Customer Data” means the “Personal Data” (as defined by the applicable Data Protection Law) belonging to either a Customer or Customer’s consumer that is uploaded in Zenwork’s Service portal/API for availing Service.

1.4 “Data Protection Laws” shall mean the following, as applicable: (i) EU General Data Protection Regulation 2016/679 (“GDPR”), the Swiss Federal Data Protection Act of 19 June 1992 (“FADP”), the UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018 (together with the UK GDPR, “UK Data Protection Laws”), as well as any related or similar applicable privacy laws of any member state of the European Union or the European Economic Area (collectively, and as any of the same may be amended or replaced from time to time, the “European Data Protection Laws”) (ii) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of Personal Data and the protection of privacy in electronic communications sector (as amended or replaced from time to time) and applicable laws implementing that directive in European Union Member States; (iii) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), and the Virginia Consumer Data Protection Act (“VCDPA”) (together, the “US Data Protection Laws”); and (iv) any other data protection legislation or law that applies to and binds the Parties from time to time;

1.5 “Data Security Measures” means, as further detailed in Appendix B, administrative, technical and physical safeguards and other security measures that are designed to (i) ensure the security and confidentiality of Personal Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data; (iii) protect against any actual or suspected unauthorized processing, loss, use, disclosure or acquisition of or access to any Customer Data.

1.6 “EEA” shall mean the European Economic Area;

“Standard Contractual Clauses” or “SCCs” means:

(i) where the GDPR applies, the clauses annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=FR#d1e3 53-31-1 (“SCCs”);

(ii) where the UK GDPR applies, the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for international data transfers, approved by Parliament and effective as of March 21, 2022, available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf (“UK IDTA”); and

(iii) where the Swiss DPA applies, the EU SCCs subject to the modifications required by the Swiss Federal Data Protection and Information Commissioner in its guidance issued on August 27, 2021, available at: cross-border transfer of personal data (in each case, as updated, amended or superseded from time to time).

2) Role of the Parties

2.1 Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA.

2.2 Each Party acknowledges and agrees that Customer has the sole and exclusive authority to determine the purposes for and means of Processing Customer Data under this Agreement, and that Zenwork is acting solely as a Service Provider with respect to this Customer Data. Zenwork has implemented and will maintain the technical and organizational measures as described in the Data Security Measures.

2.3 Zenwork will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Zenwork a demand for Customer Data, Zenwork will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Zenwork may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then Zenwork will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Zenwork is legally prohibited from doing so. Zenwork restricts its personnel from processing Customer Data without authorization by Zenwork as described in the Data Security Measures. Zenwork imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

2.4 Zenwork will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Laws. Zenwork will (a) notify Customer of a security incident involving the loss of or unauthorized access to Customer Data without undue delay after becoming aware of the Security Incident, and (b) take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.

2.5 Zenwork’s obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Zenwork of any fault or liability of Zenwork with respect to the Security Incident.

2.5 Zenwork will implement and maintain a comprehensive written information security program that complies with applicable law, including the Data Security Measures, to protect Customer Data Processed under this Agreement from loss; theft; misuse; unauthorized access, disclosure, or acquisition; destruction or other compromise.

2.6 Zenwork shall ensure that Zenwork’s sub-processor shall also comply with the obligations under the Data Protection Laws, taking into account the nature of the processing and the information available to the Sub-processor.

2.7 Zenwork shall also ensure compliance in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner or other relevant regulator under the Data Protection Laws.

3) Zenwork’s employees

3.1 Zenwork will ensure that all of its employees:

(a) are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;

(b) have undertaken training on the Data Protection Laws relating to handling Personal Data and how it applies to their particular duties; and

(c) are aware both of Zenwork’s duties and their personal duties and obligations under the Data Protection Laws and this DPA.

3.2 Zenwork will take reasonable steps to ensure the reliability, integrity and trustworthiness of and conduct background checks consistent with applicable domestic law on all of its employees with access to the Personal Data.

4) Sub Processor

4.1 Customer acknowledges and agrees that (a) Zenwork’s Affiliates may be retained as Subprocessors; and (b) Zenwork may engage third-party Subprocessors in connection with the provision of the Services, subject to Zenwork or a Zenwork Affiliate entering into a written agreement with each Subprocessor containing data protection obligations.

4.2 All obligations imposed on Zenwork within this DPA shall equally apply to any Sub-processors processing customer sensitive data.

5) Assistance to the data controller

5.1 Data Subject Request: To the extent required under the applicable Data Protection Law, Zenwork shall notify Customer or redirect data subject to Customer to exercise their rights, if Zenwork receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”. Taking into account the nature of the Processing, Zenwork shall reasonably assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject request under applicable Data Protection Laws, rules, regulations, and orders of governmental authorities having jurisdiction. To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Zenwork shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Zenwork is required under all applicable Data Protection Laws, rules, regulations, and orders of governmental authorities having jurisdiction. To the extent legally permitted, Customer shall be responsible for any costs arising from Zenwork’s provision of any such assistance described in Section 5.1. For the avoidance of doubt, Zenwork shall not be required to delete any of the Personal Data to comply with Data Subject’s request directed by Customer if it is necessary to maintain such information in accordance with applicable Data Protection Laws, in which case Zenwork shall promptly inform Customer of the exceptions relied upon under the applicable Data Protection Laws and Zenwork shall not use the Personal Data retained for any other purpose than provided for by that exception.

5.2 Privacy Impact Assessment and Prior Consultation: Taking into account the nature of the processing and the information available to Zenwork, Zenwork will assist Customer (to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Zenwork) in complying with Customer’s obligations in respect of data protection impact assessments related to Customer’s use of the Services and prior consultation, by providing the information Zenwork makes available under this Section.

6) Zenwork will not inform any third party including Customer of any accidental, unauthorized or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining Customers’ written consent (such consent not to be unreasonably withheld or delayed), except when required to do so by the applicable laws.

7) Data Destruction

Zenwork may be required to store Personal Data as required to satisfy any legal, regulatory, tax, accounting or reporting requirements, Zenwork’s Data Retention Policy found in Zenwork’s privacy policy outlines the specific data retention for each product, in which case Zenwork: (i) will continue to ensure the privacy, security and confidentiality of the Personal Data; (ii) will not Process the Personal Data further except to maintain it for the applicable time period; and (iii) will continue to comply with its obligations under this Agreement.

8) International Transfers of Personal Data

Where the provision of the Services involves the transfer of Personal Data that (1) is subject to European Data Protection and (2) where such Personal Data is transferred either directly or via onward transfer to countries that do not ensure an adequate level of protection within the meaning of such Data Protection Laws, the Parties agree to comply with Section 8 of this DPA and the terms of the EU Standard Contractual Clauses without modification (other than as agreed under this Section 8).

9) Claims

Any claims against Zenwork shall only be brought by the Customer entity that is a party to the Terms. In no event shall this DPA or any party restrict or limit the rights of any data subject or of any competent supervisory authority.

10) If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Agreement obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within 7 days, either party may terminate the Agreement on not less than 30 working days’ written notice to the other party.

11) Audit

11.1 Zenwork Audits. Zenwork Payments has been verified by its internal Risk & Compliance team to be compliant with its existing SOC 2 controls.

12) General Provisions

12.1 Amendments. Subject to the relevant provisions of End User Agreement, Zenwork may, in its sole discretion, modify, change or terminate this DPA, as reasonably determined by Zenwork to be necessary to address the requirements of applicable Data Protection Laws.

12.2 Severability. If any individual provision of this DPA is determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this Agreement will not be affected.

12.3 Indemnity. The indemnities arising out of or related to this DPA are limited to those indemnities stated in the End User Agreement.

12.4 Limitation of Liability. Zenwork’s liability arising out of or related to this DPA is subject to the provisions on limitation of liability stated in the End User Agreement.

12.5 Order of Precedence. With regard to the subject matter of this DPA, in the event of inconsistencies or conflicts between this DPA and the End User Agreement, the provisions of this DPA will control. All other provisions of the End User Agreement apply to this DPA.

Appendix A

Data Processing Description

List of the Parties (applicable to the extent the EU SCCs apply)

Data exporter: Customer. Data importer: Zenwork. The activities relevant to the transfer include the provision of the Services by Zenwork to Customer under the Agreement.

Contact person’s name, position and contact details for data exporter (Customer):

Contact person’s name, position and contact details for data importer (Zenwork): Jeff Cronin, CSO, DPO, [email protected]

Data Subjects

The Personal Data to be processed concern the following categories of data subjects: Individuals and Entity data.

Categories/Types of Personal Data

The Personal Data to be processed concern the following categories of data: identity data, contact data, financial data, transaction data, technical data, profile data, usage data, marketing and communications data. Please refer to Zenwork’s Privacy Policy for a detailed description of personal data that may be processed.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Identity data, contact data, financial data, transaction data, technical data, profile data and usage data.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Continuous basis; on need basis.

Nature and purpose of Processing

Zenwork will process Personal Data for the purposes of providing the Services in accordance with the Agreement. Personal Data will be subject to the following basic processing activities:

  • Receiving data, including collection, accessing, retrieval, recording, and data entry
  • Holding data, including storage, organization and structuring
  • Protecting data, including restricting, encrypting, and security testing
  • Sharing data, including disclosure, dissemination, allowing access or otherwise making available
  • Returning data to the data exporter or data subject
  • Erasing data, including destruction and deletion

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

In accordance with Zenwork’s privacy policy

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter of the processing of the Personal Data is set out in the Agreement. Nature and duration of the Processing is set out above.

Appendix B

Technical and Organizational Measures To Ensure The Security Of The Data

  1. Risk Management

Zenwork has placed into operation a risk management process to set objectives and to ensure that the chosen objectives support and align with the organization's mission and are consistent with its risk framework. A risk assessment is performed annually or whenever there are changes in security posture by a third-party vendor.

  3. Security Policies

3.1   Policies, including those related to data privacy, security and acceptable use, are assessed and approved by Zenwork’s senior management.

3.2   Policies are documented and published among all relevant personnel. Employees and contracted third parties are required to comply with Zenwork policies relevant to their scope of work.

3.3   New employees receive training on information security, compliance, data protection, anti-corruption and anti-bribery.

3.4   Employees receive regular training updates, which cover Zenwork Information Security policies and expectations.

3.5   Where required, policies are supported by associated procedures, standards, and guidelines.

3.6   Information Security policies are updated, as needed, to reflect changes to business objectives or risk.

3.7   Senior management performs an annual review of all Information Security policies.

3.8   Information Security policies are stored, maintained, updated, and published in a centralized, online location.

3.9   Zenwork Information Security Management System contains appropriate sections including: password requirements, Internet usage, computer security, confidentiality, customer data protection, and Customer data protection.

  4. Organization of Information Security

4.1 The Chief Executive Officer, the Senior Management Team and all employees are committed to establishing and operating an effective Information Security Management System in accordance with its strategic business objectives. Zenwork is committed to the Information Security Management System, and ensures that IT policies are communicated, understood, implemented and maintained at all levels of the organization and regularly reviewed for continual suitability.

4.2 Confidentiality and nondisclosure agreements are required when sharing sensitive, proprietary personal, or otherwise confidential information between Zenwork and any third-party.

4.3 A formal process is in place to manage third parties with access to organizational data, information systems, or data centers. All such third parties commit contractually to maintaining confidentiality of all confidential information.

  5. Asset Management

5.1 The Chief Executive Officer, the Senior Management Team and all employees are committed to establishing and operating an effective Information Security Management System in accordance with its strategic business objectives. Zenwork is committed to the Information Security Management System, and ensures that IT policies are communicated, understood, implemented and maintained at all levels of the organization and regularly reviewed for continual suitability.

5.2 Zenwork maintains an information assets classification policy and classifies such assets in terms of its value, legal requirements, sensitivity, and criticality to the organization.

5.3 Account sharing is prohibited unless approved by management.

5.4 Media Handling Policy is implemented for procedures relating to disposal of information assets / equipment.

  6. Human Resources Information Security

6.1  Security roles and responsibilities for employees are defined and documented.

6.2  Zenwork performs background screening of new hires including job history, references, and criminal checks (subject to local laws).

6.3  Zenwork requires all new employees to sign employment agreements, which include comprehensive non-disclosure and confidentiality commitments.

6.4  Zenwork maintains an information security awareness and training program that includes new hire training.

6.5  Information Security awareness is enhanced through regular communications using company-wide emails, as necessary.

6.6  Access for all new employees is configured with minimum default access to company resources/applications required by an employee to perform the job duty. Only the IT team/CEO has access to change user profiles or give higher access.

  7. Physical and Environmental Security

7.1  Cloud Infrastructure is used for hosting Zenwork software applications. Our Cloud Service Provider provides SOC compliant data center services. Cloud Service Provider SOC reports cover controls objectives related to Security, Availability and Confidentiality. The types of controls that are necessary to meet the applicable trust services criteria, either alone or in combination with controls at Zenwork include:

7.1.1  The system is protected against unauthorized access (both physical and logical).

7.1.2  The system is available for operation and use and in the capacities as committed or agreed.

7.1.3  Policies and procedures exist related to security and availability and are implemented and followed.

  8. Communication and Operations Management

8.1  The operation of systems and applications that support the Service is subject to documented operating procedures.

8.2  All systems are configured with appropriate antivirus protection.

8.3  Organizational charts are in place to communicate key areas of authority, responsibility, and appropriate lines of reporting to personnel. These charts are communicated to employees and are updated as needed.

8.4  Zenwork has implemented a well-defined Change management process to ensure that all changes to the information processing facilities, including equipment, supporting facilities and utilities, networks, application software, systems software and security devices are managed and controlled.

8.5  When an incident is detected or reported, a defined incident response process is initiated by authorized personnel. Corrective actions are implemented in accordance with defined policies and procedures.

  9. Access Controls

9.1  Zenwork maintains an “Access Control Policy” that outlines requirements for the use of user IDs and passwords for logical access controls.

9.2  The organization publishes and maintains a password management standard. In general, users are asked to follow the strong password policies.

9.3  IT system access is reviewed on a monthly basis.

9.4  Access is granted on a least privileged basis as default and any additional access needs to be approved.

9.5  Zenwork has established hardening standards for production infrastructure that include requirements for implementation of security groups, access control, configuration settings, and standardized policies.

9.6  Zenwork does not allow customers or external users to access its internal systems.

9.7  Cloud infrastructures are configured to use the Cloud Service Provider’s (AWS’s) identity and access management system (IAM). Relevant groups have been added in IAM.

9.8  Direct access to cloud infrastructure is possible only through encrypted SSH access by the IT team.

9.9  For Cloud Infrastructure access, Multi Factor Authentication is enabled.

9.10  External users can only access the system remotely through secure sockets layer (SSL), or other encrypted communication system.

9.11  Upon notice of termination, all user access is removed. All critical system access is removed immediately upon notification.

  10. Information System Acquisition, Development, and Maintenance

10.1  All changes are recorded, approved, implemented, tested and versioned before moving to the production environment.

10.2  Cloud Service Provider tools are used to prevent Denial of Service (DoS) attacks.

10.3  A VPC has been set up and production servers can be accessed only by approved staff via Zero Trust Network Architecture.

10.4  Access to production instances is only through Zero Trust Network Architecture. No direct access permitted.

10.5  Only the production group has access to production resources.

10.6  There is a formal release process for releasing builds. The testing team does the complete testing of the release. On receipt of sign-off mail from the testing team, the release is deployed on production servers.

10.7  Separate environments are used for development, testing, and production. Developers do not have the ability to make changes to software in testing or production.

  11. Information Security Incident Management

Zenwork maintains an incident response plan. The plan addresses specific incident response procedures, data backup procedures, roles and responsibilities, customer communication, contact strategies, and legal information flow.

  12. Business Continuity Management

Zenwork has a documented Business Continuity Plan and Disaster Recovery guideline to be used in the event of any necessary systems infrastructure recovery. These are tested at least annually.