This DPA, is entered into by and between Feroot and Customer (as defined in the Order Form).

This DPA supplements and forms part of the Agreement entered into by Feroot and Customer for the provision of the Solution and related services. In the event of any conflict between the Agreement and this DPA, the terms and conditions of this DPA will control. Except to the extent expressly superseded or modified in this DPA, the terms and conditions of the Agreement will apply to this DPA and remain in full force and effect.

Defined terms not defined in this DPA will have the meaning set out in the Terms and Conditions that form a part of this Agreement.

1. Definitions

2. Data Processing and Security Responsibilities.

Customer and Feroot will each comply with all privacy laws that apply to it (including, where applicable, the EU GDPR) in relation to any Personal Data Processed in connection with this DPA, as set out in Annex A to this DPA.

3. Customer Obligations.

Customer agrees that it has

4. Feroot Obligations.

In the course of Processing Personal Data on behalf of Customer in connection with the Solution as set out in Annex A to this DPA, Feroot will:

5. Audit Rights.

Feroot will provide Customer (or its representatives) with access to the records, facilities and premises of Feroot during business hours and upon at least 30 days’ advance notice in writing, for the purposes of verifying Feroot’s compliance with this DPA.

6. Subcontracting.

Customer acknowledges and agrees that Feroot will use sub-processors (including Feroot affiliates) to provide the Solution. Feroot will enter into a written agreement with each such sub-processor that imposes obligations on the sub-processor that are substantially similar to those imposed on Feroot under this DPA. Where such sub-processors fail to fulfil their data protection obligations, Feroot will remain fully liable to Customer for the performance of those sub-processor’s obligations. Prior to appointing any new sub-processor in addition to or in lieu of those listed in Annex C, Feroot will notify Customer of such sub-processors, whereupon Customer will have 30 days to object to such appointment by providing detailed reasons for such objection to Feroot.

7. Security Breach Notification.

8. Termination

Upon the termination of the Agreement or at such other times as instructed by Customer in writing, immediately return (or, upon the written instruction of Customer, securely dispose of) each and every original and copy in every media of all Personal Data in the possession or control of Feroot unless applicable laws of Canada, the EU or the law of an EU Member State to which Feroot is subject requires storage of the Personal Data.

ANNEX A

DATA PROCESSING DESCRIPTION

Subject-matter and duration of the Processing

Feroot’s Solution helps organizations manage data subject rights, including data subject access requests. The duration of the Processing lasts for as long as the Agreement is in force, and as long as any lawful purposes continue to exist.

Nature and purposes of the Processing

Personal Data are Processed for the following purposes

helping organizations manage data subject rights, including data subject access requests by identifying, storing, retrieving, displaying, erasing, rectifying, and otherwise facilitating the organization’s management of Personal Data across various cloud-based data storage platforms.

Data Categories

The following categories of Personal Data are involved

The Personal Data may include Personal Data about:

ANNEX B

SECURITY MEASURES

The following security measures have been implemented to help safeguard the Personal Data in Feroot’s custody:

ANNEX C

SUBCONTRACTORS

Below is the list of sub-processors