Data Processing Agreement

Posted: April 15, 2024

This Data Processing Agreement (the “DPA”) supplements the Cubby Services Agreement (“Agreement”) between Cubby and the customer that has executed or agreed to the Agreement (“Customer”). Capitalized terms used, but not defined, in this DPA are defined in the Agreement.

  1. Nature of the Data and Role of the Parties. The rights and obligations in this DPA apply solely to the Processing of Personal Data by the Services by Cubby on behalf of Customer, but do not apply to Beta Services. For the purposes of this DPA, references to Customer Data shall mean any Personal Data incorporated in the Customer Data.
  2. Data Processing.

2.1. Instructions. The Agreement and this DPA constitute Customer's instructions to Cubby to Process Customer Data. Cubby will use and Process Customer Data as Customer instructs in order to deliver the Services and to fulfill Cubby's obligations under the Agreement and this DPA. Cubby will inform Customer of any legal requirement which prevents it from complying with Customer's instructions, unless prohibited from doing so by applicable law or on important grounds of public interest.

2.2. Processing Activities. Cubby, Cubby personnel, and Sub-processors will only Process Customer Data to provide the Services and to fulfill Cubby's obligations in this Agreement. The categories of Personal Data to be Processed by Cubby and the Processing activities to be performed under this Agreement are set out in Exhibit A.

2.3. Personnel. Any Cubby personnel who have access to Customer Data will be bound by appropriate confidentiality obligations.

  3. Security.

3.1. Security Measures. Cubby will implement the technical and organizational measures set forth in the Agreement for the applicable Services.

3.2. Security Incidents. Cubby will promptly, and without undue delay, notify Customer in writing at the email address associated with the account if a Security Incident occurs, so long as applicable law allows this notice. Without limiting the foregoing, Cubby will use commercially reasonable efforts to provide this notice within 72 hours of confirming the existence of a Security Incident. Cubby may limit the scope of, or refrain from delivering, any disclosures to the extent reasonably necessary to avoid compromising the integrity of Cubby's security, an ongoing investigation, or any Cubby customer's or end user's data. “Security Incident” means any actual unauthorized disclosure of or access to Customer Data, or compromise of Cubby's systems that Cubby determines is reasonably likely to result in such disclosure or access, caused by failure of Cubby's Security Measures and excluding any unauthorized disclosure or access that is caused by Customer or its End Users, including Customer or its End Users' failure to adequately secure equipment or accounts.

3.3. Notification. Cubby will assist the Customer in ensuring compliance with its obligations pursuant to EU Data Protection Laws by providing relevant information which may include: (a) the nature of the Security Incident, including, where possible, the categories and approximate number of personal data records concerned; (b) the likely consequences of the Security Incident; (c) the measures taken or to be taken to address the Security Incident, including, where appropriate, the measures to mitigate its possible adverse effects; (d) the name and contact details of the Data Protection Officer or other contact from whom more information may be obtained; and (e) justifications for any delay in notification. Should it not be feasible for Cubby to provide all of the relevant information in its initial notification to the Customer, Cubby will provide further relevant details without undue delay.

  4. Sub-processors.

4.1. Cubby Use of Sub-Processors. Customer consents to Cubby's appointment of Subcontractors, including Sub-processors, to perform the Services. Where a Sub-processor will process Personal Data, Cubby will ensure that the Sub-processor is subject to substantially similar data protection obligations as those set forth in this DPA regarding Personal Data and which satisfy the requirements of EU Data Protection Laws. Cubby will list its current Sub-processors for the Services in the Agreement. Cubby will remain liable for all acts or omissions of its Subcontractors or Sub-processors, and for any subcontracted obligations.

4.2. Customer Objections. Cubby may add or remove Sub-processors from time to time. Cubby will inform Customer in advance of new Sub-processors for the applicable Services as described in the list of Sub-processors. If Customer objects to a change, it will provide Cubby with notice of its objection to privacy@Cubby.com including reasonable detail supporting Customer's concerns within sixty days of receiving notice of a change from Cubby or, if Customer has not subscribed to receive this notice, within sixty days of Cubby publishing the change. Cubby will then use commercially reasonable efforts to review and respond to Customer's objection within thirty days of receipt of Customer's objection. Cubby's response to Customer's objection will include, at a minimum, reasonable accommodations, if any, that Customer or Cubby can take to limit or prevent a new Sub-processor from acting as a processor of Customer Data when Customer makes use of the Services. If Cubby does not respond to a Customer objection as described above, or cannot reasonably accommodate Customer's objection, Customer may terminate the Agreement by providing written notice to Cubby: (a) within thirty days of receipt of a Cubby response that does not comply with this Section 4.2; or (b) if Cubby fails to respond, within thirty days of the date Cubby's response was due.

  5. Data Subject Rights. Customer is responsible for responding to any request by a data subject to exercise their rights under applicable privacy laws. If Cubby receives any such request in relation to the Customer Data, Cubby will direct the applicable data subject to Customer to exercise his or her rights without undue delay after verifying the request pertains to Customer Data. Cubby will provide Customer with information or tools that are reasonably designed to enable Customer to fulfill its obligations to respond to these requests through the functionality of the Services, taking into account the nature of the Processing and insofar as this is possible.
  6. Compliance Assistance. To assist Customer with its compliance obligations under applicable privacy laws related to security, data protection impact assessments, and prior consultation with supervisory authorities, Cubby will make the following available during the Term: (a) the Audit Reports; (b) the information contained in Exhibit A; and (c) any applicable Security Measures and Security Resources set forth in the Agreement. If, after reviewing the aforementioned materials, Customer reasonably believes it needs further information in order to meet its compliance obligations, Cubby will use commercially reasonable efforts to respond to written questions by Customer regarding the materials. Without limiting the foregoing, Cubby will comply with valid requests from relevant supervisory authorities to the extent required by applicable EU Data Protection Law.
  7. Deletion. Upon Termination of the Agreement and this DPA, Cubby will delete Stored Data in Customer's account in a commercially reasonable period of time following receipt of an Administrator's request to do so prior to such termination. Notwithstanding the foregoing, Customer acknowledges and agrees that Cubby may be a controller with respect to certain Account Data, and may retain this data in accordance with applicable privacy laws, provided that Cubby is solely responsible for its compliance with these laws in connection with its own Processing.
  8. Inspections.

8.1European Data. Customer agrees that Cubby and its Sub-processors may transfer, store, and Process Customer Data in locations other than Customer's country. To the extent Personal Data that is subject to EU Data Protection Laws, the UK GDPR or the Swiss Federal Act on Data Protection, is Processed outside of the EEA, United Kingdom, or Switzerland (“European Data”), this Section 9 applies.

9.1. Instructions. Customer hereby instructs Cubby to process European Data in accordance with this DPA in order to deliver the Services. Customer acknowledges that all communication with Cubby, Inc. in connection with the processing of European Data will be coordinated and directed through Cubby.

9.2. Transfers. Customer acknowledges and agrees that, to provide the Services, Cubby may transfer European Data and this transfer will be made pursuant to Processor Standard Contractual Clauses, or an alternative transfer means recognized by EU Data Protection Laws, or the UK GDPR, or the Swiss Federal Act on Data Protection, as applicable.

  10. Effect of DPA. If a provision in this DPA conflicts with a provision in the Agreement, then this DPA will control with respect to the processing of Personal Data. The Agreement will remain in full force and effect and will be unchanged except as modified by this DPA. This DPA will terminate automatically upon expiration or termination of the Agreement.

Exhibit A

Details of Processing.

  1. Subject Matter of the Personal Data Processing: The provision of the Services by Cubby to Customer.
  2. Duration of the Personal Data Processing: The Term, and any period after the Term prior to Cubby's deletion of Customer Data.
  3. Nature and Purpose of the Personal Data Processing: To enable Customer to receive and Cubby to provide the Services.
  4. Categories of Personal Data: The Personal Data that will be included in Customer Data will depend upon Customer's use of the Services. To the extent the Customer Data contains Personal Data, it may consist of identifying information of end users (such as name, email address, physical address, IP address, or other unique identifier), identifying information of third parties with whom data is shared or to whom signature requests are sent, organization data, and any other Personal Data contained in documents, images and other content or data in electronic form stored or transmitted by End Users via the Services.
  5. Data Subjects: The categories of data subjects will depend upon Customer's use of the Services. To the extent the Customer Data contains Personal Data, it may concern Customer's End Users including employees, contractors, collaborators and customers of the Customer, any individuals collaborating, sharing, or transacting with these End Users, or any other individual whose information is stored by Customer in the Stored Data as identified in records maintained by Customer acting as controller pursuant to Article 30 of the GDPR.

Copyright © 2024 Cubby NYC, Inc.
