GDPR

PARKOURSC, INC.

PLATFORM LICENSE AGREEMENT

PERSONAL DATA PROCESSING AND SECURITY

(If Required Under the Agreement)

1. Definitions

1.1. The terms below have the following definitions:

a. “Agreement” means the Platform License Agreement entered into by Customer and Parkoursc, Inc.

“Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in the GDPR;

b. “Customer Personal Data” means any Customer Data that constitutes Personal Data, the Processing of which is subject to Data Protection Law, for which Customer or Customer’s customers are the Controller, and which is Processed by Parkoursc to provide the Software;

c. “Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), and their national implementations in the European Economic Area (“EEA”), Switzerland,  the United Kingdom (including the UK GDPR and the Data Protection Act 2018), Canada, and California, each as applicable, and as may be amended or replaced from time to time;

d. “Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making in accordance with Data Protection Law, as applicable;

e. “International Data Transfer” means any transfer of Customer Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom;

f. “Subprocessor” means a Processor engaged by Parkoursc to Process Customer Personal Data;

g. “Standard Contractual Clauses” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (OJ L 199, 7.6.2021, p. 31-61), as amended or replaced from time to time;

h. “UK Addendum” means the addendum to the Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).

1.2. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.

2. Scope and applicability

2.1. These terms prevail over any conflicting term of the Agreement but does not otherwise modify the Agreement.

2.2. These terms apply to Processing of Customer Personal Data by Parkoursc to provide the Software.

2.3. The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in the Agreement and in Appendix 1 to this section.

2.4. Customer is a Controller and appoints Parkoursc as a Processor on behalf of Customer. To the extent that Data Protection Law is applicable, Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.

2.5. To the extent that  Data Protection Law is applicable, if Customer is a Processor on behalf of other Controller(s), then Customer: is the single point of contact for Parkoursc; must obtain all necessary authorizations from such other Controller(s); undertakes to issue all instructions and exercise all rights on behalf of such other Controller(s); and is responsible for compliance with the requirements of Data Protection Law applicable to Processors.

2.6. Customer acknowledges that Parkoursc may Process Personal Data relating to the operation, support, or use of the Software solely to support Customer’s use of the Software, including for  billing, account management, data analysis, benchmarking, technical support, and product development. Parkoursc is the Controller for such Processing and will Process such data in accordance with Data Protection Law.

2.7. Instructions

2.8. Parkoursc will Process Customer Personal Data to provide the Software and in accordance with Customer’s documented instructions.

2.9. Parkoursc’s instructions are documented in this section, the Agreement, and any applicable SOW or Order.

2.10. Customer may reasonably issue additional instructions as necessary to comply with Data Protection Law.

2.11. Unless prohibited by applicable law, Parkoursc will inform Customer if Parkoursc is subject to a legal obligation that requires Parkoursc to Process Customer Personal Data in contravention of Customer’s documented instructions

3. Personnel

3.1. Parkoursc will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.

4. Security and Personal Data Breaches

4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Parkoursc will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Appendix 2.

4.2. Parkoursc will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Parkoursc’s notification is delayed, it will be accompanied by reasons for the delay.

5. Subprocessing

5.1. Customer hereby authorizes Parkoursc to engage Subprocessors. A list of Parkoursc’s current Subprocessors is included in Appendix 3.

5.2. Parkoursc will enter into a written agreement with Subprocessors which imposes the same obligations as required by Data Protection Law.

5.3. Parkoursc will inform Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Parkoursc’s notification of the intended change. Customer and Parkoursc will work together in good faith to address Customer’s objection. If Parkoursc chooses to retain the Subprocessor, Parkoursc will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and Customer may immediately discontinue using the relevant parts of the Software and may terminate the relevant parts of the Software within thirty (30) days.

6. Assistance

6.1. Taking into account the nature of the Processing, and the information available to Parkoursc, Only upon Customer request, Parkoursc will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Customer’s own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights, and notify Customer upon such requests; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.

6.2. Parkoursc will maintain records of Processing of Customer Personal Data in accordance with Data Protection Law.

6.3. Parkoursc may charge a reasonable fee for assistance under this Section 6. If Parkoursc is at fault, Parkoursc and Customer shall each bear their own costs related to assistance.

7. Audit

7.1. Parkoursc must make available to Customer all information necessary to demonstrate compliance with the obligations of this section and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested by Customer and performed by an independent auditor as agreed upon by Customer and Parkoursc.

7.2. Parkoursc will inform Customer if Parkoursc believes that Customer’s instruction under Section 7.1 infringes Data Protection Law. Parkoursc may suspend the audit or inspection or withhold requested information until Parkoursc has modified or confirmed the lawfulness of the instructions in writing.

7.3. Parkoursc and Customer each bear their own costs related to an audit.

8. International Data Transfers

8.1. If international data transfers are required under the Agreement, Customer hereby authorizes Parkoursc to perform International Data Transfers to any country deemed adequate by the EU Commission or the United Kingdom; on the basis of appropriate safeguards in accordance with Data Protection Law; or pursuant to the Standard Contractual Clauses referred to in Section 8.2.

8.2. By signing these terms or Agreement, Customer and Parkoursc conclude Module 2 (Controller-to-Processor) of the Standard Contractual Clauses, which is hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Parkoursc; the optional docking clause in Clause 7 is implemented; Clause 9(a) option 1 is implemented and the time period therein is set at thirty (30) days; the optional redress clause in Clause 11(a) is struck; Clause 17 option 1 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Ireland; Annex I, II and III to the Standard Contractual Clauses are Appendix 1, 2 and 3 to this section respectively.

8.3. By signing these terms or Agreement, Customer and Parkoursc conclude the UK Addendum which is hereby incorporated and applies to International Data Transfers out of the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Parkoursc, their details are set forth in this section and the Agreement ; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the Standard Contractual Clauses referred to in Section 8.2 of this section; (iii) in Table 3, Annexes 1 (A and B), II, and III to the “Approved EU SCCs” are Appendix 1, 2, and 3 to this DPA respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.

8.4. If Parkoursc’s compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Parkoursc’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Customer and Parkoursc will work together in good faith to reasonably resolve such non-compliance.

9. Notifications

9.1. Customer will send all notifications, requests and instructions under this section to Parkoursc’s Chief Financial Officer / Finance and Legal Department via email to sgorton@Parkoursc.io.

10. Termination and return or deletion

10.1. This section is terminated upon the termination of the Agreement.

10.2. Customer may request return of Customer Personal Data up to thirty (60) days after termination of the Agreement. Unless required or permitted by applicable law, Parkoursc will delete all remaining copies of Customer Personal Data within one hundred eighty (180) days after returning Customer Personal Data to Customer.

APPENDIX 1

 DESCRIPTION OF THE TRANSFER

(If Required Under the Agreement)

A. LIST OF PARTIES

Data exporter:

• Name: Customer (as defined above)
• Address: See signature page above.
• Contact person’s name, position, and contact details: See signature page above.
• Activities relevant to the data transferred under these Clauses: Customer receives Parkoursc’s services as described in the Agreement and Parkoursc Processes Personal Data on behalf of Customer in that context.
• Signature and date: See signature page above.
• Role (controller/processor): Controller

Data importer:

• Name: Parkoursc (as defined above)
• Address: See signature page above.
• Contact person’s name, position and contact details: See signature page above.
• Activities relevant to the data transferred under these Clauses: Parkoursc provides its services to Customer as described in the Agreement and Processes Personal Data on behalf of Customer in that context.
• Signature and date: See signature page above.
• Role (controller/processor): Processor on behalf of Customer

B. DESCRIPTION OF INTERNATIONAL DATA TRANSFER

• If international data transfers are required under the Agreement, Categories of Data Subjects whose Personal Data is transferred:

• Categories of Personal Data transferred:

• Sensitive Data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

• The frequency of the International Data Transfer (e.g. whether the Personal Data is transferred on a one-off or continuous basis): On a continuous basis.
• Nature of the processing: The Personal Data will be processed and transferred as described in the Agreement. Collect and analyze real-time data about Customer’s assets and employees for purposes such as minimizing waste, anticipating failures, managing distribution, and ensuring compliance
• Purpose(s) of the International Data Transfer and further Processing: The Personal Data will be transferred and further processed for the provision of the services as described in the Agreement.
• The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law. 
• For International Data Transfer to (Sub)Processors, also specify subject matter, nature and duration of the Processing: For the subject matter and nature of the Processing, reference is made to the Agreement and this section. The Processing will take place for the duration of the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

• The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority of Ireland.
• The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.

APPENDIX 2

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Parkoursc will, at a minimum, implement the following types of security measures:

1. Physical access control

Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are Processed, include:

• Establishing security areas, restriction of access paths;
• Establishing access authorizations for employees and third parties;
• Access control system (ID reader, magnetic card, chip card);
• Key management, card-keys procedures;
• Door locking (electric door openers etc.);
• Security staff, janitors;
• Surveillance facilities, video/CCTV monitor, alarm system; and
• Securing decentralized data processing equipment and personal computers.
  
  

2. Virtual access control

Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:

• User identification and authentication procedures;
• ID/password security procedures (special characters, minimum length, change of password);
• Automatic blocking (eg. password or timeout);
• Creation of one master record per user, user-master data procedures per data processing environment; and
• Encryption of archived data media.
  
  

3. Data access control

Technical and organizational measures to ensure confidentiality and that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include:

• Internal policies and procedures;
• Control authorization schemes;
• Default configuration;
• Differentiated access rights (profiles, roles, transactions and objects);
• Monitoring and logging of accesses;
• Disciplinary action against employees who access Personal Data without authorization;
• Reports of access;
• Access procedure;
• Change procedure;
• Deletion procedure; and
• Encryption.

4. Disclosure control

Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include:

• Encryption/Pseudonymization/tunneling;
• Logging; and
• Transport

5. Entry control

Technical and organizational measures to monitor whether Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:

• Logging and reporting systems; and
• Audit trails and documentation.
  
  

6. Control of instructions

Technical and organizational measures to ensure that Personal Data are Processed solely in accordance with the instructions of the Controller include:

• Unambiguous wording of the contract;
• Formal commissioning (request form); and
• Criteria for selecting the Processor.
  
  

7. Availability control

Technical and organizational measures to ensure the integrity, availability and resilience of the processing systems, and that Personal Data are protected against accidental destruction or loss (physical/logical) include:

• Backup procedures;
• Uninterruptible power supply (UPS);
• Remote storage;
• Anti-virus/firewall systems; and
• Disaster recovery plan, in the event of a physical or technical incident
  
  

8. Separation control

Technical and organizational measures to ensure that Personal Data collected for different purposes can be Processed separately include:

• Separation of databases;
• “Internal client” concept / limitation of use;
• Segregation of functions (production/testing); and
• Procedures for storage, amendment, deletion, transmission of data for different purposes.

9. Testing controls

Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the processing include:

• Periodical review and test of disaster recovery plan;
• Testing and evaluation of software updates before they are installed;
• Authenticated (with elevated rights) vulnerability scanning; and
• Test bed for specific penetration tests and Red Team attacks.

10. IT governance

Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts include:

• Certification/assurance of processes and products;
• Processes for data minimization;
• Processes for data quality;
• Processes for limited data retention;
• Processes for ensuring accountability; and
• Data subject rights policies.

The measures in this Appendix apply to all transfers described in this section.

APPENDIX 3

LIST OF SUBPROCESSORS

Customer authorizes Parkoursc to engage the following Subprocessors: