Last updated: 18 September 2023
Data Processing Agreement
This Data Processing Agreement ("DPA") is entered into by and between Appello Inc, an Ontario corporation having its registered office address at 643 Railroad Street, Mount Brydges, ON, N0L1W0 ("Appello", "Processor", "we", "us", or "our"), and the customer that electronically accepts or otherwise agrees to this DPA by signing a SaaS Subscription Order Form and/or a SaaS License, Support, and Services Agreement ("SLSA") ("Customer", "Controller", "you", or "your").
This DPA forms an integral part of the overall subscription agreement applying to the Parties regarding the provision of the Appello software platform under the terms of the SLSA. This DPA sets forth the terms and conditions under which Appello will process Personal Data on behalf of Customer in connection with the Appello software platform.
1. Definitions
For the purposes of this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person that Customer or its end users submit, upload, or otherwise make available to Appello through the Appello software platform.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Data Subject" means the natural person to whom Personal Data relates.
- "Data Protection Laws" means all applicable laws, regulations, and binding guidance relating to the processing, privacy, and use of Personal Data, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA"), and any other applicable data protection laws.
- "Security Incident" means any unauthorized access, acquisition, disclosure, loss, destruction, or alteration of Personal Data.
2. Scope and Roles
This DPA applies to all Processing of Personal Data by Appello on behalf of Customer in connection with the Appello software platform. Customer is the Controller of Personal Data, and Appello is the Processor of Personal Data. Appello will process Personal Data only on documented instructions from Customer, including as set forth in the SLSA and this DPA, and in accordance with applicable Data Protection Laws.
3. Processing of Personal Data
3.1 Purpose and Duration
Appello will process Personal Data solely for the purpose of providing the Appello software platform and related services to Customer, as described in the SLSA, and for no other purpose unless required by applicable law. The duration of Processing will be for the term of the SLSA and as necessary to comply with legal obligations or as otherwise set forth in this DPA.
3.2 Types of Personal Data
The types of Personal Data processed may include, but are not limited to:
- Name, email address, physical address, phone number
- Job title, company information, and business contact details
- Employee information, including payroll and scheduling data
- Customer and vendor information
- Project and job-related information
- Any other Personal Data that Customer or its end users choose to submit through the Appello software platform
3.3 Categories of Data Subjects
Personal Data may relate to the following categories of Data Subjects:
- Customer's employees, contractors, and personnel
- Customer's customers and clients
- Customer's vendors and suppliers
- End users of the Appello software platform
4. Customer Obligations
Customer is responsible for:
- Ensuring that it has all necessary rights and consents to provide Personal Data to Appello for Processing
- Complying with all applicable Data Protection Laws in its use of the Appello software platform
- Providing accurate instructions regarding the Processing of Personal Data
- Ensuring that Personal Data provided to Appello is accurate, complete, and up to date
- Implementing appropriate technical and organizational measures to protect Personal Data before it is transmitted to Appello
- Responding to Data Subject requests regarding their Personal Data, with Appello's assistance as set forth in Section 7
5. Appello Obligations
5.1 Processing Instructions
Appello will process Personal Data only in accordance with Customer's documented instructions, including as set forth in the SLSA and this DPA, unless required by applicable law. If Appello is required by law to process Personal Data in a manner that conflicts with Customer's instructions, Appello will inform Customer of that legal requirement before Processing, unless the law prohibits such information on important grounds of public interest.
5.2 Confidentiality
Appello will ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations, whether by contract or by law.
5.3 Security Measures
Appello will implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage. These measures include:
- Encryption of Personal Data in transit and at rest
- Regular security assessments and vulnerability testing
- Access controls and authentication mechanisms
- Regular backups and disaster recovery procedures
- Employee training on data protection and security
- Physical security measures for data centers and facilities
- Incident response and breach notification procedures
5.4 Sub-processors
Customer acknowledges and agrees that Appello may engage sub-processors to process Personal Data on Appello's behalf. Appello will:
- Ensure that sub-processors are bound by data protection obligations that are substantially similar to those set forth in this DPA
- Remain fully liable for the performance of sub-processors
- Inform Customer of any intended changes concerning the addition or replacement of sub-processors, giving Customer the opportunity to object to such changes
Current sub-processors include service providers for data hosting, cloud infrastructure, email delivery, and analytics services. A current list of sub-processors is available upon request.
6. Security Incidents
Appello will notify Customer without undue delay after becoming aware of a Security Incident affecting Personal Data. Appello will provide Customer with:
- A description of the nature of the Security Incident
- The categories and approximate number of Data Subjects and Personal Data records concerned
- The likely consequences of the Security Incident
- Measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects
Appello will cooperate with Customer and take reasonable steps to assist Customer in mitigating, where possible, the adverse effects of any Security Incident.
7. Data Subject Rights
Appello will assist Customer in responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of Processing
- Right to data portability
- Right to object to Processing
Appello will provide reasonable assistance to Customer in responding to such requests, including by providing Customer with the ability to access, correct, delete, or export Personal Data through the Appello software platform or by providing Customer with the necessary information to respond to Data Subject requests.
8. Data Transfers
Personal Data may be transferred to and processed in countries outside of the Data Subject's country of residence. Appello will ensure that such transfers comply with applicable Data Protection Laws, including by implementing appropriate safeguards such as standard contractual clauses approved by relevant data protection authorities or other mechanisms recognized under applicable Data Protection Laws.
9. Data Retention and Deletion
Appello will retain Personal Data only for as long as necessary to provide the Appello software platform and related services to Customer, or as required by applicable law. Upon termination of the SLSA or upon Customer's request, Appello will:
- Return all Personal Data to Customer in a structured, commonly used, and machine-readable format, or
- Delete all Personal Data, unless retention is required by applicable law
Customer may request deletion of Personal Data at any time through the Appello software platform or by contacting Appello. Appello will delete Personal Data within a reasonable timeframe, subject to any legal retention obligations.
10. Audits and Compliance
Appello will make available to Customer all information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws. Upon reasonable notice and during normal business hours, Appello will allow Customer or its authorized representatives to conduct audits or inspections of Appello's facilities and procedures relevant to the Processing of Personal Data, subject to appropriate confidentiality obligations and reasonable limitations to protect Appello's confidential information and the security of its systems.
11. Limitation of Liability
Each party's liability arising out of or related to this DPA will be subject to the limitations and exclusions of liability set forth in the SLSA. Nothing in this DPA will modify or limit either party's liability under the SLSA.
12. Term and Termination
This DPA will remain in effect for as long as Appello processes Personal Data on behalf of Customer in connection with the Appello software platform, or until terminated in accordance with the terms of the SLSA. Upon termination of this DPA, the provisions of Sections 9 (Data Retention and Deletion), 10 (Audits and Compliance), and 11 (Limitation of Liability) will survive.
13. General Provisions
13.1 Governing Law
This DPA will be governed by and construed in accordance with the laws of the Province of Ontario, Canada, without regard to its conflict of law principles.
13.2 Changes to this DPA
Appello may update this DPA from time to time to reflect changes in applicable Data Protection Laws or our Processing practices. Material changes will be notified to Customer by email or through the Appello software platform. Continued use of the Appello software platform after such changes constitutes acceptance of the updated DPA.
13.3 Severability
If any provision of this DPA is found to be unenforceable or invalid, such provision will be limited or eliminated to the minimum extent necessary so that this DPA will otherwise remain in full force and effect.
13.4 Entire Agreement
This DPA, together with the SLSA, constitutes the entire agreement between the parties regarding the Processing of Personal Data and supersedes all prior agreements and understandings, whether written or oral, relating to such subject matter.
13.5 Contact Information
For questions or concerns regarding this DPA or the Processing of Personal Data, please contact Appello at:
Appello, Inc.
643 Railroad St.
Mount Brydges, ON, N0L1W0
Attn: Privacy Officer
Email: info@useappello.com