NowSecure Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the agreement in place between Customer and NowSecure covering Customer’s use of NowSecure’s Services (the “Terms”). Unless otherwise defined in this DPA or in the Terms, all capitalized terms used in this DPA will have the meanings given to them in Section 9 of this DPA. 

    1. Scope and Term. 
      1.1 Roles of the Parties.
      (a) Customer Personal Data. NowSecure will Process Customer Personal Data as Customer’s Processor in accordance with Customer’s instructions as outlined in Section 2.1 (Customer Instructions).  
      (b) NowSecure Account Data. NowSecure will Process NowSecure Account Data as a Controller for the following purposes: 
      (i) to provide and improve the Services;
      (ii) to manage the Customer relationship (communicating with Customer and Users in accordance with their account preferences, responding to Customer inquiries and providing technical support, etc.);
      (iii) to facilitate security, fraud prevention, performance monitoring, business continuity and disaster recovery; and 
      (iv) to carry out core business functions such as accounting, billing, and filing taxes. 
      (c) NowSecure Usage Data. NowSecure will Process NowSecure Usage Data as a Controller for the following purposes: 
      (i) to provide, optimize, secure, and maintain NowSecure’s Services; 
      (ii) to optimize user experience; and 
      (iii) to inform NowSecure’s business strategy.  
      (d) Description of the Processing. Details regarding the Processing of Personal Data by NowSecure are stated in Schedule 1 (Description of Processing). 
      1.2 Term of the DPA. The term of this DPA coincides with the period of the Terms and terminates upon expiration or earlier termination of the Terms (or, if later, the date on which NowSecure ceases all Processing of Customer Personal Data). 
      1.3 Order of Precedence. If there is any conflict or inconsistency among the following documents, the order of precedence is: (1) the applicable terms stated in Schedule 2 (Region-Specific Terms including any transfer provisions); (2) the main body of this DPA; and (3) the Terms.
    2. Processing of Personal Data. 
      2.1 Customer Instructions. NowSecure must Process Customer Personal Data in accordance with the documented lawful instructions of Customer as stated in the Terms (including this DPA) and respective Orders, as necessary to:
      (a) enable the use of various features and functionalities in accordance with the Documentation (including as directed by Users through the Hosted Services), 
      (b) provide Deployment Services or 
      (c) comply with its legal obligations. NowSecure will notify Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate Applicable Data Protection Law.  
      2.2 Confidentiality. NowSecure must treat Customer Personal Data as Customer’s Confidential Information under the Terms. NowSecure must ensure personnel authorized to Process Personal Data are bound by written or statutory obligations of confidentiality.
    3. Security. 

      3.1 Security Measures. NowSecure has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity and availability of Customer Data and protect against Security Incidents. Customer is responsible for configuring the Services and using features and functionalities made available by NowSecure to maintain appropriate security in light of the nature of Customer Data. NowSecure’s current technical and organizational measures are described in Schedule 3. Customer acknowledges that the Security Measures are subject to technical progress and development and that NowSecure may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Hosted Services during a Subscription term.
      3.2 Security Incidents. NowSecure must notify Customer without undue delay after becoming aware of a Security Incident. NowSecure must make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within NowSecure’s reasonable control. Upon Customer’s request and taking into account the nature of the Processing and the information available to NowSecure, NowSecure must assist Customer by providing information reasonably necessary for Customer to meet its Security Incident notification obligations under Applicable Data Protection Law. NowSecure’s notification of a Security Incident is not an acknowledgment by NowSecure of its fault or liability. 

    4. Sub-processing.
      4.1 General Authorization. By entering into this DPA, Customer provides general authorization for NowSecure to engage Sub-processors to Process Customer Personal Data. NowSecure must:

      (a) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect Customer Personal Data to the standard required by Applicable Data Protection Law and to the same standard provided by this DPA; and 
      (b) remain liable to Customer if such Sub-processor fails to fulfill its data protection obligations with regard to the relevant Processing activities under the Terms.
      4.2 Sub-processors List. A list of the Sub-processors used by NowSecure is available at https://www.nowsecure.com/legal/subprocessor-information. Customer authorizes NowSecure to engage new Sub-processors not included in the list at the date of execution of this DPA, whether as a replacement for an existing Sub-processor or as an additional Sub-processor. NowSecure will inform Customer of the engagement of any new Sub-processor by updating the list of Sub-processors. If Customer reasonably believes that any new Sub-processor presents an unreasonable risk to Customer or prevents Customer from complying with Applicable Data Protection Law, Customer may, within thirty (30) days of receiving such notice from NowSecure, object to the engagement of the new Sub-processor. If Customer reasonably objects to the engagement of a new Sub-processor, the parties will come together in good faith to discuss a resolution. NowSecure may choose to:
      (a) not engage the new Sub-processor; or 
      (b) take corrective steps as may be reasonably requested by Customer in its objection and use the new Sub-processor. If none of these options are reasonably possible and Customer continues to object for a legitimate reason, Customer may terminate the Terms and this DPA by written notice in accordance with this DPA in relation to those Services that involve the Processing of Personal Data by the proposed new Sub-processor. 


    Schedule 2

    Region-Specific Terms

    Unless otherwise defined in this DPA or in the Terms, all capitalized terms used in this Schedule will have the meanings given to them in Section 4 (Definitions) of this Schedule.

    1. Europe, United Kingdom and Switzerland.
      1.1 Customer Instructions. In addition to Section 2.1 (Customer Instructions) of the DPA above, NowSecure will Process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of such Customer Personal Data to a third country or an international organisation, unless required to do so by Applicable Data Protection Law to which NowSecure is subject; in such a case, NowSecure shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. NowSecure will promptly inform Customer if it becomes aware that Customer’s Processing instructions infringe Applicable Data Protection Law. 

      1.2 European Transfers. Where Personal Data protected by the EU Data Protection Law is transferred, either directly or via onward transfer, to a country outside of Europe that is not subject to an adequacy decision, the following applies: 
      (a) The EU SCCs are hereby incorporated into this DPA by reference as follows: 
      (i) Customer is the “data exporter” and NowSecure is the “data importer”. 
      (ii) Module One (Controller to Controller) applies where NowSecure is Processing NowSecure Account Data or NowSecure Usage Data. 
      (iii) Module Two (Controller to Processor) applies where Customer is a Controller of Customer Personal Data and NowSecure is Processing Customer Personal Data as a Processor. 
      (iv) Module Three (Processor to Processor) applies where Customer is itself a Processor of Customer Personal Data and NowSecure is Processing Customer Personal Data as another Processor on Customer’s behalf. 
      (v) By entering into this DPA, each party is deemed to have signed the EU SCCs as of the commencement date of the Terms. 
      (b) For each Module, where applicable: 
      (i) In Clause 7, the optional docking clause does not apply. 
      (ii) In Clause 9, Option 2 applies, and the time period for prior notice of Sub-processor changes is stated in Section 4 (Sub-processing) of this DPA. 
      (iii) In Clause 11, the optional language does not apply. 
      (iv) In Clause 17, Option 1 applies, and the EU SCCs are governed by Irish law. 
      (v) In Clause 18(b), disputes will be resolved before the courts of Ireland. 
      (vi) The Appendix of EU SCCs is populated as follows:
         – The information required for Annex I(A) is located in the Terms and/or relevant Orders. 
         – The information required for Annex I(B) is located in Schedule 1 (Description of Processing) of this DPA.  
         – The competent supervisory authority in Annex I(C) will be determined in accordance with the Applicable Data Protection Law; and 
         – The information required for Annex II is located in Schedule 3.
      1.2 Swiss Transfers. Where Personal Data protected by the Swiss FADP is transferred, either directly or via onward transfer, to any other country that is not subject to an adequacy decision, the EU SCCs apply as stated in Section 1.2 (European Transfers) above with the following modifications:
      (a) All references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss FADP, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the Swiss FADP; all references to the EU Data Protection Law in this DPA will be interpreted as references to the Swiss FADP. 
      (b) In Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner. 
      (c) In Clause 17, the EU SCCs are governed by the laws of Switzerland. 
      (d) In Clause 18(b), disputes will be resolved before the courts of Switzerland. 
      (e) All references to Member State will be interpreted to include Switzerland and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with Clause 18(c). 
      1.3 United Kingdom Transfers. Where Personal Data protected by the UK Data Protection Law is transferred, either directly or via onward transfer, to a country outside of the United Kingdom that is not subject to an adequacy decision, the following applies:
      (a) The EU SCCs apply as set forth in Section 1.2 (European Transfers) above with the following modifications:

      (i) Each party shall be deemed to have signed the UK Addendum. 
      (ii) For Table 1 of the UK Addendum, the parties’ key contact information is located in the Terms and/or relevant Orders. 
      (iii) For Table 2 of the UK Addendum, the relevant information about the version of the EU SCCs, modules, and selected clauses which this UK Addendum is appended to is located above in Section 1.2 (European Transfers) of this Schedule. 
      For Table 3 of the UK Addendum:
      – The information required for Annex 1A is located in the Terms and/or relevant Orders. 
      – The Information required for Annex 1B is located in Schedule 1 (Description of Processing) of this DPA. 
      – The information required for Annex II is located in Schedule 3; and 
      – The information required for Annex III is located in Section 4 (Sub-processing) of this DPA. 
      (b) In Table 4 of the UK Addendum, both the data importer and data exporter may end the UK Addendum. 
      1.4 Data Privacy Framework. NowSecure adheres to the Data Privacy Framework. As required by the Data Privacy Framework, NowSecure:

      (a) provides at least the same level of privacy protection as is required by the Data Privacy Framework Principles;
      (b) will notify Customer if NowSecure makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles; and 
      (c) will, upon written notice, take reasonable and appropriate steps to remediate any unauthorized Processing of Personal Data. 

    2. United States of America. The following terms apply where NowSecure Processes Personal Data subject to the US State Privacy Laws: 

      2.1 To the extent Customer Personal Data includes personal information protected under US State Privacy Laws that NowSecure Processes as a Service Provider or Processor, on behalf of Customer, NowSecure will Process such Customer Personal Data in accordance with the US State Privacy Laws, including by complying with applicable sections of the US State Privacy Laws and providing the same level of privacy protection as required by US State Privacy Laws, and in accordance with Customer’s written instructions, as necessary for the limited and specified purposes identified in Section 1.1(a) (Customer Personal Data) and Schedule 1 (Description of Processing) of this DPA. NowSecure will not:
      (a) retain, use, disclose or otherwise Process such Customer Personal Data for a commercial purpose other than for the limited and specified purposes identified in this DPA, the Terms, and/or any related Order, or as otherwise permitted under US State Privacy Laws;
      (b) “sell” or “share” such Customer Personal Data within the meaning of the US State Privacy Laws; and
      (c) retain, use, disclose or otherwise Process such Customer Personal Data outside the direct business relationship with Customer and not combine such Customer Personal Data with personal information that it receives from other sources, except as permitted under US State Privacy Laws. 

      2.2 NowSecure must inform Customer if it determines that it can no longer meet its obligations under US State Privacy Laws within the timeframe specified by such laws, in which case Customer may take reasonable and appropriate steps to prevent, stop, or remediate any unauthorized Processing of such Customer Personal Data.
      2.3 To the extent Customer discloses or otherwise makes available Deidentified Data to NowSecure or to the extent NowSecure creates Deidentified Data from Customer Personal Data, in each case in its capacity as a Service Provider, NowSecure will:
      (a) adopt reasonable measures to prevent such Deidentified Data from being used to infer information about, or otherwise being linked to, a particular natural person or household;  
      (b) publicly commit to maintain and use such Deidentified Data in a de-identified form and to not attempt to re-identify the Deidentified Data, except that NowSecure may attempt to re-identify such data solely for the purpose of determining whether its de-identification processes are compliant with the US State Privacy Laws; and  
      (c) before sharing Deidentified Data with any other party, including Sub-processors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of this Section 2.3 (including imposing this requirement on any further Recipients). 

    3. South Korea.
      3.1 Customer agrees that it has provided notice and obtained all consents and rights necessary under Applicable Data Protection Law for NowSecure to Process NowSecure Account Data and NowSecure Usage Data pursuant to the Terms (including this DPA). 

      3.2 To the extent Customer discloses or otherwise makes available Deidentified Data to NowSecure, NowSecure will:

      (a) maintain and use such Deidentified Data in a de-identified form and not attempt to re-identify the Deidentified Data; and 
      (b) before sharing Deidentified Data with any other party, including Sub-processors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of this Section 3.2 (including imposing this requirement on any further Recipients). 

    4. Definitions.  

      4.1 Where Personal Data is subject to the laws of one of the following regions, the definition of “Applicable Data Protection Law” includes:
      (a) Australia: the Australian Privacy Act; 
      (b) Brazil: the Brazilian Lei Geral de Proteção de Dados (General Personal Data Protection Act); 
      (c) Canada: the Canadian Personal Information Protection and Electronic Documents Act; 
      (d) Europe: (i) the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation, or GDPR) and (ii) the EU e-Privacy Directive (Directive 2002/58/EC) as amended, superseded or replaced from time to time (“EU Data Protection Law”); 
      (e) Japan: the Japanese Act on the Protection of Personal Information; 
      (f) Singapore: the Singapore Personal Data Protection Act; 
      (g) South Korea: the South Korean Personal Information Protection Act (“PIPA”) and the Enforcement Decrees of PIPA; 
      (h) Switzerland: the Swiss Federal Act on Data Protection and its implementing regulations as amended, superseded, or replaced from time to time (“Swiss FADP”); 
      (i) The United Kingdom: the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 as amended, superseded or replaced from time to time (“UK Data Protection Law”); and 
      (j) The United States: all state laws relating to the protection and Processing of Personal Data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act (“US State Privacy Laws”).
      4.2 “Deidentified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, a data subject.
      4.3 “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework self-certification program operated by the US Department of Commerce.  
      4.4 “Europe” includes, for the purposes of this DPA, the Member States of the European Union and European Economic Area.  
      4.5 “EU SCCs” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, superseded, or replaced from time to time.  
      4.6 “Service Provider” has the same meaning as given in the CCPA. 
      4.7 “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, as amended, superseded or replaced from time to time. 

    Schedule 3

    Technical & Organizational Measures

    NowSecure has implemented the following administrative, physical, technical and organizational security measures, at a minimum, to protect all Personal Data Processed under this DPA. Each entry states the subject matter followed by the corresponding measures.

    Organization of Information Security. NowSecure will maintain the following (or materially equivalent) organizational security controls:
      a. Information security awareness training is provided to all employees. The training includes an acknowledgement of and commitment to the NowSecure Information Security Policy. Additional security training (e.g., secure development practices) is also required for certain job roles.
      b. Employees with access to confidential data are hired under organizational procedures, including a detailed application form, background verification (where allowed by law), and agreement to confidentiality terms.
      c. All company employees are required to comply with the NowSecure Code of Business Conduct.
      d. Regular internal and external independent assessments are conducted to identify potential areas of improvement.

    Security Program.
      a. Security Program. NowSecure maintains a security program that establishes processes and safeguards designed to maintain security at an appropriate level.
      b. Industry Standards. NowSecure’s security program is designed based on relevant industry standards, presently including but not limited to ISO 27001 and NIST recommended practices.
      c. Information Security Policy. NowSecure maintains a written, enterprise-wide Information Security Policy designed to protect the confidentiality, integrity, and availability of customer data. The Information Security Policy establishes written standards and guidelines regarding information security in NowSecure’s operations and the conduct of its personnel, including those relating to acceptable use, access control, authentication, device security, security monitoring, supplier security management, and incident management, among others.

    Physical Security Controls. Physical access to NowSecure facilities is controlled by the use of a card access or other equivalent system that provides reasonable assurance that access is limited to authorized individuals. Visitor access is restricted, and physical security measures are regularly assessed.

    Business Continuity Planning. NowSecure maintains a master Business Continuity and Disaster Recovery (BC/DR) plan and corresponding recovery and restoration procedures designed to maintain availability in accordance with its customer SLA commitments, and to restore service promptly in case of interruption. NowSecure provides availability and health information at NowSecure’s status dashboard.

    Authentication. NowSecure maintains policies and standards for accounts and passwords to protect user information. Industry-standard cryptographically strong hashing algorithms are applied to user passwords and credentials before they are stored.

    Encryption. NowSecure maintains a Cryptographic Controls Policy and enforces industry-standard encryption algorithms to secure data in transit and data at rest, using encryption keys from trusted enterprise providers.
    Business Continuity Planning NowSecure maintains a master Business Continuity and Disaster Recovery (BC/DR) plan and corresponding recovery and restoration procedures designed to maintain availability in accordance with our customer SLA commitments, and restore service promptly in case of interruption. NowSecure provides availability and health information at NowSecure’s status dashboard.
    Authentication NowSecure maintains policies and standards for accounts and passwords to protect user information. Industry-standard cryptographically strong hashing algorithms are implemented prior to storing user passwords or credentials.
    Encryption NowSecure maintains a Cryptographic Controls Policy and enforces industry standard encryption algorithms to secure data in transit and data at rest, using encryption keys from trusted enterprise providers.

      5. Assistance and Cooperation Obligations.
        5.1 Data Subject Rights. Taking into account the nature of the Processing, NowSecure must provide reasonable and timely assistance to Customer to enable Customer to respond to requests for exercising a data subject’s rights (including rights of access, rectification, erasure, restriction, objection, and data portability) in respect to Customer Personal Data. 

        5.2 Cooperation Obligations. Upon Customer’s reasonable request, and taking into account the nature of the applicable Processing, NowSecure will provide reasonable assistance to Customer in fulfilling Customer’s obligations under Applicable Data Protection Law (including data protection impact assessments and consultations with regulatory authorities), provided that Customer cannot reasonably fulfill such obligations independently with help of available Documentation. 
        5.3 Third Party Requests. Unless prohibited by Law, NowSecure will promptly notify Customer of any valid, enforceable subpoena, warrant, or court order from law enforcement or public authorities compelling NowSecure to disclose Customer Personal Data. In the event that NowSecure receives an inquiry or a request for information from any other third party (such as a regulator or data subject) concerning the Processing of Customer Personal Data, NowSecure will redirect such inquiries to Customer, and will not provide any information unless required to do so under applicable Law.
      6. Deletion and Return of Customer Personal Data.
        6.1 During Subscription Term. During the Subscription term, Customer and its Users may, through the features of the Hosted Services, access, retrieve or delete Customer Personal Data. 

        6.2 Post Termination. Following expiration or termination of the Terms, NowSecure must, in accordance with the Documentation, delete all Customer Personal Data. Notwithstanding the foregoing, NowSecure may retain Customer Personal Data:

        (a) as required by Applicable Data Protection Law or 
        (b) in accordance with its standard backup or record retention policies, provided that, in either case, NowSecure will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to retained Customer Personal Data and not further Process it except as required by Applicable Data Protection Law.

      7. Audit. 

        7.1 Audit Reports. NowSecure is regularly audited by independent third-party auditors and/or internal auditors. Upon request, and on the condition that Customer has entered into an applicable non-disclosure agreement with NowSecure, NowSecure will supply a summary copy of relevant audit report(s) (“Report”) to Customer, so Customer can verify NowSecure’s compliance with the audit standards against which it has been assessed, and this DPA. If Customer cannot reasonably verify NowSecure’s compliance with the terms of this DPA, NowSecure will provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its Processing of Customer Personal Data, provided that such right may only be exercised no more than once every twelve (12) months.
        7.2 On-site Audits. Only to the extent Customer cannot reasonably verify NowSecure’s compliance with this DPA through the exercise of its rights under Section 7.1 above, or where required by Applicable Data Protection Law or a regulatory authority, Customer, or its authorized representatives, may, at Customer’s expense, conduct audits (including inspections) during the term of the Terms to assess NowSecure’s compliance with the terms of this DPA. Any audit must:
        (a) be conducted during NowSecure’s regular business hours, with reasonable advance written notice of at least sixty (60) calendar days (unless Applicable Data Protection Law or a regulatory authority requires a shorter notice period); 
        (b) be subject to reasonable confidentiality controls obligating Customer (and its authorized representatives) to keep confidential any information disclosed that, by its nature, should be confidential; 
        (c) occur no more than once every twelve (12) months; and 
        (d) restrict its findings to only information relevant to Customer.

      8. International Provisions. To the extent NowSecure Processes Personal Data protected by Applicable Data Protection Laws in one of the regions listed in Schedule 2 (Region-Specific Terms), the terms specified for the applicable regions will also apply, including the provisions relevant for international transfers of Personal Data (directly or via onward transfer).
      9. Definitions.
        “Applicable Data Protection Law” means all Laws applicable to the Processing of Personal Data under the Terms.
        “NowSecure Account Data” means Personal Data relating to Customer’s relationship with NowSecure, including: 
        (a) Users’ account information (e.g. name, email address, or NowSecure’s account ID); 
        (b) billing and contact information of individual(s) associated with Customer’s NowSecure account (e.g. billing address, email address, or name); 
        (c) Users’ device and connection information (e.g. IP address); and 
        (d) content/description of technical support requests (excluding attachments).
        “NowSecure Usage Data” means Personal Data relating to or obtained in connection with the use, performance, operation or support of the Services. NowSecure Usage Data may include event name (i.e. what action Users performed), event timestamps, browser information, and diagnostic data. For clarity, NowSecure Usage Data does not include Customer Personal Data.
        “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
        “Customer Personal Data” means Personal Data contained in Customer Data and/or Customer materials that NowSecure Processes under the Terms solely on behalf of Customer. For clarity, Customer Personal Data includes any Personal Data included in the attachments provided by Customer or its Users in any technical support requests. 
        “Personal Data” means information about an identified or identifiable natural person, or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Applicable Data Protection Law.
        “Processing” (and “Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
        “Processor” means the entity which Processes Personal Data on behalf of the Controller.
        “Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data Processed by NowSecure and/or its Sub-processors. 
        “Sub-processor” means any third party (including NowSecure Affiliates) engaged by NowSecure to Process Customer Personal Data. 

    Schedule 1 

    Description of Processing 

      1. Categories of data subjects whose Personal Data is Processed: Customer and its Users. 
      2. Categories of Personal Data Processed: NowSecure Account Data, NowSecure Usage Data, and Customer Personal Data. 
      3. Sensitive data transferred: NowSecure Account Data and NowSecure Usage Data do not contain data:
        (a) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, 
        (b) genetic data, biometric data Processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation, or 
        (c) relating to criminal convictions and offences (altogether “Sensitive Data”).   
      4. The frequency of the transfer: Continuous. 
      5. Nature of the Processing: NowSecure will Process Personal Data in order to provide the Services and related Support and Advisory Services in accordance with the Terms, including this DPA. Additional information regarding the nature of the Processing (including transfer) is described in respective Orders for relevant Services and Documentation referring to technical capabilities and features, including but not limited to collection, structuring, storage, transmission, or otherwise making available of Personal Data by automated means. 
      6. Purpose(s) of the Processing:
        6.1 Customer Personal Data: NowSecure will Process Customer Personal Data as Processor in accordance with Customer’s instructions as set out in Section 2.1 (Customer Instructions). 

        6.2 NowSecure Account Data and NowSecure Usage Data: NowSecure will Process NowSecure Account Data and NowSecure Usage Data for the limited and specified purposes outlined in Section 1.1 (Roles of the Parties). 
      7. Duration of Processing: 
        7.1 Customer Personal Data: NowSecure will Process Customer Personal Data for the term of the Terms as outlined in Section 6 (Deletion and Return of Customer Personal Data). 

        7.2 NowSecure Account Data and NowSecure Usage Data: NowSecure will Process NowSecure Account Data and NowSecure Usage Data only as long as required: 
        (a) to provide Services and related Support and Advisory Services to Customer in accordance with the Terms; 
        (b) for NowSecure’s legitimate business purposes outlined in Section 1.1 (Roles of the Parties); or 
        (c) by applicable Law(s). 
      8. Transfers to (Sub-)processors: NowSecure will transfer Customer Personal Data to Sub-processors as permitted in Section 4 (Sub-processing). 

    Schedule 2 

    Region-Specific Terms 

    Unless otherwise defined in this DPA or in the Terms, all capitalized terms used in this Schedule will have the meanings given to them in Section 4 of this Schedule.

    1. Europe, United Kingdom and Switzerland.
      1.1 Customer Instructions. In addition to Section 2.1 (Customer Instructions) of the DPA above, NowSecure will Process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of such Customer Personal Data to a third country or an international organisation, unless required to do so by Applicable Data Protection Law to which NowSecure is subject; in such a case, NowSecure shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. NowSecure will promptly inform Customer if it becomes aware that Customer’s Processing instructions infringe Applicable Data Protection Law. 

      1.2 European Transfers. Where Personal Data protected by the EU Data Protection Law is transferred, either directly or via onward transfer, to a country outside of Europe that is not subject to an adequacy decision, the following applies: 
      (a) The EU SCCs are hereby incorporated into this DPA by reference as follows: 
      (i) Customer is the “data exporter” and NowSecure is the “data importer”. 
      (ii) Module One (Controller to Controller) applies where NowSecure is Processing NowSecure Account Data or NowSecure Usage Data. 
      (iii) Module Two (Controller to Processor) applies where Customer is a Controller of Customer Personal Data and NowSecure is Processing Customer Personal Data as a Processor. 
      (iv) Module Three (Processor to Processor) applies where Customer is a Processor of Customer Personal Data and NowSecure is Processing Customer Personal Data as another Processor. 
      (v) By entering into this DPA, each party is deemed to have signed the EU SCCs as of the commencement date of the Terms. 
      (b) For each Module, where applicable: 
      (i) In Clause 7, the optional docking clause does not apply. 
      (ii) In Clause 9, Option 2 applies, and the time period for prior notice of Sub-processor changes is stated in Section 4 (Sub-processing) of this DPA. 
      (iii) In Clause 11, the optional language does not apply. 
      (iv) In Clause 17, Option 1 applies, and the EU SCCs are governed by Irish law. 
      (v) In Clause 18(b), disputes will be resolved before the courts of Ireland. 
      (vi) The Appendix of EU SCCs is populated as follows:
         – The information required for Annex I(A) is located in the Terms and/or relevant Orders. 
         – The information required for Annex I(B) is located in Schedule 1 (Description of Processing) of this DPA.  
         – The competent supervisory authority in Annex I(C) will be determined in accordance with the Applicable Data Protection Law; and 
         – The information required for Annex II is located in Schedule 3.
      1.3 Swiss Transfers. Where Personal Data protected by the Swiss FADP is transferred, either directly or via onward transfer, to any other country that is not subject to an adequacy decision, the EU SCCs apply as stated in Section 1.2 (European Transfers) above with the following modifications:
      (a) All references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss FADP, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the Swiss FADP; all references to the EU Data Protection Law in this DPA will be interpreted as references to the FADP. 
      (b) In Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner. 
      (c) In Clause 17, the EU SCCs are governed by the laws of Switzerland. 
      (d) In Clause 18(b), disputes will be resolved before the courts of Switzerland. 
      (e) All references to Member State will be interpreted to include Switzerland and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with Clause 18(c). 
      1.4 United Kingdom Transfers. Where Personal Data protected by the UK Data Protection Law is transferred, either directly or via onward transfer, to a country outside of the United Kingdom that is not subject to an adequacy decision, the following applies:
      (a) The EU SCCs apply as set forth in Section 1.2 (European Transfers) above with the following modifications:

      (i) Each party shall be deemed to have signed the UK Addendum. 
      (ii) For Table 1 of the UK Addendum, the parties’ key contact information is located in the Terms and/or relevant Orders. 
      (iii) For Table 2 of the UK Addendum, the relevant information about the version of the EU SCCs, modules, and selected clauses which this UK Addendum is appended to is located above in Section 1.2 (European Transfers) of this Schedule. 
      (iv) For Table 3 of the UK Addendum:
      – The information required for Annex 1A is located in the Terms and/or relevant Orders. 
      – The Information required for Annex 1B is located in Schedule 1 (Description of Processing) of this DPA. 
      – The information required for Annex II is located in Schedule 3; and 
      – The information required for Annex III is located in Section 4 (Sub-processing) of this DPA. 
      (b) In Table 4 of the UK Addendum, both the data importer and data exporter may end the UK Addendum. 
      1.5 Data Privacy Framework. NowSecure adheres to the Data Privacy Framework. As required by the Data Privacy Framework, NowSecure:

      (a) provides at least the same level of privacy protection as is required by the Data Privacy Framework Principles;
      (b) will notify Customer if NowSecure makes a determination it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles; and 
      (c) will, upon written notice, take reasonable and appropriate steps to remediate any unauthorized Processing of Personal Data. 

    2. United States of America. The following terms apply where NowSecure Processes Personal Data subject to the US State Privacy Laws: 

      2.1 To the extent Customer Personal Data includes personal information protected under US State Privacy Laws that NowSecure Processes as a Service Provider or Processor, on behalf of Customer, NowSecure will Process such Customer Personal Data in accordance with the US State Privacy Laws, including by complying with applicable sections of the US State Privacy Laws and providing the same level of privacy protection as required by US State Privacy Laws, and in accordance with Customer’s written instructions, as necessary for the limited and specified purposes identified in Section 1.1(a) (Customer Personal Data) and Schedule 1 (Description of Processing) of this DPA. NowSecure will not:
      (a) retain, use, disclose or otherwise Process such Customer Personal Data for a commercial purpose other than for the limited and specified purposes identified in this DPA, the Terms, and/or any related Order, or as otherwise permitted under US State Privacy Laws;
      (b) “sell” or “share” such Customer Personal Data within the meaning of the US State Privacy Laws; and
      (c) retain, use, disclose or otherwise Process such Customer Personal Data outside the direct business relationship with Customer and not combine such Customer Personal Data with personal information that it receives from other sources, except as permitted under US State Privacy Laws. 

      2.2 NowSecure must inform Customer if it determines that it can no longer meet its obligations under US State Privacy Laws within the timeframe specified by such laws, in which case Customer may take reasonable and appropriate steps to prevent, stop, or remediate any unauthorized Processing of such Customer Personal Data.
      2.3 To the extent Customer discloses or otherwise makes available Deidentified Data to NowSecure or to the extent NowSecure creates Deidentified Data from Customer Personal Data, in each case in its capacity as a Service Provider, NowSecure will:
      (a) adopt reasonable measures to prevent such Deidentified Data from being used to infer information about, or otherwise being linked to, a particular natural person or household;  
      (b) publicly commit to maintain and use such Deidentified Data in a de-identified form and to not attempt to re-identify the Deidentified Data, except that NowSecure may attempt to re-identify such data solely for the purpose of determining whether its de-identification processes are compliant with the US State Privacy Laws; and  
      (c) before sharing Deidentified Data with any other party, including Sub-processors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of this Section 2.3 (including imposing this requirement on any further Recipients). 

    3. South Korea.
      3.1 Customer agrees that it has provided notice and obtained all consents and rights necessary under Applicable Data Protection Law for NowSecure to Process NowSecure Account Data and NowSecure Usage Data pursuant to the Terms (including this DPA). 

      3.2 To the extent Customer discloses or otherwise makes available Deidentified Data to NowSecure, NowSecure will:

      (a) maintain and use such Deidentified Data in a de-identified form and not attempt to re-identify the Deidentified Data; and 
      (b) before sharing Deidentified Data with any other party, including Sub-processors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of this Section 3.2 (including imposing this requirement on any further Recipients). 

    4. Definitions.  

      4.1 Where Personal Data is subject to the laws of one of the following regions, the definition of “Applicable Data Protection Law” includes:
      (a) Australia: the Australian Privacy Act; 
      (b) Brazil: the Brazilian Lei Geral de Proteção de Dados (General Personal Data Protection Act); 
      (c) Canada: the Canadian Personal Information Protection and Electronic Documents Act; 
      (d) Europe: (i) the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation, or GDPR) and (ii) the EU e-Privacy Directive (Directive 2002/58/EC) as amended, superseded or replaced from time to time (“EU Data Protection Law”); 
      (e) Japan: the Japanese Act on the Protection of Personal Information; 
      (f) Singapore: the Singapore Personal Data Protection Act; 
      (g) South Korea: the South Korean Personal Information Protection Act (“PIPA”) and the Enforcement Decrees of PIPA; 
      (h) Switzerland: the Swiss Federal Act on Data Protection and its implementing regulations as amended, superseded, or replaced from time to time (“Swiss FADP”); 
      (i) The United Kingdom: the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 as amended, superseded or replaced from time to time (“UK Data Protection Law”); and 
      (j) The United States: all state laws relating to the protection and Processing of Personal Data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act (“US State Privacy Laws”).
      4.2 “Deidentified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, a data subject.
      4.3 “Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework self-certification program operated by the US Department of Commerce.  
      4.4 “Europe” includes, for the purposes of this DPA, the Member States of the European Union and European Economic Area.  
      4.5 “EU SCCs” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, superseded, or replaced from time to time.  
      4.6 “Service Provider” has the same meaning as given in the CCPA. 
      4.7 “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, as amended, superseded or replaced from time to time. 

    Schedule 3

    Technical & Organizational Measures

    NowSecure has implemented the following administrative, physical, technical and organizational security measures, at a minimum, to protect all Personal Data Processed under this DPA:

    Subject Matter: Organization of Information Security
    Measures: NowSecure will maintain the following (or materially equivalent) organizational security controls:
      a. Information security awareness training is provided to all employees. The training includes an acknowledgement of and commitment to the NowSecure Information Security Policy. Additional security training (e.g., secure development practices) is also required for certain job roles.
      b. Employees with access to confidential data are hired under organizational procedures, including a detailed application form, background verification (where allowed by law), and agreement to confidentiality terms.
      c. All company employees are required to comply with the NowSecure Code of Business Conduct.
      d. Regular internal and external independent assessments are conducted to identify potential areas of improvement.

    Subject Matter: Security Program
    Measures:
      a. Security Program. NowSecure maintains a security program that establishes processes and safeguards designed to maintain security at an appropriate level.
      b. Industry Standards. NowSecure’s security program is designed based on relevant industry standards, presently including but not limited to ISO 27001 and NIST recommended practices.
      c. Information Security Policy. NowSecure maintains a written, enterprise-wide Information Security Policy designed to protect the confidentiality, integrity, and availability of customer data. The Information Security Policy establishes written standards and guidelines regarding information security in NowSecure’s operations and the conduct of its personnel, including those relating to acceptable use, access control, authentication, device security, security monitoring, supplier security management, and incident management, among others.

    Subject Matter: Physical Security Controls
    Measures: Physical access to NowSecure facilities is controlled by the use of a card access or other equivalent system that provides reasonable assurance that access is limited to authorized individuals. Visitor access is restricted, and physical security measures are regularly assessed.

    Subject Matter: Business Continuity Planning
    Measures: NowSecure maintains a master Business Continuity and Disaster Recovery (BC/DR) plan and corresponding recovery and restoration procedures designed to maintain availability in accordance with our customer SLA commitments, and restore service promptly in case of interruption. NowSecure provides availability and health information at NowSecure’s status dashboard.

    Subject Matter: Authentication
    Measures: NowSecure maintains policies and standards for accounts and passwords to protect user information. Industry-standard cryptographically strong hashing algorithms are implemented prior to storing user passwords or credentials.

    Subject Matter: Encryption
    Measures: NowSecure maintains a Cryptographic Controls Policy and enforces industry standard encryption algorithms to secure data in transit and data at rest, using encryption keys from trusted enterprise providers.