Data Processing Agreement

Effective Date: August 12, 2024.

This Data Processing Agreement (“Agreement”) is made between Jatheon Technologies Inc. (“Data Processor”) and the Customer (“Data Controller”), collectively referred to as the “Parties.”

1. Definitions

• 1.1 Data Controller: The entity that determines the purposes and means of processing Personal Data.
• 1.2 Data Processor: The entity that processes Personal Data on behalf of the Data Controller.
• 1.3 Personal Data: Any information relating to an identified or identifiable individual.
• 1.4 Processing: Any operation performed on Personal Data, whether automated or manual, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.

2. Use of Sub-Processors

• 2.1 The Data Processor may engage sub-processors to assist in providing services. A list of current sub-processors is included in Exhibit A.

3. Data Processing Responsibilities

• 3.1 Legal Compliance: The Data Processor will ensure that all Personal Data is processed in accordance with applicable data protection laws, regulations, and industry standards.
• 3.2 Confidentiality: The Data Processor will ensure that any person authorized to process Personal Data is bound by a duty of confidentiality.
• 3.3 Security: The Data Processor will implement and maintain appropriate technical and organizational measures to protect Personal Data from unauthorized access, loss, disclosure, alteration, or destruction.
• 3.4 Sub-Processing: The Data Processor will maintain an updated list of all sub-processors involved in processing Personal Data and ensure that each sub-processor is bound by a written agreement to fulfill data protection obligations.
• 3.5 Data Subject Rights: The Data Processor will assist the Data Controller in responding to requests from data subjects to access, correct, delete, or restrict the processing of their Personal Data.
• 3.6 Data Breach Notification: In the event of a Personal Data breach, the Data Processor will promptly notify the Data Controller and provide all necessary information to assist in meeting legal obligations.

4. Data Controller Obligations

• 4.1 Lawful Basis: The Data Controller confirms that it has a lawful basis for processing Personal Data and that any necessary permissions or authorizations have been obtained.
• 4.2 Instructions: The Data Controller will provide the Data Processor with written instructions regarding the processing of Personal Data. The Data Processor will only process Personal Data according to these instructions.
• 4.3 Data Subject Rights: The Data Controller is responsible for managing and addressing data subject requests in accordance with applicable data protection laws.

5. Data Transfers

• 5.1 Any transfer of Personal Data to third countries or international organizations will require prior written consent from the Data Controller and must comply with applicable data protection laws.

6. Duration and Termination

• 6.1 This Agreement will remain effective for the duration of the data processing activities or until terminated as specified in this Agreement or in the Terms of Service.
• 6.2 If you have any questions, please contact our Data Protection Officer at dpo@jatheon.com.

———

Exhibit A: Sub-Processors

The Data Processor currently engages the following sub-processors for the processing of Personal Data:

• Amazon Web Services, Inc.
• Atlassian Trello
• Basecamp, LLC
• Breezy HR, Inc.
• GovSpend
• Google Workspace, Google LLC
• HubSpot, Inc.
• LinkedIn, Inc.
• Meta Platforms, Inc.
• PandaDoc
• PeopleForce LTD.
• RingCentral
• Riversys Technologies Private LTD.
• Scrut Automation
• Slack Technologies, Inc.
• Stripe Inc.
• Xero Limited (Xero)
• YouTube, Google LLC
• Zendesk
• Zoom Video Communications, Inc.