Readyly Customer DPA
1. DATA PROCESSING AND PROTECTION
1.1. Limitations on Use. Readyly will Process Company Personal Data only: (a) in a manner consistent with Company’s documented instructions as specified under Section 1.2 (Instructions), including with regard to transfers of Company Personal Data to a third country; and (b) as required by applicable laws, provided that Readyly will inform Company (unless prohibited by law) of the applicable legal requirement before Processing pursuant to such law. Without limiting the instructions under Section 1.2, Readyly will not: (x) retain, use, or disclose the Company Personal Data (i) outside of the direct business relationship between the parties or (ii) for any purpose other than for the specific purpose of performing the Services, including retaining, using, or disclosing the Company Personal Data for a commercial purpose other than providing the Services; (y) sell or share (as defined by Data Protection Law) the Company Personal Data; or (z) combine Company Personal Data with Personal Data Readyly receives from individuals or other customers, except as permitted by Data Protection Law.
1.2. Instructions. Company instructs Readyly to Process Company Personal Data as necessary to provide the Services and as otherwise authorized or permitted under this DPA and the Agreement, including as specified in Attachment 2 (Scope of Processing). This DPA, the Agreement, and any instructions provided by Company through configuration tools made available by Readyly constitute Company’s documented instructions regarding Readyly’s Processing of Company Personal Data. Additional instructions provided by Company (if any) require prior written agreement by Company and Readyly, including agreement on any additional fees to carry out such instructions. Company will not instruct Readyly to perform any Processing of Company Personal Data that violates any Data Protection Law. Readyly may suspend Processing based upon any Company instructions that Readyly reasonably suspects violate Data Protection Law, provided Readyly will promptly inform Company if, in Readyly’s opinion, an instruction infringes Data Protection Law.
1.3. Compliance. Each party will comply with its obligations under Data Protection Law. Readyly shall notify the Company if it determines that it cannot meet its obligations under Data Protection Law. Upon receiving written notice from Company that Readyly has Processed Company Personal Data without authorization, Readyly will take reasonable and appropriate steps to stop and remediate such Processing.
1.4. Confidentiality. Readyly will ensure that persons authorized by Readyly to Process any Company Personal Data are subject to appropriate confidentiality obligations.
1.5. Security. Readyly will implement and maintain appropriate technical and organizational measures designed to protect Company Personal Data against Security Incidents and provide the level of protection required by Data Protection Law in accordance with Attachment 3 (Data Security Exhibit). Readyly may amend the technical and organizational measures, provided the amended measures do not reduce the level of security provided by Attachment 3 (Data Security Exhibit).
1.6. Disposal. At the choice of Company, Readyly will delete (or will enable Company via the Services to delete), and will delete existing copies of, all Company Personal Data after the end of the provision of Services (unless Data Protection Law requires the storage of such Company Personal Data by Readyly, in which case Readyly will only further retain and Process such Company Personal Data for the limited duration and purposes required by such Data Protection Law). The certification of deletion contemplated by Clause 8.5 of the SCCs shall be provided on Company’s written request.
2. DATA PROCESSING ASSISTANCE
2.1. Data Subject Rights Assistance. Company shall be responsible for responding to requests from Data Subjects to exercise rights under Data Protection Law relating to Company Personal Data (each a “Data Subject Request”). Readyly will, to the extent permitted by Data Protection Law, notify Company without undue delay if Readyly receives a Data Subject Request. To the extent Company, in its use of the Services, does not have the ability to address the Data Subject Request, Readyly will, upon Company’s request, provide commercially reasonable efforts to assist Company in responding to such Data Subject Request, to the extent the response to such Data Subject Request is required under Data Protection Law and Company has provided the information necessary for Readyly to assist with the request.
2.2. Security Assistance. Taking into account the nature of Processing and the information available to Readyly, Readyly will provide commercially reasonable efforts to assist Company in Company’s efforts to comply with Company’s obligations to secure Company Personal Data by providing the information and assistance described in Section 3 (Audits).
2.3. Security Incident Notice and Assistance. Readyly will notify Company without undue delay after becoming aware of a Security Incident. Readyly will further take commercially reasonable steps to mitigate the effects and minimize any impact from the Security Incident. Taking into account the nature of Processing and the information available to Readyly, Readyly will assist Company in ensuring compliance with Company’s notification obligations imposed under Data Protection Law in connection with any Security Incident.
2.4. Data Processing Impact Assessment (“DPIA”) and Prior Consultation Assistance. Taking into account the nature of Processing and the information available to Readyly, Readyly will provide commercially reasonable efforts to assist Company in ensuring compliance with the obligations related to DPIAs and consulting with regulatory authorities.
3. AUDITS
3.1. General Assistance. Subject to Section 3.3 (Company Audits), Readyly will make available to Company information necessary to demonstrate compliance with its obligations in this DPA. Any such information or results of audits will be deemed the confidential information of Readyly under the Agreement.
3.2. Readyly Reports. Readyly may procure summaries of independent audits by third parties to assess Readyly’s adherence to the following standards or requirements: (a) SOC 2 Type II (or reports or other documentation describing the controls implemented by Readyly that replace or are substantially equivalent to SOC 2 Type II); (b) ISO 27001 (or certifications or other documentation evidencing compliance with such alternative standards as are substantially equivalent to ISO 27001); and/or (c) certifications or other documentation evidencing compliance with alternative standards that are substantially equivalent to the foregoing (collectively, “Reports”). Subject to the confidentiality obligations set forth in the Agreement, Readyly will provide Company with a copy of Readyly’s then-current Reports as reasonably requested. If the Agreement does not include a provision protecting Readyly’s confidential information, then the Reports will be made available to Company subject to a mutually agreed upon non-disclosure agreement covering the Reports.
3.3. Company Audits. Company agrees to exercise its audit rights by first requesting the Reports as described in Section 3.2 (Readyly Reports). Company will only request additional information or an on-site audit of Readyly to the extent the information provided by Readyly is not reasonably sufficient to enable Company to evaluate Readyly’s compliance with this DPA and/or Data Protection Law. Except in the event of a Security Incident or regulatory investigation, Company will provide no less than 30 days' advance notice of its request for an on-site audit and will cooperate in good faith with Readyly to schedule any such audit on a mutually agreed upon date and time (such agreement not to be unreasonably withheld by either party). Any such on-site audit must occur during Readyly’s normal business hours and be conducted by Company or a nationally recognized independent auditor. In connection with conducting the audit, Company and/or its auditor must: (a) comply with reasonable and applicable on-site policies and procedures provided by Readyly, (b) sign a standard confidentiality agreement with Readyly, and (c) not unreasonably interfere with Readyly’s business activities. Company will provide a written summary of any audit findings to Readyly, and the results of the audit will be the confidential information of Readyly.
4. SUBPROCESSORS
4.1. Appointment of Subprocessors. Company authorizes Readyly to use subcontractors to Process Company Personal Data in connection with providing the Services (each, a “Subprocessor”). Company specifically consents to Readyly’s appointment of the Subprocessors identified on Attachment 4 (the “Subprocessor List”).
4.2. Objection Right for New Subprocessors.
4.2.1 Readyly will notify Company of its intent to update the Subprocessor List at least 15 days prior to engaging a new Subprocessor. Company may object to Readyly’s use of a new Subprocessor within 10 days of receiving such notice by sending an e-mail to firstname.lastname@example.org clearly indicating its desire to object to any such change.
4.2.2. If Company objects to the change in Subprocessors, Readyly and Company will cooperate in good faith to resolve Company’s objection. If the parties are unable to resolve Company’s objection within 10 days, then either party may terminate the Agreement only with respect to those Services that Readyly indicates cannot be provided without the objected-to Subprocessor.
4.3. Liability. Readyly will impose data protection obligations upon any Subprocessor that are no less protective of Company Personal Data than those included in this DPA. Readyly will remain liable to Company for any breach of such obligations by its Subprocessors as it would for its own acts and omissions.
5. DATA TRANSFERS
5.1. Overview. The transfer of EEA, UK, and Swiss residents’ Company Personal Data to a country not subject to an adequacy decision (a “Data Transfer”) will be subject to the SCCs, which are incorporated by this reference. If an alternative transfer mechanism for legitimizing Data Transfers (an “Alternative Mechanism”) becomes available during the term of this DPA, and Readyly notifies Company that Data Transfers can be conducted in compliance with Data Protection Law pursuant to the Alternative Mechanism, the parties will rely on the Alternative Mechanism to legitimize Data Transfers instead of the provisions that follow.
5.2. SCCs. The parties agree to comply with the general clauses and with Module 2 (Controller to Processor) of the SCCs (which are deemed executed as of the effective date of this DPA) with Company as the “data exporter” and Readyly as the “data importer.”
5.3. Transfers Subject to Swiss Data Protection Law. If any Company Personal Data subject to the Swiss Federal Act on Data Protection of 19 June 1992 (the “FADP”) is subject to a Data Transfer, the parties will conduct such transfer pursuant to the SCCs with the following modifications: the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner insofar as the data transfer is governed by the FADP; references to a “Member State” and “EU Member State” will not be interpreted to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland); and references to “GDPR” in the SCCs will be understood as references to the FADP.
5.4. Transfers Subject to the UK GDPR. Any Company Personal Data that is subject to the UK GDPR and a Data Transfer will be subject to the UK IDTA, which is incorporated by this reference and deemed executed as of the effective date of this DPA. The information needed to complete the Tables to the UK IDTA is provided in the Attachments to this DPA.
6. LIMITATION OF LIABILITY
Each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability in the Agreement. Nothing in this Section 6 is intended to restrict the rights of data subjects under Data Protection Law.
To the extent there is any conflict between the terms of this DPA, on the one hand, and the applicable SCCs or UK IDTA, on the other hand, the SCCs or UK IDTA, as appropriate, will control. Except as specifically amended and modified by this DPA, the terms and provisions of the Agreement remain unchanged and in full force and effect. Except as expressly stated in the SCCs and the UK IDTA, the governing law clause and forum selection clause of the Agreement will apply to any disputes arising out of this DPA. No supplement, modification, or amendment of this DPA will be binding unless executed in writing by each party to this DPA.
ATTACHMENT 3: DATA SECURITY EXHIBIT
Readyly will maintain the following technical and organizational security measures:
Company Personal Data will be encrypted in transit and at rest
The Services are hosted in cloud environments that undergo annual SOC 2 Type II examinations
The Services are continuously monitored and tested for any security vulnerabilities or unexpected changes
The Services enable segregation of responsibilities and application functional access
Readyly grants personnel access to Company Personal Data on a need-to-know basis and all such access is audited
Readyly trains its personnel with access to Company Personal Data on proper data handling practices
ATTACHMENT 4: SUBPROCESSOR LIST
Subprocessor | Countries where Subprocessor will Process Company Personal Data | Cross-Border Data Transfer Mechanism
Amazon Web Services, Inc. | |
MongoDB, Inc. | |
ATTACHMENT 1: DEFINITIONS
For the purposes of this DPA, the following terms will have the meaning ascribed below:
“CCPA” means the California Consumer Privacy Act of 2018, including (a) as amended by the California Privacy Rights Act of 2020 or otherwise and (b) any regulations promulgated thereunder.
“Controller” means “controller” and “business” (and analogous variations of such terms) under Data Protection Law.
“Company Personal Data” means Personal Data that Readyly Processes on behalf of Company in connection with providing the Services as described in Attachment 2.
“Data Protection Law” means the GDPR, the UK GDPR, the FADP, the CCPA, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, and any other state, federal, or international data protection or privacy laws that apply to Readyly’s Processing of Company Personal Data.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means “personal data” and “personal information” (and analogous variations of such terms) under Data Protection Law.
“Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and any other operation or set of operations that constitutes processing under Data Protection Law.
“Processor” means “processor” and “service provider” (and analogous variations of such terms) under Data Protection Law.
“SCCs” means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914, as may be replaced or superseded by the European Commission. The parties make the following choices for implementing the SCCs:
In Clause 7, the optional docking clause will apply.
The audits contemplated by Clause 8.9 shall be conducted according to the audit provisions of this DPA.
In Clause 9, Option 2 will apply and the time period for notice of Subprocessor changes will be as set forth in this DPA.
In Clause 11, the optional language will not apply to the SCCs or the UK IDTA.
In Clause 17, the SCCs shall be governed by the laws of Ireland.
In Clause 18(b), the parties agree to resolve disputes arising from the SCCs in the courts of Ireland.
The information needed to complete Annex I of the SCCs is included in Attachment 2 to this DPA.
The information needed to complete Annex II of the SCCs is included in Attachment 3 to this DPA.
The information needed to complete Annex III of the SCCs is included in Attachment 4 to this DPA.
“Security Incident” means “personal data breach” and “security incident” (and analogous variations of such terms) under Data Protection Law.
“Services” means the services provided by Readyly pursuant to the Agreement.
“UK GDPR” means the GDPR as incorporated into United Kingdom law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).
“UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf. Neither party can terminate the UK IDTA pursuant to Table 4 and Section 19 thereof without the written consent of the other.
ATTACHMENT 2: SCOPE OF PROCESSING
Subject-Matter and Duration of Processing
Readyly Processes Company Personal Data if and when provided by Company in the course of providing the Services in accordance with the Agreement and until the Agreement terminates or expires.
Nature and Purpose of Processing
Processing of Company Personal Data in connection with and for the purpose of Readyly providing the Services to Company pursuant to the Agreement. Specifically, the Company Personal Data will, if and to the extent Company provides it, be subject to storage and analysis, among other Processing activities.
Types of Company Personal Data
Company may submit Company Personal Data to the Services, the extent of which is determined and controlled by Company in its sole discretion. This may include, but is not limited to, the following categories of data:
Direct identifying information (e.g., name, email address, telephone)
Device identification data and traffic data (e.g., IP addresses, MAC addresses, web logs)
Support ticket information
Any other Personal Data supplied by users of the Services
Categories of Data Subjects
The data subjects will include Company’s employees, customers, and end-users.
Period of Data Retention
Readyly will retain the Personal Data until the termination of the Agreement, unless otherwise agreed to by the parties.
Special Categories of Data (as applicable)
The Services are not designed for special categories of Personal Data. Readyly does not anticipate that Company will submit special categories of Personal Data to the Services. To the extent that such data is submitted to the Services, it is determined and controlled by Company in its sole discretion.
Frequency of Transfers
Readyly will import Company Personal Data on a continuous basis.