SaaS Terms and Conditions

Person accepting terms and conditions on tablet

V1.22 Last updated: November 3, 2022

EXHIBIT A SAAS TERMS OF SERVICE

These SaaS Terms of Service (“SaaS Terms of Service”) are part of the Master Agreement. These SaaS Terms of Service set forth the terms and conditions under which Terryberry will provide and maintain the Subscription Services (as defined below) Products and the Walker Tracker Cloud Services Products (the “WT Cloud Services”) (collectively, the “SaaS Products”) to Customer, each Party’s responsibilities hereunder, and the fees related thereto. If there is a conflict between the terms of this Exhibit A and the General Terms, this Exhibit A shall govern with respect to the SaaS Products described herein. All capitalized terms not otherwise defined herein shall have the meanings ascribed to them in the Master Agreement. If Customer is located in the United States of America, these SaaS Terms of Service and the General Terms as it applies to this Exhibit shall be construed to be contracted solely by and between Customer and Terryberry Company, LLC. If Customer is located in the UK or EEA, these SaaS Terms of Service and the General Terms as it applies to this Exhibit shall be construed to be contracted solely by and between Customer and Terryberry Company Ltd.

1. ACCESS AND USE

1.1. Subscription Service. Subject to the terms and conditions herein, Terryberry grants to Customer the right during the term of the General Terms and/or this Exhibit to access and use (i) the web-based the 360 Rewards Platform software-as-a-service platform(s) expressly set forth in the Order (“Subscription Service”) for use and/or (ii) the WT Cloud Services software-as-a-service platform(s) expressly set forth in the Order for Customer’s own internal business purposes. Customer may exercise its right set forth in this Section 1.1 via its Authorized Users. Where applicable, the number of Authorized Users authorized to use the Subscription Service will be set forth in the Order. If the number of Authorized Users exceeds the limit set forth in the Order, additional fees will apply.

1.2. Use Restrictions. Customer will not directly or indirectly through any Affiliate (defined below), User or other third party: (a) use the SaaS Product outside the permitted scope set forth in Section 1.1 of this Exhibit A or for any purpose other than its own internal business purposes; (b) exceed the subscribed quantities, Authorized Users or other entitlement measures of the SaaS Product as set forth in the applicable Order; (c) use or access the SaaS Product in violation of any Applicable Law; (d) copy or reproduce the SaaS Product or the Documentation except as permitted under the General Terms and/or this Exhibit (e) sell, resell, license, sublicense, rent, lease, transfer, time-share, distribute, redistribute, assign or otherwise commercially exploit or transfer the rights granted to Customer under the General Terms and/or this Exhibit, or otherwise make the SaaS Product available to any third party, except as expressly set forth herein; (f) send, store, submit or upload libelous, unlawful or tortious material on or to the SaaS Product; (g) send, store, submit or upload malicious or harmful code on or to the SaaS Product; (h) interfere with or disrupt the integrity or performance of the cloud environment where the SaaS Product is deployed or the SaaS Products themselves; (i) attempt to circumvent security restrictions or protocols for the cloud environment where the SaaS Product is deployed; (j) modify, disassemble, duplicate, or reverse engineer the SaaS Product, in whole or in part; (k) except to the limited extent applicable laws specifically prohibit such restriction, decompile, attempt to derive the source code or underlying ideas or algorithms of any part of the SaaS Product, attempt to recreate the SaaS Products or use SaaS Products for any competitive or benchmark purposes; (l) create, translate or otherwise prepare derivative works based upon the SaaS Products, Documentation or Terryberry Intellectual Property; (m) attempt to gain unauthorized access to the SaaS Products or its related systems or networks, or perform unauthorized penetrating testing on the SaaS Products; (n) use the SaaS Products in a manner that infringes on the Intellectual Property rights, publicity rights, or privacy rights of any third party, (o) disclose the results of any benchmarking test done by Terryberry or otherwise allowed by Terryberry; (p) remove or modify any proprietary markings or notices on Terryberry Services, Documentation, or other materials delivered by Terryberry in the performance of its obligations hereunder; (q) (k) store in or process with the SaaS Products any personal health data, credit card data, personal financial data or other such sensitive regulated data not required or allowed by the Documentation, or any Customer Data that is subject to the International Traffic in Arms Regulations maintained by the United States Department of State.

1.3. Use Verification. During the term of the General Terms and/or this Exhibit A, Terryberry will have the right, at its own expense, to monitor the use of the SaaS Product for purposes of measuring and reporting on usage, and Customer will respond to any reasonable inquiries from Terryberry to assess the actual scope of Customer’s use of the SaaS Product.

1.4. Subscription Service Updates. Customer acknowledges that Terryberry reserves the right at any time, or from time to time, with or without notice, to update, change or remove the content, functionality, or user interface of the SaaS Product at Terryberry’s sole discretion.

1.5. Documentation License. Subject to payment of all applicable fees set forth in the Order and the terms and conditions of the Master Agreement and this Exhibit, Terryberry grants Customer, during the Subscription Term, a non-exclusive, non-sublicensable, non-transferable license for Customer’s Authorized Users to use the

Documentation during the Subscription Term solely for Customer’s and its Affiliates’ internal business purposes in connection with use of the WT Cloud Services.

1.6. Third-Party Products. The WT Cloud Services may permit access to Third-Party Products. For purposes of the General Terms and/or this Exhibit, such Third-Party Products are subject to their own terms and conditions presented to you for acceptance within the WT Cloud Services by website link or otherwise. If you do not agree to abide by the applicable terms for any such Third-Party Products, then you should not install, access, or use such Third-Party Products.

2. PAYMENT OF FEES

2.1. Set Up Fee. There is a one-time set up fee to develop the personalized site for the Subscription Services, if Customer purchases the right to access any Terryberry Subscription Services, payable in advance. Terryberry reserves the right to modify set up fees to comply with Customer’s revised specifications to the site.

2.2. Recurring Fees. There are Recurring User fees if Customer purchases the right to access any Terryberry Subscription Services. Recurring user fees are based on employee head count or user head count as set forth in the Order. Enrollment in Terryberry’s automatic payment program is required for Customers who do not pay fees annually in advance. Customers enrolled in automatic payment program shall provide a payment method for Terryberry to maintain on file (either a credit card or banking information for ACH draws or Direct Debit), and authorization for Terryberry to collect fees when due automatically. Customer may incur usage, overage, or additional charges if the employee head count or user count is above the quantity originally quoted in the Order.

3. PROFESSIONAL SERVICES

3.1. Professional Services. Subject to the terms and conditions herein, during the term of the General Terms and/or this Exhibit, Terryberry agrees to perform the implementation and other professional services expressly set forth in the Order (“Professional Services”). The Subscription Service and Professional Services are, collectively, the “Terryberry Services.”

4. CUSTOMER OBLIGATIONS

4.1. User Accounts. Each Authorized User that accesses the SaaS Product must be issued a separate user account (with a unique ID and password) by Terryberry and/or Customer (“User Accounts”). Customer shall ensure that passwords associated with the User Accounts remain confidential and secure and to not allow multiple Authorized Users to utilize the same User Account. Customer shall not provide, or provide access to, a User Account to any third party without prior written consent of Terryberry. If any User becomes no longer authorized by Customer to have such access to the SaaS Product, then Customer shall immediately notify Terryberry.

4.2. Authorized Users. Customer is responsible for its Authorized Users' compliance with the General Terms and/or this Exhibit and for access to Customer Data (defined below) or the SaaS Products by other persons as a result of Customer’s failure to use reasonable precautions to secure its own systems or credentials for access to the SaaS Products. Customer will: (i) use its best efforts to prevent unauthorized access to or use of the SaaS Products and notify Terryberry immediately of any such unauthorized access or use; (ii) cooperate with any reasonable investigation by Terryberry of any outage, security problem or suspected breach of the General Terms and/or this Exhibit; and (iii) comply with all Terryberry instructions relating to Customer’s access to or use of the SaaS Products, including instructions specifying specific windows of time for certain types of Customer Data uploading. Customer shall be responsible for: (a) all acts that occur in connection with its Authorized Users’ SaaS Products accounts; (b) assuring that its employees receive adequate disclosures of the terms and conditions governing such its employees’ use of Terryberry Services; and (c) all transmissions initiated by Authorized Users during use of Terryberry Services. Customer will cause all Authorized Users to comply at all times with the terms and conditions set forth herein and any standard terms and conditions applicable to the use of the SaaS Products that may be made available to Authorized Users from time to time. Customer is responsible and liable for any breach by any Authorized User of any obligation, representation or warranty of Customer in the General Terms and/or this Exhibit or any standard terms and conditions applicable to the use of the SaaS Products.

4.3. Customer Personnel. Customer shall designate Customer personnel reasonably qualified by experience and expertise to interface with Terryberry personnel and to participate in and perform Customer’s obligations hereunder. Customer and its personnel shall, to the extent reasonably practicable, cooperate with Terryberry’s reasonable requests for assistance and information in order to facilitate the provision of Terryberry Services in accordance with the General Terms and/or this Exhibit.

4.4. Customer System. Customer, at its sole cost and expense, shall be responsible to purchase or otherwise obtain the computer systems, devices, telecommunications network, gateway and internet access equipment and services necessary for Customer to access the SaaS Products (“Customer System”). Customer is responsible for all maintenance and required upgrades of Customer System.

4.5. Customer Data. Customer is responsible for providing, in a timely manner, all data and information, including Customer Data, and assistance that Terryberry requires to provide SaaS Products. All data, including Customer Data, provided to Terryberry shall be delivered in the agreed format as required in the Order. Customer shall ensure

that all provided data and information, including Customer Data, is true, complete and not misleading. Customer acknowledges that the ability of Terryberry to provide SaaS Products in accordance with the General Terms and/or this Exhibit, including the agreed pricing and delivery models, are contingent upon the accuracy and completeness of information and data provided by Customer and all Customer Data, as well as Customer’s cooperation and timely performance of their obligations.

4.6. Employee Engagement. Customer shall provide to Terryberry a data feed of Customer’s employees’ email addresses. Terryberry shall email Customer’s employees at the email address provided to Terryberry, notifying them of the branded employee benefits and wellbeing platform on the Go Live Date or the Effective Date, whichever is later. For any of Customer’s employees that have not established an account on the branded employee benefits and wellbeing platform within 45 days of Terryberry’s initial email, Terryberry shall send a second email with log in credentials to such Customer employees. Thereafter, Terryberry shall be permitted to send via e-mail an automated reminder notice every forty-five (45) days, in substantially the same form as the initial notice, to every Customer employee who has not created an account on the Terryberry platform. Customer employees may opt out of receiving the reminder emails, but this shall not excuse Customer’s payment obligations for the license issued to or for that Customer employee.

4.7. Acceptable Use Policy. The WT Cloud Services may not be used for unlawful, fraudulent, offensive, or obscene activity, as further described and set forth in Walker Tracker’s Terms of Service (“Terms”) located at https://walkertracker.com/terms/, as may be amended from time to time, which are incorporated herein by reference.

5. CUSTOMER DATA.

5.1. Customer Data Content. As between Terryberry and Customer, Customer is solely responsible for: (i) the content, quality and accuracy of Customer Data as made available by Customer and by Authorized Users; (ii) providing notice to Authorized Users with regards to how Customer Data will be collected and used for the purpose of the SaaS Products; (iii) ensuring Customer has a valid legal basis for processing Customer Data and for sharing Customer Data with Terryberry (to the extent applicable); and (iv) ensuring that the Customer Data as made available by Customer complies with applicable laws and regulations including Applicable Data Protection Laws.

5.2. Data Protection Laws. The Parties shall comply with their respective obligations under the Applicable Data Protection Laws. In particular, if Customer is established in the European Economic Area (“EEA”), in the United Kingdom (“UK”) or in California, or will, in connection with the SaaS Products, provide Terryberry with personal data relating to an individual located within the EEA, the UK or California, the Parties shall comply with the terms and conditions of the Terryberry Data Processing Addendum attached hereto as Exhibit F and incorporated herein by reference (the “DPA”).

5.3. Security of Customer Data. Terryberry shall: (i) ensure that is has in place appropriate administrative, physical and technical measures designed to protect the security and confidentiality of Customer Data against any accidental or illicit destruction, alteration or unauthorized access or disclosure to third parties; (ii) have measures in place designed to protect the security and confidentiality of Customer Data; and (iii) access and use the Customer Data solely to perform its obligations in accordance with the terms of the General Terms and/or this Exhibit, and as otherwise expressly permitted in the General Terms and/or this Exhibit. Terryberry shall not materially diminish its security controls with respect to Customer Data during a particular SaaS Products term.

5.4. Customer Data. Customer owns all right, title and interest in all Customer Data. Nothing in this Exhibit A or the Master Agreement shall be construed to grant Terryberry any rights in Customer Data beyond those expressly provided herein. Customer grants Terryberry and its Affiliates the limited, non-exclusive, worldwide license to view and use the Customer Data solely for the purpose of providing the Services.

5.5. Usage Data. Terryberry shall be permitted to collect and use Usage Data for its reasonable business purposes and for Customer’s benefit. In the event Terryberry wishes to disclose the Usage Data or any part thereof to third parties (either during the Subscription Term or thereafter), such data shall be anonymized and/or presented in the aggregate so that it will not identify Customer or its Authorized Users. The foregoing shall not limit in any way Terryberry’s confidentiality obligations in Section 4 of the General Terms.

6. SUSPENSION

6.1. Suspension Generally. Terryberry may, on written notice, suspend access to the SaaS Product without liability if: (i) Terryberry reasonably believes that the SaaS Product is being used in violation of the General Terms and/or this Exhibit; (ii) Customer does not cooperate with reasonable investigation by Terryberry of any suspected violation of the General Terms and/or this Exhibit; (iii) the SaaS Product or Customer Data are accessed or manipulated by a third party without consent of either Party; (iv) Terryberry is required by Law to suspend access to the SaaS Product; (v) if any invoiced amounts remain unpaid by Customer for more than ten (10) calendar days past the due date; or (vi) there is another event for which Terryberry reasonably believes that the suspension of access to the SaaS Product is necessary to protect the cloud environment in which Customer’s instance of the SaaS Product is deployed.

6.2. Suspension for Non-Payment or Material Breach. Terryberry reserves the right to suspend any applicable Services or Customer’s access to the applicable Services upon 30 days’ written notice to Customer if: (a) an invoice is more than sixty (60) days past due; or (b) if there is an uncured material breach of the General Terms and/or this Exhibit.

6.3. Login ID Refusal. Terryberry reserves the right to refuse registration of, or to cancel, login IDs that it reasonably believes to violate the terms and conditions set forth in the General Terms and/or this Exhibit, in which case Terryberry will promptly inform Customer in writing of such refusal or cancellation.

6.4. Excessive Traffic. In addition to the rights set forth in the General Terms and/or this Exhibit, Terryberry may suspend Customer’s access and use of the SaaS Products if there is an unusual and material spike or increase in Customer’s use of the SaaS Products and Terryberry reasonably suspects or knows that such traffic or use is fraudulent or materially and negatively impacting the operating capability of the SaaS Products.

6.5. Notice. Terryberry will provide notice prior to any suspension if permitted by applicable law or unless Terryberry reasonably believes that providing such notice poses a risk to the security of the SaaS Products.

6.6. Reinstatement. Terryberry will promptly reinstate Customer’s access to and use of the SaaS Products once the issue has been resolved, provided that if Terryberry already terminated the General Terms and/or this Exhibit for uncured material breach in accordance with the General Terms and/or this Exhibit, Terryberry shall not be obligated to reinstate Customer’s access to and use of the SaaS Products.

7. TERM AND TERMINATION OF WT CLOUD SERVICES

7.1. Single Challenge Subscriptions. If Customer purchases a single challenge subscription, the WT Cloud Services will be available for no more than one hundred and twenty (120) days, with the first thirty (30) days allotted to setup and registration and the remaining ninety (90) days allotted to the challenge (the “Single Challenge Subscription”). The Single Challenge Subscription will automatically expire following one hundred and twenty (120) days from the Effective Date of the applicable Order.

8. WARRANTIES

8.1. Limited SaaS Products Warranty. During the applicable Subscription Term, Terryberry warrants that: (a) the SaaS Products will perform in substantial conformity with the Documentation; and (b) Terryberry will use industry standard measures designed to detect viruses, worms, Trojan horses or other unintended malicious or destructive code in the SaaS Products. The foregoing warranties are void if the failure of the SaaS Products has resulted from negligence, error, or misuse of the SaaS Products (including use not in accordance with the Documentation) by Customer, the User or by anyone other than Terryberry. Customer shall be required to report any breach of warranty to Terryberry within a period of thirty (30) days of the date on which the incident giving rise to the claim occurred. Terryberry’s sole and exclusive liability, and Customer’s sole and exclusive remedy, for breach of these warranties will be for Terryberry, at its expense, to use reasonable commercial efforts to correct such nonconformity within thirty (30) days of the date that notice of the breach was provided; and, if Terryberry fails to correct the breach within such cure period, Customer may terminate the affected Order and, in such event, Terryberry shall provide Customer with a pro-rata refund of any unused pre-paid fees paid for the period following termination as calculated on a monthly basis for the affected SaaS Products.

8.2. Customer Warranties. Without derogating from Terryberry’s obligations under the General Terms and/or this Exhibit, Customer warrants that it shall take and maintain appropriate steps within its control to protect the confidentiality, integrity, and security of its Confidential Information and Customer Data, including: (i) operating the SaaS Products in accordance with the Documentation and applicable law and; and (ii) dedicating reasonably adequate personnel and resources to implement and maintain the security controls set forth in the Documentation. Customer will be responsible for the acts and omissions of its Authorized Users.

8.3. Disclaimer. Any and all warranties, expressed, incorporated or implied, are limited to the extent and period mentioned in the General Terms and/or this Exhibit. To the maximum extent allowed by applicable law, Terryberry disclaims (and disclaims on behalf of its licensors and/or contributors to any Third-Party Materials) all other warranties, conditions and other terms, whether express or implied or incorporated into the General Terms and/or this Exhibit by statute, common law or otherwise, including the implied conditions and warranties of merchantability and fitness for a particular purpose. Terryberry will have no liability for delays, failures or losses attributable or related in any way to the use or implementation of third-party software or services not provided by Terryberry.

9. DEFINITIONS AND INTERPRETATION

9.1. Definitions. Capitalized terms shall have the meaning set forth below. Capitalized terms used but not defined herein shall have the meaning ascribed to them in the Master Agreement. Defined terms stated in the singular may be used in the plural, and vice versa.

9.1.1. “Applicable Data Protection Laws” means the EU General Data Protection Regulation (2016/679) (“GDPR”), any applicable laws of EU member states implementing the GDPR (including the UK Data Protection Act 2018), the California Consumer Privacy Act, , and other state and federal privacy

and data protection laws that are or may in the future be applicable to the General Terms and/or this Exhibit, in each case as amended, consolidated, re-enacted or replaced from time to time and only if and insofar as they apply.

9.1.2. “Authorized User” means any individual to whom Customer grants access authorization in compliance with a license to use the Services that is an employee, agent, contractor or representative of (i) the Customer, (ii) Customer's Affiliates, and/or (iii) Customer’s and Customer’s Affiliates’ Business Partners.

9.1.3. “Business Partner” means a legal entity or individual that requires access to the Services in connection with Customer’s internal business operations, including, but not limited to, distributors and/or suppliers of Customer.

9.1.4. “Customer Data” means all electronic data, files and records which are provided or made available by Customer or any User and received, processed or stored by Terryberry, its contractors or the Subscription Service as part of the Terryberry Services provided to Customer.

9.1.5. “Subscription Term” means the period of time during which Customer is subscribed to the Subscription Services, as specified in an Order and which shall begin upon delivery of the Subscription Services.

9.1.6. "Third-Party Products" means any products, content, WT Cloud Services, information, websites, or other materials that are owned by third parties and are incorporated into or accessible through the Cloud WT Cloud Services.

9.1.7. “Usage Data” means data generated in connection with Customer’s access, use and configuration of the Services and data derived from it (e.g., types of applications or accounts utilized or interacting with the Services).

Exhibit A

EXHIBIT A: SaaS TERMS OF SERVICE

This Data Processing Addendum (“Addendum”) forms part of the SaaS Agreement (“Agreement”) entered into between Terryberry Company LLC (“Terryberry”) and Customer, as defined in the Agreement and/or the Binding Quote. This Addendum, together with all appendices, annexes, exhibits, attachments, and amendments hereto, reflects the parties’ agreement with regard to Terryberry’s Processing of Customer Personal Data in connection with providing Terryberry Services described in the Agreement. In the event of a conflict, the terms and conditions of this Addendum will prevail. In consideration of the mutual covenants and agreements in this Addendum and the Agreement, and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, Terryberry and Customer agree as follows:

1. DEFINITIONS

In this Addendum, capitalized terms shall have the meaning set out below:

Applicable Laws: all laws (including laws relating to anti-bribery and anti-corruption), statutes, regulations, decisions, rulings, sanctions, governmental and regulatory policies, industry guidelines and/or codes of practice which may from time to time be in force in a relevant territory which is relevant to any rights and/or obligations under and/or the performance of this Addendum and/or the Binding Quote;

Customer Personal Data: means any information relating to an identified or identifiable natural person provided by Customer or accessed by Terryberry or processed by Terryberry on behalf of Customer as a result of, or in connection with, the provision of the services under the Binding Quote; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Customer Personal Data Breach: any actual misuse, compromise or breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise processed;

Data Protection Legislation: all applicable privacy and data protection laws in force from time to time in the United States and UK, including the California Consumer Privacy Act of 2018; EU General Data Protection Regulation 2016/679 (as the same forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, in each case as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and 2020 and as may be further amended, replaced or superseded from time to time.

Portal: Terryberry’s website hosted at such URL as Terryberry may elect from time to time and via which Customer can access the Site.

Restricted Transfer: means a transfer by either party of Customer Personal Data collected from any Data Subject in the European Economic Area (“EEA”) or UK to a country where where such transfer would be prohibited by Data Protection Legislation in the absence of appropriate safeguards being in place prior to said transfer, such as agreeing to the Standard Contractual Clauses with the recipient of such Customer Personal Data.

Standard Contractual Clauses: means the contractual clauses adopted by the European Commission as of June 4, 2021 governing Restricted Transfers, the text of which is available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN, including any updated, amended, or subsequent version thereof approved by the respective data protection authority.

Terryberry Services: the services supplied by Terryberry to Customer in connection with the operation of the Reward Program as set out in the Binding Quote;

Reward Program: the recognition and reward program developed by Terryberry and provided to Customer.

Binding Quote: the scope of the Terryberry Services required by Customer and to be delivered by Terryberry, the Binding Quote may also be referred to as the Agreement.

Site: a secure area of the Portal hosted by or on behalf of Terryberry designated for use by Customer to access the Reward Program.

The terms “personal data”, “data controller”, “controller”, “data processor”, “processor”, “process”, “data subject”, “data protection impact assessment”, “third country” and “international organization” shall each have the applicable meaning set out in the Data Protection Legislation.

References to paragraphs and the Appendix are to paragraphs of and the appendix to this Addendum, unless stated otherwise. The Appendix and any annexes form a part of this Addendum.

Unless the context otherwise requires, words imparting the singular shall include the plural and vice versa. References to “persons” include a natural person, any body corporate, unincorporated association, firm, body (statutory or otherwise) or authority, whether or not having separate legal personality.

A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time and shall include all subordinate legislation made from time to time under that statute or statutory provision.

Any words following the terms “including”, “include”, “in particular”, “for example” or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

2. GENERAL

The parties acknowledge and agree that this Addendum: (a) sets out the basis on which Terryberry shall process the Customer Personal Data as a data processor on behalf of Customer for the purposes of hosting the Site and providing the Terryberry Services pursuant to the Binding Quote; and (b) amends and replaces any provisions previously agreed between the parties that relate expressly to the parties’ use of personal data, including any specific clauses relating to data protection, and any provisions in the Binding Quote that conflict with the terms of this Addendum.

This Addendum is supplemental to and subject to the terms of the Binding Quote and is incorporated into the Binding Quote. Interpretations and defined terms set forth in the Binding Quote apply to the interpretation of this Addendum. In the event of any conflict between the provisions of this Addendum and the provisions of the Binding Quote, the provisions of this Addendum shall take precedence.

In addition to the Customer Personal Data which Terryberry processes on behalf of Customer, Terryberry may also process personal data in connection with the Binding Quote in Terryberry's own capacity as a data controller (where Terryberry will determine the purposes and means of the processing, including for example when processing payment for rewards). The provisions of this Addendum shall not apply to such processing where Terryberry is the data controller, but Terryberry shall undertake such processing in accordance with Terryberry's legal obligations to data subjects under the Data Protection Legislation.

Each party agrees that in respect of its processing of the Customer Personal Data in connection with the licensing of the Site and provision and receipt of the benefit of the other Terryberry Services pursuant to the Binding Quote and this Addendum, it shall comply with its obligations under the Data Protection Legislation, together with the provisions of this Addendum.

3. CUSTOMER'S OBLIGATIONS

As a data controller, it is Customer's responsibility to ensure that Customer is entitled to process and to authorize Terryberry to process the Customer Personal Data in the manner and for the duration envisaged by this Addendum. If at any time Customer has reason to believe that the processing of any Customer Personal Data under this Addendum is in breach of Data Protection Legislation, Customer shall immediately notify Terryberry, together with an explanation of the concern.

Prior to sharing any Customer Personal Data with Terryberry, Customer shall:

(a) identify the lawful basis on which the parties can rely under Data Protection Legislation to process such Customer Personal Data. Unless the lawful basis Customer wishes to rely on is performance of a contract or the data subject's consent, Customer shall inform Terryberry of the lawful basis for processing such Customer Personal Data (prior to sharing such personal data with Terryberry) and if the lawful basis for processing changes, Customer shall notify Terryberry as soon as practicable, but in any event no later than 14 days after such change occurs;

(b) provide the following information to data subjects: "The technology we use to provide you with the reward scheme is licensed to us and hosted by Terryberry Company LLC ("Terryberry"). Terryberry will have access to your personal data as a result. Such data will be processed by Terryberry in accordance with a Data Processing Addendum. If you have any queries regarding the use of your personal data, please contact Privacy Officer at privacy@terryberry.com; together with all other necessary fair processing information required under Data Protection Legislation about the processing of the Customer Personal Data; and

(c) obtain the data subject’s consent to processing their personal data (where the lawful basis Customer is relying on to process the Customer Personal Data is consent).

Customer shall ensure at all times that Customer's instructions to Terryberry for the processing of the Customer Personal Data under this Addendum comply with Data Protection Legislation and that compliance with such instructions would not cause Terryberry to breach any Data Protection Legislation.

Customer shall be responsible for the provision of the corresponding fair processing information to relevant data subjects and for obtaining any consents that may be required (in each case to the extent necessary in order to comply with Data Protection Legislation) from that data subject. Customer shall ensure that such fair processing notices are accurate and complete, and that any consents are sufficient in order for Terryberry to lawfully process the Customer Personal Data in the manner set out in this Addendum.

If Customer requires Terryberry to transfer any Customer Personal Data to a third-party provider engaged by Customer, Customer shall be solely responsible for identifying the lawful basis under the Data Protection Legislation on which the parties can rely under the Data Protection Legislation to transfer such Customer Personal Data to the relevant third party provider (and Customer shall notify Terryberry of the same). A written data processing addendum must be in place between Customer and such provider. Customer acknowledges and agrees that Terryberry has no control over and shall have no liability in respect of how any personal data is processed by such third party provider engaged by Customer.

If Customer has requested integration of the services provided by Terryberry with any third-party applications, including social media platforms, it shall be Customer’s sole responsibility to ensure such third party integration complies with Data Protection Legislation. Such third parties shall either be data controllers or data processors on behalf of Customer and shall have no direct relationship with Terryberry. Terryberry shall not be responsible or liable for the way in which other data controllers and/or Customer’s other data processors process the Customer Personal Data.

4. TERRYBERRY'S OBLIGATIONS WHEN ACTING AS A DATA PROCESSOR

In respect of the Customer Personal Data processed by Terryberry on behalf of Customer, Terryberry shall: (a) only process the Customer Personal Data to the extent and in such a manner, as is necessary to provide the services in accordance with the terms of the Binding Quote and this Addendum, and only on written instructions issued by Customer from time to time (provided that such instructions are within the scope of Terryberry's obligations under this Addendum), unless otherwise required by law, regulation, court of competent jurisdiction or any other governmental or regulatory body. If an instruction infringes any Applicable Law, including any Data Protection Legislation, or if any Applicable Law to which Terryberry is subject requires Terryberry to process Customer Personal Data in a manner contrary to the Customer’s instructions or beyond the purpose of fulfilling its obligations under the SOW, Terryberry shall inform the Customer in advance of any relevant processing of the affected Customer Personal Data, unless the relevant Applicable Law prohibits this on important grounds of public interest. The Customer may then, in its sole discretion, either immediately suspend transfer of Customer Personal Data to Terryberry or terminate part or all of the SOW without penalty or payment of termination charges; (b) comply with any request from Customer requiring Terryberry to amend, transfer or delete the Customer Personal Data; (c) maintain the confidentiality of all Customer Personal Data and ensure that personnel who have access to and/or process the Customer Personal Data are obliged to keep the same confidential; (d) process the Customer Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to Customer or as is required by law or any regulatory body including but not limited to the UK Information Commissioner’s Office (“ICO”); (e) Without limiting Terryberry’s security-related obligations under the SOW, Terryberry shall at all times have implemented and maintain a comprehensive information security program that (i) complies with all applicable Data Protection Legislation, and (ii) contains reasonable and appropriate administrative, operational, technical, physical and organizational measures that are designed to preserve and protect the security, integrity and confidentiality of Customer Personal Data and protect Customer Personal Data against Customer Personal Data Breaches. Such measures shall (a) include, as appropriate, measures required pursuant to applicable Data Protection Legislation, including but not limited to Article 32 of the GDPR, and ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, (b) require that all Customer Personal Data stored on any of Terryberry’s onsite storage devices be accessible via a secured network, (c) require that Terryberry encrypt all other transmissions of Customer Personal Data, including over public networks or wireless networks, and (d) require that Terryberry encrypt all Customer Personal Data stored on any removable or portable devices or media. Such encryption shall meet or exceed the accepted industry standards of data encryption used for Customer Personal Data and what is required by Applicable Laws. All personal data will be encrypted at rest and in transit. Terryberry shall reasonably assist the Customer in ensuring compliance with the Customer’s obligations pursuant to applicable Data Protection Legislation, taking into account the nature of the processing and the information available to Terryberry.

(f) implement appropriate technical and organisational measures appropriate to the nature of the Customer Personal Data being protected, taking into account the nature and purposes of the processing, for the protection of the security of the Customer Personal Data to protect against unauthorised or unlawful processing and against accidental loss or destruction, damage, alteration or disclosure, details of which shall be supplied to Customer upon request and which measures Customer shall have the opportunity to review and assess in accordance with Customer's own obligations under Data Protection Legislation. Terryberry reserves the right to revise the technical and organisational measures at any time, without notice, provided that such revisions shall not reduce the level of security provided for the Customer Personal Data that Terryberry processes on behalf of Customer;

(g) maintain records and information in writing regarding all categories of Terryberry’s processing activities in respect of the Customer Personal Data to demonstrate Terryberry’s compliance with this Addendum and shall make such records available to the Customer or a supervisory authority or other competent regulatory authority upon request. Such record shall, at a minimum, contain the information required by applicable Data Protection Legislation, including but not limited to Article 30(2) of the GDPR;

(h) not transfer the Customer Personal Data outside of the EEA or UK without complying with the provisions of paragraph 6 below and the Data Protection Legislation in respect of such transfer, save that if Customer requires Terryberry to transfer any Customer Personal Data outside the EEA or UK pursuant to Customer's instructions, it shall be Customer's responsibility to ensure that any such transfer complies with the provisions of the Data Protection Legislation and to notify Terryberry of any specific instructions or restrictions in respect of the same;

(i) promptly notify Customer if it receives: (1) a request from a data subject to have access to that person’s personal data; or (2) a complaint or request relating to the processing of the personal data or to either party’s compliance with the Data Protection Legislation;

(j) upon Customer’s request and insofar as is reasonably possible, provide commercially reasonable assistance, at Customer’s cost, to facilitate such a data subject request;

(k) reasonably assist Customer, at Customer's cost, in ensuring compliance with Customer's obligations under the Data Protection Legislation with respect to consultations with the ICO;

(l) ensure that Terryberry does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which Terryberry is subject, in which case Terryberry shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before Terryberry responds to the request;

(m) provide Customer with reasonable cooperation and assistance, at Customer's cost, as may be required to fulfil Customer's obligation under the Data Protection Legislation to carry out a data protection impact assessment related to Customer's use of the Site, to the extent that Customer does not otherwise have access to the relevant information and to the extent that such information is available to Terryberry;

(n) inform Customer without undue delay if Terryberry becomes aware of any Customer Personal Data Breach with respect to any Customer Personal Data processed on behalf of Customer providing Customer with sufficient information to allow Customer to meet any obligations to report or inform supervisory authorities, data subjects and/or other entities of the Customer Personal Data Breach under the Data Protection Legislation. Such notification shall as a minimum: i. describe the nature of the Customer Personal Data Breach, the categories and numbers of data subjects concerned, and the categories and numbers of Customer Personal Data records concerned; ii. communicate the name and contact details of Terryberry’s data protection officer or other relevant contact from whom more information may be obtained; iii. describe the likely consequences of the Customer Personal Data Breach; and iv. describe the measures taken or proposed to be taken to address the Customer Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

i. Terryberry shall take prompt steps to remedy the Customer Personal Data Breach and mitigate any harmful effects, and shall take reasonable efforts to ensure that Subprocessors co-operate with Customer.

ii. Terryberry shall co-operate with Customer and take such reasonable commercial steps as to assist in the investigation, mitigation and remediation of each such Customer Personal Data Breach.

(o) maintain records and information regarding Terryberry's processing activities in respect of Customer Personal Data to demonstrate Terryberry's compliance with this Addendum;

(p) allow for audits by Customer or Customer's designated auditor of Terryberry's systems and procedures relevant to the processing of the Customer Personal Data, provided that in the case of any audit: (i) Customer shall comply with any reasonable requirements or security restrictions that Terryberry may impose to safeguard Terryberry's systems, personal data Terryberry holds on behalf of other customers and Terryberry's own confidential or commercially sensitive information and to avoid unreasonable disruption to Terryberry's business and operations; (ii) except in the case of an audit due to a security breach, Customer shall reimburse Terryberry for any time expended by Terryberry for any such audit, at Terryberry's then current professional services rates, which shall be made available to Customer upon request, which costs shall be reasonable, taking into account the resources expended by Terryberry; and (iii) before the commencement of any audit, the parties shall mutually agree on the scope, timing, and duration of the audit (which agreement shall not be unreasonably withheld or delayed);

(q) not collect, retain, use, process or disclose the Customer Personal Data (a) for any purpose other than for the specific purpose of providing the Services specified in the Binding Quote to the Customer or (b) outside of the direct business relationship between Terryberry and the Customer. In addition, Terryberry shall not sell any Customer Personal Data. Terryberry acknowledges and agrees that that (i) the Customer disclose Customer Personal Data to Terryberry solely for the business purpose of Terryberry providing the Services to the Customer and (ii) it has not and will not receive any monetary or other valuable consideration in exchange for its receipt of the Customer Personal Data. Terryberry hereby agrees and certifies that it understands and will comply with the restrictions in this Agreement, including this Section, and that it has no reason to believe that it will not be able to comply.

5. SUBPROCESSORS

Terryberry may use the following types of subprocessors who may process the Customer Personal Data in connection with hosting the Site and providing the Terryberry Services: logistics providers; third parties involved in the manufacture and distribution of personalized, monogrammed or customized rewards; distributors and retailers of Rewards who Terryberry engages to send rewards directly to Customer and/or data subjects; providers of penetration testing services; providers of cloud storage; providers of hosted Site; and data centers; details of which are available to Customer upon request. Terryberry may update the list of its processors from time to time. Customer acknowledges that such information is confidential.

Customer hereby consents to Terryberry appointing the processors set out in paragraph 5.1 above as processors of the Customer Personal Data under this Addendum. Terryberry shall have in place a written contract with such processors in respect of such processing of the Customer Personal Data.

Terryberry shall maintain an updated list of sub-processors at https://www.terryberry.com/subprocessor/.

Customer authorizes Terryberry to appoint (and permit each Subprocessor appointed in accordance with this Section 5 to appoint) Subprocessors in accordance with this Section 5 and any restrictions in the SOW.

If, Customer notifies Terryberry in writing of any objections (on reasonable grounds) to the list of sub-processors at https://www.terryberry.com/subprocessor/: (a) Terryberry shall work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and (b) where such a change cannot be made within ten (10) days from Terryberry’s receipt of Customer’s notice, notwithstanding anything in the Binding Quote, Customer may by written notice to Terryberry with immediate effect terminate the Binding Quote to the extent that it relates to the Services which require the use of the proposed Subprocessor.

With respect to each Subprocessor, Terryberry shall: (a) before the Subprocessor first Processes Customer Personal Data, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Customer Personal Data required by the Binding Quote; and (b) ensure that the arrangement between on the one hand (i) Terryberry, or (ii) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms that offer at least the same level of protection for Customer Personal Data as those set out in this Addendum and the Principal Agreement and, without limiting the foregoing, meet any contractual requirements set forth under Data Protection Legislation, including Article 28(3) of the GDPR.

Terryberry shall remain fully responsible and liable for all acts, omissions, and work performed by any of its Subprocessors, including its Subprocessors’ compliance with the terms and conditions of the Binding Quote (including this Agreement) and applicable Data Protection Legislation.

INTERNATIONAL TRANSFERS

6.1 Customer hereby agrees and acknowledges that: (a) some of Terryberry's servers are based outside of the EEA and UK, primarily in the U.S. where Terryberry's affiliated companies are based; (b) from time to time, Terryberry's subprocessors may conduct processing outside of the EEA and UK, and (c) Customer hereby consents to such processing of the Customer Personal Data outside of the EEA or UK in accordance with this Addendum and in accordance with Data Protection Legislation.

5.2 With respect to any Restricted Transfer, Terryberry shall put in place prior to such transfer: (a) appropriate safeguards detailed in paragraph 6.3 below to protect such Customer Personal Data; and (b) enforceable data subject rights and effective legal remedies for data subjects as required by Data Protection Legislation.

5.3 Whenever Customer Personal Data (of which Customer is the data controller under Data Protection Legislation) is transferred outside of the EEA or UK by or on behalf of Terryberry, Terryberry shall ensure a similar degree of protection is afforded to such Customer Personal Data by ensuring the following safeguards are implemented: (a) Terryberry shall transfer Customer Personal Data to a country that has been deemed to provide an adequate level of protection for personal data by the European Commission and/or the ICO; or (b) If applicable because a Restricted Transfer must take place, the parties shall enter into the Standard Contractual Clauses, which are permitted under applicable Data Protection Legislation and which provides Customer Personal Data a similar degree of protection as received within the EEA or UK.

5.4 With respect to the Standard Contractual Clauses, the following shall apply: Module 2 for controller-to-processor transfers; Annexes I and II attached hereto; Clause 7; In Clause 9, option 2 for general written authorization with a time period of thirty days; In Clause 11, the optional language will not apply; in Clause 13(a), the option where the data exporter is established in an EU Member State; in Clause 17, option 1; and; in Clauses 17 and 18, specifying the Member State where the data exporter is established for transfers from the EEA or UK.

SEVERANCE

If any provision (or part of a provision) of this Addendum is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force. If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the parties.

TERM AND TERMINATION

8.1 This Addendum will remain in full force and effect so long as: (a) the Binding Quote remains in effect; or (b) Terryberry retains any Customer Personal Data related to the Binding Quote in its possession or control (Term).

8.2 Any provision of this Addendum that expressly or by implication should come into or continue in force on or after termination of the Binding Quote in order to protect Personal Data will remain in full force and effect.

8.3 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Binding Quote obligations, the parties will suspend the processing of Customer Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Customer Personal Data processing into compliance with the Data Protection Legislation within 90 days, they may terminate the Binding Quote on written notice to the other party.

GOVERNING LAW; JURISDICTION

This Addendum shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless otherwise required by Data Protection Legislation or the SCCs.

ANNEX I

A. LIST OF PARTIES

Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union/UK

Name: Customer name listed in the Agreement and/or the Binding Quote

Address: Address listed in the Agreement and/or the Binding Quote

Contact person’s name, position and contact details: Contact person for Customer listed in the Agreement and/or the Binding Quote

Activities relevant to the data transferred under these Clauses: Obtaining the Terryberry Services

Role (controller/processor): Controller

Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection

Name: Terryberry Company LLC

Address: 2033 Oak Industrial Drive, Grand Rapids, Michigan 49505

Contact person’s name, position and contact details: Contact person for Terryberry listed in the Agreement and/or the Binding Quote

Activities relevant to the data transferred under these Clauses:

Processing data related to Customer’s reward program

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

The data subjects to whom the Customer Personal Data relates will be primarily individual employees employed by Customer and who are entitled to participate in and benefit from the Reward Program.

Categories of personal data transferred

The types of Customer Personal Data which Terryberry may process when hosting the Site and providing the Terryberry Services will include: name, including preferred name; job title; email address; date of birth/birthday; start date; award qualification date; cost center name; department; home address; business address; address for delivery of Rewards; telephone number; line manager name; line manager address; employee number/ID; length of service; Reward Points; award value; profile picture; payment data, including billing address; such other personal data as may be collected by Customer from the data subject and provided to Terryberry from time to time or which is otherwise uploaded, inputted, stored, transmitted and/or otherwise communicated to or via the Site.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Data will be transferred throughout the term of the Binding Quote.

Nature of the processing and purpose(s) of the data transfer and further processing

Terryberry shall process the Customer Personal Data on behalf of Customer as a data processor for the purpose of hosting the Site and otherwise providing the Terryberry Services as outlined in this Addendum and the Binding Quote.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Terryberry shall not process the Customer Personal Data on behalf of Customer for any longer than is required for the purposes of providing the services of the Binding Quote. Following termination of the Binding Quote, Terryberry shall cease processing and delete all Customer Personal Data, save to the extent: (a) required by Applicable Law; (b) as a result of Terryberry's automatic archiving and backup procedures; and/or (c) to comply with bona fide internal compliance and audit policies and procedures. Terryberry shall not be liable to Customer for any such deletion of the Customer Personal Data.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Transfers to sub-processors will contain data of the same subject matter, for the same nature and duration of processing.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13:

Information Commissioner’s Office

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Domain	Practices
Information Security Management and Governance	Ownership for Security and Data Protection. Terryberry has appointed a risk & security officer responsible for coordinating and monitoring the security rules and procedures as well as data protection compliance. Security Roles and Responsibilities. Security responsibilities of personnel are formally documented and published in information security policies. Risk Management Program. Terryberry executes periodical risk assessments based on a formal risk management methodology.
Human Resources Security	Confidentiality obligations. Terryberry personnel with access to Customer Personal Data are subject to confidentiality obligations, and these are formally integrated into employment contracts. Termination. Terryberry ensures according to formal security administration procedures to ensure that access rights are timely revoked upon termination.
Asset Management	Asset Inventory. Terryberry maintains an inventory of all computing equipment and media used. Access to the inventories is restricted to authorized Terryberry personnel. Asset Handling a. Customer Personal Data on portable devices are encrypted. b. Terryberry has procedures for securely disposing of media and printed materials that contain Personal Data.
Information Access Control	Access Policy. Terryberry enforces an access control policy based on need-to-know and least privileges principles. Access Authorization Terryberry has implemented and maintains an authorization management system that controls access to systems containing Customer Personal Data. Every individual accessing systems containing Customer Personal Data has a separate, unique identifier/username. Terryberry restricts access to Customer Personal Data to only those individuals who require such access to perform their job function. Technical support personnel are only permitted to have access to Customer Personal Data when needed. Authentication Terryberry uses industry standard practices to identify and authenticate users who attempt to access Terryberry network or information systems, including strong authentication. Where authentication mechanisms are based on passwords, Terryberry requires that the passwords are renewed periodically and that they are at least eight characters long and sufficiently complex. De-activated or expired identifiers/usernames are not granted to other individuals. Accounts will be locked out in case of repeated attempts to gain access to the information system using an invalid password. Terryberry maintains practices designed to ensure the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.
Physical and Environmental Security	Physical Access to Facilities. Terryberry limits access to facilities where information systems that process Personal Data are located to identified authorized individuals. Physical access to data centers is only granted following a formal authorization procedure, and access rights are reviewed periodically Protection from Disruptions. Terryberry uses a variety of industry standard systems to protect its data centers against loss of data due to power supply failure and fire.
Operations Security	Data Recovery Procedures On an ongoing basis, but in no case less frequently than once a week (unless no data has been updated during that period), Terryberry maintains backup copies of Personal Data for recovery purposes. Terryberry stores copies of Personal Data and data recovery procedures in a different place from where the primary computer equipment processing the Personal Data is located. Malicious Software. Terryberry maintains anti-malware controls to help avoid malicious software gaining unauthorized access to Personal Data. Data Beyond Boundaries. Terryberry standardly encrypts, or provides the mechanisms to encrypt Personal Data that is transmitted over public networks.
Communications Security	Network Segregation. Terryberry has implemented a network segmentation policy and controls to avoid individuals gaining access to systems for which they have not been authorized. Information Transfer. Any transfer of Customer Personal Data to third parties is only performed following the execution of a formal written non-disclosure agreement.
System Acquisition, Development & Maintenance	Security Requirements. Requirements for protecting data and systems are analyzed and specified. Change Control. Terryberry has implemented a formal change management process to ensure changes to operational systems and applications are performed in a controlled way.
Vendor Relationships	Vendor Selection. Terryberry maintains a selection process by which it evaluates the security, privacy and confidentiality practices of a Sub-Processor in regard to data handling. Contractual Obligations. Vendors with access to Customer Personal Data are subject to data protection and information security obligations, and these are formally integrated into Terryberry contracts.
Information Security Incident Management	Terryberry maintains a record of security breaches with a description of the breach, the time, the consequences of the breach, the name of the reporter and to whom the breach was reported.
Business Continuity Management	Disaster Recovery. Terryberry maintains a disaster recovery plan for the facilities in which Terryberry information systems that process Customer Personal Data are located. Redundancy. Terryberry’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct Customer Personal Data in its original or last-replicated state from before the time it was lost or destroyed.
Compliance	Security Reviews. Information security controls are independently audited and reported to management on a periodical basis.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

Transfers to subprocessors will substantially comply with the specifications listed above.

4873-7383-1685.4

Two Column Content Section

Left Column Title

Subheading section (if needed)

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Quis varius quam quisque id. Molestie a iaculis at erat. Aliquet nec ullamcorper sit amet risus nullam eget. Nec feugiat in fermentum posuere. Nunc scelerisque viverra mauris in aliquam sem. Erat velit scelerisque in dictum non consectetur a. Gravida quis blandit turpis cursus in. Tristique et egestas quis ipsum suspendisse ultrices gravida dictum fusce. Tellus pellentesque eu tincidunt tortor aliquam.

Donec et odio pellentesque diam volutpat commodo. At imperdiet dui accumsan sit. Ornare lectus sit amet est placerat in egestas erat. Suspendisse potenti nullam ac tortor vitae purus faucibus. Aliquam nulla facilisi cras fermentum odio eu feugiat. A scelerisque purus semper eget duis at tellus at. Enim nunc faucibus a pellentesque sit. Eget magna fermentum iaculis eu non diam. Rhoncus est pellentesque elit ullamcorper. Urna duis convallis convallis tellus id interdum velit laoreet. Vulputate odio ut enim blandit volutpat maecenas. Tempus urna et pharetra pharetra massa massa ultricies. Nunc pulvinar sapien et ligula ullamcorper malesuada. Dui nunc mattis enim ut.

Primary Button