This Data Processing Addendum (“DPA”) applies solely to the extent Chroma Processes Customer Personal Data on behalf of Customer to provide the Service to Customer. In the event of a conflict between this DPA and the Terms of Service with respect to the subject matter of the Terms of Service, this DPA will control to the extent of such conflict. In the event of a conflict in the meanings of defined terms in Data Protection Law, the meaning from the Data Protection Law applicable to the relevant jurisdiction of the Data Subject will apply to the extent of such conflict.
1. Definitions
Capitalized terms used but not defined in this DPA will have the meanings given to them in the Terms of Service. In this DPA:
- “Controller,” “Data Subject,” “Personal Data Breach,” “Processing,” and “Supervisory Authority” have the meaning given to them in Data Protection Law. “Data Subject” includes “Consumer” as that term is defined under U.S. Privacy Laws;
- “Customer Personal Data” means Personal Data Processed by Chroma as a Processor on behalf of Customer or Third-Party Controller pursuant to the Terms of Service;
- “Data Protection Law” means U.S. Privacy Laws, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area (“EEA”), including the European Union, and all other data protection laws of the EEA, the United Kingdom (“UK”) General Data Protection Regulation, the UK Data Protection Act 2018, and the Swiss Federal Act on Data Protection, to the extent applicable, and as may be amended or replaced from time to time, in each case as applicable to the Processing of Customer Data by Chroma to provide the Service to Customer;
- “Data Subject Rights” means Data Subjects' rights to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making in accordance with Data Protection Law;
- “International Data Transfer” means any disclosure of Customer Personal Data by an organization subject to Data Protection Law to another organization located outside the EEA, the UK, or Switzerland;
- “Personal Data” means Customer Data that constitutes “personal data,” “personal information,” or an equivalent term under applicable Data Protection Law;
- “Processor” means “Processor,” “Service Provider,” or “Contractor” as those terms are defined in Data Protection Law;
- “Sale” and “Selling” have the meaning defined in the U.S. Privacy Laws;
- “Share,” “Shared,” and “Sharing” have the meaning defined in the CCPA;
- “Subprocessor” means a Processor engaged by Chroma to Process Customer Personal Data;
- “SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as amended or replaced from time to time;
- “Third-Party Controller” means a Controller for which Customer is a Processor;
- “UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022); and
- “U.S. Privacy Laws” means all applicable laws and regulations, including, as applicable, laws and regulations of the United States, including without limitation, the California Consumer Privacy Act of 2018 and its amendments including the California Privacy Rights Act (collectively, the “CCPA”), Virginia's Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Oregon Consumer Privacy Act (“OCPA”), the Texas Data Privacy and Security Act (“TXDPSA”), the Montana Consumer Data Privacy Act (“MTCDPA”), the Iowa Consumer Data Protection Act (“IADPA”), the Delaware Personal Data Privacy Act (“DEPDPA”), the Nebraska Data Privacy Act (“NEDPA”), the New Hampshire Privacy Act (“NHPA”), the New Jersey Data Privacy Act (“NJDPA”), the Tennessee Information Privacy Act (“TIPA”), the Minnesota Consumer Data Privacy Act (“MNCDPA”), the Maryland Online Data Privacy Act (“MDODPA”), the Indiana Consumer Data Protection Act (“INCDPA”), the Kentucky Consumer Data Protection Act (“KYCDPA”), and the Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”).
2. Scope
- The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.
- Customer is a Controller and appoints Chroma as a Processor on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.
- If Customer is a Processor on behalf of a Third-Party Controller, then Customer: (a) is the single point of contact for Chroma; (b) must obtain all necessary authorizations from such Third-Party Controller; and (c) undertakes to issue all instructions and exercise all rights on behalf of such other Third-Party Controller.
- Customer acknowledges that Chroma may Process Personal Data relating to the operation, support, or use of the Service for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. Chroma is the Controller for such Processing.
- Chroma and Customer shall comply with the obligations of, and provide the level of privacy protection required by, Data Protection Law.
3. Instructions
- Chroma will Process Customer Personal Data to provide the Service and in accordance with Customer's documented instructions.
- Customer's instructions are documented in this DPA, the Terms of Service, and any applicable agreement between the parties.
- Chroma is prohibited from (a) Selling or Sharing Customer Personal Data; (b) retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific purpose documented in the Customer instructions; (c) retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between Customer and Chroma; and (d) combining Customer Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer, except as expressly permitted under applicable Data Protection Law.
- Chroma certifies that it understands the Processing restrictions set forth in this DPA and will comply with them.
- Unless prohibited by applicable law, Chroma will inform Customer if Chroma is subject to a legal obligation that requires Chroma to Process Customer Personal Data in contravention of Customer's documented instructions.
4. Personnel
- Chroma will take steps to ensure that all personnel authorized by Chroma to Process Customer Personal Data are subject to an obligation of confidentiality.
5. Security and Personal Data Breaches
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Chroma will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Annex II.
- Customer acknowledges that the security measures in Annex II are appropriate in relation to the risks associated with Customer's intended Processing and will notify Chroma prior to any intended Processing for which Chroma's security measures may not be appropriate.
- Chroma will notify Customer within seventy-two (72) hours after becoming aware of a Personal Data Breach involving Customer Personal Data. If Chroma's notification is delayed, it will be accompanied by reasons for the delay.
6. Subprocessing
- Customer hereby authorizes Chroma to engage Subprocessors. A list of Chroma's current Subprocessors is located at trychroma.com/subprocessors (the “Subprocessor List”).
- Chroma will enter into a written contract with Subprocessors which imposes obligations that are no less restrictive and at least equally protective of Customer Personal Data as this DPA.
- Chroma will provide Customer with fifteen (15) days prior notice to any intended change to Subprocessors by posting to the Subprocessor List. Customer is responsible for subscribing to and monitoring the Subprocessor List for such notifications. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within fifteen (15) days following Chroma's notification of the intended change. Customer and Chroma will work together in good faith to address Customer's objection. If, despite Customer's objection, Chroma chooses to retain the Subprocessor, either party may immediately discontinue providing or using the relevant parts of the Service, as applicable, and may terminate the relevant parts of the Service within fifteen (15) days.
7. Assistance
- Taking into account the nature of the Processing, and the information available to Chroma, Chroma will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfillment of Customer's own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
- Chroma may charge a reasonable fee for assistance under this Section 7 except where prohibited from doing so by Data Protection Laws.
- Upon receiving notice from Chroma that it is unable to comply with Data Protection Law or this DPA, Customer may direct Chroma to take reasonable and appropriate steps to stop and remediate unauthorized Processing of Customer Personal Data.
8. Audit
- Upon reasonable request, Chroma must make available to Customer information in Chroma's possession and control necessary to demonstrate Chroma's compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, to the extent mandated by a Supervisory Authority. The foregoing shall only extend to those documents and facilities relevant and material to the Processing of Customer Personal Data by Chroma and shall be conducted during normal business hours and in a manner that causes minimal disruption.
- As between Customer and Chroma, Customer will bear all the costs related to an audit pursuant to Section 8.1.
9. International Data Transfers
- Customer hereby authorizes Chroma to perform International Data Transfers to any country deemed to have an adequate level of data protection by the European Commission or the competent authorities, as appropriate; on the basis of adequate safeguards in accordance with Data Protection Law; or pursuant to the SCCs and the UK Addendum referred to in Section 9.2 and Section 9.3.
- By signing this DPA, Chroma and Customer conclude Module 2 (controller-to-processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module 3 (Processor-to-Subprocessor) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Chroma; the optional docking clause in Clause 7 is implemented; Option 2 of Clause 9(a) is implemented and the time period therein is specified in Section 6.3 above; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; and the courts in Clause 18(b) are the Courts of Dublin, Ireland. Annex I and Annex II to Modules 2 and 3 of the SCCs are Annex I and Annex II to this DPA respectively. For International Data Transfers from Switzerland, Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland.
- By signing this DPA, Chroma and Customer conclude the UK Addendum, which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (a) in Table 1, the “Exporter” is Customer and the “Importer” is Chroma, their details are set forth in this DPA, and the Terms of Service; (b) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 9.2 of this DPA; (c) in Table 3, Annexes 1 (A and B) and II to the “Approved EU SCCs” are Annex I and Annex II respectively; and (d) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
- If Chroma's compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Chroma's control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Customer and Chroma will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative standard contractual clauses or UK standard contractual clauses are approved by Supervisory Authorities, Chroma reserves the right to amend this DPA by adding to or replacing, the standard contractual clauses or UK standard contractual clauses that form part of it at the date of signature in order to ensure continued compliance with Data Protection Law.
10. Notifications
- Customer will send all notifications, requests and instructions under this DPA to Chroma via email to privacy@trychroma.com.
- Chroma will send all notifications under this DPA to the email Customer provided when registering for the Service.
11. Liability
- Where Chroma has paid compensation, damages or fines, Chroma is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer's part of responsibility for the compensation, damages or fines.
12. Termination and Return or Deletion
- This DPA is terminated upon the termination of the Terms of Service or other agreement between the parties.
- Customer may request return of Customer Personal Data up to ninety (90) days after termination of the Terms of Service. Unless required or permitted by applicable law, Chroma will delete all remaining copies of Customer Personal Data within one hundred eighty (180) days after returning Customer Personal Data to Customer.
13. Invalidity and Severability
- If any provision of this DPA is found by any court or administrative body of a competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
Annex I — Description of the Transfer
1. List of Parties
Data exporter:
- Name: Customer (as defined above)
- Role: Controller, or Processor on behalf of Third-Party Controller.
- Activities: Customer receives Chroma's services as described in the Terms of Service and Customer provides Customer Personal Data to Chroma in that context.
Data importer:
- Name: Chroma (as defined above)
- Role: Processor on behalf of Customer or Subprocessor on behalf of Third-Party Controller.
- Activities: Chroma provides its services to Customer as described in the Terms of Service and Processes Customer Personal Data on behalf of Customer in that context.
2. Description of International Data Transfer
- Categories of Customer Personal Data: The data Customer uploads into the Service
- Frequency: On a continuous basis
- Nature of the processing: Customer Personal Data will be processed and transferred as described in the Terms of Service.
- Purpose: Customer Personal Data will be transferred and further processed for the provision of the Service as described in the Terms of Service.
- Retention: Customer Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws.
3. Competent Supervisory Authority
- EEA: The Supervisory Authority of Customer's country of establishment, or where not applicable, of the country where Customer's EU data protection representative is located, or of one of the EEA countries where the Data Subjects are located.
- UK: The UK Information Commissioner.
- Switzerland: The Swiss Federal Data Protection and Information Commissioner.
Annex II — Technical and Organizational Measures
Chroma and Customer will, at a minimum, implement the types of security measures described below.
1. Physical Access Control
Technical and organizational measures designed to prevent unauthorized persons from gaining access to the premises and facilities where Customer Data is Processed, such as:
- Establishing security areas, restriction of access paths
- Establishing access authorizations for employees and third parties
- Access control system (ID reader, magnetic card, chip card)
- Key management, card-keys procedures
- Door locking (electric door openers, etc.)
- Security staff, janitors
- Surveillance facilities, video/CCTV monitor, alarm system
- Securing decentralized data processing equipment and personal computers
2. Virtual Access Control
Technical and organizational measures designed to prevent systems used to Process Customer Data from being used by unauthorized persons, such as:
- User identification and authentication procedures
- ID/password security procedures (special characters, minimum length, change of password)
- Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous password attempts
- Encryption of archived data media
3. Data Access Control
Technical and organizational measures designed to ensure confidentiality and that persons entitled to use a data processing system gain access only to such Customer Data in accordance with their access rights, such as:
- Internal policies and procedures
- Control authorization schemes
- Default configuration
- Differentiated access rights (profiles, roles, transactions, and objects)
- Monitoring and logging of access
- Disciplinary action against employees who access Customer Data without authorization
- Reports of access
- Access procedure
- Change procedure
- Deletion procedure
- Encryption
4. Disclosure Control
Technical and organizational measures designed to ensure that Customer Data cannot be read, copied, modified, or deleted without authorization during electronic transmission, transport, or storage, such as:
- Encryption/pseudonymization/tunneling
- Logging
- Transport security
5. Entry Control
Technical and organizational measures designed to monitor whether Customer Data has been entered, changed, or removed (deleted), and by whom, such as:
- Logging and reporting systems
- Audit trails and documentation
6. Control of Instructions
Technical and organizational measures designed to ensure that Customer Data is Processed solely in accordance with the instructions of the Customer, such as:
- Unambiguous wording of the contract
- Formal commissioning (request form)
- Criteria for selecting the Processor
7. Availability Control
Technical and organizational measures designed to ensure the integrity, availability and resilience of the Processing systems, and that Customer Data is protected against accidental destruction or loss, such as:
- Backup procedures
- Mirroring of hard disks (e.g. RAID technology)
- Uninterruptible power supply (UPS)
- Remote storage
- Antivirus/firewall systems
- Disaster recovery plan, in the event of a physical or technical incident
8. Separation Control
Technical and organizational measures designed to ensure that Customer Data collected for different purposes can be Processed separately, such as:
- Separation of databases
- “Internal client” concept / limitation of use
- Segregation of functions (production/testing)
- Procedures for storage, amendment, deletion, transmission of data for different purposes
9. Testing Controls
Technical and organizational measures to test, assess, and evaluate the effectiveness of the technical and organizational measures implemented, such as:
- Periodic review and testing of disaster recovery plan
- Testing and evaluation of software updates before they are installed
- Authenticated (with elevated rights) vulnerability scanning
- Test bed for specific penetration tests and red team attacks
10. IT Governance
Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with compliance efforts, such as:
- Certification/assurance of processes and products
- Processes for data minimization
- Processes for data quality
- Processes for limited data retention
- Processes for ensuring accountability
- Data subject rights policies
Annex III — List of Subprocessors
Customer authorizes Chroma to engage the Subprocessors listed at trychroma.com/subprocessors.