Data Processing Addendum

This Data Processing Addendum, including its Schedules and Appendices (“DPA”), forms part of the Master Subscription Agreement or other written or electronic agreement between Flosum Corporation (“Flosum”) and the Customer entity entering this Agreement for the purchase of online services from Flosum (the “Agreement”) to document the parties’ agreement regarding the Processing of Personal Data. If such Customer entity and Flosum have not entered into an Agreement, then this DPA is void and of no legal effect.

The Customer entity named above enters into this DPA for itself and, if any of its Affiliates act as Controllers of Personal Data, on behalf of those Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

In the course of providing the SaaS Services to the Customer under the Agreement, Flosum may Process Personal Data on behalf of the Customer. The parties agree to the following terms with respect to such Processing.

1. DEFINITIONS

“Affiliate” means any entity that, directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with a party to this Agreement, by way of majority voting stock ownership or the ability to otherwise direct or cause the direction of the management and policies of such entity. Customer shall notify Flosum in writing of the identity of its Affiliates and shall be jointly and severally liable for such Affiliates’ performance of their obligations under this Agreement. Notwithstanding the foregoing, Affiliates of Customer are limited to legal entities that are under common control with Customer.

“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Customer” means the entity named above and its Affiliates.

“Data Protection Laws and Regulations” means all laws and regulations of the European Union and its member states, the European Economic Area and its member states, the United Kingdom, Switzerland, the United States, Canada, New Zealand, and Australia, and their respective political subdivisions, applicable to the Processing of Personal Data.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“Europe” means the European Union, the European Economic Area, Switzerland, and the United Kingdom. Additional provisions applicable to transfers of Personal Data from Europe are contained in Schedule 5. In the event that Schedule 5 is removed, the Customer warrants that it shall not process Personal Data subject to the Data Protection Laws and Regulations of Europe.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Flosum Group” means Flosum, its Affiliates, and its subsidiaries engaged in the Processing of Personal Data.

“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.

“Personal Data Processing Services” means the SaaS Services listed in Schedule 2, for which Flosum may process Personal Data.

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any "service provider" as that term is defined by the CCPA.

“Standard Contractual Clauses” means the Annex to the European Commission’s implementing decision (EU) 2021/914 (https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of the European Union, subject to the required amendments for the United Kingdom and Switzerland further described in Schedule 5.

“Sub-processor” means any Processor engaged by Flosum, by a member of the Flosum Group or by another Sub-processor.

“Supervisory Authority” means a governmental or government-chartered regulatory body having binding legal authority over the Customer.

“UK Data Protection Law” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as may be amended from time to time by the Data Protection Laws and Regulations of the United Kingdom.

2. PROCESSING OF PERSONAL DATA

  1. Scope. The parties agree that this DPA shall apply solely to the Processing of Personal Data within the Personal Data Processing Services.
  2. Roles of the Parties. The parties agree that with regard to the Processing of Personal Data, Customer is the Controller and Flosum is the Processor.
  3. Flosum’s Processing of Personal Data. Flosum shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Orders; (ii) Processing initiated by Customer personnel in their use of the SaaS Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
  4. No Commercial Use of Personal Data. Flosum shall not: (i) sell Personal Data; (ii) retain, use, disclose or Process Personal Data for any commercial or other purposes other than to perform the SaaS Services; or (iii) retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Flosum.
  5. Notification of Unlawful Instructions. Flosum shall immediately inform Customer if, in its opinion, an instruction by Customer infringes any Data Protection Law or Regulation.
  6. Details of the Processing. The subject matter of the Processing of Personal Data by Flosum is the performance of the SaaS Services pursuant to the Agreement. The duration of the Processing, the nature, and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects Processed under this DPA are further specified in Schedule 3 (Details of the Processing).
  7. Data Protection Impact Assessment. Upon Customer's request, Flosum shall reasonably assist Customer in fulfilling Customer's obligation under Data Protection Laws and Regulations to carry out a data protection impact assessment related to Customer's use of the SaaS Services, to the extent Customer does not otherwise have access to the relevant information and such information is available to Flosum. Flosum shall reasonably assist Customer in its cooperation or prior consultation with a Supervisory Authority regarding any such data protection impact assessment to the extent required under applicable Data Protection Laws and Regulations.
  8. Customer Obligations Regarding Personal Data. In its use of the SaaS Services, Customer will comply with the Data Protection Laws and Regulations, including any applicable requirements to provide notice to and/or obtain consent from Data Subjects for Processing by Flosum. Customer shall ensure that its instructions for the Processing of Personal Data comply with Data Protection Laws and Regulations. Customer shall be solely responsible for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer shall ensure that its use of the SaaS Services will not violate the rights of any Data Subject that has opted out of sales or other disclosures of Personal Data, to the extent applicable.

3. REQUESTS FOR CUSTOMER DATA

  1. Requests from Data Subjects. Flosum shall, to the extent legally permitted, promptly notify Customer if Flosum receives a request from a Data Subject to exercise the Data Subject's right of access, right of rectification, right to restrict processing, right of erasure (“right to be forgotten”), right of data portability, right to object to the Processing, or right not to be subject to automated individual decision making, each such request being a “Data Subject Request.” Taking into account the nature of the Processing, Flosum shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the SaaS Services, does not have the ability to address a Data Subject Request, Flosum shall upon Customer’s request use commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Flosum is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. Where such assistance exceeds the scope of the contracted SaaS Services, and to the extent legally permitted, the Customer will be responsible for any additional costs arising from the assistance.
  2. Requests from Other Third Parties. If Flosum receives a request from a third party other than a Data Subject (including, without limitation, a government agency) for Customer Data, Flosum shall, where permitted by law, direct the requesting party to the Customer and promptly notify the Customer of the request. Where Flosum is not permitted by law to notify the Customer of the request, Flosum shall only respond to the requesting party if required by law to do so and will make reasonable efforts to work with the requesting party to narrow the scope of the request for Customer Data.

4. FLOSUM PERSONNEL

  1. Confidentiality. Flosum shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. Flosum shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
  2. Reliability. Flosum shall take commercially reasonable steps to ensure the reliability of any Flosum personnel engaged in the Processing of Personal Data.
  3. Limitation of Access. Flosum shall ensure that Flosum’s access to Personal Data is limited to that personnel who require such access to perform the SaaS Services in accordance with the Agreement.
  4. Data Protection Officer. Members of the Flosum Group will appoint a data protection officer where such an appointment is required by Data Protection Laws and Regulations. The appointed person may be reached at privacy@Flosum.com.

5. SUB-PROCESSORS

  1. Appointment of Sub-processors. Customer grants Flosum a general authorization to appoint third-party Sub-processors in connection with the SaaS Services, in accordance with the procedures outlined in this DPA. Flosum or a Flosum Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Customer Data, to the extent applicable to the services provided by such Sub-processor.
  2. Current Sub-processors and Notification of New Sub-processors. A list of Sub-processors for the SaaS Services, as of the date this DPA is executed, is attached in Schedule 1. Flosum shall notify Customer in writing of any new Sub-processor before authorizing such new Sub-processor to Process Personal Data.
  3. Objection Right for New Sub-processors. Customer may object to Flosum’s use of a new Sub-processor by notifying Flosum in writing within 30 days after receipt of a notice described in the preceding paragraph. If Customer objects to a new Sub-processor as permitted in the preceding sentence, Flosum will use commercially reasonable efforts to make available to Customer a change in the SaaS Services or recommend a change to Customer’s configuration or use of the SaaS Services, to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Flosum is unable to make available such a change in the SaaS Services, or to recommend such a change to Customer’s configuration or use of the SaaS Services that is satisfactory to Customer, within a reasonable period of time (which shall in no event exceed 30 days), Customer may terminate the applicable Order Form(s) by providing written notice to Flosum. In such event, Flosum will refund to Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination, without imposing a penalty for such termination on Customer.
  4. Liability for Sub-Processors. Flosum shall be liable for the acts and omissions of its Sub-processors to the same extent Flosum would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise provided in the Agreement.

6. SECURITY

  1. Controls for the Protection of Customer Data. Flosum shall maintain appropriate physical, technical and organizational measures for the protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, including Personal Data, in accordance with Schedule 4 (Flosum Security Controls). Flosum will not materially decrease the overall security of the SaaS Services during a subscription term.
  2. Third-Party Audit Reports and Certifications. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations in the Agreement, Flosum shall make available to Customer a copy of Flosum’s then most recent third-party SOC 2 audit report, and of any other audit reports and certifications that Flosum makes available to customers, provided Customer is not a competitor of Flosum.

7. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION

  1. Flosum maintains security incident management policies and procedures and shall notify Customer without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Flosum or its Sub-processors (a “Customer Data Incident”). Flosum shall make reasonable endeavors to identify the cause of such Customer Data Incident and take steps as Flosum deems necessary and reasonable to remediate the cause of such Customer Data Incident to the extent the remediation is within Flosum’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or its personnel.

8. RETURN AND DELETION OF CUSTOMER DATA

  1. Flosum shall return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Agreement.

9. AUDIT

  1. Upon Customer’s request, and subject to the confidentiality obligations in the Agreement, Flosum shall make available to Customer (or Customer’s third-party auditor that has signed a nondisclosure agreement reasonably acceptable to Flosum) information regarding the Flosum Group’s compliance with the obligations set forth in this DPA in the form of Flosum’s completed standardized security questionnaires, third-party certifications and audit reports (e.g., its completed Standardized Information Gathering (SIG) and Cloud Security Alliance Consensus Assessments Initiative (CSA CAIQ) questionnaires, SOC 2 report and summary penetration test reports) and, for its Sub-processors, the third-party certifications and audit reports made available by them. Following any notice by Flosum to Customer of an actual or reasonably suspected unauthorized disclosure of Personal Data, upon Customer’s reasonable belief that Flosum is in breach of its Personal Data protection obligations under this DPA, or if such audit is required by Customer’s Supervisory Authority, Customer may contact Flosum to request an audit of the procedures relevant to the protection of Personal Data. Any such audit shall be conducted remotely, except that Customer and/or its Supervisory Authority may conduct an on-site audit at Flosum’s premises if so required by the Data Protection Laws and Regulations. Any such request shall occur no more than once annually, except in the event of an actual or reasonably suspected unauthorized access to Personal Data. Before the commencement of any audit, Customer and Flosum shall mutually agree upon the scope, timing, and duration of the audit. In no event will any audit of a Sub-processor, beyond a review of reports, certifications and documentation made available by the Sub-processor, be permitted without the Sub-processor’s consent.

10. AFFILIATES

  1. Contractual Relationship. The Customer entity signing this DPA does so for itself and, as applicable, in the name and on behalf of its Affiliates, thereby establishing a separate DPA between Flosum and each such Affiliate subject to the provisions of the Agreement, this Clause 10, and Clause 11 below. Each such Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, such Affiliates are not and do not become parties to the Agreement, and are only parties to this DPA. All access to and use of the SaaS Services by such Affiliates must comply with the Agreement, and any breach of the Agreement by an Affiliate shall be deemed a breach by Customer.
  2. Communication. The Customer entity signing this DPA shall remain responsible for coordinating all communication with Flosum under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Affiliates.
  3. Rights of Customer Affiliates. Where a Customer Affiliate becomes a party to this DPA with Flosum, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
    1. Except where applicable Data Protection Laws and Regulations require the Customer Affiliate to exercise a right or seek any remedy under this DPA against Flosum directly, the parties agree that (i) solely the Customer entity that signed this DPA shall exercise any such right or seek any such remedy on behalf of the Customer Affiliate, and (ii) the Customer entity signing this DPA shall exercise any such rights under this DPA not separately for each Affiliate individually but in a combined manner for itself and all of its Affiliates together (as set forth, for example, in Clause 10.3.2 below).
    2. The Customer entity signing this DPA shall, when carrying out a permitted audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on Flosum and its Sub-Processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of itself and all of its Affiliates in one single audit.

11. LIMITATION OF LIABILITY

  1. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the “Liability Limit” clauses, and such other clauses that exclude or limit liability, of the Agreement, and any reference in such clauses to the liability of a party means the aggregate liability of that party and all of its Affiliates.

12. CHANGES TO TRANSFER MECHANISMS

  1. In the event that a current transfer mechanism relied upon by the parties for the facilitation of transfers of Personal Data to one or more countries that do not ensure an adequate level of data protection within the meaning of the Data Protection Laws and Regulations is invalidated, amended, or replaced, the parties will work in good faith to enact such alternative transfer mechanism as will enable the continued Processing of Personal Data contemplated by the Agreement. The use of such an alternative transfer mechanism shall be subject to each party’s fulfillment of all legal requirements for use of such a transfer mechanism.

List of Schedules

Schedule 1: Current Sub-Processor List

Schedule 2: SaaS Services Applicable to Personal Data Processing

Schedule 3: Details of the Processing

Schedule 4: Flosum Security Controls

Schedule 5: European Provisions

SCHEDULE 1

Current Sub-Processor List

Sub-Processor Name: Flosum Corporation
Sub-Processor Address: 11040 Bollinger Canyon Rd, Suite E-944, San Ramon, CA 94582
Nature of Processing: Customer support and maintenance
Duration of Processing: For the term of the Agreement.
Location of Processing: United States

Sub-Processor Name: Amazon Web Services, Inc.
Sub-Processor Address: 410 Terry Avenue North, Seattle, Washington 98109, USA
Nature of Processing: Application hosting and data storage
Duration of Processing: For the term of the Agreement.
Location of Processing: United States, Canada, Germany, United Kingdom, or Australia

Sub-Processor Name: Salesforce, Inc.
Sub-Processor Address: Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA
Nature of Processing: Application hosting and data management
Duration of Processing: For the term of the Agreement.
Location of Processing: Same location as your Salesforce org

SCHEDULE 2

SaaS Services Applicable to Personal Data Processing

Flosum Backup, Restore and Archive

Flosum Data Migrator

Flosum Data Masking

Flosum Security Org Scanner

SCHEDULE 3

Details of the Processing

Data Exporter

Full Legal Name: The Customer entering this Agreement for the use of Flosum Services

Contact Details: The email address(es) or mailing address designated by the Customer in Customer’s account.

Data Importer

Full Legal Name: Flosum Corporation

Main Address: 11040 Bollinger Canyon Rd, Suite E-944, San Ramon, CA 94582

Contact: Privacy Officer

Contact Email: Contracts@flosum.com

Nature and Purpose of Processing

Flosum will Process Personal Data as necessary to perform the SaaS Services pursuant to the Agreement and Orders, and as further instructed by Customer in its use of the SaaS Services.

Duration of Processing

Flosum will Process Personal Data for the duration of the Agreement unless otherwise agreed in writing.

Retention

Flosum will retain Personal Data in the SaaS Services for the duration of the Agreement, unless otherwise agreed in writing, subject to the maximum retention period specified in the Documentation.

Frequency of Transfer

As determined by Customer through their use of the SaaS Services.

Transfers to Sub-processor(s)

As necessary to perform the SaaS Services pursuant to the Agreement and Orders, and as further described in Schedule 1.

Categories of Data Subjects

Customer may submit Personal Data to the SaaS Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to Personal Data relating to the following categories of data subjects:

  • Prospects, customers, business partners and vendors of Customer (who are natural persons)
  • Employees or contact persons of Customer’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, freelancers of Customer (who are natural persons)
  • Customer’s users authorized by Customer to use the SaaS Services

Type of Personal Data

Customer may submit Personal Data to the SaaS Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to the following categories of Personal Data:

  • First and last name
  • Title
  • Position
  • Employer
  • Contact information (company, email, phone, physical business address)
  • ID data
  • Professional life data
  • Personal life data
  • Localization data

Special categories of data (if appropriate)

Customer may submit special categories of Personal Data to the SaaS Services, the extent of which is determined and controlled by Customer in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

SCHEDULE 4

Flosum Security Controls 3.3

1. Introduction

1.1 Flosum software-as-a-service applications (SaaS Services) were designed from the beginning with security in mind. The SaaS Services are architected with a variety of security controls across multiple tiers to address a range of security risks. These security controls are subject to change; however, any changes will maintain or improve the overall security posture.

1.2 The descriptions of controls below apply to the SaaS Service implementations on Amazon Web Services (AWS) (referred to as our Cloud Service Provider, or CSP), except as specified in the Encryption section below.

2. Audits and Certifications

2.1 Flosum undergoes an annual SOC 2 Type II audit under SSAE-18 to independently verify the effectiveness of its information security practices, policies, procedures, and operations for the following Trust Services Criteria: Security, Availability, Confidentiality, and Processing Integrity.

2.2 Flosum utilizes global CSP regions for its computing and storage for the SaaS Services. AWS is a top-tier provider whose infrastructure carries several third-party attestations, including SOC 1 (SSAE 18), SOC 2, and SOC 3 reports, and it supports HIPAA compliance for eligible services.

3. Web Application Security Controls

3.1 Customer access to the SaaS Services is only via HTTPS (TLS 1.2+), ensuring encryption of data in transit.

3.2 Customers can provision and de-provision SaaS Service users and their access.

3.3 Role-based access controls are provided to manage multi-org permissions.

3.4 Customers have access to audit trails (username, action, timestamp, source IP). Logs are viewable/exportable via UI and API.

3.5 Access can be restricted by source IP address.

3.6 Multi-factor authentication (MFA) using time-based one-time passwords is supported.

3.7 Single Sign-On (SSO) via SAML 2.0 identity providers is supported.

3.8 Customizable password policies are available to align with corporate standards.

4. Encryption

4.1 Flosum offers the following SaaS Service options for encryption of data at rest:

  • 4.1.1 Standard Offering:
    • Data is encrypted using AES-256 server-side encryption via a key management system validated under FIPS 140-2
  • 4.1.2 Advanced Key Management (AKM) option.
    • Data is encrypted in a dedicated object storage container with a customer-provided master encryption key (CMK).
    • AKM allows for future archiving of the key and rotating it with another master encryption key.
    • The customer can revoke master encryption keys, resulting in the immediate inaccessibility of the data.
  • 4.1.3 Bring Your Own Key Management System (KMS) option (available on AWS only).
    • Encryption keys are created in the customer’s own, separately purchased account utilizing AWS KMS.
    • The customer defines the encryption key policy that permits the customer’s SaaS Service account on AWS to access the key from the customer’s own AWS KMS.
    • Data is encrypted in a dedicated object storage container managed by Flosum, and configured to use the customer’s encryption key.
    • The customer may instantly revoke access to the encrypted data by revoking Flosum’s access to the encryption key, without interacting with Flosum.
    • Flosum employees have no access to the encryption keys at any time and do not access the KMS directly.
    • All key usage is logged in the customer’s own account (AWS KMS API calls are recorded by AWS CloudTrail), including key use by the dedicated object storage on Flosum’s behalf.
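As an added illustration of the Bring Your Own KMS option in 4.1.3, the key policy below shows the shape of the customer-side control it describes: the customer account keeps full administration of the key, and Flosum’s account is granted use of it only when the request arrives through S3. This is example configuration written for this page, not Flosum’s own policy; the account IDs, role names, region, and Sid values are placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "example-byok-key-policy",
  "Statement": [
    {
      "Sid": "CustomerRetainsFullKeyAdministration",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "ProviderMayUseKeyOnlyThroughS3",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::222222222222:role/ExampleProviderObjectStorageRole" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-west-2.amazonaws.com"
        }
      }
    }
  ]
}
```

The first statement is the standard account-root statement; without it (or an equivalent administrator statement) the key becomes unmanageable once created. The second is the only grant to the provider account, and the `kms:ViaService` condition means the provider’s role cannot call KMS directly with this key, only S3 can on its behalf while reading or writing the dedicated bucket. Revocation as described in 4.1.3 is deleting that second statement (or scheduling key deletion), which the customer can do without contacting the provider; one caveat is that if S3 Bucket Keys are enabled on the bucket, S3 may keep using a cached bucket-level data key for a short period before new requests fail. Every `Decrypt` and `GenerateDataKey` made via S3 lands in the customer’s CloudTrail, which is the audit trail 4.1.3 refers to.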

4.2 Connections between the SaaS Services and third-party data sources (e.g., Salesforce) use HTTPS with TLS 1.2+ for encryption in transit and OAuth 2.0 for authorization.

5. Network

5.1 The SaaS Services utilize CSP network controls to restrict network ingress and egress.

5.2 Stateful security groups are employed to limit network ingress and egress to authorized endpoints.

5.3 The SaaS Services use a multi-tier network architecture, including multiple, logically separated Amazon Virtual Private Clouds (VPCs) with private, DMZ, and untrusted zones within the CSP infrastructure.

5.4 In AWS, VPC endpoint restrictions for S3 are used in each region so that object storage is reachable only from the authorized VPCs.
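One way the restriction in 5.4 is typically expressed on the bucket side is a bucket policy that denies every request not arriving through an approved VPC endpoint. The policy below is an added example for this page, not Flosum’s configuration; the bucket name, VPC endpoint IDs, account ID, and role name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnlessFromAuthorizedVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-tenant-data-bucket",
        "arn:aws:s3:::example-tenant-data-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": [
            "vpce-0123456789abcdef0",
            "vpce-0fedcba9876543210"
          ]
        },
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::222222222222:role/ExampleBreakGlassStorageAdmin"
        }
      }
    }
  ]
}
```

Two details matter when checking a policy like this. `StringNotEquals` on `aws:SourceVpce` also evaluates to true when the key is absent, so a request that did not come through any VPC endpoint (the public S3 endpoint, the console, an operator’s laptop) is denied as well, which is the intent. Because the operators of the policy are denied too, the second condition exempts a single break-glass role; the condition block is an AND, so the deny applies only to requests that are both outside the approved endpoints and not from that role. The complementary control on the network side is the endpoint policy attached to each VPC endpoint, which limits which buckets that VPC can reach at all.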

6. Monitoring and Auditing

6.1 The SaaS Service systems and networks are monitored for security incidents, system health, network abnormalities, and availability.

6.2 The SaaS Services use an intrusion detection system (IDS) to monitor network activity and alert Flosum of suspicious behavior.

6.3 The SaaS Services use web application firewalls (WAFs) for all public web services.

6.4 Flosum logs application, network, user, and operating system events to a local Syslog server and a region-specific SIEM. These logs are automatically analyzed and reviewed for suspicious activity and threats. Any anomalies are escalated as appropriate.

6.5 Flosum utilizes security information and event management (SIEM) systems providing continuous security analysis of the SaaS Services’ networks and security environment, user anomaly alerting, detection of command-and-control (C&C) activity, automated threat detection, and reporting of indicators of compromise (IOCs). All of these capabilities are administered by Flosum’s security and operations staff.

6.6 Flosum’s incident response team monitors the security@Flosum.com alias and responds according to the company’s Incident Response Plan (IRP) when appropriate.

7. Isolation Between Accounts

7.1 The SaaS Services use Linux sandboxing to isolate customer accounts’ data during processing. This helps to ensure that any anomaly (for example, due to a security issue or a software bug) remains confined to a single Flosum account.

7.2 Tenant data access is controlled through per-tenant IAM users combined with data tagging, so that principals of one tenant are not authorized to access another tenant’s data.

8. Disaster Recovery

8.1 Flosum uses CSP object storage to store encrypted customer data across multiple availability zones.

8.2 For customer data stored on object storage, Flosum uses object versioning with automatic aging to support compliance with Flosum’s disaster recovery and backup policies. For these objects, Flosum’s systems are designed to support a recovery point objective (RPO) of 0 hours (that is, the ability to restore any object to any version as it existed within the prior 14-day period).
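The versioning-plus-aging scheme in 8.2 corresponds to an S3 lifecycle configuration of the following shape. This is an added example for this page rather than Flosum’s configuration; the rule ID is a placeholder, and the bucket it applies to must already have versioning enabled, otherwise `NoncurrentVersionExpiration` has nothing to act on.

```json
{
  "Rules": [
    {
      "ID": "example-expire-noncurrent-versions-14d",
      "Status": "Enabled",
      "Filter": { "Prefix": "" },
      "NoncurrentVersionExpiration": { "NoncurrentDays": 14 },
      "Expiration": { "ExpiredObjectDeleteMarker": true }
    }
  ]
}
```

With versioning on, every overwrite or delete leaves the prior version in place, which is what makes the stated RPO of 0 possible; the 14-day `NoncurrentDays` value is what bounds the restore window, so a version overwritten or deleted more than 14 days earlier is no longer recoverable. `ExpiredObjectDeleteMarker` only cleans up delete markers whose versions have all aged out. A lifecycle rule is a retention control, not a protection against deletion: a principal with `s3:DeleteObjectVersion` can still remove versions inside the window, which is why the IAM scoping in section 7 matters for this guarantee.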

8.3 Any required recovery of a compute instance is accomplished by rebuilding the instance based on Flosum’s configuration management automation.

8.4 Flosum's Disaster Recovery Plan is designed to support a 4-hour recovery time objective (RTO).

9. Vulnerability Management

9.1 Flosum performs periodic web application vulnerability assessments, static code analysis, and external dynamic assessments as part of its continuous monitoring program to help ensure application security controls are properly applied and operating effectively.

9.2 On a semi-annual basis, Flosum hires independent third-party penetration testers to perform both network and web vulnerability assessments. The scope of these external audits includes compliance against the Open Web Application Security Project (OWASP) Top 10 Web Vulnerabilities (www.owasp.org).

9.3 Vulnerability assessment results are incorporated into the Flosum software development lifecycle (SDLC) to remediate identified vulnerabilities. Specific vulnerabilities are prioritized and entered into the Flosum internal ticket system for tracking through resolution.

10. Incident Response

10.1 In the event of a potential security breach, the Flosum Incident Response Team will perform an assessment of the situation and develop appropriate mitigation strategies. If a potential breach is confirmed, Flosum will immediately act to mitigate the breach and preserve forensic evidence, and will notify impacted customers’ primary points of contact without undue delay to brief them on the situation and provide resolution status updates.

11. Secure Software Development

11.1 Flosum employs secure development practices for Flosum software applications throughout the software development life cycle. These practices include static code analysis, Salesforce security review for Flosum applications installed in customers’ Salesforce instances, peer review of code changes, restricting source code repository access based on the principle of least privilege, and logging source code repository access and changes.

12. Dedicated Security Team

12.1 Flosum has a dedicated security team with combined multi-faceted information security experience. Additionally, the team members maintain a number of industry-recognized certifications, including but not limited to CISM and CISSP Lead Auditors.

13. Privacy and Data Protection

13.1 Flosum provides native support for data subject access requests, such as the right to erasure (right to be forgotten) and anonymization, to support compliance with data privacy regulations, including the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA).

13.2 Flosum also provides a Data Processing Addendum to address privacy and data protection laws, including legal requirements for international data transfers.

14. Background Checks

14.1 Flosum performs a panel of background checks of its personnel who may have access to customers’ data, based on the employee’s jurisdictions of residence during the prior seven years, subject to applicable law.

15. Insurance

15.1 Flosum maintains, at minimum, the following insurance coverage:
(a) workers' compensation insurance in accordance with all applicable law;
(b) commercial general liability (public liability) insurance with single limit coverage of $1,000,000 per occurrence and $2,000,000 general aggregate coverage;
(c) technology and media errors and omissions (cyber liability) insurance with a limit of $5,000,000 per event and $5,000,000 aggregate, including primary and excess layers, and including cyber liability, technology and professional services, technology products, data and network security, breach response, regulatory defense and penalties, cyber extortion and data recovery liabilities. Flosum will furnish Customer with evidence of such insurance upon request.

Schedule 5
European Provisions

This schedule shall only apply to transfers of Personal Data (including onward transfers) from Europe that, in the absence of the application of these provisions, would cause either Customer or Flosum to breach applicable Data Protection Laws and Regulations.

1. Transfer Mechanism for Data Transfers
  1. The Standard Contractual Clauses apply to any transfers of Personal Data under this DPA from Europe to countries that do not ensure an adequate level of data protection within the meaning of the Data Protection Laws and Regulations of such territories, to the extent such transfers are subject to such Data Protection Laws and Regulations. Flosum enters into the Standard Contractual Clauses as data importer. The additional terms in this Schedule also apply to such data transfers.
2. Transfers Subject to the Standard Contractual Clauses
  1. Customers Covered by the Standard Contractual Clauses. The Standard Contractual Clauses and the additional terms specified in this Schedule apply to (i) Customer, to the extent Customer is subject to the Data Protection Laws and Regulations of Europe and, (ii) its Authorized Affiliates. For the purpose of the Standard Contractual Clauses and this Schedule, such entities are “data exporters.”
  2. Modules. The Parties agree that where optional modules may be applied within the Standard Contractual Clauses, only those labelled “MODULE TWO: Transfer controller to processor” shall be applied.
  3. Instructions. The instructions described in Clause 2.2 above are deemed to be instructions by Customer to process Personal Data for the purposes of Clause 8.1 of the Standard Contractual Clauses.
  4. Appointment of New Sub-processors and List of Current Sub-processors. Pursuant to OPTION 2 to Clause 9(a) of the Standard Contractual Clauses, Customer agrees that Flosum may engage new Sub-processors as described in Clauses 5.1, 5.b, and 5.c above and that Flosum’s Affiliates may be retained as Sub-processors, and Flosum and Flosum’s Affiliates may engage third-party Sub-processors in connection with the provision of the Data Processing Services. The current list of Sub-processors is attached as Schedule 1.
  5. Sub-processor Agreements. The parties agree that data transfers to Sub-processors may rely on a transfer mechanism other than the Standard Contractual Clauses (for example, binding corporate rules), and that Flosum’s agreements with such Sub-processors may therefore not incorporate or mirror the Standard Contractual Clauses, notwithstanding anything to the contrary in clause 9(b) of the Standard Contractual Clauses. However, any such agreement with a Sub-processor shall contain data protection obligations not less protective than those in this DPA regarding the protection of Customer Data, to the extent applicable to the services provided by such Sub-processor. Copies of the Sub-processor agreements that must be provided by Flosum to Customer pursuant to Clause 9(c) of the Standard Contractual Clauses will be provided by Flosum only upon the written request of Customer and may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Flosum beforehand.
  6. Audits and Certifications. The parties agree that the audits described in Clause 8.9 and Clause 13(b) of the Standard Contractual Clauses shall be carried out in accordance with Clause 9 above.
  7. Erasure of Data. The parties agree that the erasure or return of data contemplated by Clause 8.5 or Clause 16(d) of the Standard Contractual Clauses shall be done in accordance with Clause 8 above and any certification of the deletion shall be provided by Flosum only upon Customer’s request.
  8. Third-Party Beneficiaries. The parties agree that based on the nature of the SaaS Services, Customer shall provide all assistance required to allow Flosum to meet its obligations to data subjects under Clause 3 of the Standard Contractual Clauses.
  9. Impact Assessment. In accordance with Clause 14 of the Standard Contractual Clauses the parties have conducted an analysis, in the context of the specific circumstances of the transfer, of the laws and practices of the destination country, as well as the specific supplemental contractual, organizational, and technical safeguards that apply, and, based on information reasonably known to them at the time, have determined that the laws and practices of the destination country do not prevent the parties from fulfilling each party’s obligations under the Standard Contractual Clauses.
  10. Governing Law and Forum. The parties agree, with respect to OPTION 2 to Clause 17, that in the event that the EU Member State in which the data exporter is established does not allow for third-party beneficiary rights, the Standard Contractual Clauses shall be governed by the law of Ireland. In accordance with Clause 18, disputes associated with the Standard Contractual Clauses shall be resolved by the courts specified in the Agreement, unless such court is not located in an EU Member State, in which case the forum for such disputes shall be the courts of Ireland.
  11. Interpretation. The terms of this Schedule are intended to clarify and not to modify the Standard Contractual Clauses. In the event of any conflict or inconsistency between the body of this Schedule and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
3. Provisions for Transfers from Switzerland and the UK
  1. Swiss Data Protection Laws. The parties agree that for purposes of the applicability of the Standard Contractual Clauses to facilitate transfers of Personal Data from Switzerland the following additional provisions shall apply: (i) Any references to Regulation (EU) 2016/679 shall be interpreted to reference the corresponding provisions of the Swiss Federal Act on Data Protection and other data protection laws of Switzerland (“Swiss Data Protection Laws”), (ii) Any references to “Member State” or “EU Member State” or “EU” shall be interpreted to reference Switzerland, and (iii) Any references to Supervisory Authority shall be interpreted to refer to the Swiss Federal Data Protection and Information Commissioner.
  2. United Kingdom Data Protection Laws. The parties agree that for purposes of the applicability of the Standard Contractual Clauses to facilitate transfers of Personal Data from the United Kingdom the following additional provisions shall apply: (i) Any references to Regulation (EU) 2016/679 shall be interpreted to reference the corresponding provisions of UK Data Protection Laws, (ii) Any references to “Member State” or “EU Member State” or “EU” shall be interpreted to reference the United Kingdom, (iii) Any references to Supervisory Authority shall be interpreted to refer to the Information Commissioner’s Office of the United Kingdom (“ICO”), (iv) the governing law of the Standard Contractual Clauses specified in Clauses 17 and 18 shall be the laws of England and Wales, and (v) the Standard Contractual Clauses are further amended by the mandatory clauses contained in Part 2 of the template Addendum issued by the ICO and laid before the UK Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 (“Approved Addendum”).