VENDOR DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) is entered into between Applied Gratitude, Inc. (“AGI”), a Delaware corporation, with its principal office at 231 Public Square, Suite 200, Franklin, TN, 37064 (“Company”) and you, a vendor of AGI (“Vendor”).

1. RECITALS

1.1 Company operates, markets and maintains a platform for sending, monitoring, tracking and reporting on gestures of appreciation (the “Platform”) and Vendor wishes to offer its products and/or services (“Vendor Goods”) to users of the Platform (“Users”) pursuant to that certain Vendor Agreement (the “Main Agreement”) between Company and Vendor dated the date hereof. In connection with offering of the Vendor Goods on the Platform, the parties anticipate that Vendor may from time-to-time process certain Personal Data in respect of which Company’s clients may be a controller of that data under the Applicable Privacy Laws, thus making Company a processor and Vendor a Sub-Processor of such data.

1.2 Company and Vendor have agreed to enter into this DPA in order to ensure that the Processing of Personal Data for Company client(s) complies with Applicable Privacy Laws and with Company’s contractual obligation to its clients.

2. DEFINITIONS

The following definitions are used in this DPA:

2.1 “Adequate Country” means a country or territory that is recognized under EU Data Protection Laws from time to time as providing adequate protection for personal data.

2.2 “Affiliate” means any entity that is directly or indirectly controlled by, controlling or under common control with an entity. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity. “Common Control” if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.

2.3 “Applicable Privacy Law(s)” means all United States and worldwide data protection and privacy laws and regulations applicable to the Personal Data applicable to this DPA, including, where applicable, the California Consumer Privacy Act, as amended, and the EU Data Protection Laws.

2.4 “Company Group” means Company and any Affiliate.

2.5 “Data Subject” means an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as name, an identification number, location data, an online identifier, or to one or more factors specific to his physical, physiological, genetic, mental, economic, cultural or social identity.

2.6 “Data Subject Request” means a request from or on behalf of a Data Subject pursuant to Applicable Privacy Laws, including, but not limited to, such requests relating to access to, or rectification, erasure or data portability in respect of that person’s Personal Data or an objection from or on behalf of a Data Subject to the processing of its Personal Data.

2.7 “EEA Personal Data” means Personal Data protected by EU Data Protection Law or the data protection laws of Switzerland and/or the United Kingdom.

2.8 “EU Data Protection Laws” means all privacy laws applicable to any Personal Data processed under or in connection with this agreement, including, without limitation, the Data Protection Directive 95/46/EC (as the same may be superseded by the General Data Protection Regulation 2016/679 (the “GDPR”)), the Privacy and Electronic Communications Directive 2002/58/EC (as the same may be superseded by the Regulation on Privacy and Electronic Communications (“ePrivacy Regulation”)) and all national legislation implementing or supplementing the foregoing and all associated codes of practice and other guidance issued by any applicable data protection authority, all as amended, re-enacted and/or replaced and in force from time to time.

2.9 “Model Clauses” means the model clauses for the transfer of personal data to processors established in third countries approved by the European Commission, the approved version of which is set out in the European Commission’s Decision 2021/914/EU of 4 June 2021 and at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, which forms a part of and is incorporated into this DPA.

2.10 “Personal Data” means information relating to a Data Subject, and shall include “Personal Information” as defined under Applicable Privacy Laws. For the avoidance of any doubt, Personal Data also includes any other information held in connection with a Data Subject’s Personal Data.

2.11 “Sub-Processor” means any person or entity appointed by or on behalf of a person or entity to Process Personal Data on behalf of another person or entity.

2.12 The terms “controller”, “processor”, “processing”, “special categories of personal data”, “sensitive personal information” and “supervisory authority”, and all equivalents of such terms, shall have the meanings given to them in Applicable Privacy Laws. If and to the extent that Applicable Privacy Laws do not define such terms, then the definitions shall be governed by how such terms are defined by industry standard(s).

2.13 “Vendor Group” means Vendor and any Affiliate.

3. STATUS OF THE PARTIES

3.1 The type of Personal Data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of Data Subjects, are as described below:

  1. Subject Matter of the Processing – Vendor’s provision of Vendor Goods to be offered on the Platform as well as delivery to recipients of Vendor Goods (“Recipients”). This subject matter is hereafter referred to as the “Vendor Business Purpose.”
  2. Nature and Purpose of the Processing – The offering and sale of Vendor Goods to Users for delivery to Recipients.
  3. Duration of Processing – The Vendor will only process the Personal Data for the duration of the Main Agreement, or until the data upon which processing is no longer necessary for the purposes of either party performing its obligations under the Main Agreement (to the extent applicable) unless otherwise agreed between the parties in writing.
  4. Types of Data – Data relating to individuals or Recipients provided or made available to Vendor via the Platform, by (or at the direction of) Company or one or more Users.

3.2 In respect of the parties’ rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that Company Clients will be Data Controllers and Vendor is a Sub-Processor and accordingly Vendor agrees that it shall process all Personal Data as properly instructed by Company or Company Client(s) forwarded to Vendor by Company or otherwise in accordance with its obligations pursuant to this DPA.

3.3 Each party shall notify the other of an individual within its organization authorized to respond from time to time to enquiries regarding the Personal Data and each of Vendor and Company shall deal with such enquiries promptly.

4. VENDOR OBLIGATIONS

With respect to the Personal Data, the Vendor represents and warrants that it shall:

4.1 Only process the Personal Data in order to facilitate the sale of Vendor Goods to Users for delivery to Recipients and shall act only in accordance with this DPA and Company’s written instructions as represented by the Main Agreement and this DPA.

4.2 As soon as reasonably practicable upon becoming aware, but in no event later than 48 hours, inform Company if, in Vendor’s opinion, any instructions provided by Company infringes Applicable Privacy Laws.

4.3 Comply, and require all staff, agents, and Sub-Processors to comply, with all Applicable Privacy Laws in relation to Personal Data.

4.4 Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, provided that such safeguards shall provide no less protection than required by the Applicable Privacy Laws.

4.5 Take reasonable steps to ensure that only authorized personnel have access to such Personal Data and that any persons whom it authorizes to have access to the Personal Data are under obligations of confidentiality.

4.6 To the extent not prohibited by law or governmental order and as soon as reasonably practicable, but in no event less than 48 hours, upon becoming aware, notify Company of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (a “Security Breach”).

4.7 In the event of a Security Breach: (i) promptly provide Company with commercially reasonable cooperation and assistance in respect of the Security Breach and all information, any periodic updates thereafter, in Vendor’s possession concerning the Security Breach, including, but not limited to, the categories of Personal Data compromised and the number of Data Subjects impacted by the Security Breach, (ii) immediately investigate, mitigate, and remediate the Security Breach, and (iii) coordinate and cooperate with Company in investigating, mitigating, and remediating the Security Breach, and take all such reasonably commercial steps as directed by Company or any affected Company Client(s) in responding to the Security Breach.

4.8 Not inform any third parties or make any announcement about a Security Breach (a “Breach Notice”) without:

  1. the prior written consent from Company; and
  2. prior written approval by Company of the content, media and timing of the Breach Notice unless required to make a disclosure or announcement by applicable law or governmental order.

4.9 Promptly notify Company if it receives a Data Subject Request, but in no event later than 48 hours to ensure Company can comply with all applicable legal or contractual requirements. To the extent Company does not have the ability to address or process a Data Subject Request, the Vendor shall upon Company’s request, provide commercially reasonable assistance to facilitate a Data Subject Request to the extent the Vendor is able to in accordance with applicable law.

4.10 As soon as reasonably practicable following termination or expiry of the Main Agreement Vendor will delete or return to Company (at Company’s direction) all Personal Data (including copies thereof) processed pursuant to this DPA. Within 10 days, Vendor shall provide written certification to Company that all such Personal Data has been deleted or returned pursuant to this DPA.

4.11 Provide such commercially reasonable assistance as Company requests (taking into account the nature of processing and the information available to Vendor), in relation to Company’s obligations under Applicable Privacy Laws with respect to:

  1. data protection impact assessments (as such terms are defined in the Applicable Privacy Laws);
  2. notifications to the supervisory authority under Applicable Privacy Laws and/or communications to Data Subjects by Company in response to any Security Breach; and
  3. Company’s compliance with its obligations under the Applicable Privacy Laws with respect to the privacy or security of processing.

5. NO INFORMATION SELLING OR TARGETED ADVERTISING

Vendor acknowledges and confirms that it does not receive any Personal Data as consideration for listing of Vendor Products on the Platform or other services that it provides to Company. Vendor shall not have or exercise any rights or benefits regarding Personal Data beyond any rights afforded under the Main Agreement and this DPA. Vendor will not transfer or “sell” or conduct any “targeted advertising” using any Personal Data, as such terms and their equivalents are defined in the Applicable Privacy Laws. In addition, except as may be required under applicable law or governmental order, Vendor will not collect, retain, use, share, or disclose any Personal Data for any purpose, including any commercial purpose, other than for the specific Vendor Business Purpose. Vendor agrees to refrain from taking any action that would cause any transfers of Personal Data to or from Vendor to qualify as “selling personal information” or “targeted advertising” under the Applicable Privacy Laws.

6. SUB-PROCESSING

6.1 Vendor shall not appoint any Sub-Processors to operate or Process Personal Data for or on Vendor’s behalf without the prior written approval of Company.

6.2 Vendor will maintain a list of Company approved Sub-Processors and will add the names of new and replacement Sub-Processors to the list prior to them starting sub-Processing of Personal Data. Vendor shall, following written request from Company and within 14 days of such written request, provide a copy of the list of Sub-Processors to Company.

6.3 Vendor will ensure that any Sub-Processor it engages to perform the Vendor Business Purpose on its behalf in connection with this Agreement does so only on the basis of a written contract which imposes on such Sub-Processor terms substantially no less protective of Personal Data than those imposed on Vendor in this DPA (the “Relevant Terms”). Vendor shall procure the performance by such Sub-Processor of the Relevant Terms and shall be liable to Company for any breach by such person of any of the Relevant Terms.

6.4 Audit and records. Vendor shall, in accordance with Applicable Privacy Laws, make available to Company such information in Vendor’s possession or control as Company may reasonably request and which Vendor is lawfully entitled to disclose with a view to demonstrating Vendor’s compliance with the obligations of data processors under Applicable Privacy Laws in relation to its processing of Personal Data. Upon reasonable notice to Vendor, Company may take reasonable and appropriate steps to stop and remediate Vendor’s unauthorized Processing of Personal Data.

6.5 Data transfers. The Parties agree that if and to the extent the Vendor processes or transfers (directly or via onward transfer) EEA Personal Data in or to any country or recipient not recognized by the European Commission as providing an adequate level of protection for Personal Data (as described in EU Data Protection Laws), Vendor agrees to abide by and process such data in accordance with Module 3 of the Model Clauses governing Processor-to-Processor transfers. For the purposes of this section, the parties further agree:

  1. The optional docking clause in Clause 7 does not apply;
  2. Option 2 in Clause 9 is selected, and the time period is 30 days;
  3. In Clause 11, the optional language does not apply;
  4. All square brackets in Clause 13 are hereby removed;
  5. In Clause 17 (Option 1), the EU SCCs will be governed by Irish law;
  6. In Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;
  7. Appendix 1 to this Addendum contains the information required in Annex I and II of the Model Clauses;
  8. By entering into this DPA, the parties are deemed to have signed the Model Clauses incorporated herein, including its Annexes.
  9. the Model Clauses are incorporated by reference and form an integral part of this DPA;
  10. Vendor shall be the “data importer” and Company is the “data exporter”; and,
  11. Appendix 1 forms a part of and is incorporated into this DPA.

6.6 If, in the performance of this DPA and/or the Main Agreement, Vendor transfers any Personal Data to a Sub-Processor (which shall include without limitation any Vendor Group) where such Sub-Processor will process Personal Data outside the EEA or an Adequate Country, Vendor shall in advance of any such transfer ensure that a mechanism to achieve adequacy in respect of that processing is in place such as:

  1. the requirement for Vendor to execute or procure that the third party execute the applicable Model Clauses; or
  2. the existence of any other specifically approved safeguard for data transfers (as recognized under the EU Data Protection Laws) and/or a European Commission finding of adequacy.

7. GENERAL

7.1 If Company or Company Client determines, as each case may be, that a Personal Data Breach must be notified to any supervisory authority and/or Data Subjects and/or the public or portions of the public, Company will notify Vendor before the communication is made and supply Vendor with copies of any written documentation to be filed with the supervisory authority and of any notification Company or Company Client proposes to make (whether to any supervisory authority, Data Subjects, the public or portions of the public) which references Vendor, its security measures and/or role in the Security Breach, whether or not by name, provided that Company or Company Client shall have final decision on the content of the communication as Data Controller. Subject to Company’s compliance with any mandatory notification deadlines under Applicable Privacy Laws, Company will consult with the Vendor in good faith and take account of any clarifications or corrections the Vendor reasonably requests to such notifications and which are consistent with Applicable Privacy Laws.

7.2 This DPA is without prejudice to the rights and obligations of the parties under the Main Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Main Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.

7.3 In addition to the indemnification obligations in the Main Agreement, each party (the “Indemnifying Party”) shall indemnify the other (the “Indemnified Party”) from and against all loss, cost, harm, expense (including reasonable legal fees), liabilities or damage (“Damage”) suffered or incurred by the Indemnified Party as a result of the Indemnifying Party’s breach of this DPA or by reason of any grossly negligent acts or intentional misconduct of Indemnifying Party or its agents, servants, or employees in connection with this DPA.

7.4 This DPA sets out all of the terms that have been agreed between the parties in relation to the subjects covered by it. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA.

7.5 A person who is not a party to this DPA shall not have any rights to enforce this DPA.

7.6 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either:

  1. amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible,
  2. construed in a manner as if the invalid or unenforceable part had never been contained therein.

7.7 Without prejudice to the Model Clauses, this DPA shall be governed by and construed in accordance with the laws of the country or territory stipulated for this purpose in the Main Agreement and each of the parties agrees to submit to the jurisdiction stipulated in the Main Agreement in respect of any claim or matter arising under this DPA.

APPENDIX 1 TO THE MODEL CLAUSES

This Appendix forms part of the Model Clauses.

  1. Data exporter

The data exporter is: Company Clients. Such Clients are users of the Platform supplied by Company.

  2. Data importer

The data importer is: Vendor, which processes Personal Data upon the instruction of the data exporter through Company in accordance with the terms of the agreement between the data exporter and data importer.

  3. Data subjects

The personal data transferred concern the following categories of data subjects:

  1. prospective customers, customers, resellers, referrers, business partners, and vendors of the data exporter (who are natural persons);
  2. employees or contact persons of the data exporter’s prospective customers, customers, resellers, referrers, subcontractors, business partners, and vendors (who are natural persons);
  3. employees, agents, advisors, and freelancers of the data exporter (who are natural persons); and/or
  4. natural persons authorized by the data exporter to use the Platform provided by Company.

  4. Categories of data

The personal data transferred concern the following categories of data:

  1. names, titles, position, employer, contact information (email, phone, fax, physical address etc.), identification data, professional life data, personal life data, connection data, or localization data (including IP addresses).

  5. Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data:

  1. The data exporter may submit special categories of data to data importer, the extent of which is determined and controlled by the data exporter in its sole discretion. Such special categories of data include, but may not be limited to, Personal Data with information revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning an individual’s health or sex life.

  6. Processing operations

The personal data transferred will be subject to the following basic processing activities:

  1. Collecting, analysis, storage, duplication, deletion and disclosure as necessary to provide and monitor the Platform Use and/or as may be further instructed by the data exporter in writing.

  7. Supervisory Authority

The relevant Supervisory Authority will be determined in accordance with Applicable Privacy Laws based on the specifics of the processing activities and the location of the data controller (Company Client) and/or data subjects.

  8. Description of the Technical and Organizational Security Measures implemented by Vendor

Vendor will provide a description of technical and organizational security measures upon request from AGI.

  9. List of Sub-Processors

Vendor agrees to provide a list of sub-processors to AGI before any goods or services are offered on the Platform. Vendor shall provide a proposed updated list of sub-processors at least 30 business days prior to adding any new sub-processor.

Last Modified: May 28, 2025