Data Processing Addendum

This Data Processing Addendum ("Addendum") forms part of the Terms of Service or other written agreement entered into between Appfigures, Inc. ("Appfigures") and you that incorporates this Addendum and appendixes by reference (the "Agreement"), and governs the Processing of Personal Information by Appfigures in providing its reporting service (the "Service") pursuant to the Agreement.

1. Definitions

1.1 "Data Subject" means any individual about whom Personal Information may be Processed under this Addendum.

1.2 "Data Protection Legislation" means the GDPR (as defined below), together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time.

1.3 "GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

1.4 "Personal Information" means personal data (as defined under the Data Protection Legislation) that are subject to the Data Protection Legislation and that you authorize Appfigures to collect in connection with Appfigures' provision of the Service under the Agreement.

1.5 "Process" or "Processing" means any operation or set of operations performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Information.

1.6 "Security Incident" means a breach of security of the Service or Appfigures' systems used to Process Personal Information leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored or otherwise Processed by Appfigures in the context of this Addendum.

1.7 "Sensitive Information" means Personal Information revealing a Data Subject's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation.

2. Limitations on Use

Appfigures will Process Personal Information solely on your behalf and in accordance with the Agreement, this Addendum and any other documented instructions from you (whether in written or electronic form), or as otherwise required by applicable law. Appfigures is hereby instructed to Process Personal Information to the extent necessary to enable Appfigures to provide the Service in accordance with the Agreement. In case Appfigures cannot Process Personal Information in accordance with your instructions due to a legal requirement under any European Union or Member State law to which Appfigures is subject, Appfigures shall (i) promptly notify you in writing (including by email) of such legal requirement before carrying out the relevant Processing, to the extent permitted by the applicable law; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Information) until such time as you provide Appfigures with new instructions. You will be responsible for providing any necessary notices to, and obtaining any necessary consents from, Data Subjects whose Personal Information is provided by you to Appfigures for Processing pursuant to this Addendum. You acknowledge that the Service is not intended or designed for the Processing of Sensitive Information, and you agree not to provide any Sensitive Information through the Service.

3. Security

Appfigures shall implement, and maintain throughout the term of the Addendum at all times in accordance with then current good industry practice, appropriate technical and organizational measures to protect Personal Information in accordance with Article 32 of the GDPR. The Service provides reasonable technical and organizational measures as detailed in Appendix 1.

Appfigures will also assist you with conducting any legally required data protection impact assessments (including subsequent consultation with a supervisory authority), if so required by the Data Protection Legislation, taking into account the nature of Processing and the information available to Appfigures. Appfigures may charge a reasonable fee for any such assistance, as permitted by applicable law and with your approval.

4. Data Subject Requests

You are responsible for handling any requests or complaints from Data Subjects with respect to their Personal Information Processed by Appfigures under this Addendum. Appfigures will notify you promptly, and in any event with no less than fifteen (15) business days' notice, unless prohibited by applicable law, if Appfigures receives any such requests or complaints. The Service includes technical and organizational measures that have been designed, taking into account the nature of its Processing, to assist customers, insofar as this is possible, in fulfilling their obligations to respond to such requests or complaints.

5. Regulatory Investigations

At your request, Appfigures will assist you in the event of an investigation by a competent regulator, including a data protection regulator or similar authority, if and to the extent that such investigation relates to the Processing of Personal Information by Appfigures on your behalf in accordance with this Addendum. Appfigures may charge a reasonable fee for such requested assistance except where such investigation arises from a breach by Appfigures of the Agreement or this Addendum, to the extent permitted by applicable law.

6. Security Incident

In the event that Appfigures becomes aware of a Security Incident, Appfigures will notify you promptly and in any event no later than forty-eight (48) hours after Appfigures discovers the Security Incident. In the event of such a Security Incident, Appfigures shall provide you with a detailed description of the Security Incident and the type of Personal Information concerned, unless otherwise prohibited by law or otherwise instructed by a law enforcement or supervisory authority. Following such notification, Appfigures will take reasonable steps to mitigate the effects of the Security Incident and to minimize any damage resulting from the Security Incident. At your request, Appfigures will provide reasonable assistance and cooperation with respect to any notifications that you are legally required to send to affected Data Subjects and regulators. Appfigures may charge a reasonable fee for such requested assistance.

7. Sub-Processors

You agree that Appfigures may disclose Personal Information to its subcontractors for purposes of providing the Service ("Sub-Processors"), provided that Appfigures (i) shall enter into an agreement with its Sub-Processors that imposes on the Sub-Processors obligations regarding the Processing of Personal Information that are at least as protective of Personal Information as those that apply to Appfigures hereunder, including requiring the Sub-Processors to only Process Personal Information to the extent required to perform the obligations sub-contracted to them, and (ii) shall remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-Processors. Appfigures' current list of Sub-Processors is available on request.

8. Data Transfers

In connection with the performance of the Agreement, you authorize Appfigures to transfer Personal Information to the United States. You and Appfigures will enter into the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries pursuant to Commission Decision 2010/87/EU of 5 February 2010 (the "Model Contract").

9. Information

Appfigures shall make available to you all information necessary to demonstrate compliance with the obligations laid down in this Addendum and allow for and contribute to audits, including inspections, conducted by you or any auditor mandated by you. Appfigures shall immediately inform you if, in its opinion, an instruction infringes the Data Protection Legislation.

10. Return or Disposal

Upon termination of your User Account for any reason, Appfigures will destroy all Personal Information.

Appendix 1: Details of Processing

This Appendix 1 includes certain details of the Processing of Company Personal Data as required by Article 28(3) GDPR.

Nature and Purpose

Appfigures collects information on users of the service to ensure system operations, improve the platform, and provide customer support.

Duration

Customer information is collected upon signup and is retained for all active customers of the service. Personal information is deleted upon termination of the service.

Types of Personal Data

Appfigures collects the name and email address of all Appfigures users, as well as for any recipient of automated alerts and emails.

Categories of Data Subject

Appfigures collects this information for Customers that have registered with the service.

Technical and Organizational Security Measures

Preventing Unauthorized Product Access

Physical and environmental security: Appfigures hosts its product infrastructure with co-location providers. Access to Appfigures servers is only available to authorized employees.

Authentication: Appfigures requires authentication via a username and password to access its service.

Authorization: Customer data is stored in multi-tenant storage systems that Customers can reach only via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of Appfigures' products is designed to ensure that only authorized individuals can access relevant features, views, and customization options. Authorization to data sets is performed by validating the user's permissions against the attributes associated with each data set.
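The following is an added illustration of the authorization model described above; it is example code written for this page, not Appfigures' implementation. Every attribute name, role, scope and sample record in it is constructed for the example. The point it shows is the order of checks: tenant isolation (the data set's owning account must match the user's account) is decided first, and only then are the user's permissions compared against the attributes attached to the data set, so a role or scope can never widen access across accounts in a multi-tenant store.

```python
"""Attribute-based authorization for data sets in a multi-tenant store.

Example code added to this page; it is not Appfigures' code. All field names,
roles, scopes and records are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataSet:
    dataset_id: str
    account_id: str              # the tenant (Customer account) that owns the data set
    required_scope: str          # permission a caller must hold, e.g. "reports:read"
    allowed_roles: frozenset     # roles within the owning account that may view it


@dataclass(frozen=True)
class User:
    user_id: str
    account_id: str              # the tenant the user belongs to
    role: str                    # role assigned inside that tenant
    scopes: frozenset            # granted permissions (e.g. from an API key or OAuth grant)


def authorize(user: User, dataset: DataSet) -> tuple:
    """Return (allowed, reason). The reason is intended for the audit log."""
    # 1. Tenant isolation comes first and is never overridden by role or scope.
    if user.account_id != dataset.account_id:
        return (False, "tenant mismatch")
    # 2. The caller must hold the scope the data set requires.
    if dataset.required_scope not in user.scopes:
        return (False, "missing scope " + dataset.required_scope)
    # 3. The caller's role must be one the data set allows.
    if user.role not in dataset.allowed_roles:
        return (False, "role " + user.role + " not permitted")
    return (True, "ok")


def is_authorized(user: User, dataset: DataSet) -> bool:
    return authorize(user, dataset)[0]


def visible_datasets(user: User, datasets: list) -> list:
    """IDs of the data sets the user may read, in sorted order."""
    return sorted(d.dataset_id for d in datasets if is_authorized(user, d))


# Constructed sample data: two tenants, three data sets, three users.
DATASETS = [
    DataSet("ds-acme-sales", "acct-acme", "reports:read", frozenset({"owner", "analyst"})),
    DataSet("ds-acme-billing", "acct-acme", "billing:read", frozenset({"owner"})),
    DataSet("ds-globex-sales", "acct-globex", "reports:read", frozenset({"owner", "analyst"})),
]

USERS = {
    "alice": User("alice", "acct-acme", "owner", frozenset({"reports:read", "billing:read"})),
    "bob": User("bob", "acct-acme", "analyst", frozenset({"reports:read", "billing:read"})),
    # carol has every scope she could ask for, but belongs to a different tenant
    "carol": User("carol", "acct-globex", "owner", frozenset({"reports:read", "billing:read"})),
}


if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, "->", visible_datasets(user, DATASETS))
    # Show a denial with its logged reason: carol is refused acme's data set
    # before her scopes or role are even considered.
    print(authorize(USERS["carol"], DATASETS[0]))
```

Note that bob holds the `billing:read` scope but not the `owner` role, so the billing data set stays hidden from him; carol's broad scopes are irrelevant once the tenant check fails. Returning a reason alongside the decision lets the denial be written to the same logs the Detection measures below rely on.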

Application Programming Interface (API) access: Public product APIs may be accessed using a unique API key in addition to a username and a password, or through OAuth authorization.

Preventing Unauthorized Product Use

Appfigures implements industry standard access controls and detection capabilities for the internal networks that support its products.

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure.

Intrusion detection and prevention: Appfigures has implemented a Web Application Firewall (WAF) solution to protect customer data. The WAF is designed to identify and prevent attacks against publicly available network services.

Static code analysis: Security reviews of source code are performed routinely, checking for coding best practices and identifiable software flaws.

Bug bounty: Appfigures maintains a bug bounty program to incentivize independent security researchers to ethically discover and disclose security flaws.

Limitations of Privilege & Authorization Requirements

Product access: A limited number of Appfigures employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a limited number of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents, and to implement data security. Employee roles are reviewed at least once every twelve months.

Background checks: All Appfigures employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by state and federal laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

Transmission Control

In-transit: Appfigures uses HTTPS encryption (TLS, historically referred to as SSL) on every one of its login interfaces. Appfigures' HTTPS implementation uses industry standard algorithms and certificates, and is kept up to date.

At-rest: Appfigures stores user passwords following industry standard practices for security.

Input Control

Detection: Appfigures infrastructure logs information about system behavior, traffic, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities.

Communication: If Appfigures becomes aware of unlawful access to Customer data stored within its products, Appfigures will: 1) notify the affected Customers of the incident; 2) provide a description of the steps Appfigures is taking to resolve the incident; and 3) provide status updates to the Customer contact, as necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer's contacts in a form Appfigures selects, which may include via email or telephone.

Availability

The Appfigures platform and products are designed to ensure redundancy and seamless failover in case of failure. This design assists Appfigures operations in maintaining and updating the platform, applications, and backend while limiting downtime.

Updated 3/1/2019