In connection with that certain Master Services Agreement (the "Agreement") between Penrove, Inc. ("Penrove") and the applicable customer ("Customer"), Penrove may Process Customer Personal Data (as defined below) for and on behalf of Customer in accordance with the terms and conditions set forth in this Data Processing Addendum ("Addendum"). Unless otherwise defined in this Addendum or in the Agreement, all capitalized terms used in this Addendum will have the meanings given to them in Section 1 of this Addendum.
1. Definitions and Interpretation.
(a) “Account Data” means Personal Data relating to Customer’s relationship with Penrove, including: (i) Permitted Users’ account information (e.g. name, email address, organization information, job title/role and Penrove account ID); (ii) billing and contact information of individual(s) associated with Customer’s Penrove account (e.g. billing address, email address, and/or name); (iii) Permitted Users’ device and connection information (e.g. IP address); and (iv) content/description of technical support requests (e.g., chats and other communications, and other information provided by the Data Subject in the context of such requests).
(b) “Applicable Data Protection Law” means the Laws applicable to the Processing of Personal Data under the Agreement as provided in Schedule 2.
(c) “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For purposes of this Addendum, the Controller also includes a "business" or other similar term under Applicable Data Protection Law.
(d) “Customer Personal Data” means Personal Data contained in Customer Data that Penrove Processes under the Agreement solely on behalf of Customer.
(e) “Personal Data” means information relating to an identified or identifiable natural person ("Data Subject"), or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar term under Applicable Data Protection Law.
(f) “Personnel” means officers, directors, employees, Sub-processors, agents and representatives.
(g) “Processing” (and “Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
(h) “Processor” means the entity which Processes Personal Data on behalf of the Controller. For purposes of this Addendum, the Processor also includes a "service provider" or other similar term under Applicable Data Protection Law.
(i) “Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data Processed by Penrove and/or its Sub-processors.
(j) “Sell” means to sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means to a third party for monetary or other valuable consideration.
(k) "Share" means to share, rent, release, disclose, disseminate, make available, transfer or otherwise communicate orally, in writing, or by electronic or other means, Personal Data to a third party for cross-context behavioral advertising (as defined under Applicable Data Protection Law), whether or not for monetary or other valuable consideration.
(l) “Sub-processor” means any third party engaged by Penrove to Process Customer Personal Data.
(m) “Usage Data” means Personal Data relating to or obtained in connection with the use, performance, operation, support or use of the Services, including via their connection to Third-Party Services. Usage Data may include event name (i.e. what action Permitted Users performed), event timestamps, device, operating system and browser information, IP geolocation and address, diagnostic data, browsing activity, data types, file sizes, and similar information associated with data from the Service and Third-Party Services that Customer connects to the Service. For clarity, Usage Data does not include Customer Personal Data.
2. General.
(a) Penrove will Process Customer Personal Data as Customer’s Processor pursuant to the Agreement and in accordance with Customer’s instructions as provided in Section 3, and is authorized to Process Personal Data as set forth in Schedule 1 (Description of Processing).
(b) Penrove may Process Customer Personal Data as a Controller for the following purposes: (i) to provide, optimize, secure, and maintain the Service; (ii) to manage the Customer relationship (communicating with Customer and Permitted Users in accordance with their account preferences, responding to Customer inquiries and providing technical support, etc.); (iii) to facilitate security, fraud prevention, performance monitoring, business continuity and disaster recovery; and (iv) to carry out core business functions such as accounting, billing, and collecting/filing taxes.
(c) The term of this Addendum coincides with the term of the Agreement and terminates upon expiration or earlier termination of the Agreement (or, if later, the date on which Penrove ceases Processing Customer Personal Data).
(d) Penrove may Process Account Data (excluding Personal Data) and Usage Data for its technological, business and operational purposes in its sole discretion; provided that in the context of such usage, Customer is not identified or reasonably identifiable from any such data made publicly available.
(e) This Addendum controls and supersedes the Agreement in all respects with respect to any inconsistent, contrary, or conflicting (directly or indirectly) provision or term, except to the extent the applicable provision or term of the Agreement expressly states that such provision or term supersedes this Addendum.
3. Processing of Personal Data.
(a) Penrove will Process Customer Personal Data in accordance with the documented lawful instructions of Customer as provided in the Agreement (including this Addendum) and respective Order Forms, as necessary to provide the Service and related support and enable the use of various features and functionalities in accordance with the Documentation, as well as to (i) investigate security incidents and enforce the Agreement and our Terms and Conditions, or (ii) comply with its legal obligations. Penrove will notify Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate Applicable Data Protection Law.
(b) Penrove, its Personnel, and others acting under the authority of Penrove will Process Customer Personal Data on the documented instructions from Customer, including as provided in Section 3(a), for the purposes of providing the Services, in accordance with the Agreement and this Addendum, and not for any other purpose (commercial or otherwise), or in any other manner, unless specifically instructed by Customer to do so, or unless required to do so by applicable law; in such case, Penrove will inform Customer in writing of that requirement, unless that law expressly prohibits such notification.
(c) Penrove will not Process Customer Personal Data outside of the direct business relationship between Customer and Penrove; and Penrove shall not combine any Customer Personal Data with any Personal Data it collects or acquires from any third party or its own direct interactions with any Data Subject and that is not Customer Personal Data, other than solely to provide the Service and support for the benefit of Customer as expressly permitted by the Agreement or this Addendum.
(d) Penrove will not Sell or Share any Customer Personal Data.
(e) To the extent required by Applicable Data Protection Law, Penrove will inform Customer if it determines that it can no longer meet its obligations under Applicable Data Protection Law or within the timeframe specified by such laws, in which case Customer may take reasonable and appropriate steps to prevent, stop, or remediate any unauthorized Processing of such Customer Personal Data.
4. Assistance and Cooperation Obligations.
(a) Taking into account the nature of the Processing, Penrove will provide reasonable and timely assistance to Customer, at Customer's expense, to enable Customer to respond to requests for exercising a data subject’s rights (including rights of access, rectification, erasure, restriction, objection, and data portability) in respect to Customer Personal Data. Penrove will, without undue delay, notify Customer in writing of (i) any communication received from any Data Subject or governmental authority relating to Customer Personal Data or (ii) any access by any governmental authority to any Customer Personal Data. Penrove will, at Customer's expense, comply with reasonable instructions of Customer in responding to any Data Subject or governmental authority communications or requests regarding Customer Personal Data (whether received by Penrove, Customer or otherwise) and will, at Customer's expense, assist Customer using appropriate technical and organizational measures (to the extent possible) to respond to such communications or requests.
(b) Upon Customer’s reasonable request and at Customer's expense, and taking into account the nature of the Processing, Penrove will provide reasonable assistance to Customer in fulfilling Customer’s obligations under Applicable Data Protection Law (including data protection impact assessments and consultations with regulatory authorities), in the event that the Service does not permit Customer to reasonably fulfill such obligations independently.
(c) Unless prohibited by Law, Penrove will notify Customer without undue delay of any valid, enforceable subpoena, warrant, or court order from law enforcement or public authorities compelling Penrove to disclose Customer Personal Data. In the event that Penrove receives an inquiry or a request for information from any other third party (such as a regulator or data subject) concerning the Processing of Customer Personal Data, Penrove will redirect such inquiries to Customer, and will not provide any information unless required to do so by applicable law.
5. Deletion and Return of Customer Personal Data.
(a) During the term of the Agreement and any applicable Order Form, Customer and its Permitted Users may, through the features of the Service, access, retrieve or delete Customer Personal Data, subject to any retention of data permitted by Applicable Data Protection Law, including for project and system integrity.
(b) Following expiration or termination of the Agreement, Penrove will, in accordance with the Documentation, delete the Customer Personal Data. Notwithstanding the foregoing, Penrove may retain Customer Personal Data (i) as required or permitted by any Applicable Data Protection Law; (ii) for the purposes provided in Section 2(b) or (iii) in accordance with its standard backup or record retention policies, provided that, in each case, Penrove will comply with the applicable provisions of this Addendum with respect to retained Customer Personal Data and not further Process it except as required by Applicable Data Protection Law.
6. Requirements of Applicable Data Protection Law and Data Localization. To the extent Penrove Processes Personal Data protected by Applicable Data Protection Laws in one of the regions listed in Schedule 2, the terms specified for the applicable regions will also apply, including the provisions relevant for international transfers of Personal Data (directly or via onward transfer).
7. Sub-processing. By entering into this Addendum, Customer provides general authorization for Penrove to engage Sub-processors to Process Customer Personal Data. Penrove will: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect Customer Personal Data to the standard required by Applicable Data Protection Law and to the same standard provided by this Addendum; and (ii) remain liable to Customer, to the extent of Penrove's liability under this Addendum for its own acts and subject to the limits in this Addendum and the Agreement, if such Sub-processor fails to fulfill its data protection obligations with regard to the relevant Processing activities under the Agreement.
8. Security.
(a) Security Measures. Penrove has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity and availability of Customer Data and protect against Security Incidents. Customer is responsible for configuring the Services and using features and functionalities made available by Penrove to maintain appropriate security in light of the nature of Customer Data. Customer acknowledges that the security measures are subject to technical progress and development and that Penrove may update or modify the security measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Services during the term of the applicable Order Form.
(b) Security Incidents. Penrove will notify Customer without undue delay after becoming aware of a Security Incident. Penrove will make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within Penrove’s reasonable control, in each case at Customer's expense, unless and to the extent the Security Incident was caused by Penrove's breach of this Addendum or the Agreement. Upon Customer’s request and expense (except as provided in the preceding sentence) and taking into account the nature of the Processing and the information available to Penrove, Penrove will assist Customer by providing information reasonably necessary for Customer to meet its Security Incident notification obligations under Applicable Data Protection Law. Penrove’s notification of a Security Incident is not an acknowledgment by Penrove of its fault or liability.
9. Survival. The terms and conditions of this Addendum, and Penrove’s obligations with respect to Customer Personal Data, will survive the termination or expiration of this Addendum for so long as Penrove retains any Customer Personal Data.
1. Categories of data subjects whose Personal Data is Processed: Customer and its Permitted Users.
2. Categories of Personal Data Processed: Name, business name, business address, business email address, business title, business phone number.
3. Sensitive data transferred: Customer Personal Data does not contain data (i) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (ii) genetic data, biometric data Processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, or (iii) relating to criminal convictions and offenses (altogether “Sensitive Data”).
4. The frequency of the transfer: Continuous.
5. Nature of the Processing: As Processor, Penrove will Process Personal Data in order to provide the Service and related support in accordance with the Agreement, including this Addendum. Additional information regarding the nature of the Processing (including transfer) is described in the Agreement, as well as the applicable Order Forms for the Service and Documentation referring to technical capabilities and features, including but not limited to collection, structuring, storage, transmission, or otherwise making available of Personal Data by automated means.
6. Purpose(s) of the Processing:
(a) Customer Personal Data: Penrove will Process Customer Personal Data as Processor in accordance with Sections 2(a) and (b) of the Agreement.
7. Duration of Processing:
Customer Personal Data: Penrove will Process Customer Personal Data for (i) the term of the Agreement as provided in Section 5 and (ii) as long as required (a) to provide Service and support to Customer in accordance with the Agreement; (b) for Penrove’s legitimate business purposes outlined in Sections 2(b) and (c); or (c) by applicable Law.
8. Transfers to Sub-processors: Penrove will transfer Customer Personal Data to Sub-processors as provided in Section 7 of the Addendum.
Unless otherwise defined in this Addendum or in the Agreement, all capitalized terms used in this Schedule will have the meanings given to them in Section 4 of this Schedule.
1. Definitions
(a) Where Personal Data is subject to the laws of one of the following regions, the definition of “Applicable Data Protection Law” includes (in each case including all implementing and related regulations and rules, and in each case as amended):
i. the United States: all applicable federal and state laws relating to the Processing of Personal Data in effect in the United States (collectively, “US State Privacy Laws”).