DATA PROCESSING ADDENDUM

Exhibit B to the CurrentWare Master Terms of Service

RECITALS

  1. CurrentWare Inc., a corporation existing under the laws of Ontario, Canada (“CurrentWare”), provides the CurrentWare workforce analytics, security, and data-loss-prevention platform, including the modules BrowseReporter, BrowseControl, AccessPatrol, and enPowerManager, the Console, and the Endpoint Agents, whether deployed on-premises, through CurrentWare Cloud, or under a hybrid model (collectively, the “Service”);
  2. The customer identified on the applicable Order Form (“Customer”) has entered into the CurrentWare Master Terms of Service (the “Agreement”) and desires to use the Service to monitor and manage its endpoints and personnel in accordance with the Agreement;
  3. In the course of providing the Service, CurrentWare will Process Personal Data on behalf of Customer, and the Parties wish to ensure that such Processing complies with all applicable Data Protection Laws;
  4. This Data Processing Addendum (“DPA”) is incorporated by reference into, and forms an integral part of, the Agreement and states the Parties’ rights and obligations with respect to the Processing of Personal Data in connection with the Service;

1. DEFINITIONS

1.1 Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement. In this DPA, the following terms have the following meanings:

  1. “Applicable Data Protection Laws” means all laws and regulations relating to the Processing of Personal Data that apply to a Party’s performance under this DPA, including, as applicable: (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); (ii) the United Kingdom General Data Protection Regulation as retained by Section 3 of the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018 (collectively, “UK GDPR”); (iii) Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applicable provincial privacy legislation, including Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (“Law 25” / Bill 64); (iv) the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Texas Data Privacy and Security Act (“TDPSA”), and any other applicable U.S. state privacy law; and (v) the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”), in each case as amended, supplemented, or replaced from time to time.
  2. “Controller” means the entity that determines the purposes and means of the Processing of Personal Data. Under this DPA, the Customer is the Controller (or “business” under the CCPA/CPRA, or equivalent designation under other Applicable Data Protection Laws) with respect to Employee Personal Data.
  3. “Data Subject” means the identified or identifiable individual to whom Personal Data relates, including Monitored Personnel.
  4. “Employee Personal Data” means personal data relating to Customer’s personnel (including employees, contractors, and other workers) that is Processed through the Service, including web activity, application usage, idle time, file-transfer events, USB and peripheral device activity, productivity scores, and related telemetry.
  5. “EU SCCs” means the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914, as may be amended, superseded, or replaced from time to time.
  6. “Monitored Personnel” means the employees, contractors, and other workers whose endpoint activity is collected through the Service at the direction of a Customer.
  7. “Personal Data” (also referred to as “Personal Information”) means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable individual.
  8. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by CurrentWare in connection with the Service.
  9. “Processing” (including “Process” and “Processed”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  10. “Processor” means the entity that Processes Personal Data on behalf of and under the instructions of a Controller. CurrentWare acts as a Processor (or “service provider” under the CCPA/CPRA, or equivalent designation under other Applicable Data Protection Laws) when it Processes Employee Personal Data through the Service.
  11. “Subprocessor” means any third party engaged by CurrentWare to Process Personal Data on behalf of Customer in connection with the Service.
  12. “UK IDTA” means the International Data Transfer Agreement issued by the UK Information Commissioner’s Office under Section 119A of the Data Protection Act 2018, as may be amended, superseded, or replaced from time to time.
  13. “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office under Section 119A of the Data Protection Act 2018.

2. SCOPE AND ROLES OF THE PARTIES

2.1 Scope. This DPA applies to all Processing of Personal Data by CurrentWare on behalf of Customer in connection with the Service, regardless of the Deployment Model (on-premises, CurrentWare Cloud, or hybrid) selected on the applicable Order Form. 

2.2 Customer as Controller. Customer is the Controller with respect to Employee Personal Data and other Personal Data that Customer or its Authorized Users transmit to, store in, or generate through the Service. Customer determines the purposes and means of Processing and is responsible for establishing and maintaining a lawful basis for such Processing under Applicable Data Protection Laws. 

2.3 CurrentWare as Processor. CurrentWare is the Processor with respect to Employee Personal Data and other Customer Personal Data Processed through the Service. CurrentWare will Process Personal Data only on behalf of and in accordance with Customer’s documented instructions, as stated in Section 3, and will not Process Personal Data for any independent purpose except as expressly permitted in this DPA or required by Applicable Data Protection Laws. 

2.4 U.S. State Privacy Law Designations. To the extent the CCPA/CPRA or other U.S. state privacy laws apply, Customer is the “business” (or equivalent) and CurrentWare is the “service provider” (or equivalent). CurrentWare will not sell or share Personal Data, and will not retain, use, or disclose Personal Data outside the business purpose for which it was provided or other purposes permitted by the applicable U.S. state privacy law. 

2.5 Canadian Law Designations. To the extent PIPEDA, Law 25, or other applicable Canadian provincial privacy legislation applies, Customer is the organization responsible for Personal Data under its custody or control, and CurrentWare Processes Personal Data as a service provider acting on Customer’s behalf and in accordance with Customer’s instructions. 

2.6 Australian Law Designations. To the extent the Australian Privacy Act 1988 and the APPs apply, Customer is the APP entity responsible for Personal Data, and CurrentWare Processes Personal Data on Customer’s behalf and in accordance with Customer’s instructions and the APPs. 

3. PERMITTED PURPOSES AND INSTRUCTIONS FOR PROCESSING

3.1 Documented Instructions. CurrentWare will Process Personal Data only in accordance with Customer’s documented instructions. The Parties agree that the Agreement (including this DPA), the applicable Order Form, and Customer’s configuration of the Service through the Console constitute Customer’s complete and final documented instructions to CurrentWare at the time of execution. Customer may issue additional reasonable written instructions consistent with this DPA, provided that if any instruction requires CurrentWare to incur material additional cost, the Parties will negotiate in good faith an equitable adjustment to Fees. 
3.2 Permitted Purposes. CurrentWare will Process Personal Data solely for the following purposes: (a) providing, operating, and maintaining the Service, including hosting the Console, transmitting and storing telemetry data, generating reports and dashboards, enforcing web-filtering and device-control policies, and administering Customer accounts; (b) providing technical support and professional services; (c) detecting and addressing security threats and incidents; (d) generating aggregated, anonymized, or de-identified data in accordance with Section 3.3; and (e) complying with Applicable Data Protection Laws. 
3.3 Aggregated and De-Identified Data. CurrentWare may generate aggregated, anonymized, or de-identified data from Customer Data and may use such data for any lawful business purpose, including improving the Service, developing new features, security analysis, and producing benchmarks, provided that such data does not identify Customer or any individual and that such de-identification is performed in accordance with Applicable Data Protection Laws. CurrentWare will not attempt to re-identify de-identified data except to the extent strictly necessary for security testing, legal compliance, verification of the effectiveness of de-identification measures, or as otherwise required by applicable law, and in each case subject to appropriate technical and organizational controls.
3.4 Unlawful Instructions. If CurrentWare reasonably believes that a Customer instruction infringes Applicable Data Protection Laws, CurrentWare will promptly notify Customer and may suspend performance of the relevant instruction until Customer modifies or confirms the instruction.

4. CONFIDENTIALITY

4.1 Confidentiality of Personal Data. CurrentWare will ensure that all persons authorized to Process Personal Data on its behalf are subject to binding obligations of confidentiality, whether by contract or by operation of law.
4.2 Access Restrictions. CurrentWare will limit access to Personal Data to those of its personnel and Subprocessors who have a need to access the data in order to perform CurrentWare’s obligations under the Agreement and this DPA.
4.3 Relationship to Agreement. The confidentiality obligations in Section 14 of the Agreement apply to Personal Data in addition to (and without limiting) the obligations set forth in this Section 4. 

5. SECURITY MEASURES

5.1 Technical and Organizational Measures. CurrentWare will implement and maintain appropriate technical and organizational security measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to Data Subjects. 
5.2 Minimum Measures. Without limiting the generality of Section 5.1, CurrentWare’s security measures will include, at a minimum: (a) access controls and authentication mechanisms; (b) encryption of data in transit; (c) logging and monitoring of administrative access; (d) segregation of customer environments; (e) vulnerability management and patch deployment; and (f) business continuity and disaster recovery procedures. 
5.3 Updates to Security Measures. CurrentWare may update its security measures from time to time, provided that any update does not materially diminish the overall level of protection afforded to Personal Data.

6. PERSONAL DATA BREACH NOTIFICATION

6.1 Notification to Customer. CurrentWare will notify Customer without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Personal Data Breach affecting Customer’s Personal Data. To the extent required by Applicable Data Protection Laws, CurrentWare’s notification will include: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects; and (d) the name and contact details of CurrentWare’s contact point for further information. 
6.2 Cooperation. CurrentWare will cooperate with Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of a Personal Data Breach, including by providing information necessary for Customer to comply with any breach notification obligations under Applicable Data Protection Laws.
6.3 Customer Notification Obligations. Customer is responsible for determining whether a Personal Data Breach triggers notification obligations to Data Subjects or supervisory authorities under Applicable Data Protection Laws and for making any required notifications.
6.4 Quebec Law 25 Confidentiality Incidents. Where Law 25 applies, CurrentWare will notify Customer of any confidentiality incident involving Personal Data that presents a risk of serious injury and will cooperate with Customer’s regulatory reporting obligations. 
6.5 Australia Notifiable Data Breaches. Where the Australian Privacy Act applies, CurrentWare will notify Customer of any eligible data breach (as defined under Part IIIC of the Privacy Act) and will cooperate with Customer’s obligations under the Notifiable Data Breaches scheme. 
6.6 Quebec Confidentiality Incident Records. Where Law 25 applies, CurrentWare maintains internal processes for documenting confidentiality incidents in accordance with applicable legal requirements and will provide reasonable cooperation to Customer in connection with Customer’s own incident reporting and recordkeeping obligations.

7. SUBPROCESSOR MANAGEMENT

7.1 Authorized Subprocessors. Customer provides general authorization for CurrentWare to engage Subprocessors to Process Personal Data in connection with the Service. The Subprocessors engaged by CurrentWare as of the effective date of this DPA are listed in Schedule 3 (Approved Subprocessors).
7.2 Obligations on Subprocessors. CurrentWare will: (a) enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective than those set forth in this DPA; (b) remain responsible to Customer for the acts and omissions of its Subprocessors; and (c) conduct appropriate due diligence on Subprocessors before engagement. 
7.3 Notification of New Subprocessors. For Customers subject to EU GDPR or UK GDPR, CurrentWare will notify Customer at least thirty (30) days in advance of engaging any new Subprocessor or replacing an existing Subprocessor, and CurrentWare will provide such notice by email to the Customer contact designated on the Order Form, or through a mechanism made available through the Service or CurrentWare’s website (such as a Subprocessor update notification list). For all other Customers, CurrentWare will provide Customer with an updated list of Subprocessors within thirty (30) days of receiving a request to support@currentware.com.  
7.4 Objection Right. Customer may object to a new or replacement Subprocessor by providing written notice to CurrentWare within fifteen (15) days of receiving notice under Section 7.3, provided that such objection is based on reasonable data protection grounds. Upon receipt of an objection, CurrentWare will use commercially reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable alternative. If CurrentWare is unable to accommodate the objection within a reasonable period (not to exceed thirty (30) days), Customer may, as its sole remedy, terminate the affected Order Form (or the portion of the Service that requires the use of the objected-to Subprocessor) upon written notice, and CurrentWare will refund any prepaid Fees for the unused portion of the Subscription Term following the effective date of termination.
7.5 Emergency Subprocessor Engagement. CurrentWare may engage a new Subprocessor without complying with the advance notice period in Section 7.3 if such engagement is reasonably necessary to address a security incident, service outage, or other emergency, provided that CurrentWare notifies Customer as soon as practicable and complies with the objection process in Section 7.4 promptly thereafter.

8. DATA SUBJECT RIGHTS AND ASSISTANCE

8.1 Assistance with Data Subject Requests. Taking into account the nature of the Processing, CurrentWare’s role as a Processor, and the information available to CurrentWare, CurrentWare will provide reasonable assistance to Customer to enable Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection. 
8.2 Forwarding of Requests. If CurrentWare receives a request directly from a Data Subject regarding Personal Data Processed on behalf of Customer, CurrentWare will promptly notify Customer and, except where required by Applicable Data Protection Laws, will not respond to the request directly without Customer’s prior written authorization. 
8.3 Costs. If Customer’s requests for assistance under this Section 8 require effort that is materially beyond the scope of CurrentWare’s standard service obligations, CurrentWare may charge Customer reasonable fees for such assistance on a time-and-materials basis at CurrentWare’s then-current professional services rates, provided that CurrentWare notifies Customer of any such fees in advance.

9. DATA RETENTION AND DELETION / RETURN

9.1 Retention During the Term. During the Subscription Term, CurrentWare will retain Personal Data in accordance with: (a) the default retention periods made available in the Documentation or applicable product settings; and (b) any shorter or longer retention settings configured by Customer through the Service, where such settings are available.
9.2 Default Retention Information. Upon Customer’s written request, CurrentWare will make available a current description of the default retention settings applicable to major categories of Personal Data processed through the Service, including workforce telemetry, administrative logs, and backup-related retention practices, subject to reasonable confidentiality and security restrictions.
9.3 Post-Termination Return or Deletion. Upon expiration or termination of the Agreement, CurrentWare will, at Customer’s election communicated in writing within thirty (30) days following termination, either: (a) return Customer Personal Data in a commonly used, machine-readable format; or (b) securely delete such Personal Data, except to the extent retention is required by applicable law.
9.4 Deletion from Backup Systems. Unless otherwise agreed in writing, CurrentWare will complete deletion of Customer Personal Data from active systems within ninety (90) days following the applicable deletion trigger under this Section 9. Data retained in backup or disaster recovery systems will be overwritten or deleted in the ordinary course in accordance with CurrentWare’s backup retention practices and will remain subject to the confidentiality and security obligations of this DPA until deletion occurs.
9.5 Exceptions. Notwithstanding Sections 9.3 and 9.4, CurrentWare may retain Personal Data (or copies thereof) to the extent required by Applicable Data Protection Laws, provided that CurrentWare will: (a) limit such retention to the minimum extent and duration required; (b) continue to protect such retained data in accordance with this DPA; and (c) Process such data only for the purpose of compliance with the applicable legal requirement.
9.6 Aggregated Data. For clarity, the obligations in this Section 9 do not apply to aggregated, anonymized, or de-identified data that does not constitute Personal Data.

10. AUDIT AND COMPLIANCE

10.1 Audit Information. Upon written request, CurrentWare will make available to Customer, subject to reasonable confidentiality restrictions, information reasonably necessary to demonstrate CurrentWare’s compliance with the security and confidentiality obligations set forth in this DPA, which may include (as applicable) CurrentWare’s written security overview, responses to security questionnaires, and summaries of its security policies and procedures. The Parties agree that provision of such information constitutes sufficient information to demonstrate CurrentWare’s compliance with the security and confidentiality obligations set forth in this DPA, unless Customer demonstrates a reasonable basis to believe that such information is insufficient for a specific compliance concern.
10.2 Right to Audit.  To the extent required by Applicable Data Protection Laws and where Customer has identified a reasonable concern regarding CurrentWare’s compliance with this DPA that is not adequately addressed by the information provided under Section 10.1, Customer may conduct an audit in accordance with this Section 10.2. Any such audit will be subject to the following conditions:

  1. at least thirty (30) days’ prior written notice;
  2. no more than once per twelve (12)-month period, unless required by a supervisory authority or following a Personal Data Breach or other material security incident;
  3. conducted during normal business hours and in a manner that minimizes disruption;
  4. performed by a qualified independent auditor bound by confidentiality obligations;
  5. limited in scope to matters reasonably related to the identified compliance concern; and
  6. limited to a review of documents and information made available by CurrentWare (including remote interviews of personnel, if reasonably requested); and conducted primarily through document review, written responses, remote interviews, or other reasonably efficient means, except where a broader form of audit is strictly required by Applicable Data Protection Laws or a competent supervisory authority.
  7. does not include any onsite inspection of CurrentWare facilities or access to CurrentWare systems, except to the extent strictly required by Applicable Data Protection Laws or a competent supervisory authority.

10.3 Cooperation. CurrentWare will reasonably cooperate with any audit conducted under Section 10.2 by making available the documents and information described in Section 10.1 that are reasonably relevant to the identified compliance concern, and by participating in reasonable remote discussions.

10.4 Supervisory Authority Audits. CurrentWare will cooperate with and provide reasonable assistance to Customer in connection with any audit, inquiry, or investigation by a data protection supervisory authority, employment regulator, or other competent authority relating to CurrentWare’s Processing of Personal Data under this DPA. 

10.5 Costs. Unless an audit reveals a material breach of this DPA by CurrentWare, Customer will bear the costs of any audit conducted under Section 10.2. If an audit reveals a material breach by CurrentWare, CurrentWare will bear the reasonable costs of such audit.

11. INTERNATIONAL DATA TRANSFERS

11.1 General. Customer acknowledges that CurrentWare is headquartered in Ontario, Canada, and that Personal Data may be transferred to, stored in, and Processed in Canada, the United States, or other countries where CurrentWare or its Subprocessors operate. 

11.2 Customer Obligation. Customer is responsible for determining whether, and for obtaining and documenting, a lawful basis for any cross-border transfer of Personal Data through the Service. 

11.3 Transfer Mechanisms EU/EEA. To the extent that Customer’s use of the Service involves a transfer of Personal Data from the European Economic Area to a country that has not been recognized by the European Commission as providing an adequate level of data protection, the Parties agree that the EU SCCs will apply to such transfer, as further set forth in Schedule 4 (Standard Contractual Clauses / International Data Transfer Mechanisms). The Parties agree that: (a) Module Two (Controller to Processor) of the EU SCCs applies where Customer is the Controller and CurrentWare is the Processor; (b) the optional clauses and annexes of the EU SCCs are completed as set forth in Schedule 4; and (c) where required following a transfer impact assessment, CurrentWare will implement supplementary technical or organizational measures. 

11.4 Transfer Mechanisms UK. To the extent that Customer’s use of the Service involves a transfer of Personal Data from the United Kingdom to a country that has not been recognized by the UK Secretary of State as providing adequate data protection, the Parties agree that the UK IDTA or the UK Addendum to the EU SCCs (as applicable) will apply to such transfer, as further set forth in Schedule 4. 

11.5 Transfer Mechanisms Canada and Quebec. To the extent that Law 25 or other applicable Canadian provincial privacy legislation requires safeguards for cross-border transfers, CurrentWare will implement contractual or other safeguards designed to ensure a level of protection equivalent to that required by applicable law. Where required by Quebec law, CurrentWare will support the assessment of relevant factors relating to cross-border disclosures, including the sensitivity of the information, the purposes for which it is to be used, the safeguards applicable to it, and the legal framework of the destination jurisdiction.

11.6 Transfer Mechanisms Australia. Before disclosing Personal Data to recipients located outside Australia, CurrentWare will take reasonable steps to ensure that the overseas recipient handles the information in accordance with the APPs, including by entering into enforceable contractual arrangements. 

11.7 Adequacy Decisions. Where an adequacy decision (or equivalent recognition) has been issued by a competent authority with respect to a recipient country, such decision may serve as a lawful transfer mechanism in lieu of the EU SCCs, UK IDTA, or UK Addendum, to the extent permitted under Applicable Data Protection Laws. 

11.8 Data Residency. CurrentWare will Process and store Personal Data in its default hosting region(s). Where commercially viable and subject to agreement on the applicable Order Form, CurrentWare may offer EU, UK, or Australian data residency options. 

12. DATA PROTECTION IMPACT ASSESSMENTS AND CONSULTATIONS

12.1 DPIA Assistance. Where Applicable Data Protection Laws require Customer to conduct a data protection impact assessment or prior consultation with a supervisory authority in connection with the Processing contemplated by this DPA, CurrentWare will provide reasonable assistance to Customer, taking into account the nature of the Processing and the information available to CurrentWare.

12.2 Quebec Privacy Impact Assessments. Where Law 25 applies, CurrentWare will provide reasonable cooperation and information to assist Customer in conducting privacy impact assessments for projects involving the collection, use, or disclosure of Personal Data through the Service. 

13. LIABILITY AND INDEMNIFICATION

13.1 Governed by Agreement. Except as otherwise set forth in this Section 13 or required by Applicable Data Protection Laws, each Party’s liability arising out of or relating to this DPA is subject to the limitations and exclusions of liability set forth in Section 20 of the Agreement. 

14. TERM AND TERMINATION

14.1 Term. This DPA commences on the effective date of the Agreement and continues in force until the earlier of: (a) the expiration or termination of the Agreement; or (b) CurrentWare ceases to Process Personal Data on behalf of Customer.

14.2 Survival. Sections 4 (Confidentiality), 6 (Personal Data Breach Notification), 9 (Data Retention and Deletion / Return), 10 (Audit and Compliance), 11 (International Data Transfers), 13 (Liability and Indemnification), and 14.2 (Survival) will survive the expiration or termination of this DPA to the extent necessary to give effect to their purposes. 

15. GENERAL

15.1 Order of Precedence. In the event of any conflict between this DPA and the Agreement (including any Order Form), this DPA will prevail with respect to matters relating to data protection and the Processing of Personal Data. 

15.2 Amendments. This DPA may be amended only by a written instrument signed by both Parties, except that CurrentWare may update the Schedules to this DPA (including the Subprocessor list) in accordance with the procedures set forth herein.

15.3 Governing Law. This DPA is governed by the governing law and dispute resolution provisions of the Agreement, except to the extent that Applicable Data Protection Laws require a different governing law for specific provisions (including the EU SCCs or UK IDTA, which are governed by the law specified therein).

15.4 Severability. If any provision of this DPA is held invalid or unenforceable, such provision will be modified to the minimum extent necessary to make it enforceable, and the remaining provisions will remain in full force and effect. 

15.5 Entire Agreement. This DPA, together with the Agreement, the applicable Order Forms, and the Schedules hereto, constitutes the entire agreement of the Parties with respect to the Processing of Personal Data and supersedes all prior or contemporaneous agreements, representations, and understandings relating thereto. 

SCHEDULE 1 DETAILS OF PROCESSING

The following details of Processing apply to the Processing of Personal Data under this DPA:

Subject Matter and Duration of Processing: CurrentWare Processes Personal Data for the duration of the Subscription Term, as necessary to provide the Service (including workforce analytics, security, and data-loss prevention) in accordance with the Agreement and this DPA. 

Nature and Purpose of Processing: Hosting the Console; transmitting and storing telemetry data collected by Endpoint Agents; generating reports and dashboards; enforcing web-filtering and device-control policies; administering Customer accounts; providing technical support; detecting security threats; and generating aggregated, anonymized, or de-identified data for Service improvement. 

Categories of Data Subjects: Monitored Personnel of Customer (employees, contractors, and other workers whose endpoint activity is collected through the Service); Authorized Users of the Service. 

Categories of Personal Data:

| Category | Description |
| --- | --- |
| Web activity | Websites visited, URLs accessed, website categories, and time spent on each site |
| Application usage | Applications opened, time spent in each application, and application categories |
| Idle time and productivity data | Active versus inactive work patterns, productivity scores, and time-wasting pattern detection |
| File-transfer events | Records of file transfers to or from Endpoints, including file names and destinations |
| USB and peripheral device activity | Connection, disconnection, and usage of USB storage devices, Bluetooth adapters, Wi-Fi adapters, and other peripherals |
| Screenshot capture status | Whether screenshot capture is enabled or disabled on a per-device basis (on/off flag only) |
| User account data | Internal user ID, work email address, role, department, account status |
| Authentication and security logs | Login/logout timestamps, IP address, device type, operating system, browser, MFA status, administrative actions |

Sensitive Data (if any): The Service is not designed to process special categories of Personal Data (as defined under the EU GDPR) or sensitive personal information (as defined under the CCPA/CPRA), except to the extent that account login credentials (username and password) may constitute sensitive personal information under applicable law. 

Data Exporter (Controller): Customer, as identified on the applicable Order Form.

Data Importer (Processor): CurrentWare Inc., 199 Bay Street, Suite 5300, Toronto, Ontario M5L 1B9, Canada. 

SCHEDULE 2 TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

CurrentWare implements and maintains the following technical and organizational security measures to protect Personal Data: 

The Service is hosted on Amazon Web Services, Inc. and its affiliates (“AWS”) using AWS managed services. Security is implemented under a shared responsibility model: AWS is responsible for the security of the underlying cloud infrastructure, and CurrentWare is responsible for securely configuring and operating the Service and the AWS services it uses, including identity and access management, application security, encryption configuration, monitoring, and incident response.

  1. Access Controls and Authentication. CurrentWare limits access to Production systems and Personal Data to authorized personnel on a need-to-know basis and uses role-based access controls for administrative functions within the Service. Administrative access to cloud resources is managed using AWS identity and access management capabilities (e.g., least-privilege roles and policies) and, where applicable, multi-factor authentication for privileged access. CurrentWare maintains processes for provisioning, changing, and revoking access in a timely manner.
  2. Encryption. CurrentWare uses industry-standard encryption to protect Personal Data in transit (e.g., TLS) between endpoints, the Service, and administrative interfaces. Personal Data stored by the Service is encrypted at rest using encryption capabilities provided by AWS managed services (e.g., storage- and database-level encryption), as applicable to the services in use. Where encryption keys are used, CurrentWare relies on AWS key management capabilities and/or managed key controls as applicable, and restricts access to keys and key-management functions to authorized personnel.
  3. Network Security. CurrentWare uses AWS network security capabilities to protect the Service, including network isolation and traffic controls (for example, use of virtual private cloud constructs, security groups, and network access control mechanisms), and limits inbound administrative access. Where applicable, CurrentWare leverages AWS managed protections for denial-of-service and perimeter threats and maintains processes to review and update network rules as the Service evolves.
  4. Segregation of Customer Environments. CurrentWare maintains logical segregation of Customer environments within the Service designed to prevent one customer from accessing another customer’s data. Segregation is implemented through a combination of application-layer access controls and underlying AWS service configuration and account/resource isolation mechanisms, as applicable to the deployment architecture.
  5. Logging and Monitoring. CurrentWare maintains administrative access logs within the Console that record administrative access and material configuration or policy changes made by Authorized Users with administrative privileges. CurrentWare uses logging and monitoring controls appropriate to the Service, including logs for administrative actions and access to Production systems. CurrentWare may leverage AWS logging and monitoring capabilities available for the managed services in use to collect and review relevant security events. Log retention periods are determined based on operational needs and risk and may be updated from time to time.
  6. Vulnerability Management and Patch Deployment. CurrentWare maintains a vulnerability management program designed to identify, assess, and remediate vulnerabilities in the Service. CurrentWare applies security patches and updates to Service components in a timely manner based on risk and operational impact. Where AWS managed services are used, CurrentWare relies on AWS to operate and patch the underlying infrastructure and managed service components within AWS’s responsibility boundaries, while CurrentWare remains responsible for configuration, application code, and dependencies under its control.
  7. Business Continuity and Disaster Recovery. CurrentWare maintains business continuity and disaster recovery measures appropriate to the Service, which may include data backups, redundancy, and restore processes. CurrentWare leverages availability, redundancy, and backup features provided by AWS managed services where applicable. CurrentWare tests restoration and recovery procedures on a periodic basis consistent with its internal practices.
  8. Personnel Security. CurrentWare maintains personnel security measures designed to ensure that personnel with access to systems that Process Personal Data are subject to confidentiality obligations and receive security awareness training appropriate to their roles. CurrentWare maintains internal policies regarding acceptable use and access to systems and data.
  9. Physical Security. The Production environment for the Service is hosted in AWS data centers. AWS is responsible for physical and environmental security of its data centers and the underlying infrastructure, including controls designed to prevent unauthorized physical access. Upon request and subject to applicable restrictions, CurrentWare may provide Customer with publicly available AWS security/compliance documentation or guidance on where to obtain it.
  10. Incident Response. CurrentWare maintains an incident response process designed to assess, respond to, and remediate security incidents affecting the Service, including escalation and internal communication procedures. Where an incident relates to AWS services within AWS’s responsibility boundaries, CurrentWare will coordinate with AWS through applicable support channels. CurrentWare’s breach-notification obligations are set forth in Section 6 of this DPA.

Additional Security Governance Commitments. Without limiting the generality of Schedule 2, CurrentWare maintains security practices that include, where applicable to the relevant systems and roles: multi-factor authentication for privileged administrative access; encryption of Personal Data in transit using industry-standard cryptographic protocols and encryption at rest for production storage systems supporting the Service; periodic review of privileged-access assignments and timely revocation of access upon role change or separation; logging of administrative and other relevant security events with retention periods determined by operational and security requirements; backup and recovery procedures designed to support restoration of production data and services; and incident response procedures that are periodically reviewed and tested in accordance with CurrentWare’s internal security practices.

SCHEDULE 3 APPROVED SUBPROCESSORS

The subprocessors listed in this Schedule are authorized by Customer as of the effective date of this DPA. CurrentWare will maintain this Schedule in an accurate and up-to-date manner and will provide notice of additions or replacements, in each case as required by and in accordance with Section 7 of this DPA.

| Subprocessor Name | Location | Description of Processing Activities |
| --- | --- | --- |
| Aircall | United States | Handles customer phone inquiries and incoming voice recording of support and sales calls. |
| Amazon Web Services, Inc. (AWS) | United States | Cloud hosting and infrastructure provider; provision of AWS managed services used to host, store, process, and transmit Personal Data in connection with the Service. |
| Anthropic (Claude) | United States | AI assistant used for content generation, summarization, and internal productivity workflows; processes prompts and inputs submitted by authorized users. |
| Gemini (Google) | United States | Generative AI service used internally to support content creation, editing, and research workflows. Inputs are limited to non-confidential business data submitted by authorized users. |
| Geoapify | European Union | Coarse geolocation address lookups based on end users’ geographical location. Derived location is used for location tracking if the company has opted in to use it. |
| Google API | United States | Built integrations to support customer analytics and automated warning systems across platforms. |
| Fireflies.ai | United States | Automate data flow between systems, acting as a data-in-transit processor for meeting notes, transcripts, and action items across platforms. |
| HubSpot | United States | Contains customer information and interaction history. |
| Make | United States | Connect tools to facilitate data movement from source to destination during transit. |
| PostHog | United States | Product & admin usage analytics to support IP, IDs, usage events, feature usage. |
| ProductFruit | United States | Delivering structured customer onboarding experiences, guided product tours, and post-interaction surveys to improve engagement and gather feedback. |
| RB2B | United States | Identify and track unique website visitors to support analytics, user insights, and engagement monitoring. |
| SendGrid | United States | Automate email delivery, notifications, and communication workflows across platforms using transactional email services. |
| Slack | United States | Team collaboration and communication tool |
| Stripe | United States | Payment handler for secure online processing of payments |
| Twilio | United States | Transactional & alert emails. Email addresses, alert content, templates. |
| URL Classification | United States, United Kingdom, Germany, Australia | Vendor that provides website domain classification services for websites browsed by end users |
| WorkOS | United States | Identity / SSO, directory sync, security tooling. Admin IDs, auth data, directory metadata. |
| Zapier | United States | Build integrations that route data between systems as a data transit processor. |
| Zoho Suite | European Union, United States | CRM for prospects and customers to capture contact details, org info, and billing/contact history; stores support tickets, live chat transcripts, customer files, and enables remote support/live screen sharing when live support is requested. |
| Zoom | United States | Video meetings with customers/support. Meeting metadata, audio/video of calls, chat. |

Changes to the Subprocessor list will be managed in accordance with Section 7 of this DPA. CurrentWare will not publish this DPA until this Schedule is complete.

SCHEDULE 4 STANDARD CONTRACTUAL CLAUSES / INTERNATIONAL DATA TRANSFER MECHANISMS

Part A EU Standard Contractual Clauses (SCCs)

A.1 Applicability. Where Customer’s use of the Service involves a Restricted Transfer (as defined below) of Personal Data from the European Economic Area, the EU SCCs (Module Two: Controller to Processor) are incorporated by reference into this DPA and will apply to such transfer. “Restricted Transfer” means a transfer of Personal Data from the EEA to a country outside the EEA that is not subject to an adequacy decision by the European Commission.

A.2 Completion of the SCCs. The EU SCCs are deemed completed as follows:

(a) Module Two (Controller to Processor) applies.

(b) Clause 7 (Docking Clause): The optional docking clause is included, allowing additional parties to accede to the SCCs.

(c) Clause 9(a) (Use of Sub-processors): Option 2 (General written authorization) applies. CurrentWare will inform Customer of any intended changes to the list of Subprocessors in accordance with Section 7 of this DPA.

(d) Clause 11 (Redress): The optional language permitting Data Subjects to lodge a complaint with an independent dispute resolution body is not included.

(e) Clause 13(a) (Supervision): The competent supervisory authority is the supervisory authority of the EU member state in which Customer is established, or, if Customer is not established in the EU, the supervisory authority of the EU member state in which Customer’s EU representative is established, or, if no representative has been appointed, the supervisory authority of the EU member state in which the Data Subjects whose Personal Data is transferred are located.

(f) Clause 17 (Governing Law): The SCCs are governed by the law of the EU member state identified in Clause 13(a).

(g) Clause 18(b) (Choice of Forum): Disputes are resolved before the courts of the EU member state identified in Clause 13(a).

(h) Annex I is completed as set forth in Schedule 1 of this DPA.

(i) Annex II is completed as set forth in Schedule 2 of this DPA.

(j) Annex III (List of Sub-processors) is completed as set forth in Schedule 3 of this DPA.

A.3 Supplementary Measures. Where required following a transfer impact assessment, CurrentWare will implement supplementary technical or organizational measures as described in Schedule 2 or as otherwise agreed by the Parties in writing. 

Part B UK International Data Transfer Addendum (IDTA) / UK Addendum

B.1 Applicability. Where Customer’s use of the Service involves a Restricted Transfer of Personal Data from the United Kingdom to a country that is not subject to adequacy regulations by the UK Secretary of State, either: (a) the UK IDTA; or (b) the UK Addendum to the EU SCCs, as applicable, is incorporated by reference into this DPA and will apply to such transfer. 

B.2 UK Addendum. If the UK Addendum is used, the EU SCCs (as completed in Part A above) are amended and supplemented by the UK Addendum, with the following selections:

(a) Table 1: The Parties’ details and key contacts are as set forth in Schedule 1.

(b) Table 2: The version of the Approved EU SCCs referenced is Module Two (Controller to Processor), as set forth in Part A.

(c) Table 3: The Annex information is as set forth in Schedules 1, 2, and 3.

(d) Table 4: Either Party may end the UK Addendum as set out in Section 19 of the UK Addendum.

B.3 Competent Supervisory Authority (UK). The competent supervisory authority for UK transfers is the Information Commissioner’s Office (ICO). 

Part C Canadian Transfer Safeguards

C.1 Where Law 25 or other applicable Canadian provincial privacy legislation requires contractual safeguards for cross-border transfers of Personal Data, this DPA (including the security measures in Schedule 2 and the Subprocessor obligations in Section 7) constitutes the contractual framework for such transfers. 

Part D Australian Transfer Safeguards

D.1 Where the Australian Privacy Act and the APPs require CurrentWare to take reasonable steps to ensure that overseas recipients of Personal Data handle the information in accordance with the APPs, this DPA (including the security measures in Schedule 2 and the Subprocessor obligations in Section 7) constitutes the enforceable contractual arrangement for such transfers. 

Part E U.S. State Law Provisions

E.1 Service Provider Obligations. To the extent the CCPA/CPRA or other U.S. state privacy laws apply to the Processing of Personal Data under this DPA, CurrentWare will: (a) Process Personal Data only for the business purposes specified in this DPA; (b) not sell or share Personal Data; (c) not retain, use, or disclose Personal Data outside the direct business relationship between CurrentWare and Customer except as permitted by applicable law; (d) comply with applicable restrictions on combining Personal Data received from Customer with Personal Data received from other sources; and (e) grant Customer the right to take reasonable and appropriate steps to ensure that CurrentWare uses Personal Data in a manner consistent with Customer’s obligations under applicable U.S. state privacy laws. 

E.2 Certification. CurrentWare certifies that it understands and will comply with the restrictions set forth in this Part E.