Data Processing Addendum
This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.
1.        Definitions

1.1              In this DPA:

(a) “Controller”, “Data Subject”, “Processing”, “Processor”, “Service Provider”, and “Supervisory Authority” have the meaning given to them in Data Protection Law;

(b) “Data Protection Law” means (i) the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and all other Data Protection Laws of the European Union, the European Economic Area (“EEA”), and their respective Member States, Switzerland and the United Kingdom (“UK”); (ii) the California Consumer Privacy Act as amended by the California Privacy Rights Act (California Civil Code § 1798.100) (“CCPA”); and (iii) all laws implementing or supplementing the foregoing and any other applicable data protection or privacy laws;

(c) “Data Subject Rights” means all rights granted to Data Subjects by Data Protection Law, such as the right to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making;

(d) “Restricted Data Transfer” means any international transfer of Personal Data that would be prohibited under Data Protection Law in the EEA or UK without implementation of additional safeguards such as Standard Contractual Clauses;

(e) “Personnel” means any natural person acting under the authority of Thena;

(f) “Personal Data” means any information that constitutes “personal data” or “personal information” within the meaning of applicable Data Protection Law that Thena may access in performing the services under the Agreement;

(g) “Personal Data Breach” means actual or reasonable degree of certainty of unauthorized destruction, loss, control, alteration, disclosure of, or access to, Personal Data for which Thena is responsible. Personal Data Breaches do not include unsuccessful access attempts or attacks that do not compromise the confidentiality, integrity, or availability of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems;

(h) “Sensitive Data” means any type of Personal Data that is designated as a sensitive or special category of Personal Data, or otherwise subject to additional restrictions under Data Protection Law or other laws to which the Controller is subject;

(i) “Standard Contractual Clauses” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time; and
(j) “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner for parties making restricted transfers, available at
https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fico.org.uk%2Fmedia%2Ffor-organisations%2Fdocuments%2F4019535%2Faddendum-international-data-transfer.docx&wdOrigin=BROWSELINK.

1.2            Capitalized terms used but not defined herein have the meaning given to them in the Agreement.

2.        Roles

2.1              Thena shall process Personal Data only as a processor acting on behalf of Customer and, with respect to CCPA and other applicable U.S. state privacy laws, as a service provider, in each case, regardless of whether Customer acts as a controller or as a data processor on behalf of a third-party controller with respect to Personal Data.

3.        Scope

3.1              This DPA applies to Processing of Personal Data by Thena in the context of the Agreement.

3.2              The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.

4.        Instructions

4.1              Thena will only Process Personal Data to provide the services to the Customer.

4.2              It is the parties’ intent that Thena is a service provider, and Thena certifies that it will not (a) “sell” or “share” (as defined in the CCPA) the Personal Data; (b) retain, use, or disclose the Personal Data to any person other than as necessary to provide the services or outside of the direct business relationship between the parties, unless required by applicable laws; or (c) combine the Personal Data that Thena receives from or on behalf of Customer with personal data that Reveal AI collects or receives from another person.

4.3              Customer’s instructions are documented in Annex I, the Agreement, and any applicable statement of work.

4.4              Customer may issue additional instructions to Thena as it deems necessary to comply with Data Protection Law. Such instructions must be provided to Thena in writing and acknowledged in writing by Thena as constituting instructions for purposes of this DPA, and Thena may charge a reasonable fee to comply with any such additional instructions.

4.5              The parties acknowledge and agree that the disclosure of Personal Data by the Customer to Thena does not form part of any monetary or other valuable consideration exchanged between the parties.

5.        Customer Responsibilities

5.1              Customer is responsible for the lawfulness of Personal Data processing under or in connection with the services. Customer shall (i) have provided, and will continue to provide all notices and have obtained, and will continue to obtain, all consents, permissions and rights necessary under applicable Data Protection Law for Thena to lawfully process Personal Data for the purposes contemplated by the Agreement (including this DPA); (ii) make appropriate use of the services to ensure a level of security appropriate to the particular content of the Personal Data; (iii) have complied with all Data Protection Law applicable to the collection of Personal Data and the transfer of such Personal Data to Thena and its Subprocessors; and (iv) ensure its processing instructions comply with applicable laws (including applicable Data Protection Law).

6.        Subprocessing

6.1              Customer authorizes Thena to engage the Subprocessors included in the list of Subprocessors provided to Customer and set out in Annex III (“Subprocessor List”); and Subprocessors engaged in accordance with Section 6.2.

6.2              Thena must inform Customer at least thirty (30) days prior to any intended change of Subprocessor, thereby giving Customer the opportunity to object to such change, and Customer may object only on reasonable grounds relating to a potential or actual violation of Data Protection Law. If Customer does not make a reasonable objection to the proposed engagement within 30 days of Thena providing notice to Customer under this Section 6.2, Customer is deemed to have authorized the engagement of such Subprocessor. Where Customer raises a reasonable objection to the proposed engagement of a Subprocessor, Thena may, at its discretion, make reasonable efforts to remedy the situation giving rise to the reasonable objection or propose an alternative Subprocessor to conduct the relevant Processing. In the event Thena is unable to remedy the situation and no alternative Subprocessor is proposed, then Thena will be entitled to terminate the Agreement without penalty or liability effective immediately on written notice to the Customer and the Customer shall pay Thena any fees due for the services performed prior to termination.

6.3              Thena must obtain sufficient guarantees from all Subprocessors that they will implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Law and this DPA.

6.4              Thena will enter into a written agreement with all Subprocessors which imposes substantially similar obligations on the Subprocessors as this DPA imposes on Thena.

6.5              To the extent required by law, Thena will provide a copy of Thena’s agreements with Subprocessors to Customer upon request. Thena may redact commercially sensitive information before providing such agreements to Customer.

7.        Restricted Data Transfers

7.1              To the extent required by Data Protection Law in the EEA, by signing this DPA Customer and Thena conclude module 2 (Controller-to-Processor) of the Standard Contractual Clauses, which are hereby incorporated by reference and completed as follows: the “data exporter” is Customer; the “data importer” is Thena; the optional docking clause in Clause 7 is implemented; Clause 9(a) option 1 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause in Clause 11(a) is struck; Clause 13(a) paragraph 2 is implemented; Clause 17 option 1 is implemented and the governing law is the law of the Republic of Ireland; the courts in Clause 18(b) are the Courts of the Republic of Ireland; Annex 1, 2 and 3 to module 2 of the Standard Contractual Clauses are Annex I, II and III to this DPA respectively.

7.2             To the extent required by Data Protection Law in the UK, by signing this DPA Customer and Thena agree to be bound by the UK Addendum. Part 1, Table 1 of the UK Addendum will be deemed to be completed like its equivalent provisions in the Standard Contractual Clauses (module 2) in Annex I, Section 1. For the purpose of Part 1, Table 2 of the UK Addendum, the Approved EU SCCs are the Standard Contractual Clauses (module 2) incorporated by reference into this DPA pursuant to Section 7.1 of this DPA. For the purpose of Part 1, Table 3, Annex 1, 2 and 3 to the Standard Contractual Clauses (module 2) are Annex I, II and III to this DPA respectively. For the purpose of Part 1, Table 4, the party that may end the UK Addendum in accordance with Section 19 of the UK Addendum is the importer. For the purposes of any transfers covered by the Data Protection Law in the UK, the Standard Contractual Clauses (module 2) will be deemed to be amended as set out in Part 2 of the UK Addendum.

8.        Personnel

8.1             Thena must ensure that all Personnel authorized to Process Personal Data agree to appropriate confidentiality arrangements.

8.2             Thena will regularly train Personnel regarding the protection of Personal Data.

9.        Security and Personal Data Breaches

9.1              Thena must implement technical and organizational measures to ensure a level of security appropriate to the risks presented by the Processing, including the measures listed in Annex II.

9.2              Thena must inform the Customer without undue delay after becoming aware of a Personal Data Breach. Thena must, either in the initial notice or in subsequent notices as soon as the information becomes available, inform Customer of the nature of the Personal Data Breach, the categories and number of Data Subjects, the categories and amount of Personal Data, the likely consequences of the Personal Data Breach, and the measures taken or proposed to be taken to address the Personal Data Breach and mitigate possible adverse effects. If Thena’s notice or subsequent notices are delayed, they must be accompanied by reasons for the delay.

9.3              Thena’s notification of or response to a Personal Data Breach under Section 9.2 will not be construed as an acknowledgement by Thena of any fault or liability with respect to the Personal Data Breach.

9.4              In the event of a Personal Data Breach, Customer is solely responsible for complying with all laws relating to investigation of such Personal Data Breaches and notification of affected individuals, regulators and other parties.

10.        Assistance

10.1             Thena must assist Customer, including by implementing appropriate technical and organizational measures, with the fulfillment of Customer’s own obligations under Data Protection Law, including:

                    (a)         complying with Data Subjects’ requests to exercise Data Subject Rights;

                    (b)         replying to inquiries or complaints from Data Subjects;

                    (c)         replying to investigations and inquiries from Supervisory Authorities;

                    (d)         conducting data protection impact assessments, and prior consultations with Supervisory Authorities; and

                    (e)         notifying Personal Data Breaches.

10.2             Unless prohibited by Data Protection Law, Thena must inform Customer without undue delay if Thena:

                    (a)         receives a request, complaint or other inquiry regarding the Processing of Personal Data from a Data Subject or Supervisory Authority;

                    (b)         receives a binding or non-binding request to disclose Personal Data from law enforcement, courts or any government body;

                    (c)         is subject to a legal obligation that requires Thena to Process Personal Data in contravention of Customer’s instructions; or

                    (d)         is otherwise unable to comply with Data Protection Law or this DPA.

10.3            Unless prohibited by Data Protection Law, Thena must obtain Customer’s written authorization before responding to, or complying with, any requests, orders, or legal obligations referred to in Section 10.2.

11.       Accountability

11.1             Thena must maintain records of all Processing of Personal Data, including at a minimum the categories of information required under Data Protection Law, and must provide a copy of such records to Customer upon request.

11.2            Thena must inform Customer without undue delay if Thena believes that an instruction of Customer violates Data Protection Law, in which case Thena may suspend the Processing until Customer has modified or confirmed the lawfulness of the instructions in writing. Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate Thena’s unauthorized use of Personal Data.

12.       Audit

12.1             Upon Customer’s written request and no more than once in a calendar year, Thena will make available to Customer all information reasonably necessary to demonstrate compliance with the obligations of Data Protection Law and this DPA and allow for and contribute to audits, including inspections, conducted by a Supervisory Authority, Customer or another auditor mandated by Customer.

12.2            If Customer’s requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Thena confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.

12.3            Any Customer-requested audits are at Customer’s expense. Customer shall reimburse Thena for any time expended by Thena or its Subprocessors in connection with any Customer-requested audits or inspections at Thena’s then-current professional services rates, which shall be made available to Customer upon request.

13.       Liability

13.1             The total combined liability of either party and its Affiliates towards the other party and its Affiliates, whether in contract, tort or any other theory of liability, under or in connection with Agreement and this DPA combined, will be limited to limitations on liability or other liability caps agreed to by the parties in the Agreement.

14.       Confidentiality

14.1             Thena must keep all Personal Data and all information relating to the Processing thereof, in strict confidence.

15.       Analytics

15.1             Customer acknowledges and agrees that Thena may create and derive from Processing related to the services anonymized and/or aggregated data that does not identify Customer or any natural person, and use, publicize or share with third parties such data to improve Thena’s products and services and for its other legitimate business purposes.

16.       Notifications

16.1             Thena must make all notifications required under this DPA as agreed to in the Agreement or the then-established daily point of contact with the Customer.

17.       Term and Duration of Processing

17.1             The Processing will last no longer than the term of the Agreement.

17.2             Upon termination of the Processing, Thena will, as soon as reasonably practicable, return or securely delete and destroy all Personal Data in Thena’s possession or control, except as otherwise required by law or set out in the Agreement. Upon request from Customer, Thena will certify such secure deletion in writing within thirty (30) days of Customer’s request.

17.3             This DPA is terminated upon Thena’s deletion of all remaining copies of Personal Data in accordance with Section 17.2.

18.       Modification of this DPA

18.1             This DPA may only be modified by a written amendment signed by both Customer and Thena.

19.       Invalidity and Severability

19.1             If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

ANNEX I
A. LIST OF PARTIES

Customer is the controller and the data exporter and Thena is the processor and the data importer.

B. DESCRIPTION OF TRANSFER
Subject Matter

Thena’s provision of the SaaS-based customer communication platform services to Customer.

Duration of the Processing

Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.

Nature and Purpose of the Processing

Thena will process Customer Personal Data for the purposes of providing the services to Customer in accordance with the DPA.

Frequency of the Processing

As and when the services are accessed.

Categories of Data

Data relating to individuals provided to Thena in connection with the services, by (or at the direction of) Customer, including email address, name, user ID, and profile picture.

Sensitive Data Processed

The services are not intended to Process special categories of data.

Data Subjects

Customers’ end users

ANNEX II
SECURITY CONTROLS
Thena has implemented and maintains the information security controls listed below to protect personal data during storage, processing, and transmission.

Security Control Category | Description
Information Security Program

In accordance with our SOC 2 Type II compliance program, we maintain policies, procedures, and practices documenting our technological, administrative, and procedural safeguards relating to the privacy, security, integrity, and availability of personal data.

Our information security framework includes periodic audits, assessments, and employee privacy and security training.

Risk Assessment

We undergo annual independent third-party SOC 2 Type II audits that include a risk assessment of the threats to the privacy, confidentiality, security, integrity and availability of personal data, the likelihood that these threats occur, and measures to mitigate these risks. We conduct penetration testing of the network and our application to evaluate the security of our production environment.

Data Collection, Retention and Disposal

We only collect the personal data we need to accomplish our business purposes, including names, business email addresses, links to Slack profile pictures, and Slack user metadata. We do not store users’ conversation data on our systems.

When a customer uninstalls our solution, we securely dispose of the personal data in our possession by deleting the customer’s data from our systems.

Personnel Background Checks

We conduct background checks on all of our employees using Checkr.

Personnel Training and Education

We regularly train all our employees on our information security program, the importance of the security, confidentiality, and privacy of personal data, and the risks to our company and its customers associated with security incidents.

Access Controls

We only permit access to personal data, sensitive information systems, and our premises to authorized employees based on their role and with prior approval.
Terminated employees are prevented from accessing personal data and lose access to all devices and applications upon termination.

Secure User Authentication

In accordance with our SOC 2 Type II compliance program, we maintain policies, procedures, and practices documenting our technological, administrative, and procedural safeguards relating to the privacy, security, integrity, and availability of personal data.

Our information security framework includes periodic audits, assessments, and employee privacy and security training.

Encryption

All communication between customer systems and our platform takes place using high levels of encryption (TLS 1.2/HTTPS).

All stored data, session cookies, and backups are encrypted at rest. Our databases are also encrypted using custom keys for additional security.

We use industry-standard encryption and a monitoring agent to protect the data stored on company laptops.

Network Security

We store all personal data on private networks that require VPN to access, and we conduct biannual penetration testing to evaluate the security of the network.

Malicious Code Detection

We have implemented Snyk to detect and remedy malicious or unsecure code designed to perform an unauthorized function on, or permit unauthorized access to, any information system.
We remediate any malicious or unsecure code promptly upon identification.

Vulnerability and Patch Management

We conduct biannual vulnerability assessments to detect vulnerabilities on the network, and we have implemented processes to remediate any detected vulnerabilities.

Application Security

We maintain application security and software development controls, including private networks, custom key encryption, and biannual penetration testing, to detect and prevent the introduction of security vulnerabilities.

Change Controls

Prior to implementing code changes, our employees follow a documented change management process to assess the potential security and product impact of such changes.

We document all changes to our information systems as part of merge requests.

Off-Premise Information Security

We monitor and document the movement of records or media using Vanta, an automated security and compliance platform.
We have implemented strict password protection on all personal devices that access our systems.

Physical Security

We maintain restrictions on physical access to our offices and information systems through the implementation of strict access controls that are recorded in a digital registry.

ANNEX III
LIST OF SUB-PROCESSORS
Vendor Name | Address | Contact Person | Description | Server Location
Amazon Web Services (AWS) | 410 Terry Avenue North, Seattle, WA 98109 | N/A | Thena is hosted on AWS Cloud servers | United States
HubSpot | 25 First Street, 2nd Floor, Cambridge, MA 02141 | N/A | Sales tool used for customer relationship management | United States
Paragon | California | N/A | Embedded in-app integration | United States
MongoDB Atlas | MongoDB, Inc., 1633 Broadway, 38th Floor, New York, NY 10019 | N/A | Database for storing application metadata | United States
Heroku (Server Hosting) | Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, California, 94105 | Attn: VP, Worldwide Sales Operations, with a copy to Attn: General Counsel | Servers for processing | United States
Slack | California | N/A | Communication platform for teams and customers | United States
Zoom | California | N/A | Communication platform for teams and customers | United States
Linear | California | N/A | Product ticketing platform | United States
Segment | California | N/A | Data Platform | United States
Amplitude | California | N/A | Product Analytics | United States
Retool | California | N/A | Data Platform | United States