DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) is incorporated into the Platform Services Agreement, or other similar master agreement (the “Agreement”) made by and between Customer and Barndoor, to reflect the parties’ agreement about the Processing of Personal Data in connection with Customer’s access and use of the Platform. References to the Agreement will be construed as including without limitation this DPA.
- Definitions. In this DPA, the following terms have the meanings given:
- “Controller” means the entity that determines the purpose and means of the Processing of Personal Data.
- “Customer Personal Data” means Personal Data provided by or on behalf of Customer to Barndoor in connection with Customer’s access and use of the Platform but excluding Service Management Data.
- “Data Protection Laws” means all applicable laws and other binding legal requirements relating to privacy, data security, and the Processing of Personal Data by Barndoor under the Agreement, including the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and U.S. Privacy Laws.
- “Data Subject” means an identified or identifiable natural person to whom the Personal Data relate, including a “Consumer” as defined in Schedule 1.
- “Data Subject Request” means a communication from a Data Subject requesting to exercise the Data Subject’s individual privacy rights under Data Protection Laws.
- “Personal Data” means information relating to an identified or identifiable natural person that is governed by Data Protection Laws, including “Personal Information” as defined in the CCPA.
- “Process” (and its variants) means any operation or set of operations performed on Personal Data, whether or not by automatic means.
- “Processor” means the entity that Processes Personal Data on behalf of the Controller, including a “service provider” and “contractor” as defined in the CCPA.
- “Sub-Processor” means a Processor used by Barndoor to Process Personal Data under the Agreement.
- “U.S. Privacy Laws” means applicable U.S. federal and/or state privacy and data security laws, regulations, and binding legal requirements that are applicable to Barndoor’s Processing of Personal Data under the Agreement, including the California Privacy Rights Act of 2020 (“CCPA”).
Any capitalized term used but not defined in this DPA has the meaning given in the Agreement.
- Processing of Personal Data.
- Roles of the Parties. Except as set forth in Section 2.i., the parties agree that Customer is the Controller of Customer Personal Data and Barndoor is a Processor of Customer Personal Data under the Agreement.
- Cross-Border Transfers of Personal Data.
Customer authorizes Barndoor and its Sub-Processors to transfer Customer Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.
- EEA, Swiss, and UK Standard Contractual Clauses. If Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred to Barndoor in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by Module Two’s obligations in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“Standard Contractual Clauses”) as supplemented by Exhibit A attached hereto and incorporated herein by reference. Each party’s signature to this DPA shall be considered a signature to the Standard Contractual Clauses to the extent that the Standard Contractual Clauses apply hereunder.
- Customer’s Right to Issue Instructions. Barndoor shall only Process Customer Personal Data in accordance with Customer’s written instructions. Subject to the terms of this DPA and with mutual agreement of the parties, Customer may issue written instructions concerning the type, extent and procedure of Processing of Customer Personal Data. Customer is responsible for ensuring that all individuals who provide written instructions to Barndoor are authorized by Customer to issue instructions to Barndoor and that all of Customer’s instructions comply with applicable Data Protection Laws. Customer’s initial instructions for the Processing of Customer Personal Data are defined by the Agreement, Exhibit B to this DPA, and any applicable Order. Any changes to Processing shall be agreed upon by the parties in advance and in writing.
- Details of Processing. The nature and purpose of the Processing, duration of the Processing, categories of Data Subjects, and types of Customer Personal Data are set forth on Exhibit B.
- U.S. Privacy Laws. Each party shall comply with U.S. Privacy Laws as set forth in Schedule 1.
- Barndoor Sub-Processors. Customer agrees that Barndoor may engage Sub-Processors to Process Customer Personal Data in accordance with the DPA. The list of Barndoor’s Sub-Processors is available in Exhibit A. Barndoor shall enter into agreements with the Sub-Processors to bind them to obligations which are materially as stringent as those set out in this DPA. Customer will not directly communicate with Barndoor’s Sub-Processors in connection with the Platform, unless agreed to by Barndoor in Barndoor’s sole discretion. Barndoor will notify Customer in advance of any changes to Sub-Processors using regular communication means such as email, websites, and portals. If Customer reasonably objects to the addition of a new Sub-Processor (e.g., the proposed Sub-Processor causes Customer to violate Data Protection Laws), Customer shall notify Barndoor in writing of its specific objections within thirty (30) days after receiving Barndoor’s notification. If Customer does not object within the 30-day period, Customer shall be deemed to agree to the addition of the new Sub-Processor and, if applicable, the accession to this DPA. If Customer does object to the addition of a new Sub-Processor and, after good-faith efforts, Barndoor cannot accommodate Customer’s objection, Customer may terminate the portion of the Agreement that relates to impacted features of the Platform and Customer may effectuate such partial termination in writing within sixty (60) days after receiving Barndoor’s notification.
- Barndoor Processing for Service Management Purposes. Barndoor is a Controller under Data Protection Laws (i) when Processing Customer Personal Data to analyze, measure the effectiveness of and improve the Platform, to identify and track and record support, to ensure the security and integrity of the Platform, for billing and account management and similar operational purposes as well as when Processing the Personal Data that is generated or derived incidental to providing the Platform; (ii) as set forth in the Barndoor Privacy Policy (for those users of the Platform who agree to it); (iii) when Processing Personal Data that is generated or derived incidental to providing the Platform, and (iv) as permitted or required by Data Protection Laws (collectively, the “Service Management Purposes”). Customer acknowledges and agrees that Barndoor owns all right, title and interest in and to the Personal Data and other data (and derivatives thereof) that are created or derived by Barndoor for Service Management Purposes (“Service Management Data”).
- Return or Deletion of Customer Personal Data. Unless otherwise required by applicable Data Protection Laws, Barndoor will destroy or return to Customer (as Customer instructs in writing) Customer Personal Data upon termination or expiration of the Agreement within a reasonable period, unless Barndoor is required to store Customer Personal Data by applicable law and excluding Customer Personal Data stored in backup locations, which may be deleted pursuant to the ordinary course backup and retention schedules. Barndoor will Process all retained Customer Personal Data in compliance with the terms of this Addendum until such time as Barndoor irretrievably deletes or destroys it. Barndoor shall have no obligation to return Customer Personal Data that is available to Customer or Service Management Data.
- Representations and Warranties. Customer represents, warrants, and covenants that (a) Customer Personal Data has been collected and transferred to Barndoor in accordance with the Data Protection Laws; (b) prior to its transfer to Barndoor, Customer Personal Data has been maintained, retained, secured and protected in accordance with the Data Protection Laws; (c) Customer will respond to Data Subject Requests and other inquiries from Data Subjects and applicable regulatory authorities concerning the Processing of Customer Personal Data, and will alert Barndoor of Data Subject Requests and other inquiries from Data Subjects or regulatory authorities that relate to Barndoor’s Processing of Personal Data; (d) prior to the collection of Customer Personal Data, Customer has obtained all necessary consents from Data Subjects to allow Barndoor to Process Personal Data as set forth in the Agreement; (e) Customer will make available a copy of this Agreement to any Data Subject or regulatory authorities as required by Data Protection Laws; (f) Customer shall be solely responsible and liable for its compliance with Data Protection Laws; and (g) Customer will only provide Barndoor with Customer Personal Data required and requested by Barndoor in writing to utilize the Platform.
- Data Subject Requests. Barndoor shall, to the extent legally permitted, promptly notify Customer if it receives a Data Subject Request related to Customer Personal Data and, to the extent applicable, provide Customer with commercially reasonable cooperation and assistance in responding to a Data Subject Request. If Data Protection Laws require Barndoor to take any corrective actions related to Customer Personal Data without the involvement of Customer, Barndoor shall take such corrective actions and promptly inform Customer. To the extent legally permitted, Customer shall be responsible for reasonable costs and expenses arising from Barndoor’s provision of assistance under this Section 4.
- Barndoor Personnel. Barndoor shall provide training for Barndoor’s personnel engaged in the Processing of Customer Personal Data that Barndoor deems appropriate based on their responsibilities. Barndoor shall execute written agreements with its personnel to maintain the confidentiality of Customer Personal Data. Barndoor shall use commercially reasonable efforts to limit access to Customer Personal Data to personnel who require such access to perform the Agreement. If required by Data Protection Laws, Barndoor shall appoint a data protection officer and provide the contact details of the appointed person.
- Security. Barndoor will implement reasonable and appropriate technical and organizational measures that are designed to ensure a level of security appropriate to the risk posed by the Processing of Customer Personal Data as set forth in Exhibit C of this DPA.
- Audit.
- Audit Requests. Subject to Section 7(c), upon Customer’s written request, Barndoor will provide Customer with the most recent summary audit report(s) concerning the compliance and undertakings in this Agreement related to Customer Personal Data. Barndoor's policy is to share methodology, and executive summary information, not raw data or private information. Barndoor will reasonably cooperate with Customer by providing available additional information to help Customer better understand such compliance and undertakings. To the extent it is not possible to otherwise satisfy an audit obligation mandated by applicable Data Protection Laws and subject to Section 7(c), only the legally mandated entity (such as a governmental regulatory agency having oversight of Customer’s operations) may conduct an onsite visit of the facilities used to provide the Services. Unless mandated by Data Protection Laws, no audits are allowed within a data center for security and compliance reasons. After conducting an audit under this Section 7 or after receiving a Barndoor report under this Section 7, Customer must notify Barndoor of the specific manner, if any, in which Barndoor does not comply with any of the security, confidentiality, or data protection obligations in this DPA, if applicable. Any such information will be deemed Confidential Information of Barndoor.
- Sub-Processors. Customer shall not audit Barndoor’s Sub-Processors without Barndoor’s and Barndoor’s Sub-Processor’s prior written agreement. Customer agrees its requests to audit Sub-Processors may be satisfied by Barndoor or Barndoor’s Sub-Processors presenting up-to-date attestations, reports or extracts from independent bodies, such as reports of external or internal auditors, Barndoor’s data protection officer, CISO, IT security department, or other mutually agreed to third parties or certification by way of an IT security or data protection audit. Customer agrees that onsite audits at a Sub-Processor’s premises shall be performed by Barndoor acting on behalf of Controller.
- Audit Process. Unless required by Data Protection Laws, Customer may request a summary audit report(s) or audit Barndoor no more than once annually. Customer must provide at least four (4) weeks’ prior written notice to Barndoor of a request for a summary audit report (or request to audit). The scope of any audit will be limited to Barndoor’s policies, procedures and controls relevant to the protection of Customer Personal Data. Subject to Section 7(b), all audits will be conducted during normal business hours, at Barndoor’s principal place of business or other Barndoor location(s) where Customer Personal Data is accessed, processed or administered, and will not unreasonably interfere with Barndoor’s day-to-day operations. An audit will be conducted at Customer’s sole cost and by a mutually agreed upon third party who is engaged and paid by Customer and is bound by a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement, obligating it to maintain the confidentiality of all Barndoor Confidential Information and all audit findings, and to comply with all of Barndoor’s security and confidentiality policies and procedures. Customer agrees to pay the costs of any support provided by Barndoor (including internal resources) based on Barndoor’s then-current rates. Before the commencement of an on-site audit, Barndoor and Customer shall mutually agree upon the timing and duration of the audit. Barndoor will reasonably cooperate with the audit, including providing the auditor the right to review but not to copy Barndoor security information or materials during normal business hours. Customer shall, at no charge, provide to Barndoor a full copy of all findings of the audit. The results of the audit will be considered “Confidential Information” of Barndoor.
Nothing in this DPA shall require Barndoor to provide information related to other customers or to trade secrets or information for which Barndoor is bound by a third-party obligation of confidentiality or non-disclosure.
- Limitation of Liability. To the extent permitted under law, each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Agreement including this DPA. For the avoidance of doubt, Barndoor’s and its affiliates’ total liability for all claims from the Customer arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under the Agreement including this DPA.
- Governing Law. The parties agree that (1) governing law of this DPA, and (2) the forum for all disputes in respect of this DPA, shall be the same as set out in the Agreement, unless otherwise required by applicable Data Protection Laws. If and to the extent any of the Data Protection Laws are modified or supplemented to require provisions that are different from or additional to the terms of this DPA, the parties shall cooperate to promptly execute any required amendments to this DPA.
Exhibit A
Supplemental Terms for the Standard Contractual Clauses
This Exhibit A forms part of the DPA and supplements the Standard Contractual Clauses. Capitalized terms not defined in this Exhibit A have the meaning set forth in the DPA.
The parties agree that the following terms shall supplement the Standard Contractual Clauses:
- Supplemental Terms. The parties agree that: (i) a new Clause 1(e) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.”; (ii) a new Clause 1(f) is added to the Standard Contractual Clauses which shall read: “To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to UK Data Protection Laws (as defined in Annex III).”; (iii) the optional text in Clause 7 is deleted; (iv) Option 1 in Clause 9 is struck and Option 2 is kept, and data importer must notify data exporter of any new subprocessors in accordance with Section 2.h of the DPA; (v) the optional text in Clause 11 is deleted; and (vi) in Clauses 17 and 18, the governing law and the competent courts are those of Ireland (for EEA transfers), Switzerland (for Swiss transfers), or England and Wales (for UK transfers).
- Annex I. Annex I to the Standard Contractual Clauses shall read as follows:
- List of Parties
Data Exporter: Customer.
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position, and contact details: As set forth in the Notices section of the Agreement.
Activities relevant to the data transferred under these Clauses: The Services.
Role: Controller.
Data Importer: Barndoor AI, Inc.
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position, and contact details: As set forth in the Notices section of the Agreement.
Activities relevant to the data transferred under these Clauses: The Services.
Role: Processor.
- Description of the Transfer:
Categories of data subjects whose personal data is transferred: As set forth in Exhibit B.
Categories of personal data transferred: As set forth in Exhibit B.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: To the parties’ knowledge, no sensitive data is transferred.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data is transferred in accordance with the standard functionality of the Services, or as otherwise agreed upon by the parties.
Nature of the processing: The Services.
Purpose(s) of the data transfer and further processing: The Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Data importer will retain personal data in accordance with the DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
| Subprocessor | Type of Data Processed | Location |
| --- | --- | --- |
| Cloudflare | DNS, web security and performance processor | California, USA |
| Google Analytics | Web analytics processor | Washington, USA |
| Docusign | Agreement and signature processor | California, USA |
| Github | Version control and code storage | California, USA |
| Google Cloud Platform | Broad cloud platform activities | California, USA |
| Google Workspace | Identity provider and email processor | California, USA |
| Grafana Labs | Telemetry and logging | New York, USA |
| Hubspot | Customer relationship management | Massachusetts, USA |
| Mailgun | Transactional email processor | Texas, USA |
| Plain | Customer support platform | California, USA |
| PostHog | Product analytics platform | California, USA |
| Salesforce | Customer relationship management | California, USA |
| Vanta | Compliance framework processor | California, USA |
| Warpbuild | Managed CI/CD processor | California, USA |
- Competent Supervisory Authority: The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Irish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.
- Clarifying Terms: The parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Clauses will be provided upon data exporter’s written request; (ii) the measures data importer is required to take under Clause 8.6(c) of the Clauses will only cover data importer’s impacted systems; (iii) the audit described in Clause 8.9 of the Clauses shall be carried out in accordance with Section 7 of the DPA; (iv) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Clauses will be limited to the termination of the Clauses; (v) unless otherwise stated by data importer, data exporter will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Clauses; (vi) the information required under Clause 15.1(c) of the Clauses will be provided upon data exporter’s written request; and (vii) notwithstanding anything to the contrary, data exporter will reimburse data importer for all costs and expenses incurred by data importer in connection with the performance of data importer’s obligations under Clause 15.1(b) and Clause 15.2 of the Clauses without regard for any limitation of liability set forth in the Agreement.
- Annex II. Annex II of the Standard Contractual Clauses shall read as follows:
Data importer shall implement and maintain technical and organisational measures designed to protect personal data in accordance with the DPA.
Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the DPA.
- Annex III. A new Annex III shall be added to the Standard Contractual Clauses and shall read as follows:
The UK Information Commissioner’s Office International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”) is incorporated herein by reference.
Table 1: The start date in Table 1 is the effective date of the DPA. All other information required by Table 1 is set forth in Annex I, Section A of the Clauses.
Table 2: The UK Addendum forms part of the version of the Approved EU SCCs which this UK Addendum is appended to including the Appendix Information, effective as of the effective date of the DPA.
Table 3: The information required by Table 3 is set forth in Annex I and II to the Clauses.
Table 4: The parties agree that Importer may end the UK Addendum as set out in Section 19.
Exhibit B
Processing Details and Instructions
This Exhibit B forms part of the DPA. Capitalized terms not defined in this Exhibit B have the meaning set forth in the DPA.
Data Exporter: the applicable “Customer” described in the DPA.
Data Importer: Barndoor AI, Inc., 1216 Broadway Floor 2, New York, NY 10001.
Data Subjects
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
- Customers, prospects and business partners
- Employees and their respective dependents, beneficiaries, and emergency contacts
- Contractors (including contingent workers)
- Volunteers, interns, temporary, and casual workers
- Suppliers and vendors
- Commercial representatives
- Freelancers, agents, consultants, and other professional respondents, and their respective dependents, beneficiaries, and emergency contacts
- Prospective employees and temporary staff
- Advisors, consultants, and other professionals
Categories of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and may include, but is not limited to, the following categories of Personal Data:
- First and last name
- Business contact information
- Personal contact information
- Employment data
- Identity & Demographic data
- Sensitive & Special Category data
- Financial & Transaction data
- Connection & Communication data
- Location data
- Technical & Digital data
- User Generated Content & Prompt data
Processing Operations
Barndoor may process personal data upon the instruction of Customer in accordance with the terms of the DPA and the Agreement. Customer instructs Barndoor to Process Personal Data: (i) necessary for the provision of the Services and access to the Platform; and (ii) as part of any Processing initiated by Customer.
Duration of Processing and Retention of Data
Barndoor will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing. Barndoor will retain Personal Data in accordance with the DPA or as long as required under law, unless otherwise agreed to in writing.
Exhibit C
Security Measures
The following technical and organizational security measures apply to Customer Personal Data Processed by Barndoor pursuant to the Agreement.
| Description of Security Measure |
|
| Encryption | Barndoor:
|
| Measures for confidentiality, integrity, availability and resilience of Processing systems and services | Barndoor implements and maintains a comprehensive written information security and compliance program that includes administrative, physical, and technical controls based on ongoing risk assessment (the “Information Security Program”). Barndoor’s Information Security Program is aligned to recognized security standards.
Barndoor conducts periodic risk assessments and reviews at least annually its Information Security Program or whenever a material change in Barndoor’s business practices may affect the security, confidentiality or integrity of Customer Personal Data. Barndoor adjusts controls and revises its Information Security Program to address risks identified. |
| Measures for ensuring the ability to restore the availability and access to Customer Personal Data | Barndoor implements appropriate back-up, disaster recovery and business resumption plans to enable recovery from events that impact Barndoor’s ability to perform in accordance with the Agreement. Barndoor regularly (and no less than annually) tests these plans and makes changes as needed based on its risk assessments and testing to ensure that they are up to date and effective. |
| Testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing | Barndoor performs at least annual penetration tests on Barndoor’s systems, infrastructure and facilities in accordance with Barndoor’s policies and industry practices.
Barndoor performs periodic scanning of operating systems, databases, server applications and network devices for vulnerability and configuration compliance.
Barndoor reviews the security of applications that are Processing Customer Personal Data including automated and manual testing for common vulnerabilities.
Barndoor maintains a policy for its mobile devices containing Customer Personal Data. |
| User identification and authorization | Barndoor has access control, identification and lockout procedures.
Barndoor has an established process to review user access to Customer Personal Data, including clearly defined user roles and procedures to approve and justify roles.
Barndoor enforces access and confidentiality restrictions through disciplinary measures.
Barndoor has documented password management practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed; monitor repeated attempts to gain access to its information systems using an invalid password; deactivate authentication credentials upon notification that access is no longer needed (e.g. employee termination, project reassignment, etc.); deactivate passwords that are corrupted or inadvertently disclosed; ensure that de-activated or expired identifiers and/or passwords are not granted to other individuals; deactivate authentication credentials when not used; and ensure that where more than one individual has access to its systems containing Customer Personal Data, the individuals have unique identifiers/log-ins (i.e. no shared IDs).
Barndoor enforces “least privilege” by restricting access to Customer Personal Data to those individuals who require access to perform their job functions. |
| Protection of Customer Personal Data during transmission | Barndoor transmits Customer Personal Data using the following secure protocols and methods:, TLS, SSH, SFTP, Site-to-Site VPN with IPSec. |
| Physical security of locations at which Customer Personal Data are processed | Barndoor maintains commercially-reasonable security systems and processes at all Barndoor facilities at which information systems that use or store Customer Personal Data are located, such as allowing only authorized individuals to access its facilities. |
| Event logging | Barndoor maintains logs and records of all processing of Customer Personal Data and records all user activity and actions related to Customer Personal Data. |
| System configuration, including default configuration | Barndoor ensures that, for as long as Barndoor holds Customer Personal Data, Barndoor does not and will not purposefully create any process (e.g., “back doors” or similar programming) that does or could permit or facilitate unauthorized access to Customer Personal Data. |
| Internal IT and IT security governance and management | Barndoor has a dedicated security officer who is responsible for coordinating and monitoring the Information Security Program.
Barndoor incorporates security-by-design principles in software development.
Barndoor has a risk management program in place to identify, assess and take appropriate actions with respect to risks related to the processing of Customer Personal Data in connection with the Agreement.
Barndoor promptly take actions to mitigate any actual or potential harm caused by an unauthorized or unlawful Processing of Customer Personal Data.
Barndoor maintains (and requires that sub-contractors each maintain) a record of actual and suspected security incidents (including personal information breaches), which contains at least a description of the incident, the time period, the consequences of the incident, the name of the reporter and to whom the incident was reported, and the process for recovering data, and otherwise complies with the requirements of the Agreement. |
| Data minimization | Barndoor limits access to Customer Personal Data in its systems to only that data minimally necessary to perform the services.
Barndoor conducts privacy impact assessments to ensure that the Customer Personal Data collected by or on behalf of Customer is limited to what is necessary in relation to the purposes for Processing. Barndoor’s data minimization measures are accompanied by technical measures to ensure that Customer Personal Data is not subject to unauthorized access. |
| Data quality | Barndoor system interfaces go through input validation testing which prevents improperly formed data from entering an information system. |
| Accountability | Barndoor trains Barndoor Personnel about privacy and security principles, policies and procedures and their respective roles and possible consequences of breaching the principles, policies and procedures and applicable laws. Barndoor maintains records of training attendance. |
| Data portability, processing restrictions, erasure and consent | Barndoor maintains commercially reasonable and documented procedures for complying with Data Subjects’ exercise of their privacy rights, including ensuring that privacy rights requests are timely and effectively addressed. Barndoor maintains records of the date and time of requests, involvement of Sub-Processors (if applicable), Barndoor’s response to the request (whether requests are denied) and evidence of when Customer was informed and Customer’s review and approval. Barndoor posts a privacy notice for Personal Data collected from Data Subjects. |
Schedule 1: U.S. Privacy Laws Addendum
This U.S. Privacy Laws Addendum (“Addendum”) shall apply to Customer Personal Data subject to U.S. Privacy Laws. If this Addendum and any other provision of the Agreement conflict, this Addendum shall apply to Personal Data subject to U.S. Privacy Laws.
1. ROLES. Solely with respect to Customer Personal Data subject to U.S. Privacy Laws and solely in connection with Barndoor’s role as Processor pursuant to the Agreement, the parties shall comply with the obligations set forth in this Addendum.
2. DEFINITIONS. For the purpose of this Addendum, the following capitalized terms shall have the same meanings ascribed to terms under U.S. Privacy Laws: “Business Purpose,” “Consumer,” “Sell” (and its variants), and “Share” (and its variants). All other capitalized terms used and not defined in this Addendum shall have the meanings assigned to them in the Agreement.
3. PROCESSING OF PERSONAL INFORMATION
3.1 Each Party shall comply, and shall cause its Affiliates to comply, with U.S. Privacy Laws in connection with the provision and receipt of the Services.
3.2 When acting as a Processor of Customer Personal Data in connection with the Services, Barndoor shall:
(a) Process the Customer Personal Data for the specific Business Purpose of performing the Services, other Business Purposes permitted by the CCPA, or as otherwise permitted by the U.S. Privacy Laws (the “Purpose”);
(b) (i) not Sell or Share the Customer Personal Data; (ii) not use, retain, or disclose the Customer Personal Data outside of the direct relationship between the parties or for any purpose other than the Purpose, unless otherwise permitted by U.S. Privacy Laws; (iii) not combine or update Customer Personal Data with Personal Data received from another source, unless authorized by Customer or permitted by U.S. Privacy Laws; (iv) allow Customer, upon reasonable written notice, to take reasonable and appropriate steps to remediate or stop any unauthorized Processing of Customer Personal Data; (v) allow Customer to take reasonable and appropriate steps to ensure that Barndoor’s Processing of the Customer Personal Data is consistent with its obligations as a Business under the CCPA;
(c) notify Customer in writing when it becomes aware or makes a determination that it cannot meet its obligations under this Addendum;
(d) notify Customer in writing of any Data Subject Request received by or on behalf of Barndoor from a Consumer with respect to Customer Personal Data, act on the Consumer’s request only after receiving Customer’s written instructions (unless action is required by the U.S. Privacy Laws or other applicable law), and provide information and assistance reasonably requested by Customer to enable Customer to comply with the Consumer’s request;
(e) Process the Customer Personal Data with the level of privacy protection as required under U.S. Privacy Laws, and grant Customer the right to stop, mitigate, or remedy any unauthorized Processing of Customer Personal Data; and
(f) to the extent that it, in providing the Services, subcontracts with a Sub-Processor that has access to Customer Personal Data (a “Permitted Subcontractor”), it will conduct reasonable due diligence on each such Permitted Subcontractor and enter into a contract with such Permitted Subcontractor that complies with the U.S. Privacy Laws and is no less protective of Customer Personal Data than the terms of this Addendum and the Agreement and, upon request, provide to Customer the name of each Permitted Subcontractor and reasonable written documentation demonstrating the existence of its contract with the Permitted Subcontractor.
3.3 Barndoor will notify Customer in writing without unreasonable delay, promptly upon becoming aware, and in any event within 72 hours after becoming aware of any actual unauthorized or unlawful access to or use, viewing, loss, unavailability, disclosure or destruction of Customer Personal Data (“Security Incident”). Barndoor will cooperate with Customer in the investigation and remediation of any Security Incident, including by providing periodic written updates and such reasonable assistance as may be requested from time to time.