Data Processing Addendum (DPA)

1. General

This Data Processing Addendum (the "Addendum") forms part of the Agreement, between IHQ and the Client which governs the use of the IHQ Services by the Client and becomes effective on the Effective Date.

2. Definitions

"Adequacy Decision" means any country or territory recognised by a relevant regulatory or supervisory authority as providing an adequate level of protection for personal data in accordance with data protection laws applicable.

"Data Controller" means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

"Data Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.

"Data Sub-Processor" means a third party engaged by Intent HQ to assist in the process of Personal Data in connection to the Agreement.

"Personal Data" means any information relating to the Data Subject.

3. Personal Data Processing

The Client and IHQ agree and acknowledge that, with regards to the processing of Personal Data, the Client is the Data Controller and IHQ is the Data Processor. This Addendum focuses on the processing of Personal Data by IHQ as a part of the provision of the Services.

The Personal Data will be processed by IHQ on behalf of the Client, following the Client's written instructions, in accordance with the Agreement and the data protection laws that apply to IHQ.

In its use of the Services, the Client shall comply with the requirements contained in the data protection laws that apply to it, including those contained in the UK GDPR, EU GDPR or, if applicable, CCPA.

4. Data Subject Access Requests

In the event that IHQ receives a request from a Data Subject seeking to exercise their data protection rights, IHQ will notify the Client without undue delay, and will provide, when possible and necessary, reasonable assistance to the Client to respond to the Data Subject's request. The Client will be solely responsible for responding to any Data Subject requests or communications involving Personal Data.

5. Disclosure of Personal Data

IHQ will not disclose Personal Data to any third party, unless: It is requested expressly and in writing by the Client; it is allowed under this Addendum; it is necessary to provide the Services; it is required by applicable laws.

In the case that IHQ receives any order from a governmental authority, or any administrative or executive agency, IHQ will promptly communicate in writing the Order to the Client.

6. International Transfers

In order for IHQ to provide the Services to the Client, the Client acknowledges and hereby consents that the personal data processed by IHQ on behalf of the Client may be transferred, stored and processed to locations outside of the United Kingdom and/or the European Economic Area.

For transfers of Personal Data of data subjects originating in the European Union, the European Economic Area and/or its member states, Switzerland, or the United Kingdom, such transfers will be conducted in accordance with the EU Standard Contractual Clauses set out in Annex I to this Addendum.

7. Security

IHQ has implemented appropriate technical and organisational measures against accidental, unauthorised or unlawful Processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data or other improper use.

IHQ has implemented such measures to ensure a level of security appropriate to the risk involved, including (i) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (ii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iii) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

8. Minimum Technical and Organisational Measures

IHQ has security certifications in place, including ISO/IEC 27001, ISO/IEC 27018 and SOC2 Type II. The list of security measures implemented by IHQ includes, but is not limited to: limiting access to information/systems to authorised users on a need-to-know basis; limiting physical access to IHQ's information systems and related equipment to authorised individuals; regular assessments of information security risks; training of IHQ's employees on information systems regarding the information security risks; imposition of formal sanctions for IHQ's employees failing to comply with information security policies and procedures.

9. Personal Data Breach Notifications

IHQ will notify the Client without undue delay in the event of becoming aware of an incident concerning a Personal Data Breach on the Personal Data that IHQ processes on behalf of the Client.

After becoming aware of a Personal Data Breach, IHQ will investigate it and, if possible, provide the Client with sufficient information about the Personal Data Breach for the Client to comply with the notification requirements contained in the data protection laws which are applicable to the Client.

10. Audits

The Client may conduct a maximum of one audit per calendar year, unless there is a request to the Client by a Supervisory Authority or any other data protection enforcement authority.

Any audit conducted under this Addendum shall be limited to the provision by IHQ of evidence of its current security certifications.

11. Personal Data Records

IHQ will keep records of the Processing of Personal Data carried out on behalf of the Client. These records will include: name and contact details of the Client; the categories of processing carried out on behalf of the Client; and international transfers and the basis on which the international transfers are in conformity with the applicable data protection regulations.

12. Sub-processors

Due to the complex and technical nature of the Services, IHQ may from time to time engage third party sub-processors to process Personal Data on its behalf. IHQ shall (1) maintain a list of its sub-processors in the IHQ Legal Resource Centre (www.intenthq.com/legal) and update such list no less than fourteen (14) days before changing any sub-processor, (2) impose data protection terms on such sub-processors which are no less onerous than those set out in this Addendum and (3) be liable for any acts or omissions of those sub-processors.

The Client may opt in to receive email notifications of any changes to the sub-processor list by submitting a request to subprocessornotifications@intenthq.com.

13. Data Protection Impact Assessment

IHQ will provide reasonable assistance to the Client, upon request, in ensuring compliance with the obligations deriving from carrying out a data protection impact assessment, when the Client reasonably considers that is obliged to perform it, and from prior consultation of the Supervisory Authority.

14. CCPA Provisions

IHQ is the "Service Provider" and the Client is the "Business", with IHQ considered to be acting at the direction of the Client. Under no circumstances will IHQ sell Client's personal data to third parties in return for money or other valuable consideration. IHQ will not retain, disclose or use the data disclosed to it by the Client for any purpose other than to provide the services as contained in the Agreement or as otherwise provided in the CCPA.

15. Termination

This Addendum will remain in full force and effect so long as: (i) the Agreement remains in effect; or (ii) IHQ retains any of the Personal Data related to the Agreement in its possession or control.

Within 30 days after the termination of the Agreement, IHQ will delete the Personal Data, unless required by law or to resolve disputes or enforce IHQ's legal agreements and policies, when permitted by law.

17. Miscellaneous

If there is a conflict between this Addendum and any provision of the Agreement, this Addendum shall prevail. The Addendum shall not restrict any applicable data protection laws. This Addendum replaces and supersedes all previous written and oral agreements related to the processing of data.