Data Processing Addendum


Last updated: September 19, 2024

This Data Processing Addendum (including its appendices, “Addendum”) forms part of the agreement between Client (as defined below) and Maxio LLC, a Delaware limited liability company (together with its Affiliates, including, but not limited to, Chargify, LLC and SaaSOptics, LLC, collectively, “Maxio”) for the services described therein (the “Services”) (collectively, the “Agreement”), which Agreement is generally evidenced by an executed Subscription Services Order and all incorporated terms and conditions. This Addendum is incorporated into the Agreement and shall apply where Client acts as a business or the controller (as applicable) with respect to the processing of Personal Data and where Client has appointed Maxio to process Personal Data as a processor or service provider (as applicable) on its behalf in connection with the Services. Where this Addendum is applicable, it shall control over any conflicting terms in the Agreement (or any portion thereof).  This Addendum is intended to demonstrate the parties’ compliance with the Applicable Data Protection Laws (as defined below).

1. Definitions. For purposes of this Addendum, the terms below have the meanings set forth below.  Capitalized terms that are used but not defined in this Addendum have the meanings given in the Agreement.

1.1 Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.

1.2 Applicable Data Protection Laws means European Data Protection Laws, the UK GDPR and the US Data Protection Laws in each case as amended, consolidated, re-enacted or replaced from time to time, and to the extent applicable to the relevant Personal Data or processing thereof under the Agreement.

1.3 EEA means the European Economic Area.

1.4 EU means the European Union.

1.5 European Data Protection Laws means the GDPR, the UK GDPR and other data protection laws of the EU, its Member States, Switzerland, Iceland, Liechtenstein and Norway, in each case, to the extent it applies to the relevant Personal Data or processing thereof under the Agreement.

1.6 GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended from time to time.

1.7 Information Security Incident means a breach of the Security Measures causing the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Maxio’s possession, custody or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including routine, unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

1.8 Personal Data or Personal Information has the meaning assigned under the Applicable Data Protection Laws and refers only to Personal Data that is transmitted to or created by Maxio as part of providing the Services or the administration of the Agreement. For purposes of this Addendum, Personal Data does not include personal data of representatives of Client with whom Maxio has business relationships independent of the Services.

1.9 Security Measures has the meaning given in Section 5.1 (Security Measures).

1.10 Standard Contractual Clauses means (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”), available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, with optional clauses applied (except for option 1 of Clause 9(a), the optional language in Clause 11(a), and option 2 of Clause 17), as officially published by the European Commission Implementing Decision 2021/914, dated 4 June 2021, and as updated or replaced by the European Commission from time to time; and (ii) where the UK GDPR applies, means the EU SCCs and the UK International Data Transfer Addendum as officially published at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/, with the option of Exporter only for Table 4 and the Alternative Part 2 Mandatory Clauses (“UK SCCs”).

1.11 Subprocessors means third parties authorised under this Addendum to process Personal Data in relation to the Services.

1.12 Third Party Subprocessors has the meaning given in Section 6 (Subprocessors) of this Addendum.

1.13 UK means the United Kingdom.

1.14 UK GDPR means the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.

1.15 US Data Protection Laws means any relevant U.S. federal or state legal requirements, including the California Consumer Privacy Act of 2018, California Privacy Rights Act, Colorado Privacy Act, New York Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act, Washington Privacy Act, and Virginia Consumer Data Protection Act (as each is effective, and where applicable), and any implementing regulations, as amended, consolidated, re-enacted or replaced from time to time.

1.16 The terms controller, data subject, processing, processor and supervisory authority as used in this Addendum have the meanings given in the Applicable Data Protection Laws.

2. Duration and Scope of Addendum

2.1 This Addendum will, notwithstanding the expiration of the Agreement, remain in effect until, and automatically expire upon, Maxio’s deletion of all Personal Data.

2.2 Exhibit 1 (EU/UK Terms) to this Addendum applies to Personal Data or the processing thereof subject to European Data Protection Laws. Exhibit 2 (US Terms) to this Addendum, applies to Personal Data or the processing thereof subject to the US Data Protection Laws.

3. Processing Obligations

3.1 Maxio will process Personal Data only as necessary to provide the Services and in accordance with Client’s instructions or as required by law.  By entering into this Addendum, Client instructs Maxio to process Personal Data to provide the Services. Client acknowledges and agrees that such instructions authorize Maxio to process Personal Data (a) to perform its obligations and exercise its rights under the Agreement; (b) perform its legal obligations and to establish, exercise or defend legal claims in respect of the Agreement; (c) pursuant to any other written instructions given by Client that are consistent with the Services and acknowledged in writing by Maxio as constituting instructions for purposes of this Addendum, including any instructions regarding any transfers; and (d) as reasonably necessary for the proper management and administration of Maxio’s business.

3.2 Maxio will inform Client, if in Maxio’s opinion, an instruction infringes any provision under the Applicable Data Protection Laws, and Maxio will be under no obligation to follow such instruction until the matter is resolved in good faith between the parties.

3.3 Maxio is not responsible for determining the requirements of laws or regulations applicable to Client’s business, or that a product or service meets the requirements of any such applicable laws or regulations. As between the parties, Client is responsible for the lawfulness of the processing of the Client’s Personal Data and for taking appropriate steps in Client’s control to maintain appropriate security, protection and deletion of Client’s Personal Data. Client shall not use the Services in a manner that would violate Applicable Data Protection Laws. Client represents and warrants to Maxio that (a) Client has established or ensured that another party has established a legal basis for Maxio’s processing of Personal Data contemplated by this Addendum; (b) all notices have been given to, and consents and rights have been obtained from, the relevant data subjects and any other party as may be required by Applicable Data Protection Laws and any other laws for such processing; and (c) Personal Data does not and will not contain any protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), any biometric information, or any payment card information subject to the Payment Card Industry Data Security Standard (other than any Client payment card information used to pay for the Services).

3.4 Each of Maxio and Client will also comply with their respective obligations set forth in the Standard Contractual Clauses if Client, Maxio or both are located outside of the EEA, the UK or Switzerland, in a country not providing an adequate level of protection pursuant to the Applicable Data Protection Laws (“Non-Adequate Country”). If the Standard Contractual Clauses are not required because both parties are located in a country considered adequate by the Applicable Data Protection Laws, but during the Agreement the country where Client or Maxio is located becomes a Non-Adequate Country, then the Standard Contractual Clauses will apply to Personal Data that is transferred to such Non-Adequate Country.

4. Records. Maxio will maintain a written log of all processing of Personal Data performed on Client’s behalf as required by Applicable Data Protection Law. The written log, whose copy will be provided by Maxio at Client’s request, shall include at least the following information:

4.1 The name and contact details of any Subprocessors, and where applicable, of their data protection officers;

4.2 the categories of recipients to whom Client’s Personal Data have been or will be disclosed;

4.3 to the extent that Personal Data is transferred to a third party outside the EEA or the UK, a list of such third parties (including the name of the relevant non-EEA or UK country and organization), and documentation of the suitable safeguards in place for such transfers; and

4.4 a general description of the technical and organizational security measures referred to in this Addendum.

5. Security

5.1 Security Measures. Maxio will implement and maintain technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, all as described in Annex II to this Addendum (the “Security Measures”). Maxio agrees that it shall require each person processing Personal Data to be subject to a duty of confidentiality with respect to the Personal Data.

5.2 Information Security Incidents. If Maxio becomes aware of an Information Security Incident, Maxio will (a) notify Client of the Information Security Incident without undue delay after becoming aware of the Information Security Incident and in any event within forty-eight (48) hours of becoming aware of such Information Security Incident, and (b) provide sufficient information to allow Client to report the Information Security Incident or notify data subjects as required by Applicable Data Protection Laws. Maxio’s notification of or response to an Information Security Incident under this Section 5.2 will not be construed as an acknowledgement by Maxio of any fault or liability with respect to the Information Security Incident.

5.3 Client’s Security Responsibilities and Assessment

5.3.1 Client’s Security Responsibilities. Client agrees that, without limitation of Maxio’s obligations under Section 5.1 (Security Measures) and Section 5.2 (Information Security Incidents), Client shall use reasonable security measures in connection with its use of the Services, including (a) securing the account authentication credentials, systems and devices Client uses to access the Services; (b) securing Client’s systems and devices that Maxio uses to provide the Services; (c) backing up Personal Data; and (d) using the Services in accordance with Applicable Data Protection Laws.

5.3.2 Client’s Security Assessment. Client is solely responsible for evaluating for itself whether the Services, the Security Measures and Maxio’s commitments under this Addendum will meet Client’s needs, including with respect to any security obligations of Client under Applicable Data Protection Laws or other laws. Client acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Maxio provide a level of security appropriate to the risk in respect of the Personal Data.

6. Subprocessors

6.1 Consent to Subprocessor Engagement. Client specifically authorizes the engagement of Maxio’s Affiliates as Subprocessors. In addition, Client generally authorizes the engagement of any other third parties as Subprocessors (“Third Party Subprocessors”).

6.2 Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available at https://www.maxio.com/subprocessors, as the same may be updated in accordance with this Section.

6.3 Requirements for Subprocessor Engagement. When engaging any Subprocessor, Maxio will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this Addendum with respect to Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. Maxio shall be liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.

6.4 Opportunity to Object to Subprocessor Changes. When any new Third Party Subprocessor is engaged during the term of the Agreement, Maxio will notify Client of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by providing Client with notice at the same time as it notifies its other customers generally (but in any case, at least 30 days’ prior notice), using the notification means customarily used by Maxio in its administrative control panel. If Client objects to such engagement in a written notice to Maxio within such 30-day notice period on reasonable grounds relating to the protection of Personal Data, Client and Maxio will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Client may, as its sole and exclusive remedy, terminate the Agreement and cancel the Service by providing written notice to Maxio.

6.5 Subprocessor Agreements. Upon data exporter’s request under the Standard Contractual Clauses, data importer will provide the copies of the subprocessor agreements that must be sent by the data importer to the data exporter pursuant to the Standard Contractual Clauses, and data importer may remove or redact all commercial information or clauses unrelated to the Standard Contractual Clauses or their equivalent beforehand.

7. Data Subject Rights

7.1 Client’s Responsibility for Requests. If Maxio receives any request from a data subject in relation to the data subject’s Personal Data, Maxio will advise the data subject to submit the request to Client, and Client will be responsible for responding to any such request.

7.2 Request Assistance. Maxio will (taking into account the nature of the processing of Personal Data) provide Client with self-service functionality through the Service or other reasonable assistance as necessary for Client to perform its obligation under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws, including, if applicable, Client’s obligation to respond to requests for exercising the data subject’s rights set out in Chapter III of the GDPR. Client shall reimburse Maxio for any such assistance, beyond providing self-service features included as part of the Services, at Maxio’s then-current professional services rates, which shall be made available to Client upon request.

8. Audit

8.1 Upon Client’s reasonable request, Maxio will make available to Client information necessary to demonstrate its compliance with the obligations set forth in this Addendum; provided, however, that Maxio shall have no obligation to provide such information on more than an annual basis, unless an Information Security Incident occurs, in which case Client shall have one (1) additional information request right during the six (6) month period immediately following such Information Security Incident. Where the mandatory Applicable Data Protection Laws provide Client with a direct audit right, Maxio will allow for and operationally collaborate with audits, including inspections, conducted by Client or another auditor designated by Client (provided such an auditor is not a competitor of Maxio and has duly executed a non-disclosure agreement with Maxio). In case of such audit, Client may contact Maxio to request an on-site audit with at least sixty (60) days’ prior notice, which shall be limited to the audit of the architecture, systems and procedures relevant to the protection of Personal Data at Maxio’s locations where Personal Data is stored. Before the commencement of any such on-site audit, Client and Maxio shall mutually agree upon the scope, timing, and duration of the audit, none of which shall adversely impact Maxio’s business activities. Client shall promptly notify Maxio of any non-compliance discovered during the course of an audit. Client shall bear the reasonable costs of all such audits, as well as of any follow-up requested by Client from Maxio; provided, however, that if the final results of such an audit reflect a material breach by Maxio of its obligations under this Addendum, Maxio will reimburse Client for its documented and reasonable out-of-pocket costs and expenses for such audit.

8.2 If the controls or measures to be assessed in the requested audit are addressed in an SOC 2 Type 2, ISO or similar audit report performed by a qualified third-party auditor within twelve (12) months of Client’s audit request and Maxio has confirmed there are no known material changes in the controls audited, Client agrees to accept such report in lieu of requesting an audit of such controls or measures.

8.3 Nothing in this Addendum shall be construed to require Maxio to furnish more information about, or provide onsite access to, the facilities of its Third Party Subprocessors in connection with such audits than such Third Party Subprocessors make generally available to their customers.

9. Deletion/Return of Data. Client shall notify Maxio at least ten (10) days before the end of the Agreement for any reason of its intent to have the Personal Data returned to Client or deleted. Maxio shall make Client Data available for download in a commonly used format following the termination of the Agreement for any reason for a period of ten (10) days, unless otherwise specified by the parties in the Agreement. In any case, and provided that Client has not expressly requested the return of Client Data, Maxio shall delete Client Data, including all copies thereof, within sixty (60) days following the termination of the Agreement for any reason, unless otherwise specified by the parties in the Agreement. The parties agree that Maxio may retain one copy of Client Data as necessary to comply with any of Maxio’s legal, regulatory, judicial, audit or internal compliance requirements.

10. Analytics. Client acknowledges and agrees that Maxio may create and derive from processing under the Agreement anonymized and/or aggregated data that does not identify Client or any data subject and use such data to improve Maxio’s products and services and for its other lawful business purposes. Maxio shall not publicize or share such data except in an anonymized form.

11. Notices. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Maxio to Client may be given in accordance with any notice clause of the Agreement.

12. Effect of this Addendum. Except as expressly modified by this Addendum, the terms of the Agreement remain in full force and effect. To the extent of any conflict or inconsistency between this Addendum and the other terms of the Agreement, this Addendum will govern, but only with respect to Maxio’s processing activities hereunder. Any liabilities arising in respect of this Addendum are subject to the limitations of liability under the Agreement.


Exhibit 1

EU/UK Terms

1. Processing of Data

1.1 Subject Matter and Details of Processing. The parties acknowledge and agree that (a) the subject matter of the processing under the Agreement is Maxio’s provision of the Services; (b) the duration of the processing begins upon Maxio’s receipt of Personal Data and continues until deletion of all Personal Data by Maxio in accordance with the Agreement; (c) the nature and purpose of the processing is to provide the Services; (d) the data subjects to whom the processing pertains are (i) Client’s employees and customers and their respective personnel, and (ii) individuals whose subscriber and payment data are transmitted to Maxio by Client for the purpose of using the Services; and (e) the categories of Personal Data as to (i) are contact details and device identification data, and as to (ii) are contact details, device identification data, subscription billing content, and other personal data that Client elects to process by means of the Service.

1.2 Roles and Regulatory Compliance; Authorization. The parties acknowledge and agree that (a) Maxio is a processor or sub-processor of that Personal Data under European Data Protection Laws; (b) Client is a controller or processor of that Personal Data under European Data Protection Laws; and (c) each party will comply with the obligations applicable to it in such role under the European Data Protection Laws with respect to the processing of that Personal Data.

2. Data Security. Maxio will (taking into account the nature of the processing of Personal Data and the information available to Maxio) provide Client with reasonable assistance necessary for Client to comply with its obligations in respect of Personal Data under European Data Protection Laws, including Articles 32 to 34 (inclusive) of the GDPR, by (a) implementing and maintaining the Security Measures; (b) complying with the terms of Section 5.2 (Information Security Incidents) of the Addendum; and (c) complying with this Exhibit 1.

3. Impact Assessments and Consultations. Maxio will (taking into account the nature of the processing and the information available to Maxio) reasonably assist Client in complying with its obligations under Articles 35 and 36 of the GDPR, by (a) making available documentation describing relevant aspects of Maxio’s information security program and the security measures applied in connection therewith; and (b) providing the other information contained in the Agreement including this Addendum.

4. Data Transfers

4.1 Transfers out of the EEA. If Client transfers Personal Data out of the EEA to Maxio in a Non-Adequate Country, such transfer will be governed by Module 2 of the Standard Contractual Clauses where Client is a controller and Maxio is a processor, which are incorporated into this Addendum by this reference. In furtherance of the foregoing, the parties agree that:

(a) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Addendum;

(b) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Addendum; and

(c) With regards to (i) Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will not apply; (ii) Clause 9 of the EU Standard Contractual Clauses, Option 2 will apply and the time period for prior notice of sub-processor changes will be as set forth in Section 6 (Subprocessors) of this Addendum; (iii) Clause 11 of the EU Standard Contractual Clauses, the optional language will not apply; (iv) Clause 13 of the EU Standard Contractual Clauses and as set forth in Annex I.C to this Addendum, the competent supervisory authority with responsibility for ensuring compliance with the GDPR as regards the Personal Data transferred under the EU Standard Contractual Clauses shall be the Data Protection Commission of Ireland; and (v) Clause 17 of the EU Standard Contractual Clauses, the parties agree that the EU Standard Contractual Clauses shall be governed by the laws of Ireland. With regards to Clause 18(b) of the EU Standard Contractual Clauses, the parties agree that the courts of Dublin, Ireland, shall resolve any dispute.

4.2 Transfers out of the UK. If Client transfers Personal Data out of the UK to Maxio in a Non-Adequate Country, such transfer will be governed by the UK SCCs, the terms of which are hereby incorporated into this Addendum subject to the following:

4.2.1 For so long as it is lawfully permitted to rely on standard contractual clauses for the transfer of personal data to processors set out in the European Commission’s Decision 2010/87/EU of 5 February 2010 (“Prior C2P SCCs”) for transfers of personal data from the United Kingdom, the Prior C2P SCCs shall apply between the Controller and the Processor on the following basis:

(a) Appendix 1 shall be completed with the relevant information set out in Annex I to this Addendum;

(b) Appendix 2 shall be completed with the relevant information set out in Annex II to this Addendum; and

(c) The optional illustrative indemnification Clause will not apply.

4.2.2 In the event Section 4.2.1 above does not apply, but the Controller and the Processor are lawfully permitted to rely on the EU SCCs for transfers of personal data from the United Kingdom subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, then:

(a) The EU SCCs, completed as set out above in Section 4.1 of this Exhibit, shall also apply to transfers of such Data, subject to sub-clause (b) below;

(b) The UK Addendum shall be deemed executed between the transferring Controller and the Processor, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Controller Data.

4.2.3 In the event neither Section 4.2.1 nor Section 4.2.2 applies, then the Controller and the Processor shall cooperate in good faith to implement appropriate safeguards for transfers of such Data as required or permitted by the UK GDPR without undue delay.


Exhibit 2

US Terms

This Exhibit 2 (the “US Terms”) reflects the legal requirements and guidelines from governmental authorities relating to the processing of Personal Information (defined below), privacy, data security, data protection, sending solicited or unsolicited electronic mail and text messages, cookies, trackers, transfer, sharing, and the security of Personal Information, under applicable US Data Protection Laws.

The parties agree as follows:

1. Definitions:

1.1 “Business,” “Controller,” or any equivalent defined by US Data Protection Laws, means a legal entity that, during a calendar year, controls or processes Personal Information, and which determines the purpose and means of processing Personal Information.

1.2 “Consumer” means a natural person who is subject to and protected by the US Data Protection Laws, as defined by those laws.

1.3 “Personal Information” means any data or information relating to an identified or identifiable natural person; and shall also mean “personal information,” “personal identifiable information,” “personal data,” “personal health information,” “personal financial information,” or any functional equivalent of these terms as defined under any US Data Protection Laws, including any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with any individual, device, or household, in each case to the extent transferred to or created by Maxio as part of providing its services or administering the Agreement.

1.4 “Service Provider” or “Processor” means a person that processes Personal Information on behalf of a Business and which receives from or on behalf of the Business a Consumer’s Personal Information for a business purpose pursuant to a written contract.

2. Scope and Applicability of this Addendum

2.1 These US Terms apply to the collection, retention, use, disclosure and/or other processing of the Personal Information for Maxio to provide Services to Client pursuant to the Agreement for at least the duration of the Agreement, unless retention of Personal Information is required by law.

2.2 In the context of operating as a Business, Client appoints Maxio as a Service Provider to process the Personal Information on behalf of Client. Client and Maxio are each responsible for compliance with the requirements of the US Data Protection Laws applicable to their respective roles as a Business and a Service Provider, respectively.

2.3 In case of any amendments of the US Data Protection Laws, adoption of a new regulation or in case of issuance of any new or updated guidelines, recommendation, opinion or decision by an authority, having an impact on (i) the conditions of performance of these US Terms, (ii) the transfer described herein, or (iii) the status of the Parties, including without limitation their qualification, the Parties shall discuss in good faith an amendment to these US Terms taking into account such evolutions.

3. Restrictions on Processing.

3.1 Maxio is prohibited from retaining, using, selling, collecting, disclosing, or otherwise processing the Personal Information for any purpose other than for the specific purposes specified in the Agreement for Client, as set out in the Addendum and this Annex, or as otherwise permitted by the US Data Protection Laws.

3.2 Notwithstanding any provision to the contrary of the Agreement, the DPA, or these US Terms, Maxio may cooperate with law enforcement agencies concerning conduct or activity that it reasonably and in good faith believes may violate international, federal, state, or local law.

4. Consumer Rights.

4.1 Maxio shall provide reasonable assistance to Client in facilitating compliance with US Data Protection Laws, including (i) responding to Consumer rights requests and (ii) notifying Client promptly if it receives any complaint, notice, request, or communication that relates to Client’s compliance with the US Data Protection Laws.

4.2 Upon direction by Client or termination of Services, and within a commercially reasonable amount of time, Maxio shall delete the Personal Information, unless retention of Personal Information is required by law.

4.3 Maxio shall not be required to delete any of the Personal Information to comply with a Consumer’s request directed by Client if it is necessary to maintain such information in accordance with US Data Protection Laws, in which case Maxio shall promptly inform Client of the exceptions relied upon under US Data Protection Laws and Maxio shall not use the Personal Information retained for any other purpose than provided for by that exception.

5. Mergers, Sale, or Other Asset Transfer. In the event that either Party transfers to a Third Party the Personal Information of a Consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the Third Party assumes control of all or part of such Party to the Agreement, that information shall be used or shared consistently with applicable US Data Protection Laws. If a Third Party materially alters how it uses or shares the Personal Information of a Consumer, the Third Party shall provide prior notice of the new or changed practice to the Consumer in accordance with applicable US Data Protection Laws, and to the other Party.

6. No Sale of Personal Information. The Parties acknowledge and agree that the exchange of Personal Information between the Parties does not constitute a sale of Personal Information under any US Data Protection Laws and does not form part of any monetary or other valuable consideration exchange between the Parties with respect to the Agreement, the Addendum, or these US Terms.


ANNEX I

A. List of Parties

1. Data Exporter(s)

Name: The data exporter is Client.

Address: As set out in the Agreement.

Contact person’s name, position and contact details: As set out in the Agreement or as otherwise notified in writing to Maxio by Client.

Activities relevant to the data transferred under these Clauses: As set out in the Agreement.

Signature and date: By entering into the Agreement, Client is entering into these Clauses and deemed to have signed this Annex I on the effective date of the Agreement.

Role (controller/processor): Client is Controller or Processor or both. The role of Client as Controller, Processor, or both is determined by the circumstances of each case and Client is responsible for determining the correct role undertaken in order to fulfil the appropriate obligations under the applicable module.

2. Data Importer(s)

Name: The data importer is Maxio acting as a Processor or Subprocessor, as applicable, if located in a Non-Adequate Country.

Address: As set out in the Agreement.

Contact person’s name, position and contact details: As set out in the Agreement.

Activities relevant to the data transferred under these Clauses: As set out in the Agreement.

Signature and date: By entering into the Agreement, Maxio is entering into these Clauses in such cases where Maxio is located in a Non-Adequate Country and deemed to have signed this Annex I on the effective date of the Agreement.

Role (controller/processor): Maxio as Processor.

B. Description of Transfer

1. Categories of Data Subjects whose Personal Data is transferred

Data exporter may submit Personal Data to data importer, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:

  • Employees or other personnel of data exporter
  • Individuals whose subscriber and payment data are transmitted to data importer by data exporter for the purpose of using the Services
  • Employees or contact persons of data exporter’s customers, business partners and vendors

2. Categories of Personal Data transferred

Data exporter may submit Personal Data to Processor, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:

  • First and last name
  • Employment information (such as title, position, employer)
  • Contact information (such as email, phone, physical address)
  • IP address, online identifier or other ID data

Utility credential and endpoint data – Personal Data that might be included in utility endpoint data is generally limited to service addresses along with other non-Personal Data such as utility financial and operational data, services areas, baseline areas (territories), services offered, tariff rate plans, incentives, and rebates, definitions of seasons, calendars and times of use; definitions of billing demand formulas and other quantities; typical usage and cost profiles; and typical building usage and cost.

3. Special or sensitive categories of Personal Data transferred

None

4. Frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)

Personal Data is transferred in accordance with Client’s instructions and at Client’s determination, but it is generally on a continuous basis.

5. Nature of the Processing

The Personal Data transferred may be subject to the following Processing activities: collecting, monitoring, supporting, operations, storing, hosting, backup, development and the other services as set forth in the Agreement.

6. Purpose(s) of the data transfer and further processing

The transfer and Processing of Personal Data is made for the following purposes: To provide the Services and support as set forth in the Agreement.

7. Duration of Processing

The Processing of Personal Data will occur until the expiration or termination of the Agreement unless otherwise instructed in writing by the Client.

8. Transfers to Subprocessors

The subject matter, nature and duration of Processing are as set forth in the above sections.

C. Competent Supervisory Authority

The competent supervisory authority for Maxio is the Data Protection Commission of Ireland in accordance with Clause 13 of the EU Standard Contractual Clauses.

D. Maxio Privacy Contact

The Maxio privacy contact can be contacted at privacy@maxio.com.


Annex II

Security Measures

This Annex describes the technical and organizational security measures and procedures that Maxio shall, at a minimum, maintain to protect the security of personal data created, collected, received, or otherwise obtained. Maxio will keep documentation of technical and organizational measures identified below to facilitate audits and for the conservation of evidence.

Information Security Management System

Maxio has implemented Information Security Management Systems policies and controls (“ISMS”) with physical, technical, and organizational measures and safeguards designed to protect data (including Personal Data) provided to Maxio directly or indirectly by its customers or a third party; or that Maxio directly or indirectly collects on behalf of a customer; or that Maxio otherwise has access to in connection with the provision of the Services to its customers (“Data”).

It is the purpose of the ISMS to ensure the security and availability of Data, and to protect against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosures, and against other unlawful forms of processing of the Data and to do so at a level of security appropriate to the risks presented by the processing of the Data, the nature of the Data, and the cost of the service that holds and manages the Data.

Maxio regularly reviews and, as appropriate, updates the ISMS to address changes in the nature of the Data and harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage of the Data; changes in state of technological development, including changes to relevant, industry-recognized information security standards; and new threats or vulnerabilities relevant to and affecting Maxio’s computing systems, applications, and Client’s Data.

Maxio has a designated security officer who is responsible for the development, implementation, and maintenance of the ISMS.

Governance

Maxio has an Information Security Steering Committee that is responsible for governing the implementation of and compliance with the Information Security Management System.  Committee Members are assigned by the executive management team and represent the primary owners and stakeholders of risk-based Information within the company.  The Information Security Steering Committee includes one executive management team member.

Compliance with Laws

It is Maxio’s stated policy to use best efforts to comply with all applicable privacy, data security, encryption, and other laws and rules, regulations, directives and requirements of government or regulatory agencies, as may be applicable to the use, unauthorized access, confidentiality, protection, and security of any Data (collectively, “Data Laws”).

Data Processing and Ownership

Parties to this policy acknowledge that in relation to any Data controlled and/or owned by a customer and Processed by Maxio in connection with a fully executed Subscription Agreement: (a) Maxio is acting solely as a Data Processor, and has no discretion regarding the purpose(s) for which such Data is Processed; and (b) Maxio will only access, use, disclose, retain or otherwise Process such Data in accordance with the provisions of the applicable Subscription Agreement. Maxio will provide cooperation and assistance to its customers as may be reasonably required for purposes of compliance with the applicable Data Laws.

Each Maxio customer owns and retains all right, title, and interest in and to its Data, and Maxio will only use and possess Data for purposes of providing the applicable services.

Personally Identifiable Data

Maxio provides a subscription management system. While Maxio may have access to Cardholder data, banking, address information and any information related to payment methods (collectively, “Payment Data”), Maxio does not generally process Payment Data, and all Payment Data is stored in compliance with the Payment Card Industry Data Security Standard.

There are no functions in Maxio services that capture government issued personal information such as driver’s license, passport number, or social security number and storage of such information by a customer is expressly forbidden.

Aside from the business email address of properly licensed users of Maxio, the only information stored in the application related to natural persons are optional fields used to invoice the customers of the Maxio customers. These fields include a single billing contact name, the business addresses, business phone numbers, and email addresses for sending invoices. While this information is not generally regarded as personally identifiable, it likely is considered “Personal Information” within the context of GDPR and other Applicable Data Protection Laws.

ISO 27001

Maxio shall comply with the ISO 27001 standard and shall audit its compliance with ISO 27001 on at least an annual basis.

Payment Card Industry Data Security Standard (PCI DSS)

Chargify shall comply with the PCI DSS, version 3.2.1, Level 1.  Chargify shall obtain an annual audit of its compliance with PCI DSS by a Qualified Security Assessor Company and, on Client’s request, shall provide its most recent PCI DSS audit report.

SaaSOptics shall comply with the PCI DSS, version 3.2.1. Maxio shall perform annual audits of its compliance with PCI DSS using the PCI DSS Self-Assessment Questionnaire (SAQ) appropriate for each payment processor used to fully outsource payment processing.

System and Organization Controls (SOC) Reports

Maxio shall implement and maintain the controls described in its Report on Controls that is part of an annual SSAE-18 SOC 1 audit report (the “SOC 1 Report”) and SOC 2 audit report (the “SOC 2 Report”; and together with the SOC 1 Report, collectively, the “SOC Reports”). On Client’s request, Maxio shall provide its most recent SOC Reports; such SOC Reports are protected as Maxio’s Confidential Information under the Agreement.  If a SOC Report describes any exceptions, Maxio shall provide a statement addressing its corrective action plan for each exception, including a timeline for the implementation of the corrective action plan.

Non-Disclosure

Maxio will not disclose Data to any person or entity except as required by Applicable Data Protection Laws or permitted by the applicable agreement, this Policy or with the affected Client’s written consent. Furthermore, Maxio will not sell, assign, lease, or otherwise make Data available to third parties except as necessary to provide the Service.

Personnel

All personnel with access to Data or systems processing Data undergo background checks that cover criminal, financial and work history.  Personnel are required to sign a Non-Disclosure Confidentiality Agreement and an Employee Handbook that addresses handling of Client Data. All personnel, including new employees, are required to attend security training provided by the Company. On an ongoing basis, which is not less than once per year, Maxio also delivers to all personnel content and communication for reinforcement of the ISMS policy.

Limitation of Access

Maxio limits access to the equipment, application code, application, and Data to personnel performing the Services and ensures that each person is properly authorized and is under appropriate written confidentiality and non-disclosure obligations. Maxio promptly disables or reduces access for personnel who should no longer need their current level of access (including individuals who are no longer employed by Maxio).

Maxio sets permission levels at the minimum required for relevant personnel to fulfill their approved business role as part of the delivery of the Services.

Maxio has established technical and organizational measures to prevent personnel from making copies of or transmitting Data except as necessary to deliver the Services.

Authentication

Any system used to access or otherwise process Data shall use authentication methods which identify a unique user, utilize a strong password, and adequately protect the password. Maxio shall ensure that passwords are kept in a secure location and format and shall ensure that passwords are appropriately encrypted with an industry-tested and accepted algorithm.

Privileged Passwords

Privileged user passwords meet the following complexity requirements: Minimum 12 characters, including: 1 upper, 1 lower, 1 number, 1 special character.

Employee Workstations

Maxio provides workstation computers for all employees. Computers used by Maxio to access Data use the following or similar minimum-security controls:

  • Hard drives are encrypted using Apple FileVault 2 (XTS-AES-128 encryption with a 256-bit key) or equivalent for non-Apple computers
  • Centrally managed antivirus is installed and configured for automatic updates
  • Automatic Operating System patching
  • Password and screensaver controls are required with automatic lock of workstation upon idleness of 5 minutes

Network Transmissions

Transmissions of Data use industry-standard TLS (HTTPS).

E-mail Transmission

Unless precedent is set by Client by sending Data to Maxio by email, Data exchanged with Clients will not be sent by email. All such Data must be sent using a secured and encrypted file transfer mechanism.

Collaborative Tools

Collaborative tools such as email, document/file sharing, and calendars require two-factor authentication to mitigate phishing attacks.

Portable Media

It is expressly prohibited to use any removable external storage other than Company issued backup devices.

Printed Documents

Printing of Data is rarely required and generally prohibited. If required, any hardcopy documents received or produced containing Data will be protected at all times using physical means and when no longer needed destroyed using a cross cut shredder or burn box.

Firewalls & Network Configuration

All network traffic in and out of Maxio computing systems passes through firewalls that are configured appropriately to maintain the security and integrity of communication with Clients and Data.

Hosting

Maxio operates a cloud-based Software as a Service platform. Production servers are provided by Amazon Web Services. Amazon Web Services maintains CSA, ISO, PCI, AICPA SOC, and other compliance programs (aws.amazon.com/security).

Data Backups

Backups are taken regularly to facilitate business continuity and disaster recovery. Backups are stored locally at the cloud services provider as well as in a separate storage location in a different geographical region.

Physical Security

For all Maxio locations where Data is processed or accessed, Maxio has the following minimum physical security:

  • A clean desk policy requiring that personnel do not leave Data exposed.
  • Access to the facility is controlled through key card and/or secured access.
  • All personnel with access to the facility where Data is stored or accessed will be required to have appropriate identification.
  • All personnel are required to lock computers with access to Data when not in use.

Roles and Responsibilities

Maxio maintains teams responsible for security, compliance, and audit operations:

  • Governance – Maxio maintains an Information Security Steering Committee to govern its risk management and information security initiatives and policies
  • Operational Security – operational security is the responsibility of the internal operations team
  • Risk and Compliance – information security policy, audit, and compliance are the responsibility of the compliance team
  • Operations – operation of production systems is the responsibility of the devops team
  • Development – application development and quality assurance of the Maxio solution is performed by the development team

Application Security

Maxio processes information from multiple customers in its Software as a Service platform:

  • Each customer’s Data is logically separated into unique database schemas, separate subdirectories, and separate files, but all are centrally processed on shared infrastructure.
  • An authorized user of Maxio’s services can only access his/her company’s information.
  • User passwords are encrypted with an industry-tested and accepted algorithm.
  • Strong password management options are available in each Maxio Client Account.
  • Two-factor authentication is available.
  • All data is encrypted at rest.

Disclosure of Data

Maxio will not rent, sell, disclose, store, retain, use, or otherwise Process any Data except as necessary and proper to perform the Services under the applicable agreement.  Maxio will disclose Data to its personnel and any third parties who have a need to know such Data only to the extent as is necessary for the performance of Services under the applicable agreement so long as Maxio informs such personnel and third parties of their obligations under this Policy.

In addition, with respect to disclosure to third parties: (i) if required, Maxio will obtain Client’s prior written consent to disclose Data; (ii) such disclosures will be made in properly secured and encrypted formats, as may be applicable given the nature of the transmission, disclosure, and Data at issue; and (iii) Maxio will require any such third parties to agree in writing to assume the same obligations under this Policy as Maxio.

If Maxio is required to disclose Data by law, including Data Laws, or by mandatory order of a governmental authority having jurisdiction over Maxio, Maxio will notify the affected customer(s) in advance of such disclosure where permissible and reasonably cooperate with the affected customer(s)’ effort to minimize the extent of such disclosure and maintain the confidentiality of such Data.

Incident Reporting

Maxio shall notify Client of any confirmed security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Data (“Data Breach”) without undue delay (and in any case, within 48 hours of becoming aware of such Data Breach), unless otherwise prohibited by state or federal law. Maxio will provide Client with regular updates with any new details regarding the Data Breach. A report about the Data Breach will be provided to Client as soon as reasonably practicable and after considering appropriate precautions or limitations such as attorney-client privilege.

Investigations.  Upon written notice to Maxio, Maxio shall assist and support Client in the event of an investigation by any regulator, including a data protection regulator, or similar authority, if and to the extent that such investigation relates to personal data handled by Maxio on behalf of Client.  Such assistance shall be at Client’s sole expense, except where such investigation was required due to Maxio’s gross negligence.

Data and Record Retention

Maxio will retain Data as required to comply with Applicable Data Protection Laws and the Agreement. Upon termination or expiration of the Agreement with respect to Data not required by Maxio to perform its obligations under the Agreement, Maxio shall promptly and securely delete the Data from its application. Backup retention is a minimum of 90 days. Maxio shall certify such removal, erasure and destruction of Data in writing to Client upon request.

Contractor and Supplier Security

Maxio maintains a comprehensive vendor management program that includes evaluating the security posture of suppliers and contractors before work is performed and then annually based on risk assessment by Maxio.

Systems Development Lifecycle

Maxio’s “Systems Development Lifecycle” process utilizes control standards related to various aspects of the development process such as securing the development environment, source code control, as well as standards around requirements definition, release and deployment, testing and training.

Technical Audits

While Maxio has over a decade of operating history with a solid record on security, application availability, processing integrity, confidentiality, and privacy, we appreciate the value of third-party audits.

Maxio shall implement and maintain the controls described in its Report on Controls that is part of an annual SSAE-18 SOC 2 audit report (the “SOC 2 Report”). On Clients’ request, Maxio shall provide its most recent SOC 2 Report under NDA.  If the SOC 2 Report describes any exceptions, Maxio shall provide a statement addressing its corrective action plan for each exception, including a timeline for the implementation of the corrective action plan.

Maxio shall implement the controls described in its Statement of Applicability that is part of an annual ISO 27001 audit. On customers’ request, Maxio shall provide its most recent ISO 27001 certificate.

Maxio maintains a vulnerability management program that includes systems hardening, patching, internal scanning, external scanning, and penetration testing.

Maxio performs code scanning as a normal part of application development, using a combination of automated and manual scanning tools.

Maxio performs scans, audits, and compliance checks of the application and the services throughout the year.

At least annually, Maxio will retain a third party to perform penetration testing against systems and Data.
