Effective Date: May 5, 2025
Last Updated: August 3, 2025
Version: 1.1
This Data Processing Addendum ("DPA") between Product Sense, Inc. ("Product Sense") and Company forms part of the Agreement and is effective as of the Effective Date. Product Sense operates the Find Your Great platform and provides related career assessment services.
1. Relationship with the Agreement
1.1. This Data Processing Addendum (this "DPA") is part of the Agreement between Company and Product Sense, Inc. ("Product Sense"). Product Sense and Company are individually a "party" and, collectively, the "parties."
1.2. This DPA applies only to the extent that Product Sense receives, stores, or processes Personal Data in connection with the Services. Schedule 1 describes the processing activities in scope of this DPA.
1.3. The parties agree that this DPA will replace any existing data processing addendum the parties may have previously entered into in connection with the Services.
1.4. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict.
1.5. Any claims brought under or in connection with this DPA will be subject to the Agreement.
2. Definitions
2.1. The following terms have the meanings set forth below. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
2.2. "Agreement" means the agreement(s) entered into between the parties, which govern the provision of the Services to Company.
2.3. "Company Data" means any Personal Data that Product Sense processes on behalf of Company as a Processor in the course of providing Services.
2.4. "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
2.5. "Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including European Data Protection Law and U.S. Data Protection Law.
2.6. "Data Subject" means an identified or identifiable natural person.
2.7. "European Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data (General Data Protection Regulation) ("EU GDPR"); (ii) in respect of the United Kingdom the Data Protection Act 2018 and the EU GDPR as saved into United Kingdom law; and (iii) the Swiss Federal Act on Data Protection, in each case as may be amended, superseded or replaced from time to time.
2.8. "Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a Data Subject.
2.9. "Personal Data Breach" means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company Data.
2.10. "Process" or "Processing" means any operation or set of operations that a party performs on Personal Data, including collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, blocking, erasure or destruction.
2.11. "Processor" means an entity that processes Personal Data on behalf of another entity.
2.12. "Services" means the performance assessment and talent management services provided by Product Sense to Company pursuant to the Agreement.
2.13. "Standard Contractual Clauses" means the European Union standard contractual clauses for international transfers from the European Economic Area to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
2.14. "Subprocessor" means a Processor engaged by Product Sense.
2.15. "U.S. Data Protection Law" means all state laws in effect in the United States of America that are applicable to the processing of personal data under this DPA, including the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.
3. Processing Activities and Roles
3.1. Schedule 1 describes the purposes of the parties' processing, the types of Company Data processed, and the categories of Data Subjects.
3.2. Product Sense acts exclusively as a data processor under this DPA. Product Sense will process Company Data only on behalf of Company, in accordance with the Agreement, and as set forth in this DPA. Product Sense will not process Company Data for its own purposes.
4. International Data Transfer
4.1. The parties will comply with any International Data Transfer Mechanisms required for the lawful transfer of Personal Data across borders.
4.2. With respect to Personal Data of Data Subjects located in the EEA, United Kingdom, or Switzerland, Product Sense agrees to the Standard Contractual Clauses, which are incorporated into this DPA by reference and take precedence over this DPA in the case of any conflict.
4.3. All data processing currently occurs in AWS us-east-2 (Ohio). For European Data Subjects, Standard Contractual Clauses apply. Product Sense monitors data protection adequacy decisions and adapts transfer mechanisms accordingly.
5. Data Protection Obligations
5.1. Product Sense will process Company Data only for the purposes described in this DPA and only in accordance with Company's documented, lawful instructions as set forth in this DPA, the Agreement, or as otherwise directed by Company.
5.2. Product Sense is prohibited from: (i) selling Company Data; (ii) retaining, using, or disclosing Company Data for any purpose other than providing the Services; or (iii) retaining, using, or disclosing Company Data outside of the direct business relationship between Company and Product Sense.
5.3. Company represents and warrants that it has the consent or other lawful basis necessary to collect and disclose Personal Data to Product Sense in connection with the Services.
5.4. The parties will ensure that their employees, independent contractors, and agents are subject to an obligation to keep Personal Data confidential.
6. Technical and Organizational Measures
6.1. Product Sense implements and maintains appropriate technical and organizational security measures to protect Company Data, including:
- AWS Serverless Architecture: 100% serverless processing via stateless Lambda functions
- Data Encryption: AES-256 encryption at rest with customer-managed KMS keys
- Network Security: VPC isolation with IAM-based database access controls
- Additional Encryption: S3 bucket encryption, CloudWatch log encryption, Secrets Manager encryption
- Monitoring: AWS GuardDuty threat detection, VPC Flow Logs, AWS Config compliance monitoring
- API Security: API Gateway with proper authentication and rate limiting
- Zero Trust Architecture: Stateless Lambda architecture eliminates persistent access vectors
6.2. Company is responsible for reviewing the information made available by Product Sense relating to data security and making an independent determination as to whether the Services meet Company's requirements and legal obligations under Data Protection Laws.
7. Subprocessors
7.1. Company grants Product Sense general authorization to engage the Subprocessors listed in Schedule 1, provided that Product Sense ensures each Subprocessor is bound by data protection obligations no less protective than this DPA.
7.2. Product Sense will provide 5 business days' email notification before adding new Subprocessors. Company may object to new Subprocessors within 5 calendar days of such notice on reasonable grounds relating to data protection.
7.3. Product Sense will be liable for the acts or omissions of its Subprocessors to the same extent as Product Sense would be liable if performing the services directly under this DPA.
7.4. Current Subprocessor list is maintained here.
8. Data Breach Notification
8.1. Product Sense will notify Company without undue delay, but in any event within 24 hours, of a Personal Data Breach affecting Personal Data processed in connection with the Services.
8.2. Upon request, Product Sense will provide information to Company about the Personal Data Breach to the extent necessary for Company to fulfill any obligations it has to investigate or notify authorities.
8.3. All incidents are formally documented with root cause analysis and remediation steps by our CEO/DPO (Brendan Fortune).
9. Data Subject Rights
9.1. Product Sense will promptly inform Company if it receives a request from a Data Subject to exercise their rights with respect to their Personal Data under applicable Data Protection Law.
9.2. Company will be responsible for responding to such requests. Product Sense will provide Company with commercially reasonable assistance to help Company respond to Data Subject requests.
10. Audit Rights
10.1. Upon reasonable request, Product Sense will verify its compliance with this DPA by providing SOC 2 Type II reports once available (target: within 12 months) or summary copies of independent audit reports.
10.2. Until SOC 2 certification is complete, Company may conduct direct system audits with 45 days' advance notice, during regular business hours, subject to reasonable confidentiality controls.
11. Data Return and Deletion
11.1. Upon termination or expiration of the Agreement, Product Sense will (at Company's election) delete all Company Data after providing Company the ability to download assessment results in CSV format and supporting evidence.
11.2. Product Sense maintains a 90-day grace period after contract termination for potential renewal, after which automated deletion occurs with written confirmation to Company.
12. Liability and Indemnification
12.1. Liability under this DPA is limited to annual contract value.
12.2. Indirect, consequential, and punitive damages are excluded, except where prohibited by applicable law.
12.3. Product Sense remains fully liable for Subprocessor performance per GDPR Article 28(4) and handles all claims related to Subprocessor data protection failures.
Schedule 1: Processing Details
Processing Purposes
Evidence-based performance assessment and merit-driven talent management exclusively. No processing for broader analytics, product improvement, or secondary commercial purposes.
Data Categories
- Employee communication data from integrated platforms
- Development activity and project management data
- Assessment results and competency mapping
- Supporting evidence snippets (minimized to essential data only)
- Manager profile and authentication information
Data Subject Categories
- Company employees being assessed
- Company managers conducting assessments
Processing Duration
During the term of the Agreement plus 90-day grace period for potential renewal.
Geographic Processing
AWS us-east-2 (Ohio) with planned migration to AWS EU regions for European customers within 1-2 years.
Current Subprocessors
Current Subprocessor list is maintained here.
Questions or Concerns
If you have questions about this Data Processing Addendum or need to request execution of this DPA, please contact us at:
Email: privacy@product-sense.io
Data Protection Officer: Brendan Fortune, CEO
Mailing Address:
Product Sense, Inc.
1151 Walker Road Dover, DE, 19904 US
We are committed to addressing any questions about this Data Processing Addendum promptly and transparently.