Data Processing Addendum

Effective October 15, 2021

This Data Processing Addendum (“DPA”) applies whenever it is incorporated by reference into the Master Services Agreement (“Agreement”) between you and Automox Inc. (“Automox”). Capitalized terms used but not defined in this DPA have the meanings ascribed in the Agreement.

1. PURPOSE AND SCOPE

In the course of providing the Offerings to you under the Agreement, Automox will Process Customer Data on your behalf. Customer Data may include Personal Data. Exhibit A describes the subject matter and details of processing.

This DPA reflects the parties’ agreement relating to the Processing of Customer Data in accordance with the requirements of Data Protection Laws and Regulations. This DPA accounts for the nature of the processing pursuant to the Agreement and describes the appropriate technical and organizational measures taken by Automox in processing Personal Data. This DPA will control in the event of any conflict with the Agreement.

2. DEFINITIONS

2.1 “2021 Standard Contractual Clauses” means the standard contractual clauses approved by the European Commission in decision 2021/914.
2.2 “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. as amended from time to time.
2.3 “Data Controller” means the entity that determines the purposes and means of Processing of Personal Data.
2.4 “Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller, including as applicable any “service provider” as that term is defined in the CCPA.
2.5 “Data Protection Laws and Regulations” means any data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including the applicable laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states.
2.6 “Data Subject” means the individual to whom Personal Data relates.
2.7 “UK Standard Contractual Clauses” means the standard contractual clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU.
2.8 “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, to an identified or identifiable individual.
2.9 “Processing”, “Processes” or “Process” means any operation or set of operations performed upon Personal Data whether or not by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
2.10 “Standard Contractual Clauses” means the 2021 Standard Contractual Clauses and UK Standard Contractual Clauses.
2.11 “Subprocessor” means Automox’s Affiliates or other third-party service providers that Process Customer Data for Automox.

3. PROCESSING OF CUSTOMER DATA

3.1 Data Processing Roles. As between you and Automox, you are the Data Controller of Customer Data and Automox is the Data Processor. You control the categories of Data Subjects and Personal Data Processed under the Agreement and provide such Personal Data to Automox for business purposes only. You are solely responsible for the accuracy, quality, and legality of the Customer Data and the means by which you acquired the Customer Data.
3.2 Data Processing Instructions. This DPA and the Agreement are your complete and final instructions to Automox for the Processing of Customer Data and the transfer of Customer Data to any country or territory reasonably necessary to provide the Offerings. You and Automox must agree on any additional or alternate instructions. Automox will inform you if, in Automox’s opinion, your instructions violate Data Protection Laws and Regulations. Automox will process Customer Data in accordance with the Agreement (including all documents incorporated in the Agreement), and to comply with other reasonable instructions you provide to Automox (including by email) where your instructions are consistent with the Agreement.
3.3 Restrictions. Automox will not sell Customer Data. Automox will not collect, retain, use, or disclose Customer Data (A) for any purpose other than for the specific purpose set forth in the Agreement, or (B) outside the direct business relationship between you and Automox. Automox will disclose Customer Data if required to do so by applicable law, in which case Automox will inform you in advance unless Automox is prohibited from doing so. Automox certifies that it understands and will comply with the restrictions in this section 3 (Processing of Customer Data).

4. RIGHTS OF DATA SUBJECTS

4.1 Correction, Blocking and Deletion. If you do not have the ability to amend, block, or delete Customer Data as required by Data Protection Laws and Regulations, you can provide written instructions to Automox to act on your behalf. Automox will follow your instructions to the extent they are technically feasible and legally permissible. You will pay Automox’s costs of providing this assistance if the assistance exceeds the services provided under the Agreement.
4.2 Data Subject Requests. If permitted, Automox will promptly notify you of any request from a Data Subject for access to, correction, amendment or deletion of that Data Subject’s Personal Data. Automox will not respond to any Data Subject request without your prior written consent, except to confirm that the request relates to you.
4.3 Cooperation and Assistance. Automox will assist you to address any request, complaint, notice, or communication you receive relating to Automox’s Processing of Customer Data received from (A) a Data Subject whose Personal Data is contained within the Customer Data, or (B) any applicable data protection authority. Automox will also assist you with your reasonable requests for information to confirm compliance with this DPA or to conduct a privacy impact assessment. You will pay Automox’s costs of providing assistance if the assistance exceeds the services provided under the Agreement.

5. AUTOMOX PERSONNEL

5.1 Confidentiality. Automox informs its personnel engaged in the Processing of Customer Data about the confidential nature of such Customer Data. These personnel receive appropriate training on their responsibilities and are subject to written agreements with confidentiality obligations that survive the termination of their relationship with Automox.
5.2 Limitation of Access. Automox ensures that access to Customer Data is limited to those personnel who require access to Process Customer Data under the Agreement.

6. SUBPROCESSORS

6.1 Authorization. You expressly authorize Automox to use Subprocessors to perform specific services on Automox’s behalf to enable Automox to perform its obligations under the Agreement. Automox has written agreements with its Subprocessors that contain obligations substantially similar to Automox’s obligations under this DPA. Automox is liable for any breach of this DPA caused by an act or omission of its Subprocessors.
6.2 Notice and Objection. Automox’s current Subprocessors are listed at automox.com/legal/authorized-subprocessors. Automox will publish changes to its Subprocessors to this website. You can subscribe to receive notice of any changes to Automox’s Subprocessors by emailing PrivacyNotices@Automox.com with the subject “Subscribe” from the email address to which you want notification sent. If you subscribe, Automox will notify you by email of new Subprocessors before authorizing such Subprocessor(s) to process Customer Data. You have a right to reasonably object to Automox’s use of a new Subprocessor by notifying Automox in writing within 10 business days after Automox publishes notice of a new Subprocessor. If you do so, Automox will use reasonable efforts to change the affected Software or Cloud Service, or recommend a commercially reasonable change to your configuration or use of the affected Software or Cloud Service, to avoid Processing of Customer Data by the new Subprocessor. If Automox is unable to make or recommend such a change within a reasonable period of time, not to exceed 60 days, you may terminate the Subscription Term for the Software and Cloud Service that Automox cannot provide without using the new Subprocessor. You must provide written notice of termination to Automox in accordance with the Agreement. Automox will promptly refund you the fees applicable to the unused portion of the Subscription Term for the terminated Software and Cloud Services offering.

7. SECURITY AND AUDIT

7.1 Controls for the Protection of Customer Data. Automox maintains appropriate administrative, technical and organizational safeguards designed to protect Customer Data from unauthorized or unlawful Processing, from accidental loss, destruction, or damage. These safeguards are summarized in Exhibit B and fully described in the Information Security Addendum available at automox.com/legal/information-security-addendum. You are responsible for reviewing the security information that Automox makes available to you to determine whether they meet your requirements and legal obligations under Data Protection Laws and Regulations.
7.2 Third-Party Certifications. Automox’s third party certifications and independent audit reports are described in the Information Security Addendum available at automox.com/legal/information-security-addendum. Automox will provide you with a copy of the SOC2 independent auditor report upon request.
7.3 Incident Management and Breach Notification. Automox will notify you within 24 hours of becoming aware of a breach of your Customer Data. To the extent known, the notice will include (A) a description of the nature of the Personal Data breach, including the categories and approximate number of your Data Subjects concerned and the categories and approximate number of your records concerned; (B) the name and contact details of an Automox contact point for more information; (C) the measures Automox is taking to address the breach, including measures to mitigate its possible adverse effects. You can find more information about Automox’s incident response procedures in the Information Security Addendum.
7.4 Audit Rights. If the information provided in section 7.2 (Third-Party Certifications) is insufficient to reasonably demonstrate Automox’s compliance with its obligations under this DPA, Automox will provide you with additional information - and will allow and contribute to audits, including inspections - reasonably necessary to demonstrate compliance. You will not exercise this right more than once per year. You will reimburse Automox for any time taken for an audit or inspection at Automox’s then-current professional service rates. Automox will provide those rates to you on request. You and Automox will agree in advance on the timing, scope, duration and reimbursement rates for any audit or inspection.
7.5 Impact Assessments and Consultations. Automox will reasonably cooperate with you in connection with any data protection impact assessment or consultation with regulatory authorities that may be required by Data Protection Laws and Regulations. If this requires Automox to devote significant resources to that effort, you will pay Automox’s costs of providing that cooperation.

8. RETURN AND DELETION OF CUSTOMER DATA

Upon termination or expiration of your Subscription Term, or at any time upon your request, Automox will return or destroy all Customer Data in accordance with the Agreement and the Documentation. The Software and Cloud Services allow you to retrieve Customer Data at any time prior to the end of a Subscription Term. Providing this functionality through the Software and Cloud Services during the Subscription Term satisfies Automox’s obligation to return Customer Data under this section.

9. DATA TRANSFERS

9.1 Data Transfer Assessment. Automox Offerings require that some amount of Personal Data be transferred to the United States. Automox has compiled a Data Transfer Assessment (also known as a Transfer Impact Assessment) available at automox.com/legal/transfer-impact-assessment.
9.2 Transfer Mechanism. To the extent Automox’s processing of Customer Data requires the transfer of Customer Data from the European Economic Area, Switzerland or the United Kingdom, to countries that do not ensure an adequate level of protection under Data Protection Laws and Regulations, such transfers will be subject to the Standard Contractual Clauses attached hereto as Exhibit C and the additional terms in Exhibits A and B.

EXHIBIT A – SUBJECT MATTER AND DETAILS OF PROCESSING

1. NATURE AND PURPOSE OF PROCESSING

Automox will process Personal Data as a Processor in accordance with your instructions in section 3 (Processing of Customer Data) of the DPA. Automox does not sell Customer Data and does not share Customer Data with third parties for compensation or for those third parties’ own business interests.

2. PROCESSING ACTIVITIES

Customer Data is processed to provide the Offerings that allow you to analyze and control your IT environment as described in the Agreement and Documentation.

3. DURATION OF PROCESSING

Automox will process Customer Data for the duration of the Agreement. Following termination of the Agreement, Automox will permanently delete all Customer Data.

4. CATEGORIES OF DATA SUBJECTS

The Data Subjects include your Authorized Users.

5. CATEGORIES OF PERSONAL DATA

The categories of Customer Data are those included in data pertaining to Data Subject devices. This includes information about operating systems, installed applications and device performance.

6. SENSITIVE DATA OR SPECIAL CATEGORIES OF DATA

Customer Data does not include sensitive data or special categories of data.

EXHIBIT B – SUBJECT MATTER AND DETAILS OF PROCESSING

1. MEASURES OF PSEUDONYMIZATION AND ENCRYPTION OF PERSONAL DATA

Automox encrypts Customer Data in transit using Transport Layer Security (“TLS”) and at rest using Advanced Encryption Standard (“AES”).

2. MEASURES FOR ENSURING ONGOING CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY AND RESILIENCE OF PROCESSING SYSTEMS AND SERVICES

Each agreement between Automox and a Subprocessor contains confidentiality provisions similar to those in the Agreement. Automox’s Cloud Services are provided through multiple, fault-independent AWS availability zones and supported by tools and processes to maintain high availability.

3. MEASURES FOR ENSURING THE ABILITY TO RESTORE AVAILABILITY AND ACCESS TO PERSONAL DATA IN A TIMELY MANNER IN THE EVENT OF A PHYSICAL OR TECHNICAL INCIDENT.

Automox maintains a Business Continuity Plan and Disaster Recovery Plan to manage significant disruptions to Automox operations and infrastructure. Automox conducts exercises to evaluate the response to specific incidents.

4. PROCESS FOR REGULAR TESTING, ASSESSING AND EVALUATING THE EFFECTIVENESS OF TECHNICAL AND ORGANISATIONAL MEASURES IN ORDER TO ENSURE THE SECURITY OF PROCESSING

Automox has a dedicated security team that manages its security program. This team is involved in the development process and regularly tests the security of Automox’s products and operations. Automox has independent audits and assessments performed by third parties to evaluate the effectiveness of Automox’s security program.

5. MEASURES FOR USER IDENTIFICATION AND AUTHORIZATION

Automox personnel are required to use unique user access credentials and passwords to access the corporate network. Access to the cloud network requires two authentication steps; authorized users must log on to the corporate network and then authenticate using separate credentials through a secure shell (SSH) jump box server. Automox uses role-based access permissions based on the principle of least privilege to restrict access to Customer Data. Access is promptly removed upon role change or termination.

6. MEASURES FOR THE PROTECTION OF DATA DURING TRANSMISSION

Customer Data in transit is encrypted using TLS.

7. MEASURES FOR THE PROTECTION OF DATA DURING STORAGE

Customer Data is stored encrypted using AES.

8. MEASURES FOR ENSURING PHYSICAL SECURITY OF LOCATIONS AT WHICH PERSONAL DATA ARE PROCESSED

Automox offices have a physical security program with controlled access. The Cloud Services operate on Amazon Web Services (“AWS”) and are protected by the security and environmental controls of Amazon. Detailed information about AWS security is available at aws.amazon.com/security.

9. MEASURES FOR ENSURING EVENTS LOGGING

Automox continuously monitors application, infrastructure, network, data storage space and system performance. Automox utilizes a security information event monitoring (SIEM) system. The SIEM pulls real-time security log information from servers, firewalls, routers, intrusion detection system (IDS) devices, end users and administrator activity. The SIEM is configured for alerts and is monitored on an ongoing basis. Logs contain details on the date, time, source, and type of events. Automox reviews this information and works events worthy of real-time review.

10. MEASURES FOR ENSURING SYSTEM CONFIGURATION, INCLUDING DEFAULT CONFIGURATION

Automox has a software development life cycle (SDLC) process that governs the acquisition, development, implementation, configuration, maintenance, modification, and management of Automox infrastructure and software components. Prior to the final release of a new Automox system version to the production cloud environment, code is pushed through lower tier environments for testing and certification. Automox utilizes a code versioning control system to maintain the integrity and security of the application source code.

11. MEASURES FOR INTERNAL IT AND IT SECURITY GOVERNANCE AND MANAGEMENT

Automox maintains a written security program that (A) complies with applicable global industry recognized information security frameworks, (B) includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of Customer Data and (C) is appropriate to the nature, size and complexity of Automox’s business operations. Automox policies, standards, and operating procedures related to security, confidentiality, integrity and availability (“Security Policies”) are made available to all Automox personnel via the corporate intranet. Security Policies are reviewed, updated (as needed), and approved at least annually to maintain their continuing relevance and accuracy. The Automox Director Information Security and security governance group develop, maintain, review, and approve Automox Security Policies. Internal audits are aligned to Automox’s information security program and compliance requirements. Automox conducts internal control assessments to validate that controls are operating effectively. Issues identified from assessments are documented, tracked and remediated. Internal controls related to security, availability, processing integrity and confidentiality are audited by an external independent auditor at least annually and in accordance with applicable regulatory and industry standards.

12. MEASURES FOR CERTIFICATIONS/ASSURANCE OF PROCESSES AND PRODUCTS

Automox conducts various third-party audits to attest to various frameworks, including SOC 2 Type 2 and penetration testing.

13. MEASURES FOR ENSURING DATA MINIMIZATION

Automox collects the data necessary to perform the Agreement. Automox’s customers unilaterally determine which devices the Software is installed on and which features and functionality of the Offerings they use.

14. MEASURES FOR ENSURING DATA QUALITY

Automox uses the SDLC process described above in the development of its Software and Cloud Services. The Software and Cloud Services are developed and tested to ensure the accurate transmission and storage of Customer Data.

15. MEASURES FOR ENSURING LIMITED DATA RETENTION

Automox customers unilaterally determine which devices the Software is installed on and when the Software on those devices is deactivated. Automox deletes all Customer Data following termination of the Agreement.

16. MEASURES FOR ENSURING ACCOUNTABILITY

Automox has implemented internal data protection policies that all employees review and acknowledge upon hiring and annually thereafter. Automox maintains policies for the Processing of Personal Data and responding to security incidents involving Personal Data.

17. MEASURES FOR ALLOWING DATA PORTABILITY AND ENSURING ERASURE

Automox customers control the relationship with their Authorized Users and are responsible for responding to requests to exercise rights under Data Protection Laws and Regulations. If an Automox customer is unable to respond through the functionality provided in the Offerings, Automox will provide any assistance that the customer may reasonably require to comply with its obligations under Data Protection Laws and Regulations.

18. FOR TRANSFER TO SUB-PROCESSORS, ALSO DESCRIBE THE SPECIFIC TECHNICAL AND ORGANISATIONAL MEASURES TO BE TAKEN BY THE SUB-PROCESSOR TO BE ABLE TO PROVIDE ASSISTANCE TO THE CONTROLLER AND, FOR TRANSFERS FROM A PROCESSOR TO A SUB-PROCESSOR, TO THE DATA EXPORTER

When Automox engages a sub-processor, it does so pursuant to an agreement with data protection terms substantially similar to those in this DPA. In addition, Automox evaluates the technical and organizational measures taken by each sub-processor based on the nature of the Processing.

EXHIBIT C – ADDITIONAL TERMS FOR DATA TRANSFERS

1. UK STANDARD CONTRACTUAL CLAUSES

For data transfers from the United Kingdom that are subject to the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by reference) and completed as follows: The UK Controller to Processor SCCs will apply. The illustrative indemnification clause will not apply. Exhibit A serves as Appendix 1 of the UK Controller to Processor SCCs. Exhibit B serves as Appendix 2 of the UK Controller to Processor SCCs.

2. 2021 STANDARD CONTRACTUAL CLAUSES

For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by reference) and completed as follows:
2.1 Modules. Module Two (Controller to Processor) will apply where you are the Data Controller of Customer Data and Automox is a Processor of Customer Data. Module 3 (Processor to Processor) will apply where you are a Processor of Customer Data and Automox is a Subprocessor of Customer Data.
2.2 Options. For each Module, where applicable:
(A) In Clause 7, the optional docking clause will not apply.
(B) In Clause 9, option 2 will apply, and the time period for prior notice of sub-processors is set forth in section 6 (Subprocessors) of the DPA.
(C) In Clause 11, the optional clause will not apply.
(D) In Clause 17 (Option 1), the law of Ireland will apply.
(E) In Clause 18(b), disputes will be resolved in the courts of Ireland.
2.3 Annex I, Part A.
(A) Data Exporter: You and your authorized Affiliates.
(B) Contact Details: Your account address and email address.
(C) Data Exporter Role: Your role is described in section 3.1 (Data Processing Roles) of the DPA.
(D) Signature & Date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses, including their Annexes, as of the Effective Date.
(E) Data Importer: Automox Inc.
(F) Contact Details: Automox Privacy Team – legal@automox.com
(G) Data Importer Role: Automox’s role is described in section 3.1 (Data Processing Roles) of the DPA.
(H) Signature & Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, including their Annexes, as of the Effective Date.
2.4 Annex I, Part B.
(A) The categories of data subjects are described in Exhibit A, section 4.
(B) The sensitive data transferred is described in Exhibit A, section 6.
(C) The frequency of the transfer is a continuous basis for the duration of the Agreement.
(D) The nature of the processing is described in Exhibit A, section 1.
(E) The purpose of the processing is described in Exhibit A, section 1.
(F) The period of the processing is described in Exhibit A, section 3.
(G) For transfers to sub-processors, the subject matter, nature, and duration of processing is described at automox.com/legal/authorized-subprocessors.
2.5 Annex I, Part C. The Irish Data Protection Commission will be the competent supervisory authority.
2.6 Annex II. Exhibit B serves as Annex II of the Standard Contractual Clauses.

3. PRECEDENCE

To the extent there is any conflict between the Standard Contractual Clauses and the DPA, the provisions of the Standard Contractual Clauses will apply.