Data Processing Addendum

This Data Processing Addendum (this “Addendum”) forms part of the Appspace End User Agreement (the “Agreement”) between you (“you” or “End User”) and Appspace, Inc. a corporation formed under the laws of the state of Delaware, with offices located at 5005 LBJ Freeway, Suite 1100, Dallas, Texas 75244, USA (“Appspace”) for the provision of the Products. Capitalized terms not expressly defined in this Addendum will have the meanings given to them in the Agreement. Appspace may modify this Addendum from time to time, subject to the terms in Section 26 (Changes to this Agreement) of the Agreement. If and to the extent language in this Addendum or any of its Appendices conflicts with the Agreement, this Addendum shall take precedence. The term of this Addendum corresponds to the duration of the Agreement.

By clicking on the “I agree” (or similar button) that is presented to you at the time you receive your license key or access to Appspace Products, or by using or accessing Appspace Products or Services, you indicate your assent to be bound by this Addendum. If you do not agree to the terms of this Addendum, do not use any Appspace Products or Services

1. Definitions “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.  “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Data Protection Legislation” means all applicable laws and regulations relating to the processing of personal data and privacy, including where applicable, the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq., (“CCPA”), as well as any guidance notes and codes of practice issued by the European Commission, European Data Protection Board and applicable national supervisory authorities including without limitation the UK Data Protection Act 2018, UK GDPR, GDPR and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector  (ePrivacy Directive), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), Swiss Data Protection Act 2020  and all local or national laws and regulations implementing the aforementioned, in each case as may be updated, amended, supplemented or replaced from time to time.

“Data Subject” means the identified or identifiable natural person to whom End User Personal Data relates.

“End User Personal Data” means the Personal Data within End User Data Processed by Appspace on End User’s behalf in the course of providing Products to End User.

“GDPR” means EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data.

“Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under applicable Data Protection Legislation.

“Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Personal Data Breach” means the actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to End User Personal Data.

Standard Contractual Clauses” means  (i) where the GDPR applies, the standard contractual clauses adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021 (the “EU/EEA SCCs”); (ii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”); and (iii) where UK Data Protection Law apply, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (the “UK SCCs”).

Subprocessor” means Appspace’s authorized Affiliates, vendors and third-party service providers that Process End User Personal Data in the course of providing the Products.

“UK GDPR” means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018.

Data Controller”, “Data Processor”, “Business”, and “Service Provider”, shall be interpreted in accordance with applicable Data Protection Legislation.

2. Data Protection

2.1 Roles of the Parties. The provisions of this Section 2 shall apply to the Processing by Appspace of End User Personal Data in the course of providing End User the Products, as detailed in Appendix 1A of this Addendum. End User is the Data Controller and/or Business and Appspace is the Data Processor and/or Service Provider in relation to End User Personal Data.

2.2 Processing Instructions. Appspace will Process the End User Personal Data only in accordance with End User’s documented instructions as set forth in this Addendum and the Agreement or as directed and documented by End User through the Products, and in accordance with the requirements of Article 28(3) of GDPR.  If Data Protection Legislation requires Appspace to Process the End User Personal Data for any other purpose, Appspace will notify End User of this requirement before processing, unless such law(s) prohibit the giving of notice on important grounds of public interest. Appspace will notify End User promptly if, in Appspace’s opinion, an instruction for the Processing of End User Personal Data given by End User violates applicable Data Protection Legislation.

2.3 Where Appspace processes the End User Personal Data under or in connection with the performance of its obligations under the Agreement, Appspace shall:

2.3.1 implement appropriate technical and organizational measures necessary to meet the requirements of Article 32 of the GDPR;

2.3.2 taking into account the nature of the Processing and the information available to Appspace, reasonably assist End User to fulfil End User’s obligations under Data Protection Legislation:

(i) where possible, to respond to requests from End Users concerning Data Subjects exercising their rights in End User Personal Data under Data Protection Legislation (e.g., access, rectification, erasure, data portability, etc.). If a request is sent directly to Appspace, Appspace will inform the requester to contact the End User which is responsible for their Personal Data and will not otherwise respond to the request. In the event Appspace is unable to delete End User Personal Data for reasons permitted under the Data Protection Legislation, Appspace shall (a) promptly inform End User of the reason(s) for its inability to fulfill the deletion request, (b) ensure the continued privacy, confidentiality and security of such End User Personal Data, and (c) delete the End User Personal Data promptly after the reason(s) for Appspace’

(ii) with respect to Articles 32 to 36 of the GDPR.

2.3.3 make available to End User all information reasonably requested by End User for the purpose of demonstrating that End User’s obligations relating to the appointment of Data Processors as set out in Article 28 of the GDPR have been met.

If changes in Data Protection Legislation result in new material obligations as it relates to Appspace’s assistance under this Section 2.3.2, the Parties will work together in good faith to agree upon an acceptable resolution. Each Party shall be responsible for its own costs incurred under this Section 2.3.2;  and

2.3.3 make available to End User all information reasonably requested by End User for the purpose of demonstrating that End User’s obligations relating to the appointment of Data Processors as set out in Article 28 of the GDPR have been met.

2.4 Information Security. In accordance with Appendix 1B, Appspace will implement and maintain commercially reasonable technical, administrative, and physical security measures designed to protect the End User Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful Processing, accidental loss, destruction, damage or theft of End User Personal Data and appropriate to the nature of the End User Personal Data which is to be protected. In an effort to improve Appspace’s overall security, Appspace may amend its security measures, provided that the new or replacement measures do not reduce the level of security provided by the existing measures. Notwithstanding the foregoing, such safeguards shall, at a minimum, be no less rigorous than accepted industry practices for information security or other applicable industry standards.

2.5 Personal Data Breach. Upon discovering or otherwise becoming aware of a Personal Data Breach, Appspace will notify End User without undue delay (but no more than seventy-two (72) hours). Such notification shall not be interpreted or construed as an admission of fault or liability by Appspace.

2.6 Appspace’s Subprocessors. Appspace shall not engage another Processor to process End User Personal Data without End User’s prior written authorization. End User specifically authorizes the engagement of Appspace’s Affiliates as Subprocessors, as listed in Appendix 1A. In addition, to the extent necessary to fulfill Appspace’s contractual obligations under the Agreement and subject to Appspace’s compliance with this Section 2.6, End User generally authorizes Appspace to engage other Subprocessors, such as Google, Inc., whose Processing activities shall occur in the State of Iowa.

2.6.1 When engaging any Subprocessor, Appspace ensures that:

(i) the Subprocessor only processes End User Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this Addendum);

(ii) data protection obligations consistent with those described in this Addendum are imposed on the Subprocessor through a written agreement; and

(iii) Appspace remains fully liable to End User where the Subprocessor fails to fulfil its data protection obligations under the Agreement.

2.6.2 Prior to engaging any new Subprocessor, Appspace will, at least  ten (10) days before the new Subprocessor Processes any End User Personal Data, inform End User of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) in accordance with applicable Data Protection Legislation.

2.6.3 End User may object to Appspace’s use of a new Subprocessor by notifying Appspace within ten (10) days after notice has been given with End User’s grounds for its objection.  In the event End User objects to a new Subprocessor, as permitted in the preceding sentence, Appspace will use commercially reasonable efforts to make available to End User a change in the Products or recommend a commercially reasonable change to End User’s configuration or use of the Products to avoid Processing of End User Personal Data by the objected-to new Subprocessor without unreasonably burdening End User.  If Appspace is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, either Party may terminate without penalty the applicable Order with respect only to those Products which cannot be provided by Appspace without the use of the objected-to new Subprocessor by providing written notice. Appspace will refund End User any prepaid, unused fees covering the remainder of the term of such applcable Order following the effective date of termination with respect to such terminated Products, without imposing a penalty on End User for such termination.

2.7 Confidentiality. Appspace will ensure that Appspace’s personnel with access to the End User Personal Data are subject to a binding duty of confidentiality with regard to such End User Personal Data. Except as set forth in Section 2.6 above or in accordance with documented instructions from End User (as set forth in this Addendum or the Agreement or as directed by End User through the Products), Appspace will ensure that none of Appspace’s personnel publish, disclose or divulge any End User Personal Data to any third party. 

2.8 Selling of End User Personal Data Prohibited. The End User Personal Data that End User discloses to Appspace is provided to Appspace for a Business Purpose, as defined under the CCPA, and nothing about the Agreement or the Services involves the “selling” or a “sale” of End User Personal Data under Cal. Civ. Code § 1798.140(t)(1).

2.9 Deletion or Return of End User Personal Data. Appspace shall retain End User Personal Data for the term of the Agreement provided that such retention does not conflict with a Data Subject request made pursuant to Section 2.3.1. Upon expiration or termination of the Agreement and upon End User’s written request, Appspace will securely destroy or return to End User in a format of Appspace’s choosing all End User Personal Data, and destroy existing copies. Notwithstanding the foregoing, Appspace may retain copies of the End User Personal Data disclosed hereunder that are contained in routine system backups or are necessary to fulfill its ongoing obligations or exercise its ongoing rights hereunder, subject to the ongoing obligation to maintain the confidentiality of such information in accordance with the terms the Agreement and this Addendum.

2.10 Audits. Appspace is regularly audited by independent third-party auditors and internal auditors to test and verify the security controls of Appspace and its people. Upon request and provided that the Parties have an applicable non-disclosure agreement in place, Appspace will allow End User and End User’s authorized representatives to access and review up-to-date attestations, reports (e.g. external auditors) or suitable certifications to ensure compliance with the terms of this Addendum. Notwithstanding the foregoing, any review of materials or audit must be conducted during Appspace’s regular business hours, with reasonable advance notice to Appspace and subject to reasonable confidentiality procedures. In addition, reviews and/or audits shall be limited to once per year, unless (a) Appspace has experienced a Personal Data Breach within the prior twelve (12) months; (b) an audit is carried out at the direction of a government entity; or (c) an audit reveals a material noncompliance. Appspace shall be entitled to charge End User a reasonable fee for any Appspace effort or costs in complying with this Section 2.10.

2.11 Data Protection Officer. The contact details for the team responsible for data protection at Appspace are: Sam.Baxter@appspace.com

2.12 European Economic Area Data Transfers. Upon separate, prior written approval from End User, Appspace and its Subprocessors will be authorized to transfer End User Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States. If End User Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by End User to Appspace in a country that has not been found to provide an adequate level of protection under Data Protection Legislation, the Parties agree      to execute the EU/EEA SCCs and any necessary amendment to this DPA,      but to the extent that and for so long as the EU/EEA SCCs cannot be relied on for a lawful transfer in compliance with the UK Data Protection Law or the Swiss DPA, the Parties agree to execute the UK SCCs or Swiss SCCS      (or such applicable, superseding standard contractual clauses).

2.13 Compliance with Data Protection Legislation. Each Party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the Processing of End User Personal Data and the performance of the Agreement and this Addendum, including without limitation, compliance with Article 31 of GDPR. With respect to End User Personal Data, End User as the Data Controller, is responsible the administration and management of End User Personal Data, in addition to, obtaining, and demonstrating evidence that is has obtained all authorizations, lawful bases, and consents  necessary for Appspace to Process End User Personal Data in accordance with the Agreement and this Addendum.

2.14 Data Subject Requests. End User is responsible for communications and efforts to comply with requests made by Data Subjects under the Data Protection Legislation. If any such request requires Appspace assistance, End User shall notify Appspace of the Data Subject request in a reasonable amount of time and sent to privacy@appspace.com.

2.15 Limitation on Disclosure of End User Personal Data. To the extent legally permitted, Appspace shall: (i) promptly notify End User in writing upon receipt of an order, demand, or document purporting to request, demand or compel the production of End User Personal Data to any third party, including, but not limited to the United States government for surveillance and/or other purposes; and (ii) to the extent possible, provide at least seventy-two (72) hours’ notice prior to disclosing End User Personal Data to any third party without providing End User, so that End User may, at its own expense, exercise such rights as it may have under applicable laws to prevent or limit such disclosure.

3. End User Obligations

3.1 End User shall continue at all times to have in place recognised lawful legal bases under Data Protection Legislation and all necessary data privacy notices to ensure that all processing of personal data by the Processor and all Subprocessors that is contemplated by this Addendum will be lawful and shall not contravene the obligations of a data controller under Data Protection Legislation.

4. Miscellaneous

4.1 Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum.  Except as otherwise expressly provided herein, no supplement, modification, or amendment of this Addendum will be binding, unless executed in writing by a duly authorized representative of each Party to this Addendum.  If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the Parties.

Authorized Subprocessors

This summary sets out details of the processing of End User Personal Data under the Agreement by Appspace and any authorized Subprocessor (as listed below): 

The subject matter and

SYSTEMS: Appspace workplace experience hosted platform

duration of the Processing

SUBJECT MATTER: The subject-matter of the Processing is the provision of
the Products that involves the Processing of End User Personal Data.

DURATION OF PROCESSING: The Processing will be carried out until the
Agreement terminates.

The nature and purpose of the Processing
PURPOSES OF PROCESSING: In accordance GDPR Art. 6, the lawful processing of information will be conducted to meet the performance of the contract (EULA)

LEGAL BASIS FOR PROCESSING: EU and EEA organizations agree the legal basis for collecting, using and processing personal data as described below is in order for their users to experience the full benefits of the Appspace platform in accordance with Appspace’s EULA

NATURE OF PROCESSING: As part of our data minimization practices, the collection, storage and other Processing necessary to provide, maintain, and optimize the Products provided to End User in accordance with the Agreement.
The nature and purpose of the Processing

PERSONAL DATA:

  • ● Data Subject – Direct identifying information (e.g., first name, last
    name, and email address,).
  • ● Indirect identifying information (e.g., job title)
  • ● Device identification and traffic data (e.g., Geolocation, IP
    addresses, cookies,).

SPECIAL CATEGORIES OF PERSONAL DATA: Appspace does not
knowingly collect (and End User shall not submit or upload) any special
categories of data as defined under the Data Protection Legislation.

The categories of Data Subject
End User and Affiliates employees and/or users.
Approved Subprocessors of Personal Data are:

#

Name

Territory

Area of use

#

Google, LLC
Iowa, United States
Cloud Hosting Services

#

Google, LLC
St. Ghislain, Belgium
Cloud Hosting Services
Processor and Sub-Processor Internal Security Measures
Confidentiality (Article 32(1)(b) GDPR)

1. Access control to premises and facilities Measures must be taken to prevent unauthorized physical access to premises and facilities holding End User Personal Data. Measures shall include:

  • ● Access control system
  • ● ID reader, magnetic card, chip card
  • ● (Issue of) keys
  • ● Door locking (electric door openers etc.)
  • ● Surveillance facilities
  • ● Alarm system, video/CCTV monitor
  • ● Logging of facility exits/entries

2. Access control to premises and facilities 

Measures must be taken to prevent unauthorized access to IT systems. These must include the
following technical and organizational measures for user identification and authentication:

  • ● Password procedures (incl. special characters, minimum length, forced change of password)
  • ● Hashing, Encryption and Cryptography
    measures
  • ● No access for guest users or anonymous accounts
  • ● Central management of system access
  • ● Access to IT systems subject to approval from HR management and IT system administrators
  •  

3. Access control to data

Measures must be taken to prevent authorized users from accessing data beyond their authorized
access rights and prevent the unauthorized input, reading, copying, removal modification or
disclosure of data. These measures shall include:

  • ● Differentiated access rights
  • ● Access rights defined according to duties
  • ● Automated log of user access via IT systems
  • ● Measures to prevent the use of automated data-processing systems by unauthorized persons using
    data communication equipment
Integrity (Article 32(1)(b) GDPR)

Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:

  • ● Compulsory use of encrypted private networks for all data transfers
  • ● Creating an audit trail of all data transfers

4. Disclosure control

Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:

  • Compulsory use of encrypted private networks for all data transfers
  • Creating an audit trail of all data transfers

5. Input control

Measures must be put in place to ensure all data management and maintenance is logged, and an audit
trail of whether data have been entered, changed or removed (deleted) and by whom must be
maintained. Measures should include:

  • ● Logging user activities on IT systems
  • ● That it is possible to verify and establish to which bodies End User Personal Data have been
    or may be transmitted or made available using data communication equipment
  • ● That it is possible to verify and establish which End User Personal Data have been input into
    automated data-processing systems and when and by whom the data have been input;

6. Job control

Measures should be put in place to ensure that data is processed strictly in compliance with the data
importer’s instructions. These measures must include:

  • ● Unambiguous wording of contractual instructions
  • ● Monitoring of contract performance

Availability and Resilience (article 32(1)(b))

7. Availability control

Measures should be put in place designed to ensure that data are protected against accidental destruction or loss. These measures must include:

  • ● Installed systems may, in the case of interruption, be restored
  • ● Systems are functioning, and that faults are reported
  • ● Stored End User Personal Data cannot be corrupted by means of a malfunctioning of the system
  • ● Uninterruptible power supply (UPS)
  • ● Business Continuity procedures
  • ● Remote storage
  • ● Antivirus/firewall systems

8. Segregation control

Measures should be put in place to allow data collected for different purposes to be processed
separately. These measures should include:

  • ● Restriction of access to data stored for different purposes according to staff duties
  • ● Segregation of business IT systems
  • ● Segregation of IT testing and production environments
  •