COMPANYCAM TERMS OF SERVICE
U.S. DATA PROCESSING ADDENDUM
This Data Protection Addendum (“DPA”) shall apply to CompanyCam, Inc.’s (“CompanyCam”) Processing of Customer Personal Information pursuant to the Terms of Service and Enterprise Agreement (“Agreement”). “Customer” is the entity listed in the Enterprise Agreement or the entity that opened an Organization Account to use the Licensed Product. Customer and CompanyCam may each be referred to as “Party” and together, “Parties.”
- Definitions
The defined capitalized terms below will have the following meanings when used in this DPA. Other capitalized terms used in this DPA are defined in the context in which they are used and shall have the meanings indicated. Capitalized terms not defined herein shall have the meanings ascribed to them in the Agreement or in applicable Data Protection Laws.
- “Controller” means the person or entity who determines the purposes and means of the Processing of Personal Information and includes the term “Business” as similarly defined under applicable Data Protection Laws.
- “Customer Personal Information” means Personal Information Processed by CompanyCam on behalf of Customer pursuant to the Agreement.
- “Business Purpose” means the Processing of Customer Personal Information (i) as necessary for the provision of the Licensed Application pursuant to Agreement; (ii) as otherwise permitted by Data Protection Laws in connection with the Licensed Application; and (iii) to comply with CompanyCam’s legal obligations which do not conflict with Data Protection Laws.
- “Data Protection Laws” means any applicable current and future laws, rules, regulations and guidance governing the privacy, security and protection of Personal Information processed under the Agreement, including but not limited to: (i) the US Data Protection Laws; and (ii) the European Data Protection Laws.
- “Data Subject” means an identified or identifiable natural person or a “Consumer” as defined under applicable Data Protection Laws.
- “Data Subject Request” means a request from an individual seeking to exercise the rights granted to Data Subjects under the Data Protection Laws which may include, the right to access, correct, opt out, restrict Processing, and data portability.
- “European Data Protection Laws” means all legislation applicable to data protection and privacy regarding residents of the EU, UK or Switzerland, including but not limited to: (i) the EU General Data Protection Regulation ((EU) 2016/679) (the “EU GDPR”); (ii) Directive 2002/58/EC and the Privacy and Electronic Communications Regulations 2003, as amended; (iii) the EU GDPR as applicable as part of UK domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 (as amended) (“UK GDPR”); (iv) the Swiss Federal Act on Data Protection of 1 September 2023 and its corresponding ordinances (the “FADP”); and any applicable guidance or codes of practice issued by any applicable Supervisory Authorities from time to time.
- “Licensed Application” shall mean the “Services” as defined in the Agreement.
- “Personal Information” or “Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. Personal Information does not include information that has been deidentified or aggregated such that the information can no longer identify or link to an individual.
- “Personnel” means those employees, approved agents, or Sub-Processors that CompanyCam uses to perform its obligations or exercise its rights under the Agreement or this DPA.
- “Process” or “Processing” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, such as collection, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, deletion or destruction or as otherwise defined in the Data Protection Laws.
- “Processor” means the entity which Processes Personal Information on behalf of Customer and includes the term “Service Provider” as similarly defined under applicable Data Protection Laws.
- “Restricted Transfer” means (i) where EU GDPR or the FADP applies, a transfer of Personal Information from the European Economic Area (“EEA”) including Switzerland to a country outside of the EEA, which is not the subject of an adequacy determination by the European Commission; and (ii) where UK GDPR applies, a transfer of Personal Information from the United Kingdom to any country which is not subject based on adequacy regulations pursuant to Section 17A of the UK Data Protection Act.
- “Sub-Processor” means a third party engaged by CompanyCam or another Processor to assist in the provision of the Licensed Application and which will Process Customer Personal Information.
- “Security Incident” means unauthorized loss, destruction, acquisition, use, disclosure of, or access to Customer Personal Information in CompanyCam’s possession, custody, or control and includes “Personal Data Breach” as defined in EU Data Protection Laws.
- “Standard Contractual Clauses” means:
in respect of Personal Data subject to GDPR, the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, including the text from Module Two;
in respect of Swiss Personal Data, the EU Standard Contractual Clauses, provided that any references in the clauses to the GDPR shall refer to the FADP; the term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the clauses; and
in respect of UK Personal Data, the International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022 but, as permitted by Clause 17 of such Addendum, the Parties agree to change the format of the information set out in Part 1 of the Addendum so that:
- The details of the parties in Table 1 of the Addendum shall be as set out in Appendix 1 to this DPA (with no requirement for signature);
- For the purposes of Table 2 of the Addendum, the Addendum shall be appended to the EU Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as noted above) and Clause 13(2)(a) below selects the option and timescales for Clause 9 of the EU Standard Contractual Clauses;
- The appendix information listed in Table 2 of the Addendum is set out in Appendices 2 and 3 to this DPA; and
- For the purposes of Table 3 of the Addendum, the following option is selected regarding which party/ies may end the Addendum as set out in Clause 19 thereof: the Data Controller only.
- “Supervisory Authority” means any international, federal, state, or local agency, department, official, legislature, or any governmental or professional body, regulatory or supervisory authority, board, or other body responsible for administration of and enforcement of the Data Protection Laws with regard to CompanyCam Data Processed under this Agreement.
- “US Data Protection Laws” means the US federal, state and local laws, rules, regulations and guidance related to the privacy, security and protection of Personal Information processed under the Agreement, including but not limited to: (i) the Federal Trade Commission Act, 15 U.S.C. § 45 and its implementing regulations; (ii) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and its implementing regulations, and (iii) any other U.S. federal or state consumer privacy laws, data breach notification laws and data security laws.
- Processing of Customer Personal Information
- Role of the parties. The Parties agree that Customer shall be the Controller and CompanyCam shall be the Processor concerning the Customer Personal Information CompanyCam Processes pursuant to the Agreement.
- Customer Obligations. Customer shall comply with the Data Protection Laws in connection with the Processing of Customer Personal Information as applicable to Customer as a Controller. Customer shall have sole responsibility for the accuracy, quality, and legality of the Processing of Customer Personal Information. Customer warrants that it has all rights necessary to provide the Customer Personal Information to CompanyCam for Processing in accordance with the Agreement and this DPA. Customer shall not instruct CompanyCam to Process Customer Personal Information under this DPA in a manner that Customer knows, or reasonably should know, violates the Data Protection Laws that are applicable to such instructions.
- Details of the Processing. This DPA includes Customer’s instructions for the Processing of Customer Personal Information by CompanyCam, including: (1) provision of the Licensed Application pursuant to the Agreement; (2) Processing initiated by Data Subjects in their use of the Licensed Application; and (3) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the scope of the Services described in the Agreement and the terms of this DPA.
- Processor Obligations
- For the purposes of the Agreement and this DPA, CompanyCam shall comply with the Data Protection Laws as applicable to CompanyCam as a Processor. Additionally, CompanyCam shall promptly inform Customer if CompanyCam becomes aware that Customer’s instructions, in its reasonable opinion, infringe any obligations under the Data Protection Laws.
- CompanyCam shall not:
- sell or share (as and to the extent such terms are defined in the Data Protection Laws) Customer Personal Information, except as provided in CompanyCam’s Privacy Policy;
- retain, use, or disclose Customer Personal Information for any purpose other than the Business Purposes specified in the Agreement or this DPA;
- process Customer Personal Information for commercial purposes other than as required to perform its obligations under the Agreement;
- retain, use, or disclose Customer Personal Information outside of the Parties’ direct relationship;
- reidentify any deidentified or aggregated Customer Personal Information; and/or
- combine Customer Personal Information CompanyCam receives from Customer with other Personal Information CompanyCam receives from or on behalf of any third party or collects through CompanyCam’s independent interactions with Data Subjects.
- CompanyCam shall promptly inform Customer if CompanyCam can no longer comply with any material term of this DPA. Nothing in this DPA shall limit CompanyCam’s right to use Customer Personal Information on an anonymized and aggregated basis in accordance with the Agreement.
- Data Subject Requests
- Response to Data Subject Requests. If CompanyCam receives a Data Subject Request, as between the Parties:
- if such Data Subject Request identifies Customer as the Controller, CompanyCam shall notify Customer of such Data Subject Request and shall not respond to the individual making the Data Subject Request; and
- if such Data Subject Request does not identify Customer as the Controller, CompanyCam shall advise the individual making the Data Subject Request to identify and contact the relevant Controller(s).
- Assistance. If Customer is unable to fulfill a Data Subject Request using the controls provided to Customer in the Licensed Application, upon Customer’s written request, CompanyCam shall provide reasonable assistance to Customer to fulfill Customer’s obligations to respond to the Data Subject Request to the extent required under the applicable Data Protection Laws. Customer shall provide CompanyCam with all information relevant to the Data Subject Request and the actions Customer requests of CompanyCam.
- Processor Personnel
- Confidentiality. CompanyCam shall ensure that its Personnel engaged in Processing Customer Personal Information are committed to confidentiality and are aware of the privacy and security requirements in this DPA.
- Limitation of Access. CompanyCam shall ensure that access to Customer Personal Information is limited to those Personnel who have a need to access Customer Personal Information to fulfill their job duties.
- Sub-Processors
- Notice Period and Objections. Customer provides an express, general authorization for the engagement of all Sub-Processors listed in Appendix 3. CompanyCam may update the list in Appendix 3 at least 10 days in advance of the Sub-Processor Processing Customer Personal Information (“Notice Period”).
If Customer has a good-faith basis to object to CompanyCam’s engagement of a new Sub-Processor, Customer may object to CompanyCam’s engagement of a new Sub-Processor by sending a written notice to CompanyCam specifically describing its objection. Customer will have authorized CompanyCam’s engagement of a new Sub-Processor should Customer fail to provide CompanyCam a written objection in compliance with this section within the Notice Period.
Upon receipt of Customer’s written objection, the Parties will work together in good faith to seek a mutually agreeable solution.
- Engagement. CompanyCam’s use of a Sub-Processor to assist in the Processing of Customer Personal Information shall be governed by a written agreement that requires each Sub-Processor to protect such Customer Personal Information in the same manner as required of CompanyCam under this DPA.
- Restricted Transfers
- Restrictions on Transfer. The Parties agree that CompanyCam shall engage in a Restricted Transfer of Customer Personal Information of residents of the European Economic Area (“EEA” includes all EU member states, plus Iceland, Liechtenstein, and Norway), the United Kingdom, or Switzerland (as applicable) pursuant to the Agreement and this DPA.
- Incorporation of Standard Contractual Clauses. Transfers of Customer Personal Information of residents of the EEA, the United Kingdom or Switzerland to the United States shall take place pursuant to Module 2 of the Standard Contractual Clauses (Controller to Processor), which is incorporated by reference in a format which is mutually agreeable to the Parties and in compliance with applicable Data Protection Laws.
- In addition, the Parties agree that the following optional clauses are incorporated into the EU Standard Contractual Clauses:
- Clause 9 option (2): general written authorization for Sub-Processors and the Parties agree that the timeframe for requesting the specific authorization shall be 30 days;
- Clause 17 (Governing law): the clauses shall be governed by the laws of Ireland;
- Clause 18 (Choice of forum and jurisdiction): the courts of Ireland shall have jurisdiction.
- Transfers of UK Personal Information. In respect of transfers of Customer Personal Information of residents of the UK, the Parties agree to comply with the obligations set out in the EU Standard Contractual Clauses as amended by the UK Addendum, which is incorporated by reference, as though they were set out in full in this Agreement, with Customer as the “exporter” and CompanyCam as the “importer”.
- Response to Complaints and Requests. CompanyCam will notify Customer in the event it receives a complaint, notice, inquiry or communication from a Supervisory Authority that relates to the Processing of Customer Personal Information or the Parties’ compliance with the Data Protection Laws.
- Security Measures. CompanyCam implements and maintains appropriate technical and organizational measures to protect Customer Personal Information that are at least as protective as those listed in Appendix 2 (“Security Measures”). CompanyCam aligns its data protection policies and practices with the American Institute of Certified Public Accountants Service Organization Control 2 (“SOC2”). CompanyCam may modify or update the Security Measures at its discretion provided that such modification or update does not result in a lesser standard of security.
- Audits
- Audits. Upon written request by Customer, CompanyCam will respond to Customer’s data security questionnaire on an annual basis. Upon Customer’s request, CompanyCam’s most recent SOC2 Type II report shall be made available to Customer subject to the confidentiality obligations set forth in the Agreement.
Should Customer identify any unauthorized Processing of Customer Personal Information, Customer shall provide written notice to CompanyCam. The Parties agree to work together in good faith to remediate such Processing.
- Data Protection Impact Assessment. To the extent a data protection impact assessment or similar assessment is required under applicable Data Protection Laws, CompanyCam shall provide Customer with reasonable assistance needed to carry out such an assessment related to Customer’s use of the Licensed Application, if Customer does not otherwise have access to the relevant information and to the extent such information is available to CompanyCam.
- Security Incident. CompanyCam shall notify Customer without undue delay after becoming aware of a Security Incident and provide a description of the Security Incident. CompanyCam shall make reasonable efforts to identify the cause of such a Security Incident and take steps as CompanyCam deems necessary and reasonable to remediate the cause of such a Security Incident to the extent remediation is within CompanyCam’s reasonable control. The obligations herein shall not apply to Security Incidents caused by Customer or Customer’s Authorized Users.
- Deletion of Customer Personal Information. Within 30 days after the expiration or termination of the Agreement, Customer may request in writing for CompanyCam to delete Customer Personal Information Processed in the provision of the Licensed Application. Upon Customer’s request, CompanyCam shall provide a written confirmation to Customer that CompanyCam has complied with such obligations. CompanyCam shall retain Customer Personal Information to the extent needed to comply with its business and legal obligations as allowed under applicable Data Protection Laws.
- Limitation of Liability. Each Party’s liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement.
- Additional Terms
- Term; Survival. This DPA shall be effective as of the Effective Date of the Agreement and shall continue in full force and effect until the expiration or termination of the Agreement.
- Relationship to Agreement. The requirements set forth in this DPA are in addition to, and not in place of, any similar requirements set forth in the Agreement. Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between the terms of this DPA and the Agreement, this DPA shall govern.
Appendix 1
ANNEX I.A. – LIST OF PARTIES
Data exporter: Customer
- Contact person’s name, position and contact details: As set forth in Agreement
- Activities relevant to the data transferred under these Clauses: Use of the Services
- Role: Controller
Data importer: CompanyCam, Inc.
- Address: 350 Canopy Street, Suite 230, Lincoln, NE 68508
- Contact person’s name, position and contact details: David Stamm, davidstamm@companycam.com
- Role: Processor
ANNEX I.B. – DESCRIPTION OF TRANSFER
- Categories of Data Subjects whose Personal Data is transferred
- Customer’s Authorized Users of the Licensed Application including Customer employees, contractors, collaborators, customers, prospects, vendors, suppliers and subcontractors.
- Customer’s clients and contacts as may be captured in project descriptions and project progress photos.
- Categories of personal data transferred: Personal Data required to provide the Services, including: Contact Information, subscription records, contents of in-app messages, internet activity, analytic data, targeted advertising data, device information, photos taken using the Licensed Application, Authorized Users’ professional or employment information.
- Special categories of data transferred: Precise geolocation
- Frequency of the transfer: Continuous during the Term of the Agreement
- Nature of Processing: Provision of the Services under the Agreement.
- Purpose of the data transfer and further Processing: The Services will consist of providing an application for the Customer to facilitate the management of construction projects including the ability to upload photos, videos, notes, tasks, and other documentation as determined by the customer.
- The period for which the Personal Data will be retained: Duration of the Agreement, unless otherwise instructed by the Customer and as needed to comply with CompanyCam’s business and legal obligations to the extent allowed under the applicable Data Protection Laws.
- For transfers to (sub-) processors, also specify subject matter, nature and duration of the Processing: Subprocessors Process Personal Data in support of the provision of the Services
ANNEX I.C. – COMPETENT SUPERVISORY AUTHORITY
- For EU Personal Data: the Supervisory Authority of Ireland;
- For Swiss Personal Data: the Swiss Federal Data Protection and Information Commissioner.
- For UK Personal Data: United Kingdom
Appendix 2
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
We currently observe the Security Measures described in this Annex 2. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.
a) Access Control
Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II, among other certifications.
Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer Data is stored in storage systems accessible to Customers via only application user interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in our product is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key.
ii) Preventing unauthorized Product Use
We implement industry-standard access controls and detection capabilities for the internal networks that support our products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Penetration testing: We perform an annual penetration test. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
iii) Limitations of Privilege & Authorization Requirements
Product access: A subset of our employees have access to the product and to Customer Data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, troubleshoot potential problems, detect and respond to security incidents and implement data security. Employee roles are reviewed at least once every twelve months.
Employee Security: All CompanyCam, Inc. employees undergo reference checks prior to being extended an employment offer, in accordance with and as permitted by the applicable laws and sign Confidentiality Agreements. All CompanyCam, Inc. employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards and sign off on our internal policies annually.
b) Transmission Control
In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on every one of our Service login interfaces. Our HTTPS implementation uses industry-standard algorithms and certificates.
At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.
c) Input Control
Detection: We designed our infrastructure to log extensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel are responsive to known incidents.
Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to You will be in accordance with the terms of the Agreement and DPA.
d) Availability Control
Infrastructure availability: Our infrastructure providers use commercially reasonable efforts to ensure industry-standard uptime as set forth in the Agreement. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Backup and recovery: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer Data is backed up to multiple durable data stores and replicated across multiple availability zones. Recovery strategies are tested at least annually.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry-standard methods.
Appendix 3
LIST OF SUB-PROCESSORS
Sub-Processor | Location | Service |
---|---|---|
Amplitude by SmartBear Software | United States | Analytics |
AWS | United States | Cloud server |
Bugsnag | United States | Analytics |
Datadog | United States | Monitoring and security |
Honeybadger | United States | Analytics |
Snowflake | United States | Data storage |
Snowplow | United States | Analytics |
Stripe | United States | Finance |
Intercom | United States | Customer Service |