joinsolis Data Processing Addendum

1.0 (Current)

March 27, 2024

This Data Processing Addendum ("DPA") forms part of the joinsolis Services Agreement or other written agreement between joinsolis, a brand of FUNDLAS LLC, and Customer for the purchase and use of the Services from joinsolis (the "Agreement") to reflect the parties' agreement with regard to the Processing of Personal Data.

By using the Services, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent joinsolis processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the terms "Customer", "You" and "Your" shall include Customer and Authorized Affiliates.

In the course of providing the Services to Customer pursuant to the Agreement, joinsolis may Process Personal Data on behalf of Customer. joinsolis agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer to the Services or collected and processed by or for Customer through the Services.

1. Definitions

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

"Authorized Affiliate" means any of Customer's Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and joinsolis, but has not signed its own Agreement with joinsolis and is not a "Customer" as defined under the Agreement.

"Controller" means the entity which determines the purposes and means of the Processing of Personal Data.

"Customer Data" means what is defined in the Agreement as "Customer Data" or "Your Data."

"Data Protection Laws" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states, applicable to the Processing of Personal Data under the Agreement.

"Data Subject" means the identified or identifiable person to whom Personal Data relates.

"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

"Personal Data" means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws), where for each (i) or (ii), such data is Customer Data.

"Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Processor" means the entity which Processes Personal Data on behalf of the Controller, including as applicable any "service provider" as that term is defined by the CCPA.

"Standard Contractual Clauses" means the agreement executed by and between Customer and joinsolis and attached hereto as Attachment 1 pursuant to the European Commission's decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

"Sub-processor" means any Processor engaged by joinsolis or a member of the joinsolis Group.

"Supervisory Authority" means an independent public authority which is established by an EU Member State pursuant to the GDPR.

2. Processing of Personal Data

2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, joinsolis is the Processor, and that joinsolis will engage Sub-processors pursuant to the requirements set forth in Section 5 "Sub-processors" below.

2.2 Customer's Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, Customer's instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.

2.3 joinsolis's Processing of Personal Data. joinsolis shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with Customer's documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Authorized Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.

2.4 Details of the Processing. The subject-matter of Processing of Personal Data by joinsolis is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Attachment 2 to this DPA.

3. Rights of Data Subjects

3.1 Data Subject Request. joinsolis shall, to the extent legally permitted, promptly notify Customer if joinsolis receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure ("right to be forgotten"), data portability, objection to the Processing, or its right not to be subject to an automated individual decision making ("Data Subject Request"). Taking into account the nature of the Processing, joinsolis shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, joinsolis shall upon Customer's request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent joinsolis is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from joinsolis's provision of such assistance.

4. joinsolis Personnel

4.1 Confidentiality. joinsolis shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. joinsolis shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

4.2 Reliability. joinsolis shall take commercially reasonable steps to ensure the reliability of any joinsolis personnel engaged in the Processing of Personal Data.

4.3 Limitation of Access. joinsolis shall ensure that joinsolis's access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.

4.4 Data Protection Officer. joinsolis shall have appointed, or shall appoint, a data protection officer if and whereby such appointment is required by Data Protection Laws.

5. Sub-processors

5.1 Appointment of Sub-processors. Customer acknowledges and agrees that joinsolis may engage third-party Sub-processors in connection with the provision of the Services. joinsolis has or will enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in the Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-processor.

5.2 List of Current Sub-processors and Notification of New Sub-processors. joinsolis shall make available to Customer the current list of Sub-processors for the Services identified in joinsolis's Subprocessor List. Such Sub-processor list shall include the identities of those Sub-processors and their country of location. joinsolis shall update the Sub-processor list at least 30 days prior to the addition or replacement of a Sub-processor.

5.3 Objection Right for New Sub-processors. Customer may object to joinsolis's use of a new Sub-processor by notifying joinsolis promptly in writing within ten (10) business days after receipt of joinsolis's notice in accordance with the mechanism set out in Section 5.2. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, joinsolis will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer's configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If joinsolis is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by joinsolis without the use of the objected-to new Sub-processor by providing written notice to joinsolis. joinsolis will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.

5.4 Liability. joinsolis shall be liable for the acts and omissions of its Sub-processors to the same extent joinsolis would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.

6. Security

6.1 Controls for the Protection of Customer Data. joinsolis shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data. joinsolis regularly monitors compliance with these measures. joinsolis will not materially decrease the overall security of the Services during the term of the Agreement.

6.2 Third-Party Certifications and Audits. Upon Customer's written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, joinsolis shall make available to Customer that is not a competitor of joinsolis (or Customer's independent, third-party auditor that is not a competitor of joinsolis) a copy of joinsolis's then most recent third-party audits or certifications, as applicable, or any summary thereof, that joinsolis generally makes available to its customers at the time of such request.

7. Security Breach Management and Notification

joinsolis shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by joinsolis or its Sub-processors of which joinsolis becomes aware (a "Security Breach"). joinsolis shall make reasonable efforts to identify the cause of such Security Breach and take those steps as joinsolis deems necessary and reasonable in order to remediate the cause of such a Security Breach to the extent the remediation is within joinsolis's reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer's Users.

8. Return or Deletion of Customer Data

Upon termination of the Agreement and upon Customer's request, joinsolis shall either delete or return to Customer all Customer Data, including Personal Data in its possession. This requirement shall not apply to the extent that joinsolis is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data joinsolis shall securely isolate and protect from any further processing, except to the extent required by applicable law.

9. Authorized Affiliates

9.1 Contractual Relationship. The parties acknowledge and agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between joinsolis and each such Authorized Affiliate subject to the provisions of the Agreement and this Section 9 and Section 10. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.

9.2 Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with joinsolis under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.

9.3 Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA with joinsolis, it shall to the extent required under applicable Data Protection Laws be entitled to exercise the rights and seek remedies under this DPA, subject to the following:

9.3.1 Except where applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against joinsolis directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for all of its Authorized Affiliates together (as set forth, for example, in Section 9.3.2, below).

9.3.2 The parties agree that the Customer that is the contracting party to the Agreement shall, when carrying out an on-site audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on joinsolis and its Sub-processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Authorized Affiliates in one single audit.

10. Limitation of Liability

Each party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability set forth in the Agreement, and such limitations apply to the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.

11. California Consumer Privacy Act (CCPA)

For purposes of the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., if at such time joinsolis is deemed a "Service Provider" as such term is defined under the CCPA, the parties further acknowledge and agree that:
(a) joinsolis shall not retain, use, or disclose Customer Data for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing Customer Data for a commercial purpose other than providing the Services or as otherwise permitted by the CCPA; and
(b) joinsolis shall not sell Customer Data.

12. GDPR Obligations

To the extent that joinsolis Processes Customer Personal Data that is protected by the GDPR, joinsolis acknowledges and agrees that it:

(a) shall Process Customer Personal Data only on lawful documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country or an international organization, unless required to do so by EEA Laws to which joinsolis is subject; in such a case, joinsolis shall inform Customer of that legal requirement before Processing, unless EEA Laws prohibit such information on important grounds of public interest;

(b) shall ensure that persons authorised to Process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) shall take all measures required pursuant to Article 32 of the GDPR;

(d) shall respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;

(e) taking into account the nature of the Processing, shall assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;

(f) shall assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to joinsolis;

(g) at the choice of Customer, shall delete or return all the Customer Personal Data to Customer after the end of the provision of services relating to Processing, and delete existing copies unless EEA Laws require storage of the Customer Personal Data;

(h) shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.