Bureau Works Data Processing Agreement

Between:

  • Bureau Works ("Processor" or "Vendor")
  • Controller ("Controller" or "Client")

Last Updated: March 27, 2025

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement and/or Software Order Form ("Principal Agreement") between the parties.

1. INTRODUCTION AND PURPOSE

1.1 This DPA establishes the terms and conditions under which Vendor will process Personal Data on behalf of Client in connection with the services described in the Principal Agreement.

1.2 This DPA applies to all Personal Data processed by Vendor on behalf of Client that is subject to applicable privacy laws.

1.3 In case of conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to data protection matters.

2. DEFINITIONS

2.1 "Applicable Privacy Law" means privacy and data protection laws applicable to the processing of Personal Data under this Agreement, including but not limited to the GDPR, UK GDPR, CCPA, and other similar laws.

2.2 "Personal Data" means any information relating to an identified or identifiable natural person processed by Vendor on behalf of Client.

2.3 "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

2.4 "Processing" means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, or deletion.

2.5 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2.6 "Subprocessor" means any third party (excluding Vendor's employees) engaged by Vendor to process Personal Data.

3. ROLES AND RESPONSIBILITIES

3.1 Client acts as the Controller (or a Processor acting on behalf of a Controller) of the Personal Data.

3.2 Vendor acts as the Processor (or Subprocessor) of the Personal Data.

3.3 Each party will comply with its respective obligations under Applicable Privacy Law.

4. PROCESSING OF PERSONAL DATA

4.1 Scope and Purpose

Vendor shall process Personal Data only:

  • To provide the services specified in the Principal Agreement
  • In accordance with Client's documented instructions
  • For the duration of the Principal Agreement

4.2 Details of Processing

Details regarding the processing activities are specified in Appendix 1, including:

  • Categories of Data Subjects
  • Types of Personal Data
  • Nature and purpose of processing
  • Duration of processing

4.3 Processing Instructions

4.3.1 The Principal Agreement, this DPA, and Client's use of Vendor's services constitute Client's documented instructions.

4.3.2 If Vendor believes an instruction violates Applicable Privacy Law, Vendor shall promptly inform Client.

4.3.3 If Vendor must process Personal Data to comply with applicable law, Vendor shall inform Client before processing, unless prohibited by law.

5. CONFIDENTIALITY AND SECURITY

5.1 Confidentiality

5.1.1 Vendor shall ensure that personnel authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.1.2 Vendor shall limit access to Personal Data to those personnel who need access to perform the services.

5.2 Security Measures

5.2.1 Vendor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Appendix 2.

5.2.2 In assessing security risks, Vendor shall consider risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data.

5.2.3 Vendor shall regularly test, assess, and evaluate the effectiveness of its security measures.

6. SUBPROCESSING

6.1 General Authorization

6.1.1 Client authorizes Vendor to engage Subprocessors as necessary to provide the services under the Principal Agreement.

6.1.2 Current Subprocessors are listed in Appendix 3.

6.2 Notification of Changes

6.2.1 Vendor shall provide Client with 30 days' prior notice before authorizing any new Subprocessor.

6.2.2 If Client reasonably objects to a new Subprocessor within 15 days of notification, Vendor shall:

  • Make commercially reasonable efforts to modify the services to avoid processing by the proposed Subprocessor; or
  • Work with Client to find a mutually acceptable solution

6.2.3 If no resolution is possible within 30 days of Client's objection, Client may terminate the affected services with written notice.

6.3 Subprocessor Requirements

6.3.1 Vendor shall impose on Subprocessors data protection obligations no less protective than those in this DPA.

6.3.2 Vendor remains responsible for its Subprocessors' compliance with the obligations of this DPA.

7. DATA SUBJECT RIGHTS

7.1 Vendor shall implement appropriate technical and organizational measures to assist Client in responding to Data Subject requests.

7.2 If Vendor receives a Data Subject request related to Personal Data processed on behalf of Client, Vendor shall:

  • Promptly notify Client
  • Not respond directly to the Data Subject unless authorized by Client
  • Assist Client in fulfilling the request as reasonably required

7.3 Vendor shall assist Client in meeting obligations to respond to Data Subject requests under Applicable Privacy Law, taking into account the nature of the processing and the information available to Vendor.

8. PERSONAL DATA BREACH

8.1 Notification

8.1.1 Vendor shall notify Client without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Client's Personal Data.

8.1.2 Notification shall include, to the extent possible:

  • Nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate volume of Personal Data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact details for further information

8.2 Cooperation and Mitigation

8.2.1 Vendor shall cooperate with Client and take reasonable steps to mitigate any adverse effects of a Personal Data Breach.

8.2.2 Vendor shall provide reasonable assistance to Client in meeting any notification obligations to regulatory authorities or Data Subjects.

9. DATA PROTECTION IMPACT ASSESSMENT

9.1 Vendor shall provide reasonable assistance to Client with any data protection impact assessments and prior consultations with supervisory authorities required under Applicable Privacy Law, taking into account the nature of the processing and information available to Vendor.

10. DATA RETURN AND DELETION

10.1 Upon termination of the Principal Agreement, or upon Client's request, Vendor shall:

  • Return all Personal Data to Client in a commonly used electronic format; or
  • Delete all Personal Data, including copies

10.2 Vendor may retain Personal Data if required by applicable law, in which case:

  • Vendor shall ensure the confidentiality of such Personal Data
  • Vendor shall process the retained data only as required by law
  • Vendor shall notify Client of such legal requirement, unless prohibited by law

11. AUDIT RIGHTS

11.1 Vendor shall make available to Client information necessary to demonstrate compliance with this DPA.

11.2 Vendor shall allow for and contribute to audits, including inspections, conducted by Client or an auditor mandated by Client, subject to the following:

  • Client shall provide at least 30 days' advance notice
  • Audits shall occur no more than once per year, unless there is reasonable belief of non-compliance
  • Client shall minimize disruption to Vendor's operations
  • Audits shall be conducted during normal business hours
  • All auditors shall be bound by confidentiality obligations

11.3 Vendor may satisfy audit requirements by providing third-party audit reports or certifications, provided they address the relevant compliance concerns.

12. INTERNATIONAL TRANSFERS

12.1 Vendor shall not transfer Personal Data outside the jurisdiction where Client is located unless:

  • The transfer is to a country with an adequacy decision
  • Appropriate safeguards are in place (such as Standard Contractual Clauses)
  • A derogation under Applicable Privacy Law applies

12.2 If the transfer relies on Standard Contractual Clauses, the appropriate modules will be selected based on the parties' roles, and are incorporated by reference:

  • Module 2 (Controller to Processor) or Module 3 (Processor to Processor), as applicable
  • The governing law shall be the law of Client's country
  • The competent supervisory authority shall be in Client's country

12.3 The parties shall implement any additional measures necessary to ensure compliance with data transfer requirements under Applicable Privacy Law.

13. GOVERNMENT ACCESS REQUESTS

13.1 If Vendor receives a legally binding request from a public authority to disclose Personal Data, Vendor shall:

  • Promptly notify Client, unless prohibited by law
  • Redirect the request to Client where possible
  • Challenge the request if there are reasonable grounds to consider it unlawful
  • Disclose only the minimum Personal Data required

13.2 If Vendor is prohibited from notifying Client, Vendor shall use reasonable efforts to obtain a waiver of the prohibition.

13.3 Vendor shall document its assessment of each request and make this documentation available to Client upon request, to the extent permitted by law.

14. CALIFORNIA CONSUMER PRIVACY ACT (CCPA) PROVISIONS

14.1 For purposes of the CCPA, Vendor is a "Service Provider" or "Contractor" as applicable.

14.2 Vendor shall not:

  • Sell or share Personal Data
  • Retain, use, or disclose Personal Data for any purpose other than providing services
  • Combine Personal Data with personal information received from other sources

14.3 Vendor shall assist Client in fulfilling CCPA obligations regarding consumer rights.

15. GENERAL PROVISIONS

15.1 Liability and Indemnification

15.1.1 Each party's liability under this DPA shall be subject to the liability limitations in the Principal Agreement.

15.2 Term and Termination

15.2.1 This DPA shall commence on the Effective Date and continue for as long as Vendor processes Personal Data on behalf of Client.

15.2.2 The obligations regarding confidentiality, return or deletion of Personal Data, and audit shall survive termination.

15.3 Amendments

15.3.1 Any amendment to this DPA must be in writing and signed by both parties.

15.3.2 If changes to Applicable Privacy Law require modifications to this DPA, the parties shall cooperate in good faith to amend this DPA accordingly.

15.4 Severability

15.4.1 If any provision of this DPA is invalid or unenforceable, the remaining provisions shall remain in effect.

15.4.2 The parties shall replace any invalid or unenforceable provision with a valid and enforceable provision that achieves the same intent.

15.5 Notices

15.5.1 All notices under this DPA shall be in writing and delivered to the contact information provided in the Principal Agreement.

APPENDIX 1: DETAILS OF PROCESSING

Categories of Data Subjects:

  • Employees, contractors, and representatives of Client
  • End users of Client's services, as applicable
  • Other individuals whose Personal Data is processed through the services

Types of Personal Data:

  • Contact information (names, email addresses, phone numbers)
  • Account credentials and authentication data
  • Content and data provided by Client through the services
  • Usage data and metadata related to use of the services

Nature and Purpose of Processing:

  • Providing the services described in the Principal Agreement
  • Supporting, maintaining, and improving the services
  • Complying with legal obligations
  • Other purposes specified in the Principal Agreement

Duration of Processing:

  • For the term of the Principal Agreement, plus any additional period required for return or deletion of Personal Data

APPENDIX 2: SECURITY MEASURES

Vendor implements and maintains appropriate technical and organizational measures including:

Access Controls:

  • Role-based access controls
  • Multi-factor authentication for system access
  • Unique user identification
  • Regular access review procedures

Encryption:

  • Encryption of data in transit using TLS
  • Encryption of sensitive data at rest

System Security:

  • Regular security updates and patching
  • Vulnerability scanning and penetration testing
  • Malware protection
  • Intrusion detection/prevention systems

Physical Security:

  • Physical access controls to data centers
  • Environmental controls (fire, flood, power protection)
  • Secure disposal procedures for media

Organizational Measures:

  • Security awareness training for personnel
  • Documented security policies and procedures
  • Incident response procedures
  • Regular security assessments

Business Continuity:

  • Regular data backups
  • Disaster recovery procedures
  • Business continuity planning

APPENDIX 3: SUBPROCESSORS

Current subprocessors:

  Name               Purpose                Location   Data Processed
  ---------------    -------------------    --------   ----------------------
  AWS                Cloud infrastructure   US, EU     All service data
  Stripe             Payment processing     US         Payment information
  Zendesk            Customer support       US         Support communications
  Intercom           Customer messaging     US         User communications
  Microsoft Azure    Machine translation    US         Document content
  OpenAI             AI processing          US         Document content
  Google             Workspace tools        US         Admin communications

Vendor will provide an updated list of subprocessors upon request.