Data Processing Addendum

Data Protection Addendum

  1. Introduction

This Data Protection Addendum (“Addendum”) is entered into as of _______________ by and between Vocalo Inc., a Delaware corporation, dba BoostUp.ai (“BoostUp”), and Customer.  This Addendum applies to BoostUp’s Processing of Personal Data under the agreement executed between BoostUp and Customer for BoostUp’s provision of Services (the “Agreement”).

Customer enters into this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Affiliates.  For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and Affiliates.  

This Addendum has been pre-signed on behalf of BoostUp. To complete this Addendum, Customer must complete the information in the signature box and send the executed Addendum to BoostUp by email to amit@boostup.ai indicating, if applicable, Customer’s account number. Except as otherwise expressly provided in the Agreement, this Addendum shall become legally binding upon receipt by BoostUp of the validly completed Addendum at the above email address.

  1. Definitions

Capitalized terms that are used but not defined in this Addendum have the meanings given in the Agreement. 

  1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interest of the subject entity.
  2. “Applicable Data Protection Laws” means, with respect to a party, all privacy, data protection and information security-related laws and regulations applicable to such party’s Processing of Personal Data.
  3. “Customer Data” has the same meaning as defined in the Agreement.  This Addendum applies to BoostUp’s Processing of Customer Data to the extent that such Customer Data constitutes Personal Data.
  4. “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
  5. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  6. “Personal Data” means “personal data”, “personal information”, “personally identifiable information” or similar information defined in and governed by Applicable Data Protection Laws.
  7. “Security Incident” means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data being Processed by BoostUp. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
  8. “Subprocessor” means any third party authorized by BoostUp to Process any Customer Data.
  9. “Usage Data” means such aggregated technical and analytics information derived from use of the Platform and Service.  This Addendum applies to Usage Data to the extent Usage Data constitutes Personal Data.
  10. General; Termination
  11. This Addendum forms part of the Agreement and except as expressly set forth in this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement, this Addendum will govern.
  12. Any liabilities arising under this Addendum are subject to the limitations of liability in the Agreement.   
  13. This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.
  14. This Addendum will automatically terminate upon expiration or termination of the Agreement.  
  15. Relationship of the Parties 
  16. BoostUp as Processor. The parties acknowledge and agree that with regard to the Processing of Customer Data, Customer may act as a controller or processor and BoostUp is a processor.  BoostUp will process Customer Data in accordance with Customer’s instructions as outlined in Section 6 (Role and Scope of Processing).
  17. BoostUp as Controller.  To the extent that any Usage Data (as defined in the Agreement) is considered Personal Data, BoostUp is the controller with respect to such data and will Process such data in accordance with its Privacy Policy, which can be found at www.boostup.ai/privacy-policy
  18. Compliance with Law.  Each party will comply with its obligations under Applicable Data Protection Laws with respect to its Processing of Customer Data.
  19. Role and Scope of the Processing
  20. Customer Instructions. BoostUp will Process Customer Data only in accordance with Customer’s instructions. By entering into the Agreement, Customer instructs BoostUp to Process Customer Data to provide the Services and pursuant to any other written instructions given by Customer and acknowledged in writing by BoostUp as constituting instructions for purposes of this Addendum. Customer acknowledges and agrees that such instruction authorizes BoostUp to Process Customer Data (a) to perform its obligations and exercise its rights under the Agreement; and (b) to perform its legal obligations and to establish, exercise or defend legal claims in respect of the Agreement.
  21. Subprocessing
  22. Customer specifically authorizes BoostUp to use its Affiliates as Subprocessors, and generally authorizes BoostUp to engage Subprocessors to Process Customer Data. In such instances, BoostUp: 

(i) will enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in this Addendum; and 

(ii) remains liable for compliance with the obligations of this Addendum and for any acts or omissions of the Subprocessor that cause BoostUp to breach any of its obligations under this Addendum.  

  1. A list of BoostUp’s Subprocessors, including their functions and locations, is described in Schedule 1 or such other website as BoostUp may designate (“Subprocessor Page”), and may be updated by BoostUp from time to time in accordance with this Addendum.
  2. When any new Subprocessor is engaged, BoostUp will notify Customer of the engagement, which notice may be given by email to Customer, by updating the Subprocessor Page and via a message through the Platform. BoostUp will give such notice at least ten (10) calendar days before the new Subprocessor Processes any Customer Data, except that if BoostUp reasonably believes engaging a new Subprocessor on an expedited basis is necessary to protect the confidentiality, integrity or availability of the Customer Data or avoid material disruption to the Services, BoostUp will give such notice as soon as reasonably practicable. If, within five (5) calendar days after such notice, Customer notifies BoostUp in writing that Customer objects to BoostUp’s appointment of a new Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved. If the parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the Agreement for convenience with no refunds and Customer will remain liable to pay any committed fees in an order form, order, statement of work or other similar ordering document. 
  3. Security
  4. Security Measures.  BoostUp will implement and maintain technical and organizational security measures designed to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data, in accordance with BoostUp’s security standards referenced in the Agreement (“Security Measures”).  BoostUp’s Information Security Policy can be found at www.boostup.ai/security
  5. Customer Responsibility. 

(i) Customer is responsible for reviewing the information made available by BoostUp relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Applicable Data Protection Laws. Customer acknowledges that the Security Measures may be updated from time to time upon reasonable notice to Customer to reflect process improvements or changing practices (but the modifications will not materially decrease BoostUp’s obligations as compared to those reflected in such terms as of the Effective Date).  

(ii) Customer agrees that, without limitation of BoostUp’s obligations under this Section 8, Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that it uses with the Services; and (d) maintaining its own backups of Customer Data.

  1. Security Incident. Upon becoming aware of a confirmed Security Incident, BoostUp will notify Customer without undue delay unless prohibited by applicable law. A delay in giving such notice requested by law enforcement and/or in light of BoostUp’s legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay. Such notices will describe, to the extent possible, details of the Security Incident, including steps taken to mitigate the potential risks and steps BoostUp recommends Customer take to address the Security Incident. Without prejudice to BoostUp’s obligations under this Section 8.c., Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incidents. BoostUp’s notification of or response to a Security Incident under this Section 8.c. will not be construed as an acknowledgement by BoostUp of any fault or liability with respect to the Security Incident.
  2. Audits and Reviews of Compliance. The parties acknowledge that Customer must be able to assess BoostUp’s compliance with its obligations under Applicable Data Protection Law and this Addendum, insofar as BoostUp is acting as a processor on behalf of Customer.
  3. BoostUp’s Audit Program.  BoostUp uses external auditors to verify the adequacy of its security measures with respect to its processing of Customer Data. Such audits are performed at least once annually at BoostUp’s expense by independent third-party security professionals at BoostUp’s selection and result in the generation of a confidential audit report (“Audit Report”).
  4. Customer Audit. Upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, BoostUp will make available to Customer a copy of BoostUp’s most recent Audit Report.  Customer agrees that any audit rights granted by Applicable Data Protection Laws will be satisfied by these Audit Reports.  To the extent that BoostUp’s provision of an Audit Report does not provide sufficient information for Customer to verify BoostUp’s compliance with this Addendum or Customer is required to respond to a regulatory authority audit, Customer agrees to a mutually agreed-upon audit plan with BoostUp that: (a) ensures the use of an independent third party; (b) provides notice to BoostUp in a timely fashion; (c) requests access only during business hours; (d) accepts billing to Customer at BoostUp’s then-current rates; (e) occurs no more than once annually; (f) restricts findings to only Customer Data relevant to Customer; and (g) obligates Customer, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential.
  5. Impact Assessments and Consultations.  BoostUp will provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer’s expense only if such reasonable cooperation will require BoostUp to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Laws.
  6. Data Subject Requests.  BoostUp will upon Customer’s request (and at Customer’s expense) provide Customer with such assistance as it may reasonably require to comply with its obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection) in cases where Customer cannot reasonably fulfill such requests independently by using the self-service functionality of the Services. If BoostUp receives a request from a Data Subject in relation to their Customer Data, BoostUp will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding to any such request.
  7. Return or Deletion of Customer Data
  8. BoostUp will, within sixty (60) days after request by Customer following the termination or expiration of the Agreement, delete all Customer Data from BoostUp’s systems.  
  9. Notwithstanding the foregoing, Customer understands that BoostUp may retain Customer Data if required by law, and such data will remain subject to the requirements of this Addendum.
  10. International Provisions
  11. Processing in the United States. Customer acknowledges that, as of the Effective Date, BoostUp’s primary processing facilities are in the United States. 
  12. Jurisdiction Specific Terms. To the extent that BoostUp Processes Customer Data originating from and protected by Applicable Data Protection Laws in one of the Jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this Addendum. 
  13. Cross Border Data Transfer Mechanism. To the extent that Customer’s use of the Services requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction (i.e., the European Economic Area (“EEA”), the United Kingdom (“UK”), Switzerland or any other jurisdiction listed in Schedule 3) to BoostUp located outside of that jurisdiction (a “Transfer Mechanism”), the terms and conditions of Schedule 3 (Cross Border Transfer Mechanisms) will apply.

SCHEDULE 1

SUBJECT MATTER & DETAILS OF PROCESSING

  1. Nature and Purpose of the Processing. BoostUp will process Personal Data as necessary to provide the Services under the Agreement. BoostUp does not sell Customer Data (or end user information within such Customer Data) and does not share such end users’ information with third parties for compensation or for those third parties’ own business interests.
  2. Customer Data. BoostUp will process Customer Data as a processor in accordance with Customer’s instructions as outlined in Section 6.a (Customer Instructions) of this Addendum. 
  3. Usage Data. BoostUp will process Usage Data as a controller for the purposes outlined in Section 4.b (BoostUp as Controller) of this Addendum.
  4. Processing Activities.
  5. Customer Data. Customer Data will be subject to the following basic processing activities: the only processing activities are to provide the Services as part of BoostUp’s Platform.
  6. Usage Data. Personal Data contained in Usage Data will be subject to the following processing activities by BoostUp:  BoostUp may use Usage Data to operate, improve and support the Services and for other lawful business practices, such as analytics, benchmarking and reporting.
  7. Subprocessor List: BoostUp has authorized the use of the following sub-processors:

| Sub-processor | Contact Information | Purpose of Processing | Duration |
|---|---|---|---|
| Amazon AWS | 410 Terry Avenue North, Seattle, WA 98109-5210 | Hosting Provider.  BoostUp is fully hosted within AWS. All customer data storage and processing happens within AWS. Data is hosted in US data centers (US-east and US-west). | Duration of the applicable governing agreement between Data Exporter and Data Importer |
| Snowflake | Suite 3A, 106 East Babcock Street, Bozeman, Montana 59715, USA | Data warehouse to store various types of data used for analytics processing | Duration of the applicable governing agreement between Data Exporter and Data Importer |
| MongoDB | 1633 Broadway, 38th Floor, New York, NY 10019, United States, +1 866 237 8815 | Primary database used to store all data | Duration of the applicable governing agreement between Data Exporter and Data Importer |

  1. Duration of the Processing. The period for which Personal Data will be retained and the criteria used to determine that period is as follows:
  2. Customer Data.  Prior to the termination of the Agreement, BoostUp will process stored Customer Data for the purpose of providing the Services until Customer elects to delete such Customer Data via the BoostUp Services or in accordance with the Agreement.  
  3. Usage Data. Upon termination of the Agreement, BoostUp may retain, use and disclose Usage Data for the purposes set forth above in Section 2.b (Usage Data) of this Schedule 1, subject to the confidentiality obligations set forth in the Agreement.  BoostUp will anonymize or delete Personal Data contained within Usage Data when BoostUp no longer requires it for the purpose set forth in Section 2.b (Usage Data) of this Schedule 1. 
  4. Categories of Data Subjects.
  5. Customer Data. Customer’s users who are provisioned within BoostUp.
  6. Usage Data: Customer’s users who have access to log into BoostUp. 
  7. Categories of Personal Data.  
  8. Customer Data.  Categories of Data include any category that the Customer has authorized BoostUp to ingest to provide the Services under the Agreement. This may include confidential data such as CRM data, email data, or calendar data and Personal Data such as prospect name and business email address.
  9. Usage Data. BoostUp processes Personal Data within Usage Data. 
  10. Sensitive Data or Special Categories of Data.  
  11. Customer Data. BoostUp does not ingest any sensitive data or special categories of data.
  12. Usage Data. Sensitive Data is not contained in Usage Data.  

SCHEDULE 2

TECHNICAL & ORGANIZATIONAL SECURITY MEASURES

Where applicable, this Schedule 2 will serve as Annex II to the Standard Contractual Clauses. The following provides more information regarding BoostUp’s technical and organizational security measures set forth below. 

  • BoostUp is SOC2 Type 2 compliant. A full copy of the SOC2 Report can be provided upon request.
  • In addition, BoostUp performs comprehensive annual penetration tests by an external security vendor. These cover all our external-facing API endpoints, web applications, AWS infrastructure, and other infrastructure aspects. A copy of the penetration test report can also be provided upon request.
  • More detailed information on BoostUp’s security and privacy policies and procedures can be found at www.boostup.ai/security

The section below describes some of the security measures that BoostUp has taken. It is not meant to be a comprehensive list. The SOC2 report and Pen-Test reports are the most comprehensive descriptions of BoostUp’s security and privacy procedures.

Technical and Organizational Security Measures:

  1. Measures of encryption of personal data during transmission and storage

BoostUp maintains Customer Data in an encrypted format at rest and in transit. BoostUp uses TLS 1.2 to encrypt all network traffic between the user's browser and BoostUp's ELB. All API endpoints require SSL. The ELB fronts a bank of API servers that reside in a private VPC. The API servers use MongoDB as the primary database. MongoDB also resides within the same private VPC. The network connection between API server and database is also encrypted. Data is stored in MongoDB in an encrypted format. MongoDB runs on EBS volumes that are themselves encrypted using AES-256 bit encryption. So, there is end-to-end encryption of all data, both in transit and at rest.

  1. Measures for ensuring ongoing confidentiality, integrity, and availability and resilience of processing systems and services.

BoostUp's customer agreements contain strict confidentiality obligations. Additionally, BoostUp requires every downstream Sub-processor to sign confidentiality provisions that are substantially similar to those contained in BoostUp's customer agreements. The infrastructure for the BoostUp Services spans multiple fault-independent AWS availability zones in geographic regions physically separated from one another, supported by various tools and processes to maintain high availability of services.

  1. Measures for ensuring the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident.

BoostUp performs regular backups of Customer Data, which is hosted in AWS data centers. Backups are retained redundantly across multiple availability zones and encrypted in transit and at rest using Advanced Encryption Standard (AES-256).

  1. Processes for regular testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of processing.

BoostUp maintains a risk-based assessment security program. The framework for BoostUp’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. BoostUp’s security program is intended to be appropriate to the nature of the Services and the size and complexity of BoostUp’s business operations. BoostUp has a separate and dedicated security team that manages BoostUp’s security program. This team facilitates and supports independent audits and assessments performed by third-parties to provide independent feedback on the operating effectiveness of the information security program.

  1. Measures for user identification and authorization.

BoostUp personnel are required to use unique user access credentials and passwords for authorization. BoostUp follows the principles of least privilege through role-based and time-based access models when provisioning system access. BoostUp personnel are authorized to access Customer Data based on their job function, role and responsibilities, and such access requires approval prior to access provisioning. Access is promptly removed upon role change or termination.

  1. Measures for ensuring physical security of locations at which personal data are processed.

BoostUp headquarters and office spaces have a physical security program that manages visitors, building entrances, CCTVs (closed circuit televisions), and overall office security. All employees, contractors, and visitors are required to wear identification badges.

The Services operate on Amazon Web Services (“AWS”) and are protected by the security and environmental controls of Amazon.

Detailed information about AWS security is available at https://aws.amazon.com/security/ and http://aws.amazon.com/security/sharing-the-security-responsibility/. For AWS SOC Reports, please see https://aws.amazon.com/compliance/soc-faqs/.

  1. Measures for ensuring events logging.

BoostUp monitors access to applications, tools, and resources that process or store Customer Data, including cloud services. Monitoring of security logs is centralized by the security team. Log activities are investigated when necessary and escalated appropriately.

  1. Measures for ensuring systems configuration, including default configuration.

BoostUp applies Secure Software Development Lifecycle (Secure SDLC) standards to perform numerous security-related activities for the Services across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities include, but are not limited to, the performance of (a) internal security reviews before new Services are deployed; (b) annual penetration testing by independent third parties; and (c) threat models for new Services to detect any potential security threats and vulnerabilities.

BoostUp adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications, and systems. Monitors are in place to notify the security team of changes made to critical infrastructure and services that do not adhere to the change management processes.

  1. Measures for internal IT and IT security governance and management.

BoostUp maintains a risk-based assessment security program. The framework for BoostUp’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. BoostUp’s security program is intended to be appropriate to the nature of the Services and the size and complexity of BoostUp’s business operations. BoostUp has a separate and dedicated Information Security team that manages BoostUp’s security program. This team facilitates and supports independent audits and assessments performed by third parties. BoostUp’s security framework is based on the ISO 27001 Information Security Management System and includes programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, and Security Monitoring and Incident Response. Security is managed at the highest levels of the company, with the Chief Technology Officer (CTO) overall responsible for the security and privacy program. The CTO meets with executive management regularly to discuss issues and coordinate company-wide security initiatives. Information security policies and standards are reviewed and approved by management at least annually and are made available to all BoostUp employees for their reference.

  1. Measures for certifications/assurance of processes and products.

BoostUp conducts various third-party audits to attest to various frameworks including SOC 2 Type 2, and annual application penetration testing.

  1. Measures for ensuring data minimization.

BoostUp Customers unilaterally determine what Customer Data they route through the BoostUp Services and how the Services are configured. As such, BoostUp operates on a shared responsibility model. BoostUp provides tools within the Services that give Customers control over exactly what data enters the platform and enable Customers to block data at the Source level. Additionally, BoostUp has built self-service functionality into the Services that allows Customers to delete and suppress Customer Data on demand.

  1. Measures for ensuring data quality.

BoostUp has a three-fold approach for ensuring data quality. These measures include: (i) unit testing to ensure the quality of logic used to make API calls, (ii) volume testing to ensure the code is able to scale, and (iii) end-to-end testing to ensure that the input values match expected values. BoostUp applies these measures across the board, both to ensure the quality of any Usage Data that BoostUp collects and to ensure that the BoostUp Platform is operating in accordance with the documentation.

Each BoostUp Customer chooses what Customer Data they route through the BoostUp Services and how the Services are configured. As such, BoostUp operates on a shared responsibility model. BoostUp ensures that data quality is maintained from the time a Customer sends Customer Data into the Services and until that Customer Data leaves BoostUp to flow to a downstream destination.

  1. Measures for ensuring limited data retention.

BoostUp Customers unilaterally determine what Customer Data they route through the BoostUp Services and how the Services are configured. As such, BoostUp operates on a shared responsibility model. BoostUp deletes Customer Data upon the Customer's written request, within the timeframe specified in the Data Protection Addendum and in accordance with Applicable Data Protection Law. BoostUp’s Data Deletion Policy is available at https://www.boostup.ai/user-data-deletion-policy

  1. Measures for ensuring accountability.

BoostUp has adopted measures for ensuring accountability, such as implementing data protection policies across the business, publishing BoostUp's Information Security Policy (available at www.boostup.ai/security), maintaining documentation of processing activities, recording and reporting Security Incidents involving Personal Data. Additionally, BoostUp conducts regular third-party audits to ensure compliance with our privacy and security standards.

  1. Measures for allowing data portability and ensuring erasure.

BoostUp's Customers have direct relationships with their end users and are responsible for responding to requests from their end users who wish to exercise their rights under Applicable Data Protection Laws. BoostUp has built self-service functionality into the Services that allows Customers to delete and suppress Customer Data. If a Customer is unable to use such self-service functionality, BoostUp specifies in the Data Protection Addendum that it will provide assistance to such Customer as may reasonably be required to comply with Customer's obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection). If BoostUp receives a request from a Data Subject in relation to their Customer Data, BoostUp will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding to any such request.

  1. For transfers to [sub]-processors, also describe the specific technical and organizational measures to be taken by the [sub]-processor to be able to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the data exporter.

When BoostUp engages a sub-processor under this Addendum, BoostUp and the sub-processor enter into an agreement with data protection terms substantially similar to those contained herein. Each sub-processor agreement must ensure that BoostUp is able to meet its obligations to Customer.  In addition to implementing technical and organizational measures to protect personal data, sub-processors must a) notify BoostUp in the event of a Security Incident so BoostUp may notify Customer; b) delete data when instructed by BoostUp in accordance with Customer’s instructions to BoostUp; c) not engage additional sub-processors without authorization; d) not change the location where data is processed; or e) process data in a manner which conflicts with Customer’s instructions to BoostUp.

SCHEDULE 3

CROSS BORDER DATA TRANSFER MECHANISM

  1. Definitions
  1. “Standard Contractual Clauses” means, depending on the circumstances unique to any particular Customer, any of the following:

(i) UK Standard Contractual Clauses; and

(ii) 2021 Standard Contractual Clauses 

  1. “UK Standard Contractual Clauses” means:

(i) Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU (“UK Controller to Processor SCCs”); and

(ii) Standard Contractual Clauses for data controller to data controller transfers approved by the European Commission in decision 2004/915/EC (“UK Controller to Controller SCCs”).

  1. "2021 Standard Contractual Clauses" means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
  2. UK Standard Contractual Clauses.  For data transfers from the United Kingdom that are subject to the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by reference) and completed as follows:
  3. The UK Controller to Processor SCCs will apply where BoostUp is processing Customer Data.  The illustrative indemnification clause will not apply.  Schedule 1 serves as Appendix 1 of the UK Controller to Processor SCCs.  Schedule 2 serves as Appendix 2 of the UK Controller to Processor SCCs.
  4. The UK Controller to Controller SCCs will apply where BoostUp is processing Usage Data.  In Clause II(h), BoostUp will process personal data in accordance with the data processing principles set forth in Annex A of the UK Controller to Controller SCCs.  The illustrative commercial clause will not apply. Schedule 1 serves as Annex B of the UK Controller to Controller SCCs. Personal Data transferred under these clauses may only be disclosed to the following categories of recipients: i) BoostUp’s employees, agents, Affiliates, advisors and independent contractors with a reasonable business purpose for needing such personal data; ii) BoostUp vendors that, in their performance of their obligations to BoostUp, must process such personal data acting on behalf of and according to instructions from BoostUp; and iii) any person (natural or legal) or organization to whom BoostUp may be required by applicable law or regulation to disclose personal data, including law enforcement authorities, central and local government.
  5. The 2021 Standard Contractual Clauses.  For data transfers from the European Economic Area, the UK, and Switzerland that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will apply in the following manner:
  6. Module One (Controller to Controller) will apply where Customer is a controller of Usage Data and BoostUp is a controller of Usage Data.   
  7. Module Two (Controller to Processor) will apply where Customer is a controller of Customer Data and BoostUp is a processor of Customer Data;
  8. Module Three (Processor to Processor) will apply where Customer is a processor of Customer Data and BoostUp is a sub-processor of Customer Data;
  9. For each Module, where applicable:

(i) in Clause 7, the optional docking clause will not apply;

(ii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set forth in Section 7 (Subprocessing) of this Addendum;

(iii) in Clause 11, the optional language will not apply;

(iv) in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law;

(v) in Clause 18(b), disputes will be resolved before the courts of Ireland;

(vi) In Annex I, Part A:  

Data Exporter:  Customer and authorized Affiliates of Customer.

Contact Details:  Customer’s account owner email address, or to the email address(es) for which Customer elects to receive privacy communications.

Data Exporter Role:  The Data Exporter’s role is outlined in Section 4 of this Addendum.

Signature & Date:  By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement. 

Data Importer:  BoostUp

Contact Details: BoostUp Privacy Team – Amit Sasturkar, CTO, 2040 Martin Ave., Santa Clara, CA 95050, amit@boostup.ai

Data Importer Role: The Data Importer’s role is outlined in Section 4 of this Addendum.

Signature & Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

(vii) In Annex I, Part B:

The categories of data subjects are described in Schedule 1, Section 4.

The sensitive data transferred is described in Schedule 1, Section 6.

The frequency of the transfer is on a continuous basis for the duration of the Agreement.

The nature of the processing is described in Schedule 1, Section 1.

The purpose of the processing is described in Schedule 1, Section 1.

The period of the processing is described in Schedule 1, Section 3.

For transfers to sub-processors, the subject matter, nature, and duration of the processing are outlined in Schedule 1 of this Addendum.

(viii) In Annex I, Part C: The Irish Data Protection Commission will be the competent supervisory authority.

(ix) Schedule 2 serves as Annex II of the Standard Contractual Clauses.

  1. As to the specific modules, the parties agree that the following checked modules apply, as the circumstances of the transfer may apply:

Controller-Controller - Module One

Controller-Processor - Module Two

Processor-Processor - Module Three

  1. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this Addendum, including Schedule 4 (Jurisdiction Specific Terms), the provisions of the Standard Contractual Clauses will prevail.

SCHEDULE 4

JURISDICTION SPECIFIC TERMS

  1. California 
  1. The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (“CCPA”). 
  2. The terms “business”, “commercial purpose”, “service provider”, “sell” and “personal information” have the meanings given in the CCPA.  
  3. With respect to Customer Data, BoostUp is a service provider under the CCPA.
  4. BoostUp will not (a) sell Customer Data; (b) retain, use or disclose any Customer Data for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing the Customer Data for a commercial purpose other than providing the Services; or (c) retain, use or disclose the Customer Data outside of the direct business relationship between BoostUp and Customer. 
  5. The parties acknowledge and agree that the Processing of Customer Data authorized by Customer’s instructions described in Section 6 of this Addendum is integral to and encompassed by BoostUp’s provision of the Services and the direct business relationship between the parties.
  6. Notwithstanding anything in the Agreement or any Order Form entered in connection therewith, the parties acknowledge and agree that BoostUp’s access to Customer Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
  7. To the extent that any Usage Data (as defined in the Agreement) is considered Personal Data, BoostUp is the business with respect to such data and will Process such data in accordance with its Privacy Policy, which can be found at www.boostup.ai/privacy-policy.
  8. EEA
  9. The definition of “Applicable Data Protection Laws” includes the General Data Protection Regulation (EU 2016/679)(“GDPR”).
  10. When BoostUp engages a Subprocessor under Section 7 (Subprocessing), it will: 

(i) require any appointed Subprocessor to protect Customer Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and

(ii) require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.

  1. GDPR Penalties. Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
  2. Switzerland
  3. The definition of “Applicable Data Protection Laws” includes the Swiss Federal Act on Data Protection.
  4. When BoostUp engages a Subprocessor under Section 7 (Subprocessing), it will:

(i) require any appointed Subprocessor to protect Customer Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and

(ii) require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.

  1. United Kingdom
  2. References in this Addendum to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).
  3. When BoostUp engages a Subprocessor under Section 7 (Subprocessing), it will: 

(i) require any appointed Subprocessor to protect Customer Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and

(ii) require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.