Data privacy and security: United States

Ozmo Support Platform Terms and Conditions

1. DEFINITIONS

Capitalized terms used in this Exhibit that are not defined within this Section have the meanings set forth in Section 1 of the Ozmo Support Platform Terms and Conditions.

“Applicable Law” means all federal and state privacy and data protection laws, regulations, and orders applicable to Company due to its provision of services and/or products to Customer.

“Authorized Persons” means Company’s employees, contractors, agents, and auditors who have a need to know or otherwise access Personal Information to enable Company to perform its obligations under this Agreement, and who are bound by confidentiality and other obligations sufficient to protect Personal Information in accordance with these Terms and Conditions.

“Data Subject” means a natural person who can be identified by reference to a name, image, unique number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Personal Information” means information provided to Company by or at the direction of Customer, or to which access was provided to Company by or at the direction of Customer, in the course of Company’s performance under this Agreement that: (i) directly or indirectly identifies an individual (including, without limitation, names, signatures, addresses, telephone numbers, e-mail addresses, images and other unique identifiers); or (ii) can be used to authenticate an individual (including, without limitation, employee identification numbers, answers to security questions and other personal identifiers), in case of both subclauses (i) and (ii), including, without limitation, all Sensitive Personal Information.

“Processing” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Security Breach” means (i) any act or omission that materially compromises either the security, confidentiality or integrity of Personal Information or the physical, technical, administrative or organizational safeguards put in place by Company that relate to the protection of the security, confidentiality or integrity of Personal Information, or (ii) receipt of a complaint in relation to the privacy and data security practices of Company or a breach or alleged breach of these Terms and Conditions relating to such privacy and data security practices.

“Sensitive Personal Information” means any special or sensitive categories of Personal Information defined by Applicable Law as requiring special care, additional protections, or limited processing. Sensitive Personal Information includes: (i) an individual’s government-issued identification number (including social security number, driver’s license number or state-issued identification number); (ii) financial account number, credit card number, debit card number, credit report information, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account; or (iii) biometric, genetic, health or health insurance data.

2. COMPANY AND CUSTOMER OBLIGATIONS

  • (a) Company acknowledges and agrees that, in the course of its engagement by Customer, Company may create, receive or have access to Personal Information. Company shall comply with these Terms and Conditions in its collection, receipt, transmission, storage, disposal, use and disclosure of such Personal Information and be responsible for the unauthorized collection, receipt, transmission, access, storage, disposal, use or disclosure of Personal Information under its control or in its possession by all Authorized Persons.
  • (b) In recognition of the foregoing, Company agrees and covenants that it shall: 
    • (i) keep and maintain all Personal Information in strict confidence, using such degree of care as is appropriate to avoid unauthorized access, use or disclosure; 
    • (ii) not create, collect, receive, access, or use Personal Information in violation of Applicable Law; 
    • (iii) use and disclose Personal Information solely and exclusively for the purposes for which the Personal Information, or access to it, is provided pursuant to these Terms and Conditions, and not use, sell, rent, transfer, distribute, or otherwise disclose or make available Personal Information for Company’s own purposes or for the benefit of anyone other than Customer, in each case, without Customer’s prior written consent; 
    • (iv) not, directly or indirectly, disclose Personal Information to any person other than its Authorized Persons (an “Unauthorized Third Party”), without express written consent from Customer, unless and to the extent required by Government Authorities or as otherwise, to the extent expressly required, by applicable law, in which case, Company shall notify Customer before such disclosure or as soon thereafter as reasonably possible.
  • (c) To the extent Company will process Personal Information, Company agrees and covenants that it shall:
    • (i) implement, as required by Applicable Law, a compliant notice and consent mechanism appropriate to the nature of Personal Information it collects and process the Personal Information in accordance with Company’s privacy policy available at https://ozmo.com/company/privacy-policy/;
    • (ii) have all appropriate technical and organizational measures to fulfill its obligations associated with Data Subject requests and rights under Applicable Law;
    • (iii) inform Customer promptly (in no event longer than 24 hours) of any request from a Data Subject to exercise any Data Subject rights regarding Personal Information held by Company.
  • (d) Customer covenants and agrees that it shall:
    • (i) comply with these Terms and Conditions;
    • (ii) be responsible for any unauthorized creation, collection, receipt, transmission, access, storage, disposal, use, or disclosure of Personal Information under its control or in its possession;
    • (iii) comply with any Applicable Law and use only secure methods, according to accepted industry standards, when transferring or otherwise making available Personal Information to Company; 
    • (iv) where required by applicable data protection laws, ensure that it has obtained/will obtain all necessary consents and complies with all applicable requirements; and
    • (v) provide written notice to Company if any information Customer provides to Company under these Terms and Conditions contains Personal Information. Company will not be responsible for determining on its own that any information Customer provides under this Agreement qualifies as Personal Information.

3. PROCESSING DETAILS

  • (a) Duration. The duration of the processing of Personal Information shall be the term of the base agreement plus the limited time following its expiration or termination to allow for the return or deletion of Personal Information.
  • (b) Purpose. Company shall process Personal Information solely to provide the services and products set forth in the base agreement.
  • (c) Nature. Company will perform the following processing operations on Personal Information:
    • Collection directly from Data Subjects
    • Collection other than from Data Subjects
    • Storage (e.g., hosting, archive, logging, organizing)
  • (d) Categories of Personal Information:
    • Name
    • Photographic / Video Images
    • Email
    • Phone Number
    • IP Addresses
    • Login Credentials
  • (e) Data Subjects. Company will process Personal Information related to Customer’s employees and Customer’s customers.
  • (f) Storage Location. Personal Information will be stored, accessed, or co-located by Company in the following countries:
    • United States
  • (g) Subprocessors. Customer consents to Company’s use of the following Subprocessors:
| Name | Processing Services | Countries where information is stored |
|---|---|---|
| Amazon Web Services | Hosting Provider | United States |
| Google Cloud Platform | Hosting Provider | United States |
| Microsoft Azure | Hosting Provider | United States |

Company shall notify Customer in writing of any intended changes to the above Subcontractors.

4. INFORMATION SECURITY

  • (a) Company represents and warrants that its collection, access, use, storage, disposal and disclosure of Personal Information does and will comply with all Applicable Law, including all applicable directives. 
  • (b) Company shall implement administrative, physical and technical safeguards to protect Personal Information and shall ensure that all such safeguards, including the manner in which Personal Information is collected, accessed, used, stored, processed, disposed of and disclosed, comply with Applicable Law, as well as these Terms and Conditions.
  • (c) At a minimum, Company’s safeguards for the protection of Personal Information shall include: (i) limiting access of Personal Information to Authorized Persons; (ii) securing business facilities, data centers, paper files, servers, backup systems, and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability; (iii) implementing network, application, database, and platform security; (iv) securing information transmission, storage, and disposal; (v) implementing authentication and access controls within media, applications, operating systems, and equipment; (vi) encrypting Sensitive Personal Information stored on any media; (vii) encrypting Sensitive Personal Information transmitted over public or wireless networks; (viii) strictly segregating Personal Information from information of Company or its other customers so that Personal Information is not commingled with any other types of information; (ix) conducting risk assessments, penetration testing, and vulnerability scans and promptly implementing, at Company’s sole cost and expense, a corrective action plan to correct any issues that are reported as a result of the testing; (x) implementing appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks consistent with applicable law; and (xi) providing appropriate privacy and information security training to Authorized Persons.
  • (d) During the term of each Authorized Person’s employment by Company, Company shall at all times cause such Authorized Persons to abide strictly by Company’s obligations under these Terms and Conditions. Company further agrees that it shall maintain a disciplinary process to address any unauthorized access, use or disclosure of Personal Information by any of Company’s officers, partners, principals, employees, agents or contractors.

5. SECURITY BREACH PROCEDURES

  • (a) Company shall: 
    • (i) provide Customer with the name and contact information for an employee of Company who shall serve as Customer’s primary security contact and shall be available to assist Customer twenty-four (24) hours per day, seven (7) days per week as a contact in resolving obligations associated with a Security Breach; 
    • (ii) notify Customer of a Security Breach as soon as practicable, but no later than twenty-four (24) hours after Company becomes aware of it; and 
    • (iii) notify Customer of any Security Breaches by telephone and with a copy by e-mail to Company’s primary business contact within Customer. 
  • (b) Immediately following Company’s notification to Customer of a Security Breach, the parties shall coordinate with each other to investigate the Security Breach. Company agrees to reasonably cooperate with Customer in Customer’s handling of the matter, including, without limitation: (i) assisting with any investigation; (ii) facilitating interviews with Company’s employees and others involved in the matter; and (iii) making available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards or as otherwise reasonably required by Customer.
  • (c) Company shall use its best efforts to immediately remedy any Security Breach and prevent any further Security Breach at Company’s expense in accordance with applicable privacy rights, laws, regulations and standards. 
  • (d) Company reserves the right, in its sole discretion, to report criminal acts relating to the use and disclosure of Personal Information to applicable Government Authorities and shall notify Customer as soon as practicable that such reporting has occurred. With respect to instances in which Company is considering notifying Government Authorities concerning civil, but not criminal, acts, Company shall notify Customer in writing and consult with Customer prior to making any such notification. The parties shall immediately endeavor in good faith to reach agreement on the need and nature of such notification. If such agreement cannot be reached within seventy-two (72) hours after Company has provided Customer with written notice, Company shall have the right to inform Government Authorities solely to the extent required by applicable law.
  • (e) Company agrees to maintain and preserve all documents, records, and other data related to any Security Breach.
  • (f) Company agrees to reasonably cooperate with Customer in any litigation or other formal action deemed reasonably necessary by Customer to protect its rights relating to the use, disclosure, protection and maintenance of Personal Information. 

6. OVERSIGHT OF SECURITY COMPLIANCE; RISK ASSESSMENT

Company shall implement and maintain a risk assessment program that includes an at least annual assessment of the sufficiency of its existing safeguards in relation to its collection, storage and processing of Personal Information. Customer, upon written request, at most once per year, may obtain a copy of Company’s internal risk assessment, along with Company’s written confirmation of compliance with these Terms and Conditions, as well as all Applicable Law and industry standards. Company shall promptly and accurately respond to such a written request from Customer.

7. RETURN OR DESTRUCTION OF PERSONAL INFORMATION

At any time during the term of the Agreement, at the Customer’s written request or upon the termination or expiration of this Agreement for any reason, Company shall, and shall instruct all Authorized Persons to, promptly return to the Customer all copies, whether in written, electronic or other form or media, of Personal Information in its possession or the possession of such Authorized Persons, or securely dispose of all such copies, and certify in writing to the Customer that such Personal Information has been returned to Customer or disposed of securely within 30 days of receiving the Customer’s request. Company shall comply with all reasonable directions provided by Customer with respect to the return or disposal of Personal Information. If Company is not reasonably able to return or securely dispose of Personal Information, including, but not limited to, Personal Information stored on backup media, Company will continue to protect such Personal Information in accordance with these Terms and Conditions until such time that it can reasonably return or securely dispose of such Personal Information.

8. INDEMNIFICATION

Company shall defend, indemnify, and hold harmless Customer and its affiliates, and its respective officers, directors, employees, agents, successors, and permitted assigns (each, a “Customer Indemnitee”) from and against all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, the cost of enforcing any right to indemnification hereunder, and the cost of pursuing any insurance providers, arising out of or resulting from any third-party claim against any Customer Indemnitee arising out of or resulting from Company’s failure to comply with any of its obligations under Sections 2 and 4.