This Dynamo Data Processing Agreement (“DPA”) supplements the Master Terms (available at https://www.dynamosoftware.com/legal/) and is a part of the Agreement between Customer (on behalf of itself and, for purposes of this DPA, as agent for its Affiliates) and Dynamo (on behalf of itself and, for purposes of this DPA, as agent for its Affiliates), and it governs the processing by Dynamo or its Affiliates of Customer Provided Data, including Personal Data that Customer provides in order to use the Services (“Processed Data”).

I. Definitions. All capitalized terms used, but not otherwise defined, in this DPA will have the meaning assigned to such term in Exhibit 1: Defined Terms of the Master Terms. In addition, the following capitalized terms will have the meaning assigned to them below:

1. “Privacy Laws” means applicable Laws, in any and all relevant jurisdictions worldwide, that relate to (a) the confidentiality, collection, access, sharing, export, use, handling, processing, protection, destruction, disposal, transfer or free movement of personal data, personally identifiable information, or customer information, (b) electronic data privacy, (c) trans-border data flow and/or (d) data protection.

2. “Personal Data” means that portion of Customer Data that is subject to Privacy Laws.

 

II. Instruction. Customer instructs Dynamo to process and use Processed Data as specified in the Agreement and as necessary to perform the Services in accordance with applicable Technical Specifications. Dynamo must not use Processed Data for any other purposes. To the extent Processed Data contains Personal Data, the parties will comply with their respective obligations under the applicable Privacy Laws referenced in this DPA. Where Privacy Laws not listed in this DPA apply to Customer’s intended use of the Service, Customer will provide to Dynamo a list of the relevant additional jurisdiction-specific requirements and Dynamo will advise Customer on the feasibility of the measures needed to comply with such requirements.

III. Audits. Dynamo submits to reasonable data security and privacy compliance audits in accordance with Dynamo’s Customer Audit Program and shares audit report results with Customer on request.

IV. Incident Notifications. Dynamo will notify Customer of security breaches as required by applicable Laws.

V. EU SCC 2021.

A. For Personal Data that is subject to the EU General Data Protection Regulation (GDPR) and the Service involves transfers of such data outside of the EEA, the Standard Contractual Clauses (EU) 2016/679 (available at https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf) (the “Clauses”) will be incorporated into this DPA and shall apply as follows.

1. Module 2 (Controller to Processor) shall apply;

2. Clause 7 (Docking Clause) shall apply;

3. The parties choose Option 2 of Clause 9;

4. The option in Clause 11(a) (Redress) does not apply;

5. The Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland;

6. Per Clause 18(b) of the Clauses, disputes arising under the Clauses shall be resolved in the courts of the same country;

7. Annex I to this DPA shall serve as Annex I to the Clauses, and Annex II to this DPA shall serve as Annex II to the Clauses, and Annex III to this Agreement shall serve as Annex III to the Clauses. These annexes are available at: https://www.dynamosoftware.com/SCC-annexes/

 

B. For Personal Data that is subject to the GDPR and the Service does not involve transfers of such data outside of the EEA, the Standard Contractual Clauses (EU) 2021/915 (available at https://commission.europa.eu/publications/standard-contractual-clauses-controllers-and-processors-eueea_en) (the “EEA Clauses”) will be incorporated into this DPA and shall apply as follows:

1. The parties choose Option 1 of Clause 1 (a);

2. Clause 5 (Docking Clause) shall apply;

3. The parties choose Option 2 of Clause 7.7 and the specified time shall be 7 days;

4. The applicable regulation is the GDPR and the parties choose the options referencing that regulation – Option 1 of Clause 8(c)(4); Clause 9.1 items (b) and (c); and Clause 9.2;

5. Annex I, part A to the DPA shall serve as Annex I to the EEA Clauses and Annex I, part B to the DPA shall serve as Annex II to the EEA Clauses;

6. Annex II to the DPA shall serve as Annex III to the EEA Clauses, and Annex III to the DPA shall serve as Annex III to the EEA Clauses;

7. References to “Data exporter” in the Annexes to the DPA shall be interpreted as references to “Controller” and references to “Data exporter” shall be interpreted as references to “Processor” in the Annexes to the EEA Clauses.

 

VI. UK Addendum. Wherever Personal Data is transferred outside of the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available at https://ico.org.uk/media/for-organisations/documents/4019487/international-data-transfer-addendum.docx) will be incorporated into this DPA and shall apply in the same way as the Clauses, except for Sections 17 and 18 which shall not be modified and will refer to the laws and/or courts of England and Wales.

VII. Switzerland Addendum. For transfer of Personal Data that is subject to the Swiss Federal Act on Data Protection (“FADP”), the Clauses shall be deemed to be amended to the extent necessary to operate to provide appropriate safeguards for such transfers in accordance with the FADP, including without limitation the following:

1. Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the Federal Data Protection and Information Commissioner;

2. the term “Member State” cannot be interpreted to exclude data subjects in Switzerland from exercising their rights under FADP;

3. the term “personal data” shall be deemed to include the data of legal entities to the extent such data is protected under the FADP; and

4. any amendments required from time to time by the Federal Data Protection and Information Commissioner in order to comply with the FADP.

 

VIII. US Privacy Laws. The parties acknowledge and agree that the Services are intended for business-to-business (B2B) relationship purposes and nothing in the normal use of the Services requires the processing of Personal Data beyond business contact details. To the extent relevant to certain US Privacy Laws, Dynamo acts as a service provider and will not (1) sell or share Personal Data; (2) retain, use or disclose Personal Data for any purpose other than for the limited and specific business purpose of providing Services pursuant to the Agreement; or (3) combine Personal Data with any personal information that is received from or on behalf of any third party or collected via Dynamo’s own interaction with an individual, unless permitted by the US Privacy Laws. For the purposes of this DPA, the term “US Privacy Laws” shall include all US federal and/or state Privacy Laws that are applicable to the processing of Personal Data under the Agreement. Such Privacy Laws may include, but are not limited to, the California Consumer Privacy Act, the California Privacy Rights Act, the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, the Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring, the Massachusetts data security regulations (201 C.M.R. 17.00) and all laws implementing, supplementing or amending the foregoing, including any regulations promulgated thereunder.

IX. Integration. This DPA is binding on Dynamo if and to the extent the Agreement remains in effect. Except to the extent expressly agreed in the Agreement, this DPA shall not create third party beneficiary rights. Dynamo does not accept or submit to additional requirements relating to Processed Data, except as specifically and expressly agreed in writing with explicit reference to the Master Terms and this DPA.

X. Security. Dynamo applies technical, administrative and organizational data security measures (“TOMs”) that meet or exceed the following commitments. Dynamo may update and modify its TOMs from time to time, provided that Dynamo must not reduce the level of security provided thereunder, except with Customer’s consent or with 60 days prior written notice.

1. Policies and Procedures

Dynamo maintains policies and procedures to ensure the confidentiality, integrity, and availability of Processed Data and protect it from accidental, unauthorized or improper disclosure, use, alteration or destruction.

2. Access Controls

Dynamo maintains policies, procedures, and operational processes that:

2.1. limit physical access to Processed Data and the facility or facilities in which it is stored to properly authorized persons;

2.2. ensure that all members of the Dynamo workforce (including contractors) who require access to Processed Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access;

2.3. authenticate and permit access only to authorized individuals and prevent members of Dynamo workforce from providing Processed Data or information relating thereto to unauthorized individuals;

2.4. restrict access to Processed Data to only those people with a “need-to-know” for a permitted purpose;

2.5. maintain a list of people and services with access to Processed Data in the Dynamo application, and remove accounts that no longer require access;

2.6. maintain and enforce “account lockout” by disabling accounts with access to Processed Data when an account exceeds a threshold number of consecutive incorrect password attempts;

2.7. regularly review access logs for signs of malicious behavior or unauthorized access.

3. Security Awareness and Training

Dynamo maintains an ongoing security awareness and training program for all members of Dynamo’s workforce (including contractors and management).

4. Security Incident Procedures

Dynamo maintains policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Processed Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes. If Dynamo becomes aware of any security incident that leads to a data breach impacting Processed Data, Dynamo will:

4.1. notify Customer without undue delay;

4.2. reasonably cooperate with impacted Customers to investigate and remediate the breach and mitigate any further risk to Processed Data.

5. Contingency Planning

Dynamo maintains policies, procedures, and operational processes for responding to an emergency, or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages Processed Data or systems that contain Processed Data.

6. Device and Media Controls

Dynamo does not permit Processed Data to be downloaded, or otherwise stored on laptops or other portable devices, unless they are subject to all of the protections required herein. Such protective measures shall include, at a minimum, that all devices accessing Processed Data shall be encrypted and use up-to-date anti-malware detection prevention software.

7. Audit Controls

Dynamo maintains hardware, software, services, platforms and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith.

8. Storage and Transmission Security

Dynamo maintains technical security measures to guard against unauthorized access to Processed Data that is being transmitted over an electronic communications network. Dynamo will:

8.1. maintain a working network firewall to protect data accessible via the Internet and will keep all Dynamo Information protected by the firewall at all times;

8.2. use anti-malware software at all times and will keep the anti-malware software up to date;

8.3. maintain technical and security measures to encrypt Processed Data in transit and at rest;

8.4. regularly review access logs for signs of malicious behavior or unauthorized access;

8.5. keep Dynamo’s systems and software up-to-date with the latest applicable upgrades, updates, new versions and other modifications necessary to ensure security of Processed Data.

9. Assigned Security Responsibility

Dynamo has a designated security official responsible for the development, implementation, and maintenance of the Security Program.

10. Testing

Dynamo regularly tests key controls, systems and procedures of Dynamo’s Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified.

11. Third Party Dynamo Management

Dynamo may use third party vendors in support of Dynamo’s services to Customers. Dynamo performs a security and privacy risk-based assessment of prospective vendors before working with vendors to validate that they meet Dynamo’s privacy and security standards.

12. Disclosure by Law

In the event Dynamo is required by law, regulation, or legal process to disclose any Processed Data, Dynamo will (a) give Customer, to the extent possible, reasonable advance notice prior to disclosure so Customer may contest the disclosure or seek a protective order, and (b) reasonably limit the disclosure to the minimum amount that is legally required to be disclosed.

13. Updates

Dynamo continually monitors, evaluates, and adjusts, as appropriate, the Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Processed Data, and internal or external threats to Processed Data.