Data Processing Addendum

This Data Processing Addendum (“DPA”) is an agreement between Proposify Inc., a company registered in Nova Scotia, Canada with a mailing address of PO Box 57 Main, Dartmouth, NS B2Y 3Y2 (“we” or “us” or “Proposify”) and you or the entity you represent (“Customer” or “you”). This DPA supplements the Proposify Terms of Service as updated from time to time (“Terms of Service”), when we process personal data on your behalf in connection with the Services.

1. Definitions

Terms defined in the Terms of Service shall apply in this DPA, unless defined otherwise in this DPA. The following terms used in this DPA shall have the following meanings:

“Data Protection Legislation”
shall mean all applicable laws relating to data protection and privacy including (without limitation) the EU General Data Protection Regulation (2016/679) and any implementing national laws, the EU Privacy and Electronic Communications Directive 2002/58/EC as implemented in each jurisdiction, and any amending or replacement legislation from time to time;

“Customer Personal Data”
shall mean all personal data (as defined in the Data Protection Legislation) controlled by the Customer which is processed by Proposify in providing with the Services; and

“Services”
the services provided by Proposify to the Customer.

1.1 In this DPA, the terms “process”, “data controller”, “data processor” and “data subject” shall have the meanings set out in the Data Protection Legislation.

1.2 The parties shall each comply with their respective obligations under the Data Protection Legislation as regards the Customer Personal Data. The parties agree that the Customer shall be the data controller and Proposify shall be a data processor of any Customer Personal Data. The Customer warrants that its instructions to Proposify in respect of the Customer Personal Data are lawful.

1.3 Proposify shall:

(a) Only Process Personal Data for the purposes outlined in this DPA or as otherwise agreed within the scope of your lawful, documented Instructions, except as otherwise required by applicable law. We are not responsible for compliance with any Data Protection Laws applicable to you or your industry that are not generally applicable to us. Proposify shall inform the Customer of the legal requirement before processing the Customer Personal Data other than in accordance with the Customer’s instructions, unless legally prohibited from doing so;

(b) ensure that its personnel are subject to appropriate obligations of confidentiality;

(c) on termination of this DPA, upon the Customer’s request, return or delete the Customer Personal Data, and delete any existing copies in its possession unless required to retain such Customer Personal Data under applicable law.

1.4 The Customer consents to Proposify engaging the subcontractors listed in Schedule 1 to process the Customer Personal Data on its behalf (“Sub-processors”). Proposify shall ensure Sub-processors are subject to contractual obligations which are the same as or equivalent to those imposed on Proposify under this DPA. Proposify shall inform the Customer of changes concerning the addition or replacement of any Sub-processor - should it be considered to affect the use and stability of the product, upon temporary integration or in the long-term - within a reasonable time, prior to implementation of such a change that may cause disruption. In the event of the Customer objecting to such change, fitting the description above, Proposify shall make reasonable efforts to address the Customer’s concerns.

1.5 The Customer acknowledges and agrees that Customer Personal Data may be processed by Sub-processors outside the European Economic Area or the country where the Customer is located in order to carry out the Services and Proposify’s other obligations under the Terms of Service. Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

1.6 Proposify shall use appropriate technical and organisational measures to protect Customer Personal Data stored within Proposify infrastructure against unauthorised and unlawful processing and against accidental loss, destruction, disclosure, damage or alteration, as described in our Security standards.

1.7 The customer acknowledges that the Proposify Service is hosted by our hosting Sub-Processors who maintain independently validated security programs (including SOC 2 and ISO 27001) and that our systems are audited annually as part of SOC 2 compliance and regularly tested by independent third party vulnerability testing firms. Upon request, we will supply (on a confidential basis) our SOC 2 report and summary copies of our vulnerability testing report(s) to you so that you can verify our compliance with this DPA.

1.8 Proposify shall notify the Customer without undue delay of any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Customer Personal Data ("Security Breach"). Proposify shall provide the Customer with reasonable assistance in relation to the Security Breach, including the provision of such information as is known to Proposify regarding the nature of the breach, the categories and approximate number of data subjects and records concerned.

1.9 The Customer Personal Data processing activities carried out by Proposify under this DPA may be described as follows:

Subject matter: The provision of the Services.

Duration: The duration of the Services plus the period from the expiry of the services until deletion of all Customer Personal Data by Proposify.

Nature and purpose: To enable Proposify to provide the Services.

Data categories: personal information relating to employees and business associates of the
Customer, which may include name, email, business address, IP address, location by region
or country and product usage statistics.

Data subjects: authorized users, employees of Customer, consultants of Customer, contractors of Customer, customers of Customer, agents of Customer, and/or third parties with which Customer conducts business.

2. Conflict

Except as amended by this DPA, the Terms of Service will remain in full force and effect. If there is a conflict between the Terms of Service and this DPA, the terms of this DPA will control.

3. Changes to the Terms of Service and the Service

Proposify reserves the right to update this DPA from time to time, at our discretion and without notice. Each new version will be made available on our Website and it is your responsibility to regularly check our Website for new versions. Your continued use of the Services following the publishing of an updated DPA means that you accept and agree to the changes.

This DPA was last updated on the July 18, 2023.

SCHEDULE 1 – APPROVED SUB-PROCESSORS