Data Processing Addendum (GDPR)

This DPA, known as the Data Processing Addendum, forms part of the Principal Agreement between the Customer and Stimulus Software, as outlined in the Terms of Service. The Principal Agreement remains binding and in effect, with this DPA serving as an extension of its terms. Stimulus Software is the entity responsible for creating MailArchiva.

1. Definitions.

The following definitions apply to this DPA. Capitalized terms not otherwise defined have the same meaning as in the Principal Agreement.

(a) "Customer's Personal Data" refers to any personal data processed by Stimulus Software on behalf of the Customer to provide the Services under the Principal Agreement.

(b) "Applicable Data Protection Laws" refers to the GDPR, as implemented in the domestic legislation of each Member State (and the United Kingdom), and any amendments, replacements, or supplements to the GDPR, as well as any laws applicable to the collection, storage, processing, and use of Customer's Personal Data, including the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq.

(c) "GDPR" refers to the EU General Data Protection Regulation 2016/679.

(d) "Stimulus Software Infrastructure" refers to (i) Stimulus Software's physical facilities; (ii) hosted cloud infrastructure; (iii) Stimulus Software's corporate network and the non-public internal network, software, and hardware necessary to provide the Services and which is controlled by Stimulus Software; to the extent used to provide the Services.

(e) "Restricted Transfer" means the transfer of Customer's Personal Data from Stimulus Software to a sub-processor that would be prohibited by Applicable Data Protection Laws (or by the terms of data transfer agreements addressing the data transfer restrictions of Applicable Data Protection Laws) without appropriate safeguards required under Applicable Data Protection Laws.

(f) "Services" refers to the services provided to the Customer by Stimulus Software under the Principal Agreement.

(g) "Standard Contractual Clauses" refers to the latest version of the standard contractual clauses for the transfer of personal data to processors established in third countries under the GDPR (the current version as at the date of this DPA is as annexed to European Commission Decision 2021/914 (EU) of June 4, 2021).

(h) "UK Addendum" refers to the United Kingdom Addendum (International Data Transfer Addendum to the EU Commission Standard Contractual Clauses) available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

(i) The terms "consent," "controller," "data subject," "Member State," "personal data," "personal data breach," "processor," "sub-processor," "processing," "supervisory authority," and "third party" have the meanings given to them in Article 4 of the GDPR.

2. Compliance with Applicable Data Protection Laws

(a) Stimulus Software and the Customer shall each comply with the provisions and obligations imposed on them by the Applicable Data Protection Laws and shall procure that their employees, agents and contractors observe the provisions of the Applicable Data Protection Laws.

3. Details and Scope of the Processing

The Agreement outlines the terms for processing the Customer's Personal Data in compliance with Article 28(3) of the GDPR. The parties may amend these terms as necessary to meet legal requirements. The scope and duration of the Personal Data processing is defined in the Principal Agreement, while the nature and purpose of processing involves Stimulus Software providing data archiving services to the Customer, which includes providing services, resolving technical issues, and responding to support requests. The Personal Data processed includes name, email, telephone numbers, physical addresses, IP address, calendar, contact, file and email content. The data subjects to whom the Personal Data relates are the senders and recipients of the email and file, calendar and contact entry owners.

Stimulus Software will process the Customer's Personal Data only to fulfill its obligations under the Principal Agreement and in accordance with the documented instructions in this DPA or as instructed by the Customer. If Stimulus Software finds that a Customer instruction contradicts the provisions of the Principal Agreement or the DPA or infringes GDPR or other data protection regulations, Stimulus Software will notify the Customer and may defer performing the instruction until it has been amended or agreed upon.

The Customer is solely responsible for managing and utilizing the Personal Data submitted or transmitted through the Services, including verifying recipient addresses, notifying recipients of email's insecure nature, limiting the disclosed information, and encrypting the Personal Data if required by law. If the Customer chooses not to configure mandatory encryption, the Services may transmit unencrypted email in plain text over public networks. The Stimulus Software Infrastructure stores the uploaded information in an encrypted format.

4. Controller and Processor

(a) Under this DPA, the Customer is the controller of their own Personal Data while Stimulus Software is the processor, except when the Customer themselves act as a processor, in which case Stimulus Software becomes a sub-processor.

(b) Stimulus Software is required to appoint an officer to assist the Customer in responding to Data Subject inquiries related to data processing and in completing all necessary legal information and disclosure requirements associated with the Data Processing. The Data Protection Officer can be directly contacted at privacy@stimulussoft.com.

(c) The Customer guarantees that:

(i) The processing of their Personal Data is legally grounded as required by Applicable Data Protection Laws and that they have obtained and will maintain all necessary rights, permissions, registrations, and consents in compliance with Applicable Data Protection Laws, related to Stimulus Software's processing of their Personal Data under this DPA and the Principal Agreement.

(ii) They are authorized to transfer their Personal Data to Stimulus Software and allow it to process their Personal Data, so that Stimulus Software can lawfully use, process, and transfer the Customer's Personal Data to provide the Services and fulfill other obligations under this DPA and the Principal Agreement.

(iii) They will notify their Data Subjects about their use of Processors in processing their Personal Data, to the extent required by Applicable Data Protection Laws.

(iv) They will respond to Data Subject inquiries about the processing of their Personal Data in a reasonable time and provide timely instructions to the Processor as appropriate.

5. Confidentiality

Stimulus Software is responsible for ensuring that all of its personnel, as well as any sub-processors it employs, who are authorized to process the Customer's Personal Data, are bound by confidentiality obligations or professional/statutory obligations of confidentiality. Additionally, they must receive appropriate training on the relevant security and data protection requirements.

6. Technical and Organizational Measures

(a) Stimulus Software is responsible for ensuring the security of the Customer's Personal Data. To fulfill this responsibility, Stimulus Software shall take reasonable measures in accordance with Article 32 of the GDPR to ensure the security of its infrastructure and platforms used to provide the Services. Stimulus Software shall document these measures as appropriate. Furthermore, Stimulus Software shall assist the Customer, at the Customer's expense, in ensuring compliance with the Customer's obligations under Article 32 of the GDPR upon reasonable request.

(b) Stimulus Software's internal operating procedures shall comply with the specific requirements of an effective Data Protection management to ensure the protection of the Customer's Personal Data.

7. Data Subject Requests

When customers use Stimulus Software's email and document archiving and discovery services, and a complaint, inquiry, or request related to the Customer’s Personal Data is received directly from data subjects, Stimulus Software will notify the Customer within fourteen (14) days. Stimulus Software will also assist the Customer, to the extent reasonably possible, in fulfilling their obligation to respond to requests for exercising data subjects' rights under Applicable Data Protection Laws. To ensure compliance with the nature of the processing, Stimulus Software will implement appropriate technical and organizational measures.

8. Personal Data Breaches

(a) If Stimulus Software becomes aware of a personal data breach that affects the Customer's Personal Data, Stimulus Software shall promptly notify the Customer. Stimulus Software shall make reasonable efforts, taking into account the nature of the processing and the information available to Stimulus Software, to provide the Customer with sufficient information to enable the Customer, at its own expense, to fulfill any obligations to report or inform regulatory authorities, data subjects, and other entities of the personal data breach to the extent required under Applicable Data Protection Laws.

9. Data Protection Impact Assessments

(a) Stimulus Software shall provide reasonable assistance to the Customer, at the Customer’s cost, with any necessary data protection impact assessments and prior consultations with supervisory authorities or other competent regulatory authorities, as required for the Customer to fulfill its obligations under Applicable Data Protection Laws. Stimulus Software shall take into account the nature of the processing and available information to provide such assistance.

10. Audits

(a) Upon reasonable request from the Customer, Stimulus Software shall provide necessary information to demonstrate compliance with this DPA.

11. Return or Destruction of the Customer’s Personal Data

(a) Upon written request, the Customer may require Stimulus Software to return or certify the deletion of all copies of the Customer's Personal Data held or controlled by Stimulus Software and its sub-processors. Stimulus Software shall provide the Controller's Data in a format that is readable and processable.

(b) Within ninety (90) days following termination of the account, the Processor shall delete and/or return all Personal Data processed pursuant to this DPA, except where statutory duties require retention for specified periods. Stimulus Software may keep electronic copies of files containing Customer's Personal Data created through automatic archiving or backup procedures which cannot be reasonably deleted. In such cases, Stimulus Software shall ensure that the Customer's Personal Data is not actively processed any further.

(c) Any additional costs associated with the return or deletion of Personal Data following the termination or expiration of the Agreement shall be the responsibility of the Customer.

12. Data Transfers

(a) The Standard Contractual Clauses and, if required, the UK Addendum, which designate Stimulus Software as the data importer and the Customer as the data exporter, are incorporated into this DPA. If Stimulus Software engages a sub-processor that involves a Restricted Transfer, Stimulus Software shall ensure that the onward transfer provisions of the Standard Contractual Clauses and/or UK Addendum are included in the Principal Agreement, or are otherwise entered into, between Stimulus Software and the sub-processor. The Customer agrees to exercise its audit right in the Standard Contractual Clauses by instructing Stimulus Software to conduct the audit set out in Paragraph 10.

(b) The Controller acknowledges and agrees that, in connection with the provision of Services under the Agreement, the Processor may transfer Personal Data within its company group. These transfers are necessary to provide the Services globally and are justified for internal administration purposes.

(c) For transfers of Personal Data from the European Union, the European Economic Area, and/or their member states, Switzerland, and the United Kingdom to countries that do not ensure an adequate level of Data Protection under Data Protection Laws of the foregoing territories, and to the extent that such transfers are subject to Data Protection Laws and Regulations and in order to implement appropriate safeguards, the following safeguards are taken: (i) Standard Contractual Clauses as per the European Commission’s Decision 2021/914/EU of June 4, 2021, (ii) UK Addendum, and (iii) additional safeguards with respect to security measures including data encryption, data aggregation, separation of access controls, and data minimization principles.

13. Sub-processing

(a) The customer authorizes Stimulus Software to engage sub-processors according to Annex 1 and subject to any restrictions in the Principal Agreement. Sub-processors will be bound by written agreements requiring them to provide data protection standards equal to those required by this DPA. Stimulus Software may continue to use sub-processors already engaged at the time of this DPA.

(b) Stimulus Software will notify the Customer in writing before appointing any new sub-processor. If the Customer objects to the proposed appointment with reasonable grounds within ten (10) business days of receiving the notice, Stimulus Software will not appoint the sub-processor until reasonable steps have been taken to address the objections and the Customer has been provided with a reasonable written explanation of the steps taken. If the parties cannot resolve the appointment of a sub-processor within a reasonable period, either party may terminate the Principal Agreement for cause.

(c) Stimulus Software is responsible for the acts and omissions of sub-processors in relation to the matters provided in this DPA.

14. Governing law and jurisdiction

(a) The parties agree to abide by the jurisdiction designated in the Principal Agreement for any disputes or claims arising under this DPA, including disputes concerning its validity, termination, or the effects of its invalidity.

(b) This DPA, along with any non-contractual or additional obligations arising out of or related to it, shall be governed by the laws of the country or territory specified in the Principal Agreement for such purposes.

15. Order of precedence

(a) In the event of any inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Principal Agreement, the provisions of this DPA shall prevail, except where explicitly agreed otherwise in writing and signed on behalf of the parties, even if such agreements are entered into or purported to be entered into after the date of this DPA, and regardless of the subject matter of such agreements.

16. Severance

If any provision of this DPA is deemed invalid or unenforceable, the rest of the DPA shall still remain valid and in effect. The invalid or unenforceable provision will either be (i) modified as necessary to make it valid and enforceable, while preserving the parties' intentions as closely as possible or, if modification is not possible, (ii) interpreted as if the invalid or unenforceable part had never been included in the DPA.

17. Termination

(a) The termination of the Principal Agreement shall result in the automatic and contemporaneous termination of this DPA and the Standard Contractual Clauses.

(b) No amendment or variation to this DPA shall be considered binding on the Parties unless it is in writing and signed by authorized representatives of each Party.

IN WITNESS WHEREOF, this DPA and the Annexes are entered into and becomes a binding part of the Principal Agreement with effect from the date first set out above.

Stimulus Software

Signature:

Name:

Title:

The Customer

Signature:

Name:

Title:

Date Signed:

ANNEX 1

STANDARD CONTRACTUAL CLAUSES

With regard to the Standard Contractual Clauses the Parties agree that:

(a) Module 2 (Controller-to-Processor) will apply where Stimulus Software acts as Customer’s data processor; Module 3 (Processor-to-Processor) will apply where Stimulus Software acts as Customer sub-processor. For each Module, where applicable:

(b) Clause 7 (Docking clause) is incorporated;

(c) For the purposes of Clause 9.a) (Use of sub-processors), Option 2: General written authorization shall apply. The data importer has the data exporter’s general authorization for the engagement of sub-processors from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least ten (10) business days in advance;

(d) The optional wording in Clause 11 (Redress) on independent resolution bodies is not incorporated;

(e) For the purpose of Clause 13 (Supervision), the Irish Data Protection Commission shall act as a competent supervisory authority;(f) Option 1 of Clause 17 (Governing law) shall apply and the laws of Ireland shall govern the Standard Contractual Clauses;

ANNEX 2

INFORMATION SECURITY – TECHNICAL AND ORGANIZATIONAL MEASURES

Where personal data is processed or used automatically, Stimulus Software’s internal organization ensures that it meets specific requirements of data protection by utilizing security best practices. In particular, Stimulus Software implements the following measures to protect personal data or other sensitive data categories.

Physical Access Control

To ensure that personal data processing systems are not accessed by unauthorized individuals, Stimulus Software implements the following measures:

• Utilizing leading data center and cloud infrastructure providers, all of which have stringent access controls and 24/7 surveillance with biometric authentication systems. These providers possess industry-standard certifications.

• Data centers are equipped with N+1 redundancy for power, networking, and cooling infrastructure.

• Data processing is distributed across at least three distinct availability zones within a region to mitigate the impact of an availability zone failure and prevent disruption of services to customers.

System Access Control

To prevent unauthorized use of data processing systems:

• Stimulus Software adopts the principle of least privilege for administrative access to its systems and services, ensuring that access is granted based on job roles and responsibilities. Each user is assigned a unique username/identifier which cannot be shared or reassigned.

• Access to internal support tools and product infrastructure is secured through the use of VPN and multi-factor authentication.

• Network access control lists (ACLs) and security groups are utilized to restrict ingress and egress traffic from production infrastructure.

• Intrusion detection systems (IDS) are employed to identify any potential unauthorized access.

• Network protection is implemented to mitigate the impact of distributed denial of service (DDoS) attacks.

• Onboarding and offboarding processes are clearly defined and consistently followed to ensure proper management of access to internal and externally hosted tools and systems. Third-party services use single sign-on (SSO) functionality where possible to enable centralized management and enforce multi-factor authentication.

Data Access Control

To ensure that only authorized users have access to personal data and can perform actions on it, Stimulus Software has implemented the following security measures:

• User access is managed through a password management system that enforces password length, complexity, expiration, and usage policies.

• Employee workstations are configured to automatically lock after a certain period of inactivity, and systems log out users who have been inactive for too long.

• Logs are centrally stored and indexed, and security logs are retained for at least one year.

• A monthly patch management process ensures that all systems are patched, and routine vulnerability scanning and monitoring occurs.

• To protect internal assets against known viruses, industry-standard antivirus software is used and regularly updated.

• Firewall devices are used to segregate and filter unwanted traffic, and a DMZ is implemented using firewalls to further protect internal systems that handle sensitive data.

Data Transmission Control

To ensure the security and confidentiality of personal data during electronic transmission or transport, Stimulus Software has implemented the following measures:

• Personal data is encrypted-at-rest using AES-256 encryption to prevent unauthorized access.

• Customer backups are encrypted-in-transit and at rest with strong encryption to ensure data is protected from interception during transport and storage.

• The client application communicates with Stimulus Software infrastructure through a secure TLS 1.2 connection, which encrypts network traffic and provides an additional layer of protection against data interception.

• Stimulus Software conducts regular risk assessments and third-party penetration tests to identify and address encryption issues. Third-party penetration tests are performed annually, or as required due to changes in the business, to evaluate the effectiveness of security controls and identify potential vulnerabilities.

Input Control

To enable tracking and verification of personal data inputs, modifications, and removals in data processing systems:

• Stimulus Software constantly monitors systems for security events to guarantee fast resolution.

• Logs are stored centrally and indexed for easy access. Critical logs, including security logs, are kept for at least one year. Logs are time-stamped and can be traced back to individual unique usernames, allowing for investigations of nonconformities or security events.

Availability Control

To ensure the protection of personal data against accidental loss or destruction, Stimulus Software implements the following measures:

• Archived data is stored in third-party object storage, offering eleven nines (99.999999999%) durability of objects over a given year.

• Daily incremental backups of configuration and index data are performed. Backups are encrypted-in-transit and at rest using strong encryption.

• The patch management process of Stimulus Software ensures that systems are patched at least once every month, with monitoring, alerting, and routine vulnerability scanning to ensure consistent infrastructure patching.

• In the event of critical vulnerabilities, Stimulus Software promptly patches infrastructure to preserve system uptime.

• Customer environments are logically separated, and unauthorized access to other accounts is prevented.

ANNEX 3

ANNEX 3

AUTHORIZED SUB-PROCESSORS AS OF THE DPA EFFECTIVE DATE

Last revised 18 April 2023