ExamFX, Inc. -- Data Processing Addendum for Customers 

This Data Processing Addendum (“Addendum”) is incorporated into the Master License and Services Agreement or other written or electronic agreement (the “Agreement”) between the Customer identified below (“Customer”), and ExamFX, Inc. (“Vendor”), each a “Party” and collectively the “Parties.” This Addendum takes precedence over the Agreement, to the extent of any conflict. 


Customer and Vendor agree as follows:

  1. Definitions. For purposes of this Addendum:
    1. “Customer” means the person or entity that executed the Order Form (as defined in the Agreement) or the Agreement with Vendor.
    2. “Data Protection Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), as such laws may be amended from time to time.  For the avoidance of doubt, if Vendor’s Processing activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this Addendum.
    3. “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
    4. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Protection Laws.
    5. “Privacy Policy” means that certain privacy policy available at https://auth.examfx.com/policy.html.
    6. “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    7. “Security Breach” means any accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  2. Scope and Purposes of Processing.
    1. This Addendum applies to the Personal Data that Vendor receives from Customer, or otherwise Processes on Customer’s behalf, in connection with the services provided by Vendor to Customer pursuant to the Agreement.
    2. Vendor will Process Personal Data: (1) to fulfill its obligations to Customer under the Agreement, including this Addendum; (2) on Customer’s behalf; and (3) in compliance with Data Protection Laws and in accordance with the Privacy Policy.  Vendor will not sell Personal Data or otherwise Process Personal Data for any purpose other than as set forth herein.
    3. Vendor will not transfer Personal Data to any country or territory outside of the United States without the prior written consent of Customer.
    4. Vendor will promptly and appropriately respond to a Data Subject’s request to exercise their data subject rights as may be available under certain Data Protection Laws.
    5. If a Data Protection Law to which Vendor is subject requires Vendor to Process Personal Data in a manner that conflicts with the terms of the Agreement or this Addendum, Vendor will inform Customer of that legal requirement before Processing, unless that law prohibits Customer from providing such information on important grounds of public interest within the meaning of Data Protection Laws.
  3. Personal Data Processing Requirements. Vendor will:
    1. Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    2. Assist Customer in the fulfilment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their lawful representatives) for exercising their rights under applicable Data Protection Laws (such as rights to access or delete Personal Data).  Customer shall be responsible for reasonable out-of-pocket costs that are agreed to in writing in advance.
    3. Promptly notify Customer of (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any requests by Data Subjects (or their lawful representatives) for exercising their rights under Data Protection Laws; or (iii) any government request for access to or information about Vendor’s Processing of Personal Data on Customer’s behalf, unless prohibited by Data Protection Laws. 
  4. Data Security. Vendor will implement appropriate administrative, technical, physical, and organizational measures to protect Personal Data, as set forth in Exhibit A.
  5. Security Breach. Vendor will notify Customer promptly of any known Security Breach and will assist Customer in Customer’s compliance with its Security Breach-related obligations, including without limitation, by:
    1. Taking steps to mitigate the effects of the Security Breach and reduce the risk to Data Subjects whose Personal Data was involved; and
    2. Providing Customer with the following information, to the extent known:
      1. The nature of the Security Breach, including, where possible, how the Security Breach occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
      2. The likely consequences of the Security Breach; and
      3. Measures taken or proposed to be taken by Vendor to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
  6. Subcontractors. Customer acknowledges and agrees that Vendor may use Vendor affiliates and other subcontractors to Process Personal Data in accordance with the provisions within this Addendum and Data Protection Laws. Where Vendor sub-contracts any of its rights or obligations concerning Personal Data, including to any affiliate, Vendor will take steps to select and retain subcontractors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with applicable Data Protection Laws.
  7. Return or Destruction of Personal Data. Except to the extent required by applicable laws or regulations, or permitted otherwise by Data Protection Laws, Vendor will, at the choice of Customer, return to Customer and/or securely destroy all Personal Data upon (a) written request of Customer or (b) termination of the Agreement. Except to the extent prohibited by Data Protection Laws, Vendor will inform Customer if it is not able to return or delete the Personal Data.
  8. Survival. The provisions of this Addendum survive the termination or expiration of the Agreement for so long as Vendor or its subprocessors Process the Personal Data.


Exhibit A

VENDOR DATA SECURITY MEASURES

Vendor will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Data:


Vendor’s Information Security Program includes specific security requirements for its personnel and all subcontractors or agents who have access to Personal Data (“Data Personnel”). Vendor’s security requirements cover the following areas:


  1. Information Security Policies and Standards. Vendor will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data.
  2. Physical Security. Vendor will maintain commercially reasonable security systems at all Vendor sites at which an information system that uses or stores Personal Data is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.
  3. Organizational Security. Vendor will maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.
  4. Network Security. Vendor maintains commercially reasonable information security policies and procedures addressing network security.
  5. Access Control.  Vendor agrees that: (1) only authorized Vendor staff can grant, modify or revoke access to an information system that Processes Personal Data; and (2) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.
  6. Virus and Malware Controls. Vendor protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.
  7. Personnel.  Vendor has implemented and maintains a security awareness program to train employees about their security obligations.  Data Personnel follow established security policies and procedures. A disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
  8. Subcontractor Security.  Vendor shall only select and contract with subcontractors that are capable of maintaining appropriate security safeguards that are no less onerous than those contained in the Addendum and this Exhibit.
  9. Business Continuity. Vendor implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. Vendor also adjusts its Information Security Program in light of new laws and circumstances, including as Vendor’s business and Processing change.