Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement and/or any applicable SOWs or Order Forms (together, the “Agreement”) between GrowthFactor, Inc., a Delaware Corporation (“GrowthFactor”) and the customer entity that has executed the Agreement (“Customer”).
This DPA is an addendum to, and forms part of, the Agreement. It shall be effective and legally binding as of the date the Agreement is executed. This DPA sets out the terms that apply when Personal Information is Processed by GrowthFactor under the Agreement. The purpose of the DPA is to ensure such Processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose Personal Information is Processed.
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
DATA PROCESSING TERMS:
- Definitions
- Capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement.
- For the purposes of this DPA the following words and phrases shall have the following meanings:
- “Consumer” means an identified natural person as defined by applicable Data Protection Laws and Regulations.
“Controller” shall mean the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Information;
“Customer Personal Information” means electronic data and information submitted by or for Customer to GrowthFactor, in connection with the performance of the Services under the Agreement containing Personal Information;
“Data Protection Laws and Regulations” means all applicable federal and state laws and regulations binding on a Party with respect to the Party’s processing, protection, or privacy of the Personal Information, including where applicable, binding guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. Data Protection Laws and Regulations includes, but is not limited to, the California Consumer Privacy Act of 2018, as amended and supplemented by the California Privacy Rights Act of 2020, as may be further amended from time to time, and their implementing regulations (“CCPA”), the Connecticut Data Privacy Act, the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, and any corresponding or equivalent United States state or federal laws or regulations as may be promulgated including any amendment, update, modification to or re-enactment of such laws, as applicable to a party in its respective performance or receipt of services.
“Services” has the meaning set forth in the Agreement;
“Business Purpose,” “Processing”, “Processed,” “Process,” “Personal Information,” “Sell,” “Service Provider,” “Share,” “Subcontractor” shall have the same meaning as those terms in the CCPA or other Data Protection Laws and Regulations.
- Processing of Customer Personal Information
- Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Information as is necessary for providing the Services, Customer is the Controller, GrowthFactor is the Service Provider.
- Data Minimization. Customer shall endeavor to, and shall train its personnel to, exercise all possible care in minimizing GrowthFactor’s access to or Processing of any Customer Personal Information to the extent solely and strictly necessary for the performance of the Services.
- Customer’s Processing of Customer Personal Information. Customer, as Controller, shall: (i) be responsible for ensuring that it has complied, and will continue to comply, with all applicable Data Protection Laws and Regulations; (ii) ensure it has, and will continue to have, the right to process, transfer, and/or provide access to, the Customer Personal Information to GrowthFactor for Processing in accordance with the terms of the Agreement and this DPA; and (iii) have sole responsibility for the accuracy, quality, and legality of Customer Personal Information and the means by which Customer acquired Customer Personal Information. Customer specifically acknowledges that its use of the Services will not violate the rights of any Consumer that has opted out from sales or other disclosures of Personal Information, to the extent applicable under the CCPA.
- GrowthFactor’s Processing of Customer Personal Information. GrowthFactor shall treat Customer Personal Information as Confidential Information and shall Process Customer Personal Information on behalf of Customer as is necessary for providing the Services and only in accordance with Customer’s documented instructions as set out in this DPA. Any Processing required outside of the scope of these instructions will require prior written agreement between the Parties. The Parties acknowledge and agree that GrowthFactor’s Processing of Customer Personal Information is as a Service Provider for a Business Purpose (i.e., performing services on behalf of Customer).
- Data Protection Impact Assessments. Upon Customer’s request and if required by applicable Data Protection Laws and Regulations, GrowthFactor shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation to carry out a data protection impact assessment related to Customer’s use of the Services.
- Details of Data Processing.
- Subject Matter: The subject matter of the Processing under this DPA is the Customer Personal Information.
- Frequency and Duration: Notwithstanding expiration or termination of the Agreement, GrowthFactor will Process the Customer Personal Information continuously and until deletion of all Customer Personal Information as described in this DPA.
- Purpose: GrowthFactor will Process the Customer Personal Information only for the limited and specified Business Purposes as described in this DPA.
- Nature of the Processing: GrowthFactor will perform Processing as needed for the Business Purposes, and to comply with Customer’s Processing instructions as provided in accordance with the Agreement and this DPA. The Parties acknowledge and agree that the processing of Personal Information by GrowthFactor under this DPA may include the use of automated tools and technologies, including Artificial Intelligence, for purposes that are consistent with the legitimate Business Purposes outlined in the Agreement, such as data analysis, optimization, and service enhancement.
- Retention Period. The period for which Customer Personal Information will be retained and the criteria used to determine that period is determined by Customer during the term of the Agreement via Customer’s use and configuration of the Service. Upon termination or expiration of the Agreement, Customer may retrieve or delete Customer Personal Information as described in the Agreement.
- Categories of Consumers: The categories of Consumers to which Customer Personal Information relate are determined and controlled by Customer in its sole discretion, and may include, but are not limited to:
- Employees or contact persons of Customer or Customer’s business partners.
- End customers of Customer.
- Categories of Personal Information: The types of Customer Personal Information are determined and controlled by Customer in its sole discretion, and may include, but are not limited to:
- Identification and contact data (name, phone number, email address, mailing address);
- Rights of Consumers
- Consumer Request. GrowthFactor shall promptly notify Customer if GrowthFactor receives a request from a Consumer to exercise the Consumer’s rights, including to access, correct, obtain a portable copy, or delete Personal Information as allowed by the CCPA or applicable Data Protection Laws and Regulations (each such request being a “Consumer Request”). Taking into account the nature of the Processing, GrowthFactor shall assist Customer by appropriate technical and organizational measures for the fulfilment of Customer’s obligation to respond to a Consumer Request under CCPA or Data Protection Laws and Regulations. In addition, if requested by Customer, GrowthFactor shall assist Customer in responding to such Consumer Request.
- GrowthFactor Personnel
- Confidentiality. GrowthFactor shall ensure that its personnel engaged in the Processing of Customer Personal Information are informed of the confidential nature of the Customer Personal Information, have received appropriate training on their responsibilities, and have executed written confidentiality agreements.
- Subcontractors
- Use of subcontractors. Customer acknowledges and agrees that: (i) GrowthFactor’s Affiliates may be retained as subcontractors, and (ii) GrowthFactor and GrowthFactor’s Affiliates may engage third-party subcontractors in connection with the provision of the Services. GrowthFactor has entered into a written agreement with each subcontractor containing data protection obligations that comply with the CCPA and are not less protective than those in this Agreement with respect to the protection of Customer Personal Information to the extent applicable to the nature of the Services provided by such subcontractors.
- Liability. GrowthFactor shall be liable for its subcontractors to the same extent GrowthFactor would be liable if performing the services of each subcontractor directly under the terms of this DPA.
- Security
- Controls for the Protection of Customer Personal Information. GrowthFactor shall maintain reasonable and appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Information), confidentiality and integrity of Customer Personal Information.
- Personnel. GrowthFactor shall take all reasonable steps to ensure the reliability of any GrowthFactor Personnel who may have access to, or are authorized to process, Customer Personal Information. GrowthFactor shall ensure that such GrowthFactor Personnel are bound by appropriate contractual confidentiality, data protection, and data security obligations in accordance with applicable Data Protection Laws and Regulations and this DPA.
- Compliance Monitoring.
- Upon Customer’s reasonable request, GrowthFactor shall make available to Customer all information in GrowthFactor’s possession necessary to demonstrate GrowthFactor’s compliance with its obligations under this DPA and applicable Data Protection Laws and Regulations.
- Customer may monitor GrowthFactor’s compliance with this DPA through reviews, audits, or regular assessments to be conducted in the form of a written questionnaire once per year.
- CCPA Specific Provisions.
- Scope. The following provisions apply to Customer Personal Information that is subject to the CCPA, or to any other Customer Personal Information to the extent required by other Data Protection Laws and Regulations. GrowthFactor shall not:
- Sell or Share Customer Personal Information or any other similar concepts defined in Data Protection Laws and Regulations except to perform the Business Purposes specified in this DPA and the Agreement;
- Combine Customer Personal Information that GrowthFactor receives from, or on behalf of, Customer with Personal Information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with a Consumer, except to perform the Business Purposes specified in this DPA and the Agreement.
- Retain, use, or disclose Customer Personal Information that it receives from, or on behalf of, Customer for any purpose, including any commercial purpose, other than the Business Purposes specified in this DPA, the Agreement, or as otherwise permitted by the CCPA or outside of the direct business relationship between Customer and GrowthFactor.
- Notification. Upon determination by GrowthFactor that it can no longer comply with CCPA or any Data Protection Laws and Regulations, GrowthFactor shall notify Customer without undue delay.
- Certification. GrowthFactor certifies that it understands the restrictions set forth in this DPA and the CCPA and shall comply with these restrictions.
- Remediation. Upon notice, Customer reserves the right to take reasonable and appropriate steps to stop and remediate GrowthFactor’s unauthorized use of Customer Personal Information.
- Customer Personal Information Incident Management and Notification
- GrowthFactor shall notify Customer without undue delay after becoming aware of a confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Information (a “Customer Personal Information Incident”).
- To assist Customer in relation to any personal data breach notifications Customer is required to make under the applicable Data Protection Laws and Regulations, GrowthFactor shall include in the notification such information about the Customer Personal Information Incident as is required by such Data Protection Laws and Regulations, to the extent that such information is reasonably available to GrowthFactor and shall take all reasonable and necessary steps to remediate the cause of such Customer Personal Information Incident, to preclude further Customer Personal Information Incidents. Where and insofar as GrowthFactor cannot provide all the information relevant to a Customer Personal Information Incident at the same time, it may provide such information in phases without undue further delay.
- General Provisions
- Except as amended by this DPA, the Agreement will remain in full force and effect.
- If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
- Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
- This DPA will automatically terminate on the termination or expiry of the Agreement.

