Data Processing Addendum

4.1 General Restrictions

Obvious will not:

• Retain, use, disclose, sell, or share Customer Personal Data for any purpose other than to provide the Services or as otherwise authorized in the Agreement
• Retain, use or disclose Customer Personal Data for a commercial purpose beyond the context of the direct business relationship between Obvious and Customer
• Combine Customer Personal Data received from or on behalf of Customer with Personal Data received from or on behalf of another person, except as permitted by Applicable Data Protection Laws and in accordance with Customer’s documented instructions

4.2 Exceptions

The restrictions in Section 4.1 shall not apply: (a) if Obvious is required to perform such actions by any applicable law; or (b) to Obvious’s Processing of de-identified, anonymized or aggregated data, or to the use of internal analytics that do not involve Customer Personal Data.

4.3 Certification

Obvious certifies that it understands the restrictions of this Section 4 and will comply with all Applicable Data Protection Laws.

14.1 Authorization for Restricted Transfers

Customer authorizes Obvious to transfer Customer Personal Data outside the EEA, the United Kingdom, Switzerland, or other relevant jurisdictions as necessary to provide the Services, subject to the requirements of Applicable Data Protection Laws.

14.2 Transfer Mechanisms

If Obvious carries out a Restricted Transfer of Customer Personal Data, Obvious will implement appropriate safeguards consistent with Applicable Data Protection Laws. These safeguards may include:

• Entering into the SCCs
• Entering into the UK Addendum
• Entering into the Swiss Addendum set forth in Exhibit 3
• Entering into any other contractual provisions or frameworks approved by a competent regulator or authority for cross-border Personal Data transfers

14.3 Standard Contractual Clauses

The parties agree that to the extent that the Processing of Customer Personal Data involves a Restricted Transfer, the parties shall each comply with their respective obligations as set out in the SCCs and/or the UK Addendum, each incorporated herein by reference, and amended as follows:

• The optional docking clause in Clause 7 does not apply
• In Clause 9, Option 2 (general written authorization) applies; minimum time period for prior notice of Subprocessor changes is as specified in Section 9 of this DPA
• In Clause 11, the optional language does not apply
• Module Two (Controller to Processor) applies where Customer is a Controller; Module Three (Processor to Processor) applies where Customer is a Processor
• In Clause 13(a) and Annex I.C, Option 1 shall apply with the competent Supervisory Authority being the Irish Data Protection Commission
• In Clause 17 (Option 1), the SCCs will be governed by the laws of Ireland
• In Clause 18(b), disputes will be resolved in the courts of Ireland
• For the purposes of Annex I.A, the Customer shall be the data exporter and Obvious shall be the data importer
• For the purposes of Annex I.B, the description of transfer is set out at Exhibit 1
• For the purposes of Annex I.C, the technical and organizational measures are set out at Exhibit 2

14.4 Assistance and Cooperation

If required by Applicable Data Protection Laws, Obvious will reasonably assist Customer in conducting any mandated data protection impact assessments or data transfer impact assessments and consultations with relevant Supervisory Authorities.

Categories of Data Subjects

• Customer’s Authorized Users (employees, contractors, agents)
• Customer’s end users or customers
• Any other Data Subjects included or referenced in Customer content, Artifacts, or data uploaded into the Service by Customer or its Authorized Users

Categories of Customer Personal Data

• Identification data: first and last name, username, email address, phone number
• Professional data: employer, title and position, business contact information
• Account data: login credentials, account settings, user preferences
• Content data: any Personal Data contained within Artifacts, documents, workbooks, presentations, Projects, or other content created or uploaded by Customer
• Usage data: connection and/or localization data, IP addresses, device information, activity logs
• Special category Personal Data (if uploaded by Customer): as defined in Article 9 of the GDPR and/or UK GDPR, including racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, and data regarding health, sex life, genetic data, or biometric data

Nature and Purpose of Processing

• Receiving Customer Personal Data: including collection, accessing, retrieval, recording, and data entry
• Holding Customer Personal Data: including storage, organization, and structuring
• Processing Customer Personal Data: including analysis, transformation, manipulation, and AI-assisted processing via the Agent
• Updating Customer Personal Data: including correcting, adaptation, alteration, alignment, and combination
• Sharing Customer Personal Data: including disclosure, dissemination, allowing access, or otherwise making available (within Customer’s organization or to Permitted Third Parties as authorized by Customer)
• Deleting Customer Personal Data: including erasure and destruction

Duration and Frequency

Obvious will Process Customer Personal Data as long as required to conduct the Processing activities instructed in this DPA or by applicable laws, and shall retain the Customer Personal Data as described in Section 5. Frequency of Transfer: Continuous.

1. Physical and Environmental Security

Obvious, or Obvious’s Subprocessors, implements measures designed to prevent unauthorized persons from gaining access to the Customer Personal Data Processing equipment. This includes following industry-standard guidelines provided by data centers, securing equipment via standard cloud data hosting providers with restricted access controls, and endpoint monitoring for all Obvious-owned devices with mobile device management.

2. Access Control

• Role-based access controls with centrally-managed, industry standard SSO providers
• Access to IT systems protected by authentication mechanisms including multi-factor authentication for privileged accounts
• All access to Customer Personal Data is logged, monitored, and tracked
• Privileged access rights granted only to individuals who reasonably need it (least-privilege principle)
• Access rights removed immediately upon termination of employment or contract

3. Availability Control

• Anti-malware solutions with industry-standard solutions built into all physical hardware
• Customer Personal Data stored in multiple availability zones to protect against environmental threats
• Regular (daily) backup snapshots that allow for point-in-time rollback
• IT systems and applications in non-production environments are logically or physically separated from production environments

4. Operations Security

• Information Security Framework maintained and reviewed at least quarterly
• Annual security awareness and data privacy training for all employees
• Security-relevant events logged (user management activities, failed logons, security configuration changes)
• All critical vulnerabilities identified must be remediated within seven (7) days of identification

5. Transmission Controls

• IT systems and applications administered using encrypted connections with TLS and SSH
• Content integrity during transmission protected by network protocols such as TLS 1.2 or greater
• Customer Personal Data transmitted over public networks is encrypted
• Secure Key Management Systems (KMS) used to store secret keys in the cloud

6. Security Incidents

Obvious maintains and implements an incident handling process including records of security breaches, notification processes according to legal standards, and an incident response scheme addressing roles, responsibilities, communication strategies, and specific procedures covering all critical system components.

7. Asset Management, System Acquisition, Development and Maintenance

• Information security requirements identified and documented prior to development and acquisition of new IT systems
• Formal process to control and perform changes to developed applications
• Security tests incorporated into the System Development Life Cycle

8. Human Resource Security

• Background check conducted for all employees and contractors who will Process Customer Personal Data, including criminal check and employment verification going back seven (7) years where permitted by applicable law
• Employees with access to Customer Personal Data are bound by confidentiality obligations
• Employees with access to Customer Personal Data are trained regularly regarding data protection laws, annually at minimum

9. Cryptography

• Digital certificates accepted and trusted only if issued by a trusted certification authority
• Certificates used and allocated to dedicated IT-systems and applications
• Process maintained for the management and implementation of cryptographic keys, including rules and requirements to generate, store, backup, distribute, and revoke cryptographic keys

1. Interpretation

Where this Addendum uses terms that are defined in the SCCs, those terms will have the same meaning as in the SCCs. In addition: (a) “Swiss FDPA” means the Swiss Federal Act on Data Protection of 25 September 2020 (in force as of 1 September 2023), and the Swiss Ordinance on Data Protection of 31 August 2022, as each may be amended from time to time; (b) “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.

This Addendum will be read and interpreted in light of the provisions of the Swiss FDPA so that it fulfills the intention to provide appropriate safeguards as required by Article 16 of the Swiss FDPA, and will not be interpreted in a way that conflicts with rights and obligations provided for in the Swiss FDPA.

2. Hierarchy

In the event of a conflict or inconsistency between this Addendum and the provisions of the SCCs or other related agreements between the parties, the provisions which provide the most protection to Data Subjects will prevail.

3. Amendments to the SCCs for Swiss Transfers

To the extent that any Processing of Customer Personal Data is exclusively subject to the Swiss FDPA, the SCCs as incorporated in Section 14.3 of this DPA are amended as follows:

• References to “GDPR” are replaced by “Swiss FDPA” and references to specific Articles of the GDPR are replaced with the equivalent Article or Section of the Swiss FDPA
• References to Regulation (EU) 2018/1725 are removed
• References to the “European Union,” “Union,” “EU,” and “EU Member State” are replaced with “Switzerland”
• Clause 13(a) and Part C of Annex I are not used; the competent supervisory authority is the FDPIC insofar as the transfers are governed by the Swiss FDPA
• Clause 17 is replaced to state: “These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by the Swiss FDPA.”
• Clause 18 is replaced to state disputes will be resolved by the courts of Switzerland, with Data Subjects able to bring proceedings before the courts of Switzerland in which they have their habitual residence

The Swiss FDPA extends data protection rights to legal entities as well as natural persons. Accordingly, the protections under this DPA and the SCCs as amended by this Addendum shall apply to Personal Data of legal entities to the extent required by the Swiss FDPA.

4. Dual Application

To the extent that any Processing of Customer Personal Data is subject to both the Swiss FDPA and the GDPR, this DPA will apply: (a) as set forth in Section 14.3 with respect to transfers subject to the GDPR; and (b) as amended by Section 3 of this Swiss Addendum with respect to transfers subject to the Swiss FDPA.

5. Notifications

Customer warrants that it and/or Customer Affiliates have made any notifications to the FDPIC which are required under the Swiss FDPA.