Data Protection Agreement

How we process and protect your data as a processor
This Data Processing Agreement (“DPA”) is entered into by and between Modge Inc., a Delaware corporation (“Processor” or “Company”), and any customer who accepts this Agreement through the Company's official website (“Controller” or “Customer”). By accepting this Agreement online, the Customer agrees to be bound by its terms. The Company and the Customer are collectively referred to as the “Parties” and individually as a “Party”.

PURPOSE AND SCOPE

This DPA governs the processing of Personal Data by the Company on behalf of the Customer in connection with the provision of the Company's productivity analytics and workflow optimization platform (the “Services”).
The Parties acknowledge that the Customer acts as the Data Controller (or Business, for the purposes of the CCPA) and the Company acts as the Data Processor (or the Service Provider, for the purposes of the CCPA) with respect to the processing of Personal Data as defined under Applicable Data Protection Laws.
This DPA constitutes a standalone agreement and supersedes any prior or conflicting data protection provisions between the Parties.

DEFINITIONS

For the purpose of this DPA:
“Applicable Data Protection Laws” means all applicable privacy and data protection laws, including without limitation:
  • (a) the EU General Data Protection Regulation 2016/679 (“GDPR”);
  • (b) the UK GDPR and Data Protection Act 2018;
  • (c) the California Consumer Privacy Act of 2018, Cal. Civ. Code §§1798.100 et seq. (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA); and
  • (d) guidance issued by any relevant Supervisory Authority or implementing, amending, or supplementing the above laws, rules and regulations, whether in effect now or in the future.
“Personal Data” means any information relating to an identified or identifiable natural person processed by the Company on behalf of the Customer.
“Processing”, “Controller”, “Processor”, “Service Provider”, “Data Subject”, “Personal Data Breach”, “Aggregated Data”, “Business Purpose”, and “Supervisory Authority” shall have the meanings given in the Applicable Data Protection Laws.
“Sub-Processor” means any third party engaged by the Company to process Personal Data on behalf of the Customer.
“Services Data” means all data collected through the Company's agent and platform, including telemetry, screenshots, URLs, application usage, and productivity metrics.
“Anonymized Data” means data that has been irreversibly de-identified so that no individual can be identified, directly or indirectly.

ROLES AND RESPONSIBILITIES

The Customer and the Company shall comply with their respective obligations under Applicable Data Protection Laws.
The Customer determines the purposes and means of the Processing of Personal Data and shall ensure that it has obtained all necessary consents and authorizations from Data Subjects which are necessary under Applicable Data Protection Laws or otherwise secure the required lawful bases for processing, as necessary for the Company to process Personal Data on Customer's behalf, including for purposes that qualify as ‘business purposes’ under the CCPA.
The Company shall process Personal Data solely on documented instructions from the Customer and only for the purposes of providing the Services, and as otherwise required by Applicable Data Protection Laws or necessary for internal administrative, compliance, or billing purposes, provided such processing does not materially deviate from the Customer's instructions. The Parties agree that the processing operations to be carried out in the performance of this DPA conform to the description set out under Schedule 1 hereunder.
The Company shall not process Personal Data for its own purposes, except for the creation of aggregated, anonymized insights that cannot reasonably identify any individual.
The Company shall ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations.

DATA SUBJECT RIGHTS

The Company shall assist the Customer, to the extent reasonably possible, in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including a request to opt out of the sale of Personal Data, or the right not to be discriminated against for exercising any CCPA Consumer rights.
The Company shall promptly notify the Customer if it receives a request directly from a Data Subject and shall not respond except with the Customer's written instructions. The Company shall not be liable in respect of any claim regarding Data Subject rights.
Where assistance requires disproportionate effort, the Company may charge reasonable administrative costs, subject to prior notice to the Customer.

SECURITY MEASURES

The Company shall implement and maintain appropriate technical and organizational measures to ensure a level of security of the Customer Personal Data appropriate to the risk, considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The Customer is responsible for ensuring the security of its own systems and credentials used to access the Services.

PERSONAL DATA BREACH NOTIFICATION

The Company shall notify the Customer without undue delay, and in any case within seventy-two (72) hours, upon becoming aware of, or having strong reasons to believe there has been, a Personal Data Breach affecting the Customer's data, providing the Customer with reasonably sufficient information to allow the Customer to meet its obligations to report or inform Data Subjects of the Personal Data Breach under Applicable Data Protection Laws.
The Customer shall be responsible for determining whether to notify supervisory authorities or affected Data Subjects.
Subject to confidentiality obligations towards the Company, the Parties shall coordinate with each other to investigate the Personal Data Breach.

SUB-PROCESSING

The Customer authorizes the Company to engage Sub-Processors for the provision of the Services, including hosting, analytics, and infrastructure providers, as detailed under Schedule 2.
The Company shall ensure that each Sub-Processor is bound by a written agreement imposing data protection obligations no less protective than those set forth in this DPA.
The Company shall notify the Customer of any intended changes to the list of Sub-Processors and provide the Customer an opportunity to object within fourteen (14) days.
If the Customer objects on reasonable grounds, the Parties shall discuss in good faith to find a resolution to make available a change in the Services that avoids the use of the objected Sub-Processor; if no resolution is found, the Customer may terminate the affected Services.

INTERNATIONAL DATA TRANSFERS

The Company may process and store Personal Data in the United States, and other jurisdictions where its Sub-Processors operate, provided that such transfers comply with Applicable Data Protection Laws.
Transfers from the EEA or UK shall be made pursuant to an adequacy decision or the Standard Contractual Clauses (SCCs) approved by the European Commission.

DATA RETENTION AND DELETION

The Company shall retain Personal Data only for as long as necessary to fulfill the purposes of processing or as required by applicable law.
Upon termination or expiration of this DPA, the Company shall, at the Customer's written request, delete or return all Personal Data and certify such deletion, except where retention is required by law or for legal proceeding purposes.
The Company may retain Anonymized Data for internal analytics, product improvement, and statistical purposes, provided that such data is in an anonymized form and cannot reasonably identify any individual.

AUDIT AND COMPLIANCE

The Company shall make available to the Customer all information necessary to demonstrate compliance with this DPA.
The Customer may, upon reasonable notice (no less than thirty (30) days) and not more than once per year, conduct an audit or inspection, subject to confidentiality obligations and minimal disruption to the Company's operations, during the Company's business hours.
The Company may satisfy audit obligations by providing third-party certifications or audit reports (e.g., SOC 2, ISO 27001).

LIABILITY AND INDEMNIFICATION

Each Party shall be liable for damages arising from its own breach of this DPA or Applicable Data Protection Laws.
Neither Party shall be liable for indirect, consequential, or punitive damages, regardless of the form of action, whether in contract, tort (including negligence), strict liability, or otherwise, and even if foreseeable.
The Company's total aggregate liability under this DPA shall not exceed the total fees paid by the Customer under the Agreement during the twelve (12) months preceding the event giving rise to the claim.

CONFIDENTIALITY

Each Party shall treat all Personal Data and any related information as confidential and shall not disclose it to any third party except as permitted under this DPA or required by applicable law.
The Company shall ensure that its employees and Sub-Processors are subject to confidentiality obligations consistent with this Section.

GOVERNING LAW AND JURISDICTION

This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States of America, and the competent state and federal courts located in Delaware shall have exclusive jurisdiction over any dispute arising hereunder.

TERM AND TERMINATION

This DPA shall enter into force on the date the Customer accepts it through the Company's official website, and shall remain in effect for as long as the Company processes Personal Data on behalf of the Customer.
Termination of this DPA shall not affect the rights or obligations of the Parties accrued prior to termination.

MISCELLANEOUS

If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.
This DPA may be amended only by a written instrument signed by both Parties.
In the event of any conflict between this DPA and any other agreement between the Parties, this DPA shall prevail with respect to the processing of Personal Data.

SCHEDULE 1: DETAILS OF THE PROCESSING

This Schedule 1 includes certain details of the Processing of the Customer Personal Data as required by Article 28(3) of the GDPR, as applicable.
Subject matter and duration of the Processing of the Customer Personal Data:
Processing of employee and user activity data through Company's productivity analytics platform, for the purpose of generating insights and workflow optimization. Processing continues for the term of the engagement and as required by law.
The nature and purpose of the Processing of the Customer Personal Data:
To provide, operate, and improve the Services; deliver analytics and reports; offer technical support; ensure system security and compliance; and meet legal or regulatory obligations.
The types of the Customer Personal Data which may be Processed are as follows:
Name, username, email, role, device and system identifiers, IP address, application usage, URLs visited, keyboard and mouse activity, screenshots (if enabled), and performance metrics.
The categories of Data Subjects to whom the Customer Personal Data relates are as follows:
Employees, contractors, and authorized users of the Customer's organization.

SCHEDULE 2: APPROVED SUB-COMPANIES

Sub-Company | Service & Categories of Personal Data | DPA Signed | Location | Transfer Mechanism
AWS | Storage | Yes | USA | SCC + AWS Data Processing Addendum
Supabase | Database | Yes | USA / Europe | SCC
Vercel | Frontend | Yes | USA | SCC
Railway | Backend | Yes | USA | SCC
OpenAI | Data processing | Yes | USA | SCC + OpenAI DPA