Data Processing Agreement / Addendum ("DPA")
This DPA forms part of the SaaS Subscription Agreement (the “Agreement”) between Oasis Security Inc. and its affiliated entities (“Oasis”) and Customer. Both parties shall be referred to as the “Parties” and each, a “Party”. The Parties agree as follows:
- Definitions. For purposes of this DPA, defined terms shall have the meaning set forth in the General Data Protection Regulation (“GDPR”), any data protection laws substantially amending, replacing or superseding the GDPR, the United Kingdom General Data Protection Regulation (“UK GDPR”), and/or the Israeli Privacy Protection Law, 1981 and the regulations promulgated thereunder (including the Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001 and the Privacy Protection Regulations (Data Security), 5777-2017), and any binding instructions, guidelines and requirements of the Israeli Privacy Protection Authority with respect to the Customer Personal Data (“Israeli Law”), and the applicable data protection or privacy laws of the United States of America (federal and state privacy and security laws) (collectively, “DP Laws”). “Services” means performance of the services and activities provided pursuant to or in connection with the Agreement previously entered into between Oasis and Customer.
- Roles of the Parties. Regarding the Processing of Personal Data, Customer is the Data Controller and Oasis is the Data Processor. Oasis will process Personal Data as necessary to perform the Services pursuant to the Agreement. The duration, the nature and purposes of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects are further specified in Schedule 1 of this DPA.
- Customer’s Instructions. Subject to the Agreement, Oasis shall Process Personal Data only in accordance with Customer’s documented instructions, unless otherwise required by Union or Member State law or any other applicable law to which Oasis and its affiliates are subject, in which case Oasis shall inform the Customer of the legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Customer’s instructions for the Processing of Personal Data shall always comply with the DP Laws and any other applicable law. To the extent that Oasis or its affiliates cannot comply with a request (including, without limitation, any instruction) from Customer and/or its authorized users relating to Processing of Personal Data, or where Oasis considers such a request to be unlawful, Oasis (i) shall inform Customer, providing relevant details of the problem, (ii) may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement, and Customer shall pay to Oasis all amounts owed to Oasis or due before the date of termination.
- Rights of Data Subject. If Oasis receives a request from a Data Subject to exercise its rights under DP Laws, Oasis shall, to the extent legally permitted, promptly notify and forward the request to Customer. Oasis shall use commercially reasonable efforts to assist Customer, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject request under DP Laws.
- Assistance. Upon the Customer’s request, Oasis will use commercially reasonable efforts to assist Customer, at Customer’s cost, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the DP Laws taking into account the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Oasis.
- Oasis personnel. Oasis shall grant access to the Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons have committed themselves to confidentiality. For the avoidance of doubt, Oasis may disclose and Process the Personal Data also (a) to the extent required by a court of competent jurisdiction or other supervisory authority and/or otherwise as required by applicable laws or DP Laws, or (b) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), and investors or potential acquirers.
- Sub-processors. Customer hereby approves Oasis’s current list of sub-processors included in Schedule 2 (“Sub-processor List”). Customer may subscribe to notifications of new Sub-processors by sending an email to privacy@oasis.security and, if Customer subscribes, Oasis shall provide notification of any new Sub-processor(s) in connection with the provision of the Services. Customer may reasonably object to Oasis’s use of a new Sub-processor for reasons related to the DP Laws by notifying Oasis promptly in writing within three (3) business days after receipt of Oasis’s notice. Failure to object to such new Sub-processor in writing within three (3) business days following Oasis’s notice shall be deemed acceptance of the new Sub-processor. In the event Customer reasonably objects to a new Sub-processor, as permitted in the preceding sentences, Oasis will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Oasis is unable to make available such change within a reasonable period of time, Customer may, as a sole remedy, terminate the applicable Agreement by providing written notice to Oasis, provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Oasis. Until a decision is made regarding the new Sub-processor, Oasis may temporarily suspend the Processing of the affected Personal Data.
- Security and audits. Taking into account the state of the art, Oasis shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the DP Laws. Upon Customer’s written request at reasonable intervals (subject to the confidentiality obligations) Oasis shall make available to Customer relevant information that is necessary to demonstrate compliance with the obligations laid down in this Section (provided, however, that such information shall only be used by Customer to assess compliance with this Section and shall not be disclosed to any third party without Oasis’s prior written approval). At Customer’s cost and expense, Oasis shall allow audits conducted by the Customer or another auditor mandated by Customer (who is not a competitor of Oasis), provided that the Parties shall agree on the scope, methodology and timing of such audits and inspections. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that does not belong to Customer.
- Personal data incident management and notification. To the extent required under DP Laws, Oasis shall notify Customer without undue delay after becoming aware of an incident related to Customer’s Personal Data. Oasis shall make reasonable efforts to identify the cause of such Personal Data incident and take those steps as Oasis deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data incident to the extent the remediation is within Oasis’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s users. In any event, Oasis will not be responsible for notifying supervisory authorities and/or concerned Data Subjects.
- Return and deletion of Personal Data. Oasis shall, at the choice of Customer, delete or return the Personal Data to Customer after the end of the provision of the Services relating to Processing, and shall delete existing copies unless applicable law requires storage of the Personal Data. In any event, to the extent required or allowed by applicable law, Oasis may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations.
- Transfers of Personal Data. Personal Data may be transferred from the EU Member States, the three EEA member countries and the United Kingdom to countries that were declared adequate per the adequacy decisions published by the relevant data protection authorities, without any further safeguard being necessary. If the Processing of Personal Data includes transfers from the EEA to countries outside the EEA which do not offer an adequate level of data protection or which have not been subject to an adequacy decision, the Parties shall comply with Chapter V of the DP Laws.
- Termination. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
- Miscellaneous. This DPA may not be amended or modified except by a written instrument which is signed by both Parties. This DPA may be executed in counterparts. Customer may assign this DPA or its rights or obligations hereunder to any affiliate thereof, or to a successor or any affiliate thereof, in connection with a merger, consolidation or acquisition of all or substantially all of its shares, assets or business relating to this DPA or the Agreement. Notwithstanding anything to the contrary in the Agreement and/or in any agreement between the parties and to the maximum extent permitted by law: (A) Oasis’s (including Oasis’s affiliates’) entire, total and aggregate liability, related to Personal Data or privacy, including, without limitation, if any, any indemnification related thereto, shall be limited to the amounts paid to Oasis under the Agreement within twelve (12) months preceding the event that gave rise to the claim. This limitation of liability is cumulative and not per incident; (B) In no event will Oasis and/or Oasis affiliates and/or their third-party providers, be liable under, or otherwise in connection with this DPA for: (i) any indirect, exemplary, special, consequential, incidental or punitive damages; (ii) any loss of profits, business, or anticipated savings; (iii) any loss of, or damage to data, reputation, revenue or goodwill; and/or (iv) the cost of procuring any substitute goods or services; and (C) the foregoing exclusions and limitations on liability set forth in this Section shall apply: (i) even if Oasis, Oasis affiliates or third-party providers, have been advised, or should have been aware, of the possibility of losses or damages; (ii) even if any remedy in this DPA fails of its essential purpose; and (iii) regardless of the form, theory or basis of liability (such as, but not limited to, breach of contract or tort).
SCHEDULE 1 - DETAILS OF THE PROCESSING
Subject matter - Oasis will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing
- Providing the Service(s) to Customer; Performing the Agreement, this DPA and/or other contracts executed by the Parties;
- Providing support and technical maintenance, if agreed in the Agreement; and
- Resolving disputes; enforcing the Agreement, this DPA and/or defending Oasis’s rights.
Duration of Processing - Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof.
Type of Personal Data - Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- Personal data provided by Customer through the Services and/or to Oasis;
- Any other Personal Data or information that the Customer decides to provide to the Oasis or the Services.
Categories of Data Subjects - Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
Employees, agents, advisors, freelancers of Customer (who are natural persons)
The frequency of the transfer - Continuous basis
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period - As described in this DPA and/or the Agreement
For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing - As detailed in Schedule 2.
SCHEDULE 2 – SUB-PROCESSOR LIST
| Entity Name | Sub-Processing Activities | Location |
| --- | --- | --- |
| AWS | Infrastructure, Monitoring, Storage, DBs | United States |
| HotJar | UI Engagement | European Union |
| GCP | Storage | United States |
| Microsoft Azure | Storage | United States |
| FrontEgg | User Authentication | United States |
| Airflow | BI | United States |
| Metabase | BI | United States |
SCHEDULE 3 - STANDARD CONTRACTUAL CLAUSES
EU SCCs. If the Processing of Personal Data includes transfers from the EEA to countries outside the EEA which do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Chapter V of the GDPR. The Parties hereby agree to execute the Standard Contractual Clauses, as available here, as updated, amended, replaced or superseded from time to time by the European Commission, as follows:
a) The Standard Contractual Clauses (Controller-to-Processor and Processor to Processor) if applicable, will apply, with respect to restricted transfers between Customer and Oasis that are subject to the EU GDPR.
b) The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and Oasis (as Data Importer), the following shall apply: (i) Clause 7 of the Standard Contractual Clauses shall be applicable; (ii) In Clause 9, option 2 shall apply and the method described in Section 7 of the DPA (Sub-processors) shall apply; (iii) Clause 11 of the Standard Contractual Clauses shall not be applicable; (iv) In Clause 13: the relevant option applicable to the Customer, as informed by Customer to Oasis; (v) In Clause 17, option 1 shall apply. The Parties agree that the Standard Contractual Clauses shall be governed by the laws of Ireland; and (vi) In Clause 18(b) the Parties choose the courts of Dublin as their choice of forum and jurisdiction.
c) Annex I.A: With respect to Module Two: (i) Data Exporter is Customer as a data controller and (ii) the Data Importer is Oasis as a data processor. With respect to Module Three: (i) Data Exporter is Customer as a data processor and (ii) the Data Importer is Oasis as a data processor (sub-processor). Data Exporter and Data Importer Contact details: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
d) Annex I.B of the Standard Contractual Clauses shall be completed as described in Schedule 1 (Details of the Processing) of this DPA.
e) Annex I.C of the Standard Contractual Clauses shall be completed as follows: The competent supervisory authority is the Irish supervisory authority.
f) Annex II of the Standard Contractual Clauses shall be completed as described and agreed between the parties in the Agreement and/or this DPA.
g) Annex III of the Standard Contractual Clauses shall be completed with the authorized sub-processors detailed in Schedule 2 (Sub-processor list) of this DPA.
UK SCCs. If the Processing of Personal Data includes transfers from the UK to countries which do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018. The Parties hereby agree to execute the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as follows:
a) The UK Standard Contractual Clauses (Controller-to-Processor and Processor to Processor) if applicable, will apply with respect to restricted transfers between Customer and Oasis that are subject to the UK GDPR.
b) The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and Oasis (as Data Importer), the following shall apply: (i) Clause 7 of the Standard Contractual Clauses shall be applicable; (ii) In Clause 9, option 2 shall apply and the method described in Section 5 of the DPA (Authorization Regarding Sub-Processors) shall apply; (iii) Clause 11 of the Standard Contractual Clauses shall not be applicable; (iv) In Clause 17, option 1 shall apply. The Parties agree that the Standard Contractual Clauses shall be governed by the laws of England and Wales; and (v) In Clause 18(b) the Parties choose the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts as their choice of forum and jurisdiction. Which Parties may end this Addendum as set out in Section 19: Importer and/or Exporter, in accordance with the agreed terms of the DPA.
c) Annex I.A: With respect to Module Two: Data Exporter is Customer as a data controller and the Data Importer is Oasis as a data processor. With respect to Module Three: Data Exporter is Customer as a data processor and the Data Importer is Oasis as a data processor (sub-processor). Data Exporter and Data Importer Contact details: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed these UK Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
d) Annex I.B of the UK Standard Contractual Clauses shall be completed as described in Schedule 1 (Details of the Processing) of this DPA.
e) Annex I.C of the UK Standard Contractual Clauses shall be completed as follows: The competent supervisory authority is the ICO supervisory authority.
f) Annex II of the UK Standard Contractual Clauses shall be completed as described and agreed between the parties in the Agreement and/or this DPA.
g) Annex III of the UK Standard Contractual Clauses shall be completed with the authorized sub-processors detailed in Schedule 2 (Sub-processor list) of this DPA.