This Napkyn, Inc. (“Napkyn”) Data Protection Addendum ("DPA") is incorporated into the Master Services Agreement (“MSA”) entered into by and between Napkyn and your company (hereafter, “Customer”) and becomes binding upon the parties upon the effective date of the MSA (the “Effective Date”). Napkyn and Customer may be referred to herein individually as “Party” and collectively as the “Parties.” The scope of services to be provided in accordance with the MSA (the “Services”) does not include the provision of Personal Data or Personal Information, as defined within the Data Protection Laws, from Customer to Napkyn. Customer agrees that it will not transmit, by email or any other method, such information to Napkyn. Napkyn expressly disclaims any and all liability for the security or privacy of any such data and reserves the right to destroy such data upon receipt. This DPA applies to Napkyn to the extent that Napkyn, in the course of providing the Services, has access to Personal Data or Personal Information residing within Customer’s systems or networks, or processes such data on Customer’s behalf.

1. This DPA sets forth the Parties' rights and obligations under applicable Data Protection Laws regarding Customer Personal Data, as defined below, that may be processed by the Parties, or one of them, under the Master Services Agreement. This DPA shall not be construed as creating rights or obligations beyond those required by applicable Data Protection Laws.
2. Capitalized terms not defined herein shall have the meaning ascribed to them within the applicable Data Protection Laws.
1. “Data Protection Laws” shall mean those data security and privacy laws and regulations which now apply, or may apply in the future, including but not limited to the European Union's General Data Protection Regulation ("GDPR"); the California Consumer Privacy Act, as amended and including any regulations promulgated thereunder (“CCPA”); and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar Provincial laws.
2. “Customer Personal Data” shall mean any information relating to an identified or identifiable natural person, including Personal Data or Personal Information, as applicable, that has not been anonymized, aggregated or de-identified, that is maintained within Customer’s systems or networks, and to which Napkyn may have access or which Napkyn may process in the course of its performance of the Services.
3. The Parties agree that with respect to the processing of Customer Personal Data for the provision of Services, as applicable under the Data Protection Laws, (a) Customer is the Business and Napkyn is the Service Provider; (b) Customer is the Controller and Napkyn is the Processor; and (c) Napkyn shall process all Customer Personal Data in accordance with applicable Data Protection Laws. Customer hereby represents and warrants that any and all Customer Personal Data made available or provided to Napkyn by Customer for the performance of Services shall be lawfully obtained from Data Subjects, Consumers or other sources, as the case may be, such that Napkyn’s processing activities as contemplated in this DPA shall be lawful. Napkyn shall inform Customer if it believes the processing to be unlawful under applicable Data Protection Laws.
4. To the extent that Napkyn processes any Customer Personal Data, Napkyn will only process such data to the extent necessary to provide Customer with Services in accordance with Customer’s written instructions.
5. The subject matter, duration, nature, types and purpose(s) of the processing of Customer Personal Data, as well as the categories of Data Subjects, shall be identified in Customer’s written instructions. 
6. Napkyn shall not retain, use, sell or disclose Customer Personal Data for any purpose other than providing the Services or related Business Purposes or as otherwise required by applicable laws. Napkyn also agrees not to further collect or use Customer Personal Data except as necessary to perform the Services or for Business Purposes as permitted by law. Napkyn certifies that it understands these restrictions and will comply with them.
7. Customer authorizes Napkyn to appoint Subprocessors to engage in processing activities related to Customer Personal Data. Napkyn shall identify to Customer any such Subprocessors. Napkyn shall advise Customer of any material change involving such Subprocessors. Napkyn will ensure that its Subprocessors agree to adhere to terms that are at least as protective as this Agreement and shall remain responsible to Customer for all acts and omissions of any Subprocessor processing Customer Personal Data.
8. Napkyn personnel and/or Subprocessors authorized to process Customer Personal Data must be bound by a contractual or statutory obligation of confidentiality. Napkyn will utilize appropriate physical, technical, and organizational measures, such as those identified in Schedule 1, to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
9. Napkyn will: (a) notify Customer, without undue delay, in the event of any data breach involving Customer Personal Data processed by Napkyn or a Subprocessor ("Security Breach"); (b) take prompt steps to address the cause of the Security Breach and to secure the data environment; (c) to the extent that a Security Breach is the result of gross negligence or wilful misconduct by Napkyn, take steps to mitigate the Security Breach and mitigate harm to consumers concerned; and (d) to the extent required by applicable laws, provide reasonable cooperation with Customer’s efforts to ensure compliance with Data Protection Laws.
10. Napkyn will provide Customer with reasonable cooperation and assistance in relation to compliance with Customer’s obligations under the Data Protection Laws pertaining to Data Subject or Consumer requests, security, breach notifications, any impact assessments required under the Data Protection Laws and consultations with supervisory authorities or regulators.
11. With regard to Customer Personal Data received or processed in connection with the performance of Services, Napkyn will delete and, if so requested by Customer, return to Customer all Customer Personal Data within ninety (90) days of the end of the provision of Services and delete existing copies unless applicable law requires or permits otherwise.
12. Customer Personal Data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, such transfers shall be conducted in compliance with applicable Data Protection Laws.
13. Napkyn shall make available to Customer, upon reasonable request, all information reasonably necessary to demonstrate compliance with this DPA.
14. Napkyn reserves the right to amend this DPA as needed for the purpose of compliance with any amendments to existing Data Privacy Laws and any applicable privacy laws that may come into effect after the execution of this DPA (collectively, “New Privacy Laws”). Napkyn shall provide Customer with 30 days’ prior written notice before the effective date of any amendments to this DPA, except where a shorter time period is required by New Privacy Laws.  
15. This DPA is made a part of and incorporated by reference into the MSA. In the event of inconsistencies between the provisions of this DPA and MSA, the provisions of this DPA shall prevail. Should any provision or condition of this DPA be held or declared invalid, unlawful, or unenforceable by a competent authority or court, then the remainder of this DPA shall remain valid.

SCHEDULE 1

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Only those personnel with a need to know Customer Personal Data are authorized to access such information. The particular information accessible by authorized personnel is further restricted based on the employment role of the authorized user. Access is further protected and secured through the utilization of complex password requirements, multi-factor authentication where appropriate, and unique personnel ID numbers. It is a requirement that passwords be changed regularly. Inactive accounts are expired and disabled, as are the accounts of employees upon termination of employment. Logging and scanning tools continually process and identify security vulnerabilities on the system server and systems throughout the network. Automated alerts and remediation processes are in place for potential or detected vulnerabilities. It is required that authorized personnel participate in cyber security training, which is tested through the employment of regular simulated phishing exercises.