Sparrow Data Processing Addendum
Posted December 22, 2022
This Data Processing Addendum (including all Schedules attached hereto, the “DPA”) is incorporated into, and is subject to the Sparrow agreement that governs the use of the Sparrow service (the “Agreement”) between TrySparrow.com, Inc. (“Sparrow” or “Company”) and the entity identified as “Customer” in the Agreement (“Customer”). This DPA applies where Company’s Processing of Customer Personal Data is subject to the Data Protection Laws. This DPA shall be effective for the term of the Agreement.
1. Definitions
- 1.1 For the purposes of this DPA:
- 1.1.1 “Controller” or “Business” means the entity which determines the purposes and means of the Processing of Personal Data;
- 1.1.2 “Customer Personal Data” means the Personal Data described under Schedule 1 to this DPA;
- 1.1.3 “CCPA” means the California Consumer Privacy Act (as amended by the California Privacy Rights Act) and its implementing regulations;
- 1.1.4 “Data Protection Laws” means U.S. and Canadian data protection and privacy laws, regulations, and binding obligations applicable to Company’s Processing of Customer Personal Data under this Agreement, each as amended, repealed, consolidated or replaced from time to time;
- 1.1.5 “Data Subjects” means the individuals identified in Schedule 1;
- 1.1.6 “Personal Data”, “Personal Data Breach”, “Processing” and “Process(es)” will each have the meaning given to them in the Data Protection Laws. The term “Personal Data” includes “personal information,” “personally identifiable information,” and equivalent terms as such terms may be defined by the Data Protection Laws. The term “Personal Data Breach” includes equivalent terms as defined by the Data Protection Laws;
- 1.1.7 “Processor” or “Service Provider” means the entity which Processes Personal Data on behalf of the Controller.
- 1.2 Capitalized terms not otherwise defined herein will have the meaning given to them in the Agreement.
2. Processing of Customer Personal Data
- 2.1 The parties acknowledge and agree that Customer is the Business or Controller of Customer Personal Data and Company is the Service Provider or Processor of Customer Personal Data. Company will only Process Customer Personal Data as a Processor on behalf of and in accordance with Customer’s prior written instructions, including any instructions provided through Customer’s use of the Service, unless required to do otherwise by applicable law. Company shall inform Customer of the legal requirement before processing Customer Personal Data other than in accordance with Customer's instructions, unless that same law prohibits Company from doing so on important grounds of public interest. Company is hereby instructed to Process Customer Personal Data to the extent necessary to provide the Service as set forth in the Agreement. Without prejudice to the foregoing, Customer is responsible for determining whether the Service is appropriate for the storage and processing of Customer Personal Data under Data Protection Laws and for the accuracy, quality and legality of the Customer Personal Data and the means by which it acquired Customer Personal Data.
- 2.2 Company will provide the same level of protection for Customer Personal Data as required of Customer under Data Protection Laws. Company will not (a) retain, use, or disclose Customer Personal Data other than as provided for in the Agreement, as needed to provide the Service, or as otherwise permitted by Data Protection Laws; (b) retain, use, or disclose any Customer Personal Data outside of the direct business relationship between Customer and Company unless permitted by Data Protection Laws; (c) retain, use or disclose Customer Personal Data for any purpose other than the business purposes specified in this DPA or otherwise permitted by Data Protection Laws; or (d) Sell or Share Customer Personal Data (as those terms are defined in the CCPA). Company shall comply with any applicable restrictions under Data Protection Laws on combining Customer Personal Data with personal data that Company receives from, or on behalf of, another person or persons, or that Company collects from any interaction between it and any individual.
- 2.3 A description of Company’s Processing of Customer Personal Data is set forth in Schedule 1.
- 2.4 If applicable laws preclude Company from complying with Customer’s instructions, Company will inform Customer of its inability to comply with the instructions, to the extent permitted by law.
- 2.5 Each of Customer and Company will comply with their respective obligations under the Data Protection Laws.
- 2.6 Company will cooperate with Customer in all reasonable measures pertaining to compliance with the Data Protection Laws. Customer will indemnify Company if Customer fails to comply with its obligations under Data Protection Laws according to the process set forth in the Agreement.
- 2.7 Company will notify Customer if Company makes a determination that it can no longer meet its obligations under Data Protection Laws.
- 2.8 Customer shall have the right, upon fourteen (14) business days’ notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Personal Data by Company.
- 2.9 Company hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them.
3. Confidentiality and Security
- 3.1 Company will require Company’s personnel who access the Customer Personal Data to be under an obligation to protect the confidentiality of Customer Personal Data.
- 3.2 Company will implement commercially reasonable technical and organizational measures, as further described in the Security Policy, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
- 3.3 To the extent required by Data Protection Laws, Company will provide Customer with reasonable assistance as necessary for the fulfillment of Customer’s obligations under Data Protection Laws to maintain the security of Customer Personal Data taking into account the nature of Processing and information available to Company.
4. Sub-Processing
- 4.1 Customer agrees that Company may engage sub-Processors to Process Customer Personal Data on Customer's behalf. The agreed list of sub-Processors currently engaged by Company and authorized by Customer is available at trysparrow.com/subprocessors (the “Authorized Sub-Processors”). Company will inform Customer of any intended changes concerning the addition or replacement of any Authorized Sub-Processors and Customer will have an opportunity to object to such changes on reasonable grounds within thirty (30) days after being notified. If the parties are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party. In the event Customer exercises its right of termination under this Section 4.1, Company will refund to Customer a pro rata portion of any prepaid fees for the remaining portion of the term from the date of termination. For the avoidance of doubt, if Customer does not object in writing to a proposed new sub-Processor during such thirty (30) day period, then the sub-Processor will be deemed approved by Customer.
- 4.2 Company will impose on its Authorized Sub-Processors substantially the same obligations that apply to Company under this DPA. Where any of its Authorized Sub-Processors fails to fulfill its data protection obligations, Company will be liable to Customer for the performance of its Authorized Sub-Processors’ obligations.
5. Data Subject Rights
Customer is responsible for responding to any Data Subject requests relating to Customer Personal Data (“Requests”). If Company receives any Requests during the term, Company will advise the Data Subject to submit the request directly to Customer. Company will provide Customer with reasonable assistance to permit Customer to respond to Requests. Where necessary, Customer shall inform Company of any other Requests that Company must comply with, and provide the information necessary for Company to comply with the request.
6. Personal Data Breaches
Company will notify Customer without undue delay after it becomes aware of any Personal Data Breach affecting any Customer Personal Data to the extent legally permissible. At Customer’s request, Company will promptly provide the Customer with reasonable assistance necessary to enable Customer to notify Personal Data Breaches to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under the Data Protection Laws. Customer is solely responsible for complying with Personal Data Breach notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach. Company’s notice of or response to a Personal Data Breach under this Section 6 will not be an acknowledgement or admission by Company of any fault or liability with respect to the Personal Data Breach.
7. Data Protection Impact Assessment and Consultation
Company will provide Customer with reasonable assistance to facilitate conducting data protection impact assessments and consultation with data protection authorities, if Customer is required to engage in such activities under applicable Data Protection Laws, and solely to the extent that such assistance is necessary and relates to the Processing by Company of the Customer Personal Data, taking into account the nature of the Processing and the information available to Company.
8. Deletion of Customer Personal Data
Customer may instruct Company to delete Customer Personal Data within 90 days of the termination of the Agreement and to delete existing copies, unless applicable law requires otherwise. Notwithstanding the foregoing, Company may retain Customer Personal Data to the extent and for the period required by applicable laws, provided that Company maintains the confidentiality of all such Customer Personal Data and Processes such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.
9. Audits and Information
- 9.1 Customer may audit Company’s compliance with its obligations under this DPA up to once per year. In addition, Customer may perform more frequent audits (including inspections) in the event: (1) Company suffers a Personal Data Breach affecting Customer Personal Data; (2) Customer has genuine, documented concerns regarding Company’s compliance with this DPA or the Data Protection Laws; or (3) where required by the Data Protection Laws, including where mandated by regulatory or governmental authorities with jurisdiction over Customer Personal Data. Company will contribute to such audits by providing Customer or Customer’s regulatory or governmental authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Service.
- 9.2 To request an audit, Customer must submit a detailed proposed audit plan to privacy@trysparrow.com at least one month in advance of the proposed audit start date. The proposed audit plan must describe the proposed scope, duration, start date of the audit, and the identity of any third party Customer intends to appoint to perform the audit. Company will review the proposed audit plan and provide Customer with any concerns or questions (for example, Company may object to the third party auditor as described in Section 9.3, provide an Audit Report as described in Section 9.4, or identify any requests for information that could compromise Company confidentiality obligations or security, privacy, employment or other relevant policies). The parties will negotiate in good faith to agree on a final audit plan at least two weeks in advance of the proposed audit start date. Nothing in this Section 9 shall require Company to breach any duties of confidentiality.
- 9.3 If a third party is to conduct the audit, Company may object to the auditor if the auditor is, in Company’s reasonable opinion, not suitably qualified or independent, a competitor of Company, or otherwise manifestly unsuitable. Such objection by Company will require Customer to appoint another auditor or conduct the audit itself.
- 9.4 If the requested audit scope is addressed in an SSAE 18/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor on Company’s systems that Process Customer Personal Data (“Audit Reports”) within twelve (12) months of Customer’s audit request and Company confirms there are no known material changes in the controls audited, Customer agrees to accept the Audit Report in lieu of requesting an audit of the controls covered by the report.
- 9.5 The audit must be conducted at a mutually agreeable time during regular business hours at the applicable facility, subject to the agreed final audit plan and Company’s health and safety or other relevant policies and may not unreasonably interfere with Company business activities.
- 9.6 Any audits are at Customer’s expense.
- 9.7 Company will immediately inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Laws.
- 9.8 Any written responses or audit described in this Section 9 are subject to the confidentiality provisions of the Agreement.
10. Analytics Data
Customer acknowledges and agrees that Company may create and derive from Processing related to the Service anonymized and/or aggregated data that does not identify Customer or any Data Subject (“Analytics Data”), and use, publicize or share with third parties such Analytics Data to improve the Service and for Company’s other legitimate business purposes.
11. Liability
- 11.1 Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement. Any reference in the Agreement to the liability of a party means the aggregate liability of that party in accordance with the terms of the Agreement, including this DPA.
- 11.2 Customer acknowledges that Company is reliant on Customer for direction as to the extent to which Company is entitled to Process Customer Personal Data on behalf of Customer in performance of the Service. Consequently, Company will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by Company in compliance with Customer’s instructions or (b) from Customer’s failure to comply with its obligations under the Data Protection Laws.
12. Cross-Border Transfers of Customer Personal Data
The Service to be performed by Company applies only to individuals located in the United States and Canada. The Service may be performed by Company for individuals outside of the United States and Canada only to the extent agreed upon by the parties in writing.
13. General Provisions
With regard to the subject matter of this DPA, in the event of a conflict between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. This DPA may not be modified except by an amendment signed by both parties. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
Schedule 1
Details of Processing
- Categories of Data Subjects. This DPA applies to the Processing of Customer Personal Data relating to Customer’s employees and other authorized users of the Service (“Data Subjects”).
- Types of Personal Data. The extent of the Customer Personal Data Processed by Company is determined and controlled by the Customer in its sole discretion and includes names, email addresses, leave dates, phone numbers, Social Security Numbers, medical information, employment history, Personal Data contained on leave paperwork, and any other Personal Data that may be transmitted through the Service by Data Subjects.
- Subject-Matter and Nature of the Processing. The subject-matter of Processing of Customer Personal Data by Company is the provision of the Service to the Customer. Customer Personal Data will be subject to those Processing activities which Company needs to perform in order to provide the Service pursuant to the Agreement.
- Purpose of the Processing. Customer Personal Data will be Processed by Company for purposes of providing the Service as set out in the Agreement.
- Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 8 of the DPA.