International Data Processing Addendum

This Data Processing Addendum including all attached Schedules (“Addendum”) dated January 1, 2023  (“Addendum Effective Date”) forms part of the existing or contemporaneous contract for goods and services (“Agreement”) between: Sycomp A Technology Company, Inc. (Sycomp) and the client company (“Company”) acting on its own behalf and/or as agent for its corporate Affiliates in accepting this Addendum.

Company and Sycomp have entered into an Agreement pursuant to which Sycomp provides to Company certain software and SaaS licenses, professional services and hardware (referred to in this Addendum as the “Solutions”), offered by third party original equipment manufacturers, software and SaaS licensors and service providers (the “Resale Partners”). Sycomp collects and processes minimal Company Personal Data (defined below) as defined by Applicable Laws (defined below) in providing the Solutions. Where only the Resale Partners have access to information related to Company Personal Data, including, without limitation, information about Company customers, employees, officers, contractors, and agents, including without limitation, personal information/personal data as defined by Applicable Laws and Sycomp does not have access to and is not involved in the processing of Company Personal Data, Company acknowledges that its relationship with Resale Partners governs the processing of Company Personal Data under Applicable Laws and this Addendum does not apply.

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.  Except as modified below, the terms of the Agreement shall remain in full force and effect.

The parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.

1.              Global Terms

1.1            Definitions.

1.1.1                “Affiliate” means an entity that owns or controls, is owned or controlled by or is under common control or ownership with either Company or Sycomp respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.

1.1.2                “Applicable Laws” means any privacy or security law that applies to Company Personal Data. This includes (without limitation) the General Data Protection Regulation (EU 2016/679) (“GDPR”), the Directive on privacy and electronic communications (2002/58/EC), the UK Data Protection Act (DPA) and UK GDPR, the Swiss Federal Data Protection Act, the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 et seq.) and the California Privacy Rights Act of 2020, the Virginia Consumer Data Protection Act (Va. Code Ann. tit. 59.1, Ch. 53 et seq.), the Colorado Privacy Act (Colo. Rev. Stat. Ann. §§ 6-1-1302 et seq.), the Utah Consumer Privacy Act (Utah Code Ann. §§ 13-61-101 et seq.), any other United States state privacy legislation of similar scope to the aforementioned statutes, and any implementing regulations adopted thereunder (all of which as may be amended from time to time).

1.1.3                “Company Personal Data” means information that is processed by Sycomp, or collected by Sycomp, on behalf of Company which identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular identified or identifiable person or household.

1.1.4                “Data Subject” means any identifiable individual or household included, or previously included, within the Company Personal Data.

1.1.5                “Personal Data Breach” means the accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Company Personal Data transmitted, stored or otherwise processed. Should any other definition of “breach,” “data breach,” or “personal data breach” that appears in any Applicable Law be broader in scope than the definition provided here, the definition in said Law shall control.

1.1.6                “Process” means any operation or set of operations that are performed on Company Personal Data.

1.1.7                “Processing Records” means complete, accurate, and up-to-date written records of all Processing activities carried out on behalf of Company.

1.1.8                “Processor” means any entity that performs the Processing of Company Personal Data. For the purposes of this Agreement and Addendum, Sycomp and any authorized subcontractors are Processors.

1.1.9                “Regulator” refers to any government agency responsible for enforcing the Applicable Laws.

1.1.10              “Sell”/“Sale” has the meaning as may be set forth in Applicable Laws (e.g. the California Consumer Privacy Act of 2018). By example, and not by way of limitation, “Sell” may mean selling, renting, releasing, disclosing, disseminating, making available or transferring a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

1.1.11              “Share” has the meaning as may be set forth in Applicable Laws (e.g. the California Privacy Rights Act of 2020).  By example, and not by way of limitation, “Share” may mean any disclosure of Company Personal Data (renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means) to a third party for cross-contextual behavioral advertising.

1.1.12              “Subprocessor” means any Processor (including any third party and any Sycomp Affiliate) appointed by Sycomp to Process Company Personal Data. This includes (without limitation) entities that are defined as Service Providers subject to the California Consumer Privacy Act of 2018.

1.2            Authorization to Process Data.

1.2.1                The parties do not intend for Sycomp to process Company Personal Data in the ordinary course of performance of the Agreement. However, in the event that Sycomp Processes Company Personal Data, Sycomp will do so in compliance with the terms of this Addendum.

1.2.2                Sycomp shall not Process Company Personal Data for any purpose other than those specified in the Agreement, this Addendum, or Company’s documented instructions.  Sycomp shall immediately inform the Company if, in its opinion, any processing instruction violates any Applicable Law.  Sycomp shall not access, retain, use, or disclose Company Personal Data for a commercial purpose other than as needed to provide the Solutions and perform services under the Agreement.

1.2.3                Schedule 1 to this Addendum sets out certain information regarding Sycomp’s Processing of the Company Personal Data. Company may make reasonable amendments to Schedule 1 by written notice to Sycomp from time to time.

1.3            Compliance with Applicable Laws. Sycomp and Company each represents and warrants that they will comply with Applicable Laws, including all regulations that have been or are further enacted relating thereto, and other similar laws and regulations. Company represents that it has all rights necessary to provide Company Personal Data to Sycomp in connection with providing the Solutions.

1.4            Confidentiality & Security.

1.4.1                Sycomp shall implement and maintain appropriate technical and organizational measures in relation to the processing of Company Personal Data by Sycomp in compliance with Applicable Laws.  Specifically, Sycomp will during the Term of the Agreement maintain ISO/IEC 27001:2013 compliance and provide a certificate evidencing the foregoing upon request by Company.  Sycomp shall ensure that its agents and representatives processing Company Personal Data on behalf of Company have signed agreements requiring them to keep Company Personal Data confidential, and Sycomp shall take all reasonable steps to ensure that Sycomp representatives processing Company Personal Data receive adequate training on compliance with this Addendum and relevant laws.

1.5            Data Subject Rights.

1.5.1                Sycomp shall assist Company in responding to complaints, communications, or requests by a Data Subject to exercise a right under Applicable Laws relating to the Company Personal Data maintained by Sycomp or its Subprocessors. This shall include, at minimum, that Sycomp and its Subprocessors maintain the ability to access, modify, remove from processing, or irrevocably delete or destroy, correct, transport (i.e. right to data portability), restrict or limit use of Sensitive Personal Information (as this phrase may be defined in Applicable Laws), or not to Sell or Share (as those terms may be defined in Applicable Laws) the data of an individual Data Subject when requested by Company (“Data Subject Request”).

1.5.2                Should Sycomp or any Subprocessor or other subcontractor directly perform any data collection from Data Subjects in connection with the Company’s instructions, Sycomp shall ensure that Data Subjects receive the Company’s Privacy Policy at or before the point at which any information is collected about the Data Subject.

1.5.3                Sycomp shall promptly notify Company if it receives a Data Subject Request.  If required by Applicable Laws, Sycomp will inform the Data Subject that Sycomp is a Service Provider or Processor (based on the Applicable Laws) and the Data Subject should contact the Company or appropriate Resale Partner.  Otherwise, Sycomp shall await instructions from Company concerning whether, and how to, respond to such a request.  Company shall provide Sycomp with current contact information to enable Sycomp to direct Data Subject Requests.

1.6            Personal Data Breach.

1.6.1                In the event of any actual or suspected access or acquisition of Company Personal Data by an unauthorized third party, Sycomp shall notify Company immediately of the potential Personal Data Breach without undue delay (but in no event later than 48 business hours after becoming aware of the potential Personal Data Breach) and provide Company, in writing or via email, without undue delay (wherever possible, within 10 business days of becoming aware of the potential Personal Data Breach) with such details as Company reasonably requires, recognizing that this may be supplemented as additional details are discovered over time.  In addition, Sycomp shall investigate and remediate the potential Personal Data Breach and, to the extent that a Personal Data Breach results in a legal obligation for Company or Sycomp to notify relevant authorities or affected Data Subjects or would put affected Data Subjects at risk, Sycomp shall provide the Company with assurances satisfactory to Company that a Personal Data Breach will not recur.  Sycomp warrants that if there has been a Personal Data Breach of Company Personal Data, all responsive steps will be documented and a post-incident review will be made of both the events and also remedial actions taken, if any, to prevent a recurrence.  Sycomp agrees to fully cooperate with Company in Company’s handling of the matter, including without limitation any investigation, reporting, or other obligations required by applicable law or regulation, including responding to regulatory inquiries or investigations, or as otherwise required by Company, and will work with Company to otherwise respond to and mitigate any damages caused by the Personal Data Breach.  Sycomp shall not notify any third party of the Personal Data Breach without Company’s prior, written authorization.

1.6.2                Sycomp shall, and shall require any Subprocessor to, co-operate with Company and each Company Affiliate and take such reasonable commercial steps to assist in the investigation, mitigation, and remediation of any such Personal Data Breach.

1.7            Deletion or return of Company Personal Data. Sycomp shall, without delay, either securely delete or return any Company Personal Data to Company in hardcopy or electronic form at the Company’s written request. As soon as reasonably possible upon completion of the services anticipated by the Agreement, Sycomp shall securely delete all existing copies of Company Personal Data, in electronic and hard copy form, unless storage of any data is required by Applicable Laws or other relevant laws. In the event that Company Personal Data is stored on backup media, deletion of Company Personal Data will only be required when the backup media is used to restore Sycomp systems.

1.8            Data Privacy Impact Assessment and Prior Consultation. Sycomp shall provide reasonable assistance to Company with any data protection impact assessments which are required under Applicable Law in relation to Sycomp’s Processing of Company Personal Data.

1.9            Indemnification.  Sycomp agrees that it shall reimburse and indemnify Company for all costs incurred in responding to and/or mitigating damages caused by a breach of this Addendum, including security breaches involving Company Personal Data maintained by Sycomp or its Subprocessors or any material breach by Sycomp of its data protection and privacy obligations under this Addendum.

1.10         Performance at Sycomp’s Sole Expense. Sycomp’s compliance with this Addendum, and any actions required of Sycomp to comply with Applicable Laws in connection with the Agreement, will be at Sycomp’s sole and exclusive expense and will not result in additional fees for Solutions (except as may already be set forth in the Agreement). Any actions required of Company to comply with Applicable Laws in connection with the Agreement, will be at Company’s sole and exclusive expense (except as may already be set forth in the Agreement).

1.11         Changes to this Addendum. Sycomp may update the terms of this Addendum from time to time; provided, however, that Sycomp will not materially weaken the protections in this Addendum unless it provides at least 30 days prior written notice to Company, and the opportunity to cancel the Agreement within 7 days of receiving such notice if Company does not agree to the material changes.

1.12         Changes in Applicable Laws. Should any Applicable Laws materially change in any respect as to jeopardize the suitability of this Addendum in conforming to any new or amended Applicable Laws (“New Laws”), Company may propose amendments to this Addendum which Company reasonably considers to be necessary to address the requirements of any New Laws (“Proposed Amendments”).  Both Sycomp and Company shall negotiate any Proposed Amendments in good faith, with Sycomp’s written consent not to be unreasonably withheld.

1.13         General Terms. Any obligation imposed on Sycomp under this Addendum in relation to the Processing of Personal Data shall survive any termination or expiration of this Addendum for so long as Personal Data is Processed.  Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force.  The invalid or unenforceable provision shall be either: (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein. Company and Sycomp expressly recognize and agree that this Addendum includes provisions addressed in other portions of the Agreement.  Company and Sycomp hereby agree that the terms and conditions set out herein shall be added as an Addendum to the Agreement.  This Addendum and the other portions of the Agreement shall be read together and construed, to the extent possible, to be in concert with each other.  In respect of any conflict between the Agreement and this Addendum, the provisions which provide the greatest protection of the Company Personal Data shall prevail; provided, however, that in no event shall this Addendum be deemed to eliminate, limit, or otherwise diminish Sycomp’s obligations or commitments to Company under portions of the Agreement.

2.              International Terms. In the event that Company notifies Sycomp that the personal information of residents of the European Economic Area, Switzerland, the United Kingdom, Brazil, or other applicable jurisdiction outside the United States may be Processed pursuant to the Agreement, the provisions of this Section 2 shall apply to all parties and the Processing of Company Personal Data in connection with the provision of the Solutions.

2.1            Subprocessing.

2.1.1                Company authorizes Sycomp to engage Subprocessors from the list presented in Schedule 1, Section C. below. Sycomp will inform Company of any addition of a Subprocessor to this list in writing. Upon receiving this notice, Company will have 30 days to object, on reasonable grounds, to the addition of a Subprocessor, where required by applicable law. In the event that Sycomp elects to engage a Subprocessor despite reasonable objection by Company, Company will have the right to terminate the Agreement pursuant to the Termination clause therein.

2.1.2                With respect to each Subprocessor, Sycomp shall:

2.1.2.1            carry out adequate due diligence on each Subprocessor to ensure that it is capable of providing the level of protection for Company Personal Data as is required by this Addendum and provide evidence of such due diligence if requested by a Regulator;

2.1.2.2            enter into a binding written contract and include terms in the contract between Sycomp and each Subprocessor that are materially similar to the terms set out in this Addendum;

2.1.2.3            ensure that approved Subprocessors have agreed to use the information only for Company’s business purposes and in compliance with all Applicable Laws, rules and regulations, and Company instructions; and

2.1.2.4            remain fully liable to Company for the actions of Subprocessors in relation to the Company Personal Data.

2.2            International Data Transfers.  

2.2.1                Sycomp must have prior written consent or instruction from Company to transfer any Company Personal Data internationally or, in the case of Company Personal Data received from Company within the European Economic Area (“EEA”), Switzerland or United Kingdom (“UK”), to transfer such data outside the EEA or to any international organization (an “International Transfer”).  If Company consents to such an international transfer, Sycomp shall ensure that such transfer (and any onward transfer thereafter): (i) is pursuant to a written contract including adequate provisions relating to security and confidentiality of any Company Personal Data; (ii) is made pursuant to a legally enforceable mechanism for such cross-border data transfers of Company Personal Data under relevant laws (the form and content of which shall be subject to the Company’s written approval); (iii) is made in compliance with this Addendum; and (iv) otherwise complies with relevant privacy laws.  Unless the parties are able to avail themselves of an alternative transfer mechanism based on an adequacy mechanism approved by the EEA, Switzerland, and the UK (“Adequacy Mechanism”, e.g. a transfer mechanism based on Executive Order 14086 which is to facilitate the EU-US Data Privacy Framework between the United States and the European Union), the parties shall execute and annex to this Addendum as necessary approved Standard Contract Clauses (“SCCs”) or other legally acceptable contractual provisions to facilitate Company Personal Data transfers.

2.2.2                Territory.

2.2.2.1            European Economic Area. With respect to facilitating international transfers of Company Personal Data of EEA residents, the parties shall be deemed to have executed the EEA SCCs which are incorporated into this Addendum at Schedule 2.

2.2.2.2            Both European Economic Area and United Kingdom. With respect to facilitating international transfers of Company Personal Data of EEA residents and UK residents, the parties shall be deemed to have executed the EEA SCCs and the UK International Data Transfer Addendum which are incorporated into this Addendum at Schedule 2 and Schedule 3.

2.2.2.3            United Kingdom Only. With respect to facilitating international transfers of Company Personal Data of United Kingdom (“UK”) residents and no Company Personal Data of EEA residents, the parties shall be deemed to have executed the UK International Data Transfer Agreement, which is incorporated into this Addendum at Schedule 4.

2.2.2.4            Brazil. With respect to facilitating international transfers of Company Personal Data of Brazil residents, the parties shall be deemed to have executed and annexed to this Agreement the Brazil SCCs, if and when available.

2.2.2.5            In case of conflict, such attachments with SCCs, UK International Data Transfer Agreement/Addendum or other specific provisions shall take precedence where applicable over the terms of this Addendum.

2.2.2.6            For purposes of any transfers of personal data also subject to Switzerland’s Federal Act on Data Protection of 19 June 1992 (“FADP”): (i) the term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of bringing legal proceedings to enforce their rights in their place of habitual residence in accordance with Clause 18(c) and (ii) the clauses also protect the data of legal entities until the entry into force of the revised FADP.

2.2.2.7            Should the parties be able to rely on an Adequacy Mechanism to facilitate an International Transfer, the parties agree that the appropriate transfer mechanism shall be such an Adequacy Mechanism and not the Standard Contractual Clauses or UK International Data Transfer Agreement/Addendum.

2.3            Relevant Records and Audit Rights.

2.3.1                Sycomp shall maintain Processing Records, and shall make available to Company on request in a timely manner such information (including the Processing Records) as is reasonably required by Company to demonstrate Sycomp’s compliance with its obligations under Applicable Laws and this Addendum, which Company may disclose to regulatory authorities.  Processing Records shall contain, at a minimum, a description of all Company Personal Data Processed by Sycomp on behalf of Company, the type of Processing, the purposes of the Processing, a record of consent (if any), and any other information reasonably required by Company.

2.3.2                Sycomp shall provide reasonable additional assistance, information, and cooperation to Company at Company’s expense to comply with Company’s obligations under the Applicable Laws with respect to: (i) data security; (ii) data breach notification; (iii) responding to requests relating to Company Personal Data and/or Company’s data privacy or security practices from regulators or individuals; and (iv) conducting data privacy impact assessments.  Sycomp shall implement and maintain appropriate technical and organizational measures to assist Company in the fulfilment of Company’s obligations to respond to Data Subjects’ requests relating to Company Personal Data.  This includes ensuring that all requests relating to Company Personal Data are recorded and then referred to Company within three (3) days of receipt of the request.  Sycomp shall otherwise cooperate with Company in Company’s efforts to monitor Sycomp’s compliance.

3.              United States Terms. In the event that Company notifies Sycomp that the personal information of residents of the United States may be Processed pursuant to the Agreement, the provisions of this Section 3 shall apply to all parties and the Processing of Company Personal Data in connection with the provision of the Solutions.

3.1             Relationship of the Parties. To the extent Sycomp processes Company Personal Data subject to the Data Protection Laws, Sycomp is a “Service Provider” as defined by the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020, a “Processor” as defined by the Virginia Consumer Data Protection Act and the Colorado Privacy Act, and any other term similar in meaning as those terms are understood pursuant to the Applicable Laws.

3.2            Purpose of Processing Company Personal Data. Any Company Personal Data that Sycomp receives, accesses, transfers, or collects in connection with the Solutions is done solely for the purpose of Sycomp delivering the Solutions, as described in greater detail in Schedule 5 below, and shall not constitute a Sale of such data and shall not otherwise be for any monetary or other consideration. Further, no Company Personal Data is shared for targeted or cross-contextual advertising purposes.

3.3            Sycomp Treatment of Company Personal Data. In the course of providing the Solutions to Company and in connection with Company User Information it receives, accesses, transfers, or collects in connection with the Solutions, Sycomp will:

3.3.1                not take any action that would cause Company to not comply with Applicable Laws or other privacy laws;

3.3.2                not collect any additional Company Personal Data from any Data Subject other than as strictly required to provide the Solutions to Company;

3.3.3                treat all Company Personal Data as “Confidential Information” under the confidentiality provisions in the Agreement;

3.3.4                not attempt to identify or re-identify any Data Subject and not associate any personal information with any Data Subject or any Data Subjects’ online activity, other than as strictly required to provide the Solutions to Company;

3.3.5                not co-mingle Company Personal Data with the data of any third party, other than as strictly required to provide the Solutions to Company;

3.3.6                not under any circumstances Sell, Share, or license to any third party, or use for the benefit of any third party, any Company Personal Data; and

3.3.7                notify Company immediately if it makes a determination that it can no longer meet its obligations under the Applicable Laws.

3.4            Subcontractors. Should Sycomp engage any subcontractors who will Process Company Personal Data, Sycomp shall include terms in the contract between Sycomp and each subcontractor that are materially similar to the terms set out in this Addendum.

3.5            Relevant Records and Audit Rights. Where required by Applicable Laws, and upon Company’s request, Sycomp shall make available to Company Personal Data reasonably necessary to demonstrate compliance with this Addendum and/or Applicable Laws.

3.6            Certification. Sycomp certifies that it understands and will comply with the restrictions on the use of Company Personal Data in connection with providing the Solutions.

This Addendum is entered into and becomes a binding part of each Agreement with Company with effect from the Addendum Effective Date first set out above. 

SCHEDULE 1: DATA PROCESSING

A.             Details of Processing of Company Data

1.     Categories of Data Subjects Whose Personal Data is Transferred

Company employees and subcontractors

2.     Categories of Personal Data Transferred

Contact information including name, business and/or home address, business email and phone number.

3.     Sensitive Data Transferred and Applicable Restrictions and Safeguards

No sensitive personal data is to be transferred by Company

4.     Frequency of Transfer

Continuous during the delivery of Solutions

5.     Nature of the Processing

Company Personal Data shall be processed in the manner set forth in the Agreement and as may be modified by the parties in a Statement of Work or other writing. In particular, Company Personal Data will be used and disclosed for the following purposes:

Contact and communications regarding the sale and delivery of Solutions to Company including delivery of hardware and software to remote employees

6.     Purpose(s) of the Transfer and Further Processing

Company Personal Data shall be processed for the purposes set forth in the Agreement and as may be modified by the parties in a Statement of Work or other writing.

Sale and delivery of Solutions to Company including delivery of hardware and software to remote employees

7.     Period for Which the Personal Data Will be Retained

During the sale, delivery, and support of Solutions and as legally allowed to substantiate the history of the same

B.              Technical and Organizational Measures

This Information Security Policy document provides external stakeholders with an overview of Sycomp’s Information Security Management System (ISMS) policies, practices, and procedures. Security is key to any organization’s success and Sycomp is continuously collaborating with its partners and clientele to optimize and improve the integrity of its operations.

  • Minimum Technical and Organizational Measures
    Sycomp’s ISMS security program includes commercially reasonable and technically appropriate policies to protect company and third party information from unauthorized access, acquisition, use or misuse, disclosure, destruction, and modification. Information is protected according to its sensitivity and risk of loss. Although not every measure is applicable to every class of Information, the security program includes the following baseline policies and practices:

  • Acceptable Use
    Acceptable Use policies establish the minimum acceptable requirements for using data, assets, and resources within the ISMS scope of registration by all personnel authorized for such use, including:

    • Annual Employee Security Awareness Training and ISMS Policy Reviews

    • System monitoring controls

    • Appropriate resource handling and protection while on- and off-premises

  • Access Control
    Access Control policies include appropriate measures to prevent unauthorized access to systems where “information” is processed or stored, including:

    • Formal access control process for user account approval, creation, and termination

    • Password management and multi-factor authentication

    • Established secure areas with physical controls and continuous monitoring

    • Protection and restriction of access and access authorizations for employees and approved third parties

    • Annual review of user and privileged access accounts

  • End-User Devices
    Desktop and Mobile Device Security policies establish a framework for the management of end-user computing devices. The policies are applied to all workstations and to mobile devices such as laptops, tablets, and smartphones, including:

    • Formal hardware and software approval and registration process

    • Consistent, documented configuration standards

    • Implementation of real-time malicious software protection and email filtering mechanisms

    • Use of industry standard encryption technologies, including for data-at-rest and data-in-transit

    • Automatic temporary lock-out of user devices if left idle, with identification and password required to reopen

    • Automatic temporary lock-out of the user ID when several erroneous passwords are entered, with a log file of events and monitoring of break-in attempts

  • Human Resources
    Human Resource Policies ensure that employees and third party subcontractors understand their responsibilities and are suitable for the roles for which they are considered, including:

    • On-boarding processes include employment, subcontractor, and non-disclosure agreements, background screening and criminal checks, where applicable

    • Disciplinary process for information security violation or breach

    • Off-boarding process includes termination of access privileges and return of assets

  • Network and System Security
    Network and Security policies ensure secure operation and protection of networks and systems by enforcing:

    • Formal hardware and software approval and registration process

    • Role-based authorization, secure access via multi-factor authentication

    • Port lock-down and password protection

    • Remote access restrictions and controls

    • Monitoring and logging for threat and anomaly detection

    • Segregation of Duties for change management

    • Adherence to acceptable encryption standards

  • Risk, Incident and Vulnerability Management
    Risk, Incident and Vulnerability Management policies establish the workflow, tasks, responsibilities, and functions for reporting, responding to, and managing information security risks, incidents and known or discovered vulnerabilities:

    • Annual Risk Assessment to identify the threats to ISMS assets and the vulnerabilities that might be exploited by those threats, assign a risk owner, and establish risk treatment options, if required

    • Annual vulnerability scan and timely resolution of critical and high vulnerabilities

    • Formal process for reporting, recording, and resolving security incidents, to include lessons learned

    • Process for communicating with external parties, as required

  • Continuity and Availability
    Sycomp has implemented and will maintain reasonable and appropriate measures to ensure that critical systems and data are protected from accidental destruction or loss, including:

    • Infrastructure redundancy

    • Maintenance of Business Continuity and Recovery procedures, to include data replication and tape backup processes

    • Disposal of records containing personal information in accordance with privacy policies and when there no longer exists any lawful basis for processing

  • Privacy Policy
    The Sycomp Privacy Policy describes our practices regarding the user information we collect, use, and share. This Privacy Policy applies to the information we collect when you interact with us, including through our websites, email communications, products, or other features or services (the “Services”), unless otherwise specifically agreed in a contract or other writing between us and you or the company for whom you work and on whose behalf you interact with us. For more details, please visit https://sycomp.com/privacy-policy/

C.             Authorized Sub-processors

SYCOMP A TECHNOLOGY COMPANY INC

LIST OF SUBPROCESSORS

A. Third Party Employee Contacts Subprocessors
Name of Subprocessor | Contact & Address | Description of Processing
Sales Force dot Com, Inc. | Salesforce Tower, 415 Mission Street, 3rd Floor San Francisco, CA 94105 USA | Trading partners’ account records
ABSYZ, Inc. | 6th Floor, Shanta Sriram Techpark, DLF Cyber City, Gachibowli, Telangana 500032, India | SFDC Administration
Microsoft Corporation | 700 Bellevue Way NE - 22nd Flr, Bellevue, WA, 98004 USA | MS 365 – email, sharepoint, & other business applications

B. Managed Services Provider (MSP) Subprocessors
Country | Courier Services | White Glove
ANZ | DHL
Auspost
Japan | Sagawa | EDCOM
Taiwan | ZerOne
Singapore | TCK (Local Shipments)
Adcom (International)
DHL (smaller boxes)
Mamgistics PTE Ltd (rarely)
Thailand | DHL
India | Bluedart | NA
IJetz
JS Cargo (Local shipments within Bangalore)
DTDC
EMEA | DHL (All EU & UK) | ACS France
DPD (UK) | CCS Germany
UPS (Belgium) | Rhenus
Tiger AG (CH) | ASL Cargo
Emerald Freight Express (CZ) | Fast Forward Freight
Bollore Logistics (CZ) | Emerald Freight
Optys (CZ) | Dore to Door
BDA Logistics (Netherlands) | Michael Lynch Logistics
Emerald Freight (IR)
Israel | ONE’s Drivers (S1) | NA
Taxi (Hand Delivery)
UPS
Virtual Graffiti
USA | FedEx
Adcom (Rarely)
UAE | DXB
Canada | FedEx
Purolator
UPS
South Africa | The Courier Guy Worldwide Express.

SCHEDULE 2: EU STANDARD CONTRACTUAL CLAUSES

  1. The EEA Standard Contractual Clauses are completed as follows:
    1. In the event that Company is a Controller, Module 2 (Controller to Processor) will apply.
    2. In the event that Company is a Processor, Module 3 (Processor to Processor) will apply.
    3. In Clause 7, the optional docking will apply.
    4. In Clause 9, option 2 will apply, and the time period for prior notice of sub-processors is 30 days.
    5. In Clause 11(a), the optional clause will not apply.
    6. In Clause 13, Option 1 will apply if Company has an establishment in the European Union; Option 2 will apply if Company is not established in the European Union and has an appointed representative; and Option 3 will apply if Company has neither an establishment nor a representative in the European Union.
    7. In Clause 17 (Option 2), the law of the Republic of Ireland will apply.
    8. In Clause 18(b), disputes will be resolved in the courts of the Republic of Ireland.
  2. The EEA Standard Contractual Clauses, Annex I, Part A is completed as follows:
    1. Data Exporter: Company
    2. Contact Details: Company address, Company contact and email address as set forth on each component of the Agreement(s)
    3. Data Exporter Role: Controller
    4. Signature and Date: Signature on file at the date of the relevant Agreement(s)
    5. Activities relevant to the data transferred under the Standard Contractual Clauses: Provide Services described in the Agreement.
    6. Data Importer: Sycomp, Inc.
    7. Contact Details: 950 Tower Lane, Suite 1785, Foster City, CA 94404, [email protected]
    8. Data Importer Role: Processor
    9. Signature & Date: Signature on file at the date of the relevant Agreement(s)
    10. Activities relevant to the data transferred under the Standard Contractual Clauses: Provide Services described in the Agreement.
  3. The EEA Standard Contractual Clauses, Annex I, Part B is completed as follows:
    1. Categories of data subjects whose personal data is transferred: As set forth in Schedule 1.
    2. Categories of personal data transferred: As set forth in Schedule 1.
    3. Sensitive data transferred: As set forth in Schedule 1. Safeguards are listed pursuant to Annex II.
    4. The frequency of transfer: The data is transferred on a continuous basis.
    5. Nature of the processing: The nature of the processing is as set forth in Schedule 1.
    6. Purpose(s) of the data transfer and further processing: The purpose of the data transfer and processing is as set forth in Schedule 1.
    7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The duration of the processing is as set forth in Schedule 1.
    8. For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing: The subject matter, nature, and duration of Processing undertaken by Subprocessors will be the same as set forth in this Annex 1.B with respect to Sycomp.
  4. The EEA Standard Contractual Clauses, Annex I, Part C is completed as follows: Competent supervisory authority is The Republic of Ireland
  5. The EEA Standard Contractual Clauses, Annex II. The Technical and Organizational Measures are described in Schedule 1, Section B.

SCHEDULE 3: UK INTERNATIONAL DATA TRANSFER ADDENDUM

  1. The UK Addendum is completed as follows:
    1. Part 1
      1. Table 1: The Start Date is the effective date of the Agreement. The Parties as detailed in Section 2 of Schedule 2
      2. Table 2: Selected SCCs, Modules and Selected Clauses: as detailed in Section 1 of Schedule 2
      3. Table 3: Appendix Information: means the information which must be provided for the selected modules as set out in the Appendix of the SCCs (other than the Parties), and which is set out in Sections 2, 3, and 5 of Schedule 2.
      4. Table 4: The Importer may end the UK Addendum as set out in Section 19 of the UK Addendum
    2. Part 2
      1. Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18 of those Mandatory Clauses.

SCHEDULE 4: UK INTERNATIONAL DATA TRANSFER AGREEMENT

  1. The UK Addendum is completed as follows:
    1. Table 1
      1. Start Date: Effective date of the Agreement.
      2. Parties Details: <<Sycomp, this may be a text box prompting customers to fill in the name and address of their company and name and title of their primary contact. >>
      3. Table 2: Selected SCCs, Modules and Selected Clauses: as detailed in Section 1 of this Appendix 2
    2. Table 2
      1. Governing Law: England and Wales
      2. Primary Place for Legal Claims: England and Wales
      3. Status of Exporter: Controller
      4. Status of Importer: Exporter’s Processor or Subprocessor
      5. Whether UK GDPR applies: UK GDPR applies
      6. Linked Agreement: The Addendum contains the Exporter’s instructions to Importer
      7. Term: The period for which the Linked Agreement (the Addendum) is in force
      8. Ending the IDTA before the end of the Term: The Importer may end the UK Addendum as set out in Section 29 of the UK IDTA
      9. Which Parties may end IDTA before end of the Term: Exporter and Importer
      10. Can the Importer Make Further Transfers: The Importer MAY transfer on the Transferred Data to another organization or person (who is a different legal entity) in accordance with Section 16.1 (Transferring on the Transferred Data).
      11. Specific Requirements for Further Transfer: to the authorized receivers (or the categories of authorized receivers) set out in: Section 2.1 of the Addendum
      12. Review Dates: The parties will review the security requirements no more frequently than annually at the request of the Exporter
    3. Table 3
      1. Transferred Data: The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement (the Addendum) referred to.
      2. Special Categories Data: None of the above. The categories of special category and criminal records data will update automatically if the information is updated in the Linked Agreement (the Addendum) referred to.
      3. Relevant Data Subjects: The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement (the Addendum) referred to.
      4. Purpose: The Importer may Process the Transferred Data for the purposes set out in: the Addendum, the Agreement, or a Statement of Work subject to the Agreement and the Addendum. The purposes will update automatically if the information is updated in the Linked Agreement (the Addendum) referred to.
    4. Table 4
      1. Security Requirements: The security requirements are described in Schedule 1, Section B.
      2. Updates to Security Requirements: The Security Requirements will update automatically if the information is updated in the Linked Agreement (the Addendum) referred to.
    5. Part 2
      1. Extra Protection Clauses: There are no extra protection clauses
    6. Part 3
      1. Commercial Clauses: There are no commercial clauses beyond the terms of Agreement and Addendum.

SCHEDULE 5: BUSINESS PURPOSES

Sycomp may process Company Personal Data on behalf of Company for the following business purposes (check all that apply):

    • Providing Solutions on behalf of Company, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of Company.
    • Helping to ensure security and integrity to the extent the use of Company Personal Data is reasonably necessary and proportionate for such a purpose.
    • Debugging to identify and repair errors that impair existing intended functionality of the Solutions.
    • Undertaking internal research for technological development and demonstration.