Data Processing Agreement
This Data Processing Agreement (the “DPA”) is made by and between the Parties and is subject to and is incorporated into the Agreement. The DPA is effective as of the Effective Date of the Agreement.
This DPA applies to the extent AlignOps Processes Your Personal Data in connection with AlignOps’ provision of Services to You. In the event of any inconsistency between the DPA and the Agreement as to AlignOps’ Processing of Your Personal Data, the DPA shall control.
- Definitions
- “Personal Data”, “Controller”, “Processor”, “Data Subject”, “Process” and “Supervisory Authority” shall have the same meaning as set out in applicable Data Protection Laws with the same or equivalent terms.
- “Your Personal Data” means any Personal Data within Subscriber Data.
- “Data Protection Laws” means all applicable laws, rules and regulations relating to the Processing of Personal Data as amended, repealed, consolidated or replaced from time to time.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any of Your Personal Data by AlignOps that compromises the security, confidentiality or integrity of such Your Personal Data.
- “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data annexed to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- “Subprocessor” means any Processor engaged by AlignOps to Process Your Personal Data on AlignOps’ behalf.
- “Third Country” means any destination country outside of a source country in which the Data Protection Laws restrict transfers of Personal Data to such other destination countries, except where the Data Protection Laws and applicable regulatory authorities of the source country adopted an adequacy decision regarding the Data Protection Laws of the destination country such that transfers of Personal Data to that destination country are not restricted.
- “UK Addendum” means United Kingdom (“UK”) Information Commissioner’s (“ICO”) International Data Transfer Addendum to the EU Commission Standard Contractual Clauses Version B1.0 in force 21 March 2022.
- Data Processing
- AlignOps will only Process Your Personal Data in accordance with the Agreement (including any order form), and Your written instructions, to the extent necessary to provide the Services to You, including with respect to transfers of Your Personal Data, unless Processing is required by other applicable laws, in which case AlignOps shall, to the extent permitted by applicable law, inform You of that legal requirement before so Processing Your Personal Data. The Agreement (including any order form) and the DPA shall be Your complete and final instructions to AlignOps in relation to the Processing of Your Personal Data. Processing outside the scope of the foregoing will require prior written agreement between You and AlignOps on additional instructions for Processing and may be subject to additional fees.
- AlignOps is prohibited from (a) selling or sharing (as such terms may be defined in Data Protection Laws) Your Personal Data; (b) retaining, using or disclosing Your Personal Data for any purpose other than providing Services under the Agreement; (c) processing Your Personal Data outside of the direct business relationship between You and AlignOps; and (d) combining Your Personal Data with Personal Data of another customer or otherwise obtained outside of the scope of Services unless permitted by applicable Data Protection Laws. Except as otherwise expressly provided in the Agreement, Your Personal Data is not processed by AlignOps as consideration for any Service provided to You. You may take reasonable and appropriate steps to help to ensure that AlignOps uses Your Personal Data in a manner consistent with AlignOps’ obligations. AlignOps will notify You if it makes a determination that AlignOps can no longer meet its obligations under Data Protection Laws. You may, upon written notice to AlignOps and as set forth herein, take reasonable and appropriate steps to stop and remediate unauthorized use of Your Personal Data.
- Unless otherwise expressly permitted by AlignOps or as part of a specific feature of the Service, Your Personal Data shall not include any sensitive or special categories of data that impose specific data security or data protection obligations on AlignOps in addition to or different from those specified in the Agreement or which are not provided as part of the Services.
- If applicable Data Protection Laws recognize the roles of Controller and Processor as applied to Your Personal Data then, as between You and AlignOps, You act as Controller and AlignOps acts as a Processor (or Subprocessor, as the case may be) of Your Personal Data.
- By entering into the Agreement, You agree that Your Personal Data will be transferred to the United States of America or other countries as set forth in this DPA for purposes such as providing the Services as a Processor, account registration, administration, billing, communication with customers, direct marketing, security, license compliance and fraud prevention, user experience optimization, product and service improvements.
- As required by applicable Data Protection Laws, if AlignOps believes any of Your instructions to Process Your Personal Data will violate applicable Data Protection Laws, or if applicable Data Protection Laws require AlignOps to process Your Personal Data in a way that does not comply with Your documented instructions, AlignOps shall notify You in writing, unless applicable Data Protection Laws prohibit such notification, provided AlignOps is not responsible for performing legal research or providing legal advice to You.
- AlignOps shall Process Your Personal Data for the duration of the provision of Services in accordance with the Agreement and thereafter only as set forth in the Agreement and this DPA.
- Each party will comply with Data Protection Laws applicable to such party in connection with the Agreement and this DPA. For example, You will provide all applicable notices to Data Subjects required under applicable Data Protection Laws for the lawful Processing of Your Personal Data by AlignOps in accordance with the Agreement and will obtain all necessary consents. AlignOps is not responsible for providing such notices or obtaining such consents.
- Subprocessing
- Consent to Subprocessor Engagement. You generally authorize the engagement of third parties as Subprocessors provided such engagement complies with this Section 3. For the avoidance of doubt, this authorization constitutes Your prior written consent to the subprocessing of Your Personal Data for purposes of Clause 9, Option 2 of the Standard Contractual Clauses and any similar requirements of other data transfer mechanisms.
- Information about Subprocessors. A current list of Subprocessors is available in the application (“Subprocessor List”) to current AlignOps customers and may be updated by AlignOps from time to time in accordance with this DPA. AlignOps will provide notice of additions to the Subprocessor List via email.
- Requirements for Subprocessor Engagement. When engaging any Subprocessor, AlignOps will:
- execute with Subprocessors a written agreement providing that the Subprocessor (1) Processes Your Personal Data only to the extent required to perform the obligations subcontracted to it and does so in accordance with the Agreement and this DPA and (2) utilizes substantially the same level of data protection and security with regard to its Processing of Your Personal Data as described in this DPA; and
- be responsible for the Subprocessor’s violations of this DPA or Data Protection Laws in relation to the services such Subprocessor provides to AlignOps to the extent AlignOps would be liable for the same violations under the terms of the Agreement.
- Opportunity to Object to Subprocessor Changes. You may, on reasonable and objective grounds, object to AlignOps’ use of a new Subprocessor by providing AlignOps with written notice within ten (10) days after AlignOps has provided notice to You as described herein with documentary evidence that reasonably shows that the Subprocessor does not or cannot comply with the requirements in this DPA or Data Protection Laws (“Objection”). In the event of an Objection, You and AlignOps will work together in good faith to find a mutually acceptable resolution to address such Objection, including but not limited to reviewing additional documentation supporting the Subprocessor’s compliance with the DPA or Data Protection Laws.
- International Transfers
- In accordance with Your instructions above, AlignOps may Process Your Personal Data on a global basis as necessary to provide the Services, including for IT security purposes, maintenance and provision of the Services and related infrastructure, technical support, and change management.
- To the extent that the Processing of Your Personal Data by AlignOps involves the transfer of Your Personal Data from a country whose Data Protection Laws restrict the transfer of Personal Data to Third Countries, then such transfers shall be subject to the protections and provisions of the Standard Contractual Clauses (the Appendix for which is attached to this DPA in Exhibit A), the UK Addendum for transfers from the UK to Third Countries, or other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with Data Protection Laws. For purposes of this Section 4, transfers to the United States shall be carried out under the SCCs and UK Addendum, as applicable.
- You shall be deemed to have signed the SCC in Exhibit A, Annex I in Your capacity as “data exporter” and AlignOps in its capacity as “data importer.” Module One of the SCCs shall apply when You and AlignOps both act as Controller of the Personal Data. Module Two shall apply when You are Controller of Your Personal Data and AlignOps is Processor of such data. Module Three shall apply when You are a Processor of Your Personal Data on behalf of Your customer and AlignOps is a Subprocessor of such data. If Module Three applies, You hereby notify AlignOps that You are a Processor and the instructions shall be as set forth in this DPA. For purposes of Clauses 17 and 18 of the SCCs, the Parties select The Netherlands. Clause 7 is omitted. In Clause 11(a), the optional provision shall not apply. To the extent such a transfer includes Personal Data subject to Data Protection Laws of Switzerland, the Standard Contractual Clauses shall be adapted for use for Switzerland (where the Swiss Federal Act on Data Protection shall apply as the applicable Data Protection Law, Clauses 17 and 18 of the SCCs shall refer to Switzerland, and Data Subjects in Switzerland shall be able to avail themselves of any rights conferred by the Standard Contractual Clauses).
- If the UK Addendum applies, then:
- Table 1 of the UK Addendum is completed with the Parties’ details and Key Contacts of You (as data exporter) and AlignOps (as data importer), as provided above. The “Start date” is the Effective Date or other similar date of the Agreement.
- Table 2 of the UK Addendum is completed by selecting “the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum”.
- For the purposes of Table 2 and Table 3 of the UK Addendum, the “Approved EU SCCs” are completed with the Modules, selections, and details set forth above.
- Table 4 of the UK Addendum is completed by selecting “neither party”.
- The SCC, or UK Addendum, as applicable, will cease to apply if AlignOps has implemented an alternative recognized compliance mechanism for the lawful transfer of personal data in accordance with applicable Data Protection Laws.
- In the event of any conflict between any terms in the SCC or UK Addendum, as applicable, and the DPA, the SCC or UK Addendum, as applicable, shall prevail to the extent of the conflict.
- Security, Audits, and Notifications
- AlignOps Security Obligations. AlignOps shall implement appropriate technical and organizational measures designed to protect Your Personal Data. AlignOps may update its security practices from time to time but will not materially decrease the overall security of the Services during the term of the Agreement. Such measures shall include a process for regularly testing, assessing, and evaluating the effectiveness of the measures.
- Security Audits.
- AlignOps will, upon Your written request, verify its compliance with its obligations in this DPA by first providing to You documentation regarding the same and, if such documentation is not reasonably sufficient to address Your inquiries, participate in audits as set forth below.
- You may, upon at least 30 days’ advance written notice and at reasonable times, audit (either by Yourself or using independent third-party auditors) AlignOps’ compliance with the security measures set out in this DPA solely for the purpose of confirming AlignOps’ compliance with its obligations under this DPA. AlignOps shall reasonably assist with any audits conducted in accordance with this Section. Such audits may be carried out once per year, or more often if required by Data Protection Laws or Your applicable Supervisory Authority.
- Any third party engaged by You to conduct an audit must be pre-approved by AlignOps (such approval not to be unreasonably withheld) and sign AlignOps’ confidentiality agreement. You must provide AlignOps with a proposed audit plan at least two weeks in advance of the audit, after which You and AlignOps shall discuss in good faith and finalize the audit plan prior to commencement of audit activities.
- Audits may be conducted only during regular business hours, in accordance with the finalized audit plan and AlignOps’ security and other policies and may not unreasonably interfere with AlignOps’ regular business activities.
- Information obtained or results produced in connection with an audit are AlignOps confidential information and may only be used by You to confirm compliance with this DPA and for complying with Your requirements under Data Protection Laws.
- Without prejudice to the audit rights granted above, if the requested audit scope is addressed in a SOC, ISO, or similar audit report or attestation letter issued by a qualified third party auditor within the prior twelve months and AlignOps provides such report or attestation letter to You confirming there are no known material changes in the controls audited, You agree to accept the findings presented in the third party audit report or attestation letter in lieu of requesting an audit of the same controls covered by the report.
- Upon Your written request, AlignOps shall make available all information reasonably necessary to demonstrate compliance with this DPA as required by Data Protection Laws.
- Personal Data Breach.
- If AlignOps becomes aware of and determines a Personal Data Breach has occurred, AlignOps will notify You of the Personal Data Breach without undue delay and, in any case, within seventy-two (72) hours after such determination, at the contact information on file.
- AlignOps’ contact point for additional details regarding a Personal Data Breach is legal@alignops.com. AlignOps’ provision of any notification of a Personal Data Breach shall not constitute an admission of fault.
- You are solely responsible for fulfilling any Personal Data Breach notification obligations applicable to You. You and AlignOps shall work together in good faith within the timeframes for You to provide Personal Data Breach notifications in accordance with Data Protection Laws to finalize the content of any notifications to Data Subjects or Supervisory Authorities, as required by Data Protection Laws. AlignOps’ prior written approval shall be required for any statements regarding, or references to, AlignOps made by You in any such notifications.
- AlignOps shall treat Your Personal Data as Your Confidential Information, and shall put procedures in place to ensure that any employees or other personnel with access to Your Personal Data have committed themselves to confidentiality of Your Personal Data or are under an appropriate statutory obligation of confidentiality and do not Process Your Personal Data other than in accordance with this DPA.
- Access Requests and Data Subject Requests
- Save as required (or where prohibited) under applicable law, AlignOps shall promptly notify You of any request received by AlignOps or any Subprocessor from a Data Subject in respect of their Personal Data included in Your Personal Data (“Data Subject Request”) and shall not respond to the Data Subject Request where the Data Subject identifies You as its Controller. If a Data Subject does not identify a Controller, AlignOps will instruct the Data Subject to identify and contact the relevant Controller.
- Where applicable, and taking into account the nature of the Processing, AlignOps shall use reasonable endeavors to assist You by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Your obligation to respond to Data Subject Requests as required by Data Protection Laws. In order to receive such assistance, You shall utilize any tools provided by AlignOps including those providing You with the ability to correct, delete, block, access or copy the Personal Data of a Data Subject. If such functionality or other tools are not available, You may contact legal@AlignOps.com requesting assistance and clearly stating the nature of the Data Subject Request.
- Data Protection Impact Assessments and Prior Consultation
- To the extent required under applicable Data Protection Laws, AlignOps shall provide reasonable assistance to You with any data protection impact assessments and with any prior consultations to any of Your Supervisory Authorities, in each case solely in relation to Processing of Your Personal Data and taking into account the nature of the Processing and information available to AlignOps.
- Such cooperation and assistance are provided to the extent You do not otherwise have access to the relevant information, and to the extent such information is available to AlignOps. AlignOps may fulfill its above obligations by providing You with documentation regarding its Processing operations.
- Deletion and Retrieval of Your Personal Data
- After (i) cessation of Processing of Your Personal Data by AlignOps on Your written request or (ii) termination or expiration of the Agreement, except as otherwise permitted by applicable Data Protection Laws, AlignOps shall retain Your Personal Data then available in the Services in electronic format for thirty (30) days (“Retention Period”) and thereafter reserve the right to delete all other copies of Your Personal Data Processed by AlignOps, and where deletion is not possible, may sufficiently de-identify Your Personal Data such that it is no longer Personal Data.
- Upon Your written request during the term of the Agreement and the Retention Period, AlignOps will make a file of Your Personal Data available to You in a non-proprietary format. Certain Services may be subject to additional data retrieval and deletion terms as set forth in an applicable Service Addendum or Order Agreement.
- AlignOps may retain Your Personal Data to the extent and for such period required by applicable Data Protection Laws, provided that AlignOps shall ensure the confidentiality of all such Your Personal Data and that such Your Personal Data is only Processed as necessary for the purpose(s) specified in the applicable Data Protection Laws requiring its storage.
EXHIBIT A
APPENDIX TO THE STANDARD CONTRACTUAL CLAUSES
ANNEX I
- LIST OF PARTIES
Data exporter
Name:
The data exporter is the entity identified as “Subscriber” or “You” in the Agreement.
Address:
As set forth in the Agreement
Contact person:
As set forth in the Notices provision in the Agreement
Activities relevant to the data transferred under these Clauses:
As set forth in the Agreement
Signature and date:
Refer to Agreement
Role:
Controller, except when processing data on behalf of another entity, in which case data exporter is a Processor
Data importer
Name:
The data importer is the entity identified as “AlignOps” in the Agreement
Address:
As set forth in the Agreement
Contact person:
Activities relevant to the data transferred under these Clauses:
As set forth in the Agreement
Signature and date:
Refer to Agreement
Role:
Processor, or Subprocessor if data exporter is a Processor
- DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
Data exporter’s personnel.
Categories of personal data transferred:
As determined by data exporter in its sole discretion, which may include user name, email, phone number, photos, payment and billing information, general location information, and device information.
Sensitive categories of data (if appropriate):
Solely as applicable to certain Services, and solely at data exporter’s discretion, biometric information and precise geolocation information. Data exporter agrees the safeguards set forth in Annex II are sufficient for protection of such sensitive categories of data.
The frequency of the transfer:
As set forth in the Agreement
Nature of the processing:
The subject-matter and nature of the processing of data exporter Personal Data by data importer is for the provision of the Services to the data exporter under the Agreement.
Purposes of the data transfer and further processing:
Refer to the DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Personal Data will be processed for the duration of the Agreement, subject to the DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Refer to the DPA and the Agreement
- COMPETENT SUPERVISORY AUTHORITY
The competent Supervisory Authority shall be the Supervisory Authority of the Netherlands, the UK ICO for matters related to the UK or UK data subjects, or the Swiss Federal Data Protection and Information Commissioner for matters related to Switzerland or Swiss data subjects.
ANNEX II
Technical and organizational measures including technical and organizational measures to ensure the security of the Customer Personal Data:
- Administrative controls
- Security education, training, and awareness program - data importer trains all employees on hire and on a recurring basis on security concepts. Training exercises are conducted to give employees opportunities to apply their knowledge.
- Developer security training - Software developers receive additional ongoing training in secure coding concepts.
- User access reviews - Access to critical systems is reviewed for appropriate authorizations regularly on a recurring basis.
- Backup strategy - maintain backups consistent with availability and durability requirements.
- Incident response team - data importer maintains an incident response capability including a specific team to handle such incidents.
- Secure system development lifecycle - System development follows a documented process and includes security considerations throughout the lifecycle.
- Change management process - All changes to software go through a documented change management process.
- Technical Controls
- Encryption in transit - Communication with the web application is performed through a TLS-secured connection with a restricted cipher suite.
- Encryption at rest - data exporter personal data is protected with AES256 encryption and unique keys for each user.
- Backups - Critical data and system configuration information is backed up on a regular and rolling basis.
- Vulnerability scanning - Web application scanning occurs regularly to identify potential vulnerabilities within data importer’s platform.
- Static code analysis - Source code is subjected to static analysis to uncover errors or security risks which are remediated in accordance with standard processes for secure software development.
- Capacity monitoring - Information assets are monitored to ensure capacity exceeds that needed to meet demand.
- Data segregation - Customer Data stored in the Service is logically segregated from data of other customers.
- Physical Controls
- Infrastructure hosted and secured by Amazon Web Services - data importer infrastructure to deliver services is hosted by Amazon Web Services and includes physical measures designed to protect against fire, flood, power interruption, and sabotage.
ANNEX III
The data exporter has authorized the use of the following subprocessors:
As set forth in the DPA.