Last Updated: 08 June 2024
This Data Processing Addendum (“DPA”) is between GlossGenius, Inc. (“GlossGenius”) and you. This DPA amends and forms part of the GlossGenius Terms of Service, as updated from time to time, or any other agreement about the delivery of the GlossGenius Services between GlossGenius and you (collectively, the “Agreement”). This DPA applies to the extent GlossGenius Processes Professional Personal Data (each as defined below) in the provision of the GlossGenius Services. This DPA will terminate automatically upon termination of the Agreement. In the event of a conflict between the terms and conditions of this DPA, the Agreement, or any other documentation, the terms and conditions of this DPA govern and control with respect to the subject matter of Processing of Professional Personal Data (as those terms are defined below). Capitalized terms used but not defined in this DPA will have the meanings given in the Agreement.
1. Definitions
For purposes of this DPA, the following terms will have the meaning ascribed below:
1.1. “Controller” means “controller” and “business” (and analogous variations of such terms) under Data Protection Law.
1.2. “Data Protection Law” means the California Consumer Privacy Act of 2018, including as amended by the California Privacy Rights Act of 2020 or otherwise and any regulations promulgated thereunder, and any similar laws adopted in other states, including but not limited to the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, and the Virginia Consumer Data Protection Act.
1.3. “Data Subject” means the identified or identifiable person to whom Personal Data relates.
1.4. “Personal Data” means “personal data” and “personal information” (and analogous variations of such terms) under Data Protection Law.
1.5. “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, extending further to such operation or operations under Data Protection Law.
1.6. “Processor” means “processor” and “service provider” (and analogous variations of such terms) under Data Protection Law.
1.7. “Professional Personal Data” means Personal Data that GlossGenius collects from or about your end user customers in connection with providing the Services.
1.8. “Security Incident” means “personal data breach” and “security incident” (and analogous variations of such terms) under Data Protection Law.
1.9. “GlossGenius Services” means the services provided by GlossGenius pursuant to the Agreement.
2. Data Processing and Protection
2.1. Scope of DPA. This DPA applies where GlossGenius Processes Professional Personal Data on behalf of you, the Controller, in connection with providing the GlossGenius Services. The parties agree that GlossGenius is the Processor of Professional Personal Data.
2.2. Limitations on Use. In GlossGenius’s capacity as a Processor, GlossGenius will Process Professional Personal Data only: (a) pursuant to your documented instructions as specified under Section 2.3 (Instructions); (b) as otherwise required by applicable laws. As a Processor, GlossGenius will not: (x) retain, use, or disclose such Personal Data (i) outside of the direct business relationship between the parties, (ii) for any purpose other than for the specific purpose of performing the GlossGenius Services; (y) sell or share (as defined by Data Protection Law) such Personal Data; or (z) combine such Personal Data with Personal Data GlossGenius receives from individuals or other sources, except as permitted by Data Protection Law.
2.3. Processor Instructions. You instruct GlossGenius to Process Personal Data as necessary to provide the GlossGenius Services and as otherwise authorized or permitted under this DPA and the Agreement. This DPA, the Agreement, and any instructions you provide through configuration tools made available by GlossGenius (if available) are your documented instructions regarding GlossGenius’s Processing of Personal Data. Additional instructions you provide (if any) require prior written agreement between you and GlossGenius. You will not instruct GlossGenius to Process Professional Personal Data in violation of any Data Protection Law. GlossGenius may suspend Processing based upon any of your instructions that GlossGenius reasonably suspects violate Data Protection Law, provided GlossGenius will promptly inform you if GlossGenius believes an instruction infringes Data Protection Law.
2.4. Scope of Processing. The GlossGenius Services are not designed to Process Protected Health Information as defined by the Health Insurance Portability and Accountability Act (HIPAA) or data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status, and other attributes or data that constitute “sensitive personal data” or “sensitive personal information” under Data Protection Laws. Further, GlossGenius is currently only available for use within the United States and is not designed to process the Personal Data of individuals protected by the General Data Protection Regulation (GDPR) or local laws implementing the same. You agree that you will not provide sensitive information or Personal Data governed by the GDPR or similar laws to the GlossGenius Services except with our explicit consent.
2.5. Compliance. Each party will comply with its obligations under Data Protection Law. You are responsible for providing all notices and obtaining any consents that may be necessary for the performance of the GlossGenius Services. GlossGenius shall promptly notify you if it determines that it cannot meet its obligations under Data Protection Law. Upon receiving written notice from you that GlossGenius has Processed Professional Personal Data without authorization, GlossGenius will take reasonable and appropriate steps to stop and remediate such Processing.
2.6. Security. GlossGenius will implement and maintain appropriate administrative, technical, and organizational measures designed to protect the confidentiality, integrity, and availability of Personal Data and prevent any unauthorized or unlawful Processing of such data.
2.7. Retention and Disposal. GlossGenius will retain the Personal Data until the termination of the Agreement, unless otherwise agreed to by the parties. At your choice, GlossGenius will (or will enable you via the GlossGenius Services to) delete (and will delete existing copies of) or return all Professional Personal Data after termination of the Agreement (unless Data Protection Law requires the storage of such Professional Personal Data by GlossGenius, in which case GlossGenius will only further retain and Process such Professional Personal Data for the limited duration and purposes required by such Data Protection Law).
3. Data Processing Assistance
3.1. Data Subject Rights Assistance. You shall be responsible for responding to requests from individuals, including your Clients, exercising rights under Data Protection Law relating to Personal Data for which you are a Controller (each a “Data Subject Request”). To the extent you, in your use of the GlossGenius Services, do not have the ability to address the Data Subject Request, GlossGenius will, on your request, provide commercially reasonable assistance to you in responding to such Data Subject Request, to the extent GlossGenius’ response to such Data Subject Request is required under Data Protection Law.
3.2. Compliance Assistance. Taking into account the nature of Processing and the information available to GlossGenius, GlossGenius will provide commercially reasonable cooperation and assistance to you in your efforts to comply with your obligations under Data Protection Law.
3.3. Security Incident Notice and Assistance. GlossGenius will notify you without undue delay after becoming aware of a Security Incident in accordance with applicable Data Protection Law. GlossGenius will further take commercially reasonable steps to mitigate the effects and minimize any impact from any Security Incident and reasonably assist you in complying with any related notification obligations under Data Protection Law. These obligations shall not apply if a Security Incident results from the actions or omissions of you, except where required by Data Protection Law. GlossGenius’s obligation to report or respond to a Security Incident under Section 2.3 will not be construed as an acknowledgement by GlossGenius of any fault or liability with respect to the Security Incident.
4. Audits. You have the right to take reasonable and appropriate steps to ensure that GlossGenius uses Personal Data in a manner that is consistent with your obligations under Data Protection Law (“Audit Rights”). Except in the event of a Security Incident or a regulatory investigation, you agree to exercise your Audit Rights under Data Protection Law no more than once every 12 months and will provide no less than 30 days’ advance notice of your request for an on-site audit and will cooperate in good faith with GlossGenius to schedule any such audit on a mutually agreeable date and time. Any such on-site audit must occur during GlossGenius’s normal business hours and be conducted by you or a nationally recognized independent auditor that has agreed to confidentiality provisions reasonably acceptable to GlossGenius. You are responsible for ensuring that the audit will comply with GlossGenius’ applicable on-site policies and procedures and will not unreasonably interfere with GlossGenius’ business activities. You will provide a written summary of any audit findings to GlossGenius, and the results of the audit will be the confidential information of GlossGenius. You will bear the costs of such an audit, unless the audit reveals material vulnerabilities, in which case GlossGenius will cover the costs of the audit.
5. Limitation of Liability. Each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability in the Agreement. Nothing in this Section 5 is intended to restrict the rights of individuals under Data Protection Law.