DATA PROCESSING ADDENDUM

Effective – May 15, 2024

This Data Processing Addendum including its Schedules, Appendix, and Annexes (the “DPA”) is attached to and forms part of the Appcast General Terms and Conditions governing the provision of services (the “Agreement”) between the Customer specified under the applicable Insertion Order and/or the Agreement (“Customer”) and Appcast, Inc. (“Appcast”). Customer and Appcast shall be collectively known as the “Parties” and each individually known as a “Party.” In the event of any express conflict between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict. The terms in this DPA shall have the meanings set forth in this DPA, however, capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

1.Definitions

1.1 For the purposes of this DPA, the following expressions bear the following meanings unless the contextotherwise requires:

“Applicable Laws” means all applicable laws, rules, regulations, directives, and governmentalrequirements currently in effect, or as they become effective, relating in any way to the privacy,confidentiality, or security of the Processing of Customer Personal Data (as defined below), includingbut not limited to the General Data Protection Regulation 2016/679 (the “GDPR”); the e-PrivacyDirective 2002/58/EC; the e-Privacy Regulation 2017/003 (once implemented); the Data ProtectionAct 2018 (the “UK GDPR”); the Swiss Federal Act on Data Protection (“FADP”); the CaliforniaConsumer Privacy Act (“CCPA”), together with any amending or replacement legislation, includingthe California Privacy Rights Act of 2020 and any regulations promulgated thereunder; and anyequivalent or similar laws, rules, regulations, directives, and governmental requirements in applicablejurisdictions, and any laws implementing, replacing or supplementing any of them, as amended,consolidated, extended, or replaced from time to time.

“Controller” means the entity that determines the purposes and means of the Processing of PersonalData.

Customer Personal Data” means any Personal Data Processed by Appcast or Appcast’s Sub-Processor, on behalf of Customer, pursuant to the express terms the Agreement, applicable statementof work, or any other authorization or documentation. For clarity, Customer Personal Data excludesany data or information that is not subject to any restrictions on use or disclosure, including AggregateData.

“Data Privacy Framework” means the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), the UK Extension to the EU-U.S. DPF (the “UK-U.S. Data Bridge”), and any equivalent or similar laws, rules, regulations, directives, and governmentalrequirements in applicable jurisdictions for the transfer of Personal Data to the U.S., and any lawsimplementing, replacing or supplementing any of them, as amended, consolidated, or replaced fromtime to time.

“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

“EU Standard Contractual Clauses” means the Standard Contractual Clauses incorporated byreference in Schedule I and forming part of this DPA pursuant to the Annex of CommissionImplementing Decision (EU) 2021/914 of 4 June 2021.

Personal Data” means information relating to an identified or identifiable natural person that isprotected by Applicable Laws, including such information that identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household. Under certain Applicable Laws, Personal Data may also be referred to a “Personal Information.”

Personnel” means Appcast’s employees, agents, and contractors. For the avoidance of doubt, Personnel shall not refer to Appcast’s Sub-Processors.

Process” means to perform any operation or set of operations on Customer Personal Data, whether or not by automatic means, including but not limited to, collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing, or destroying.

“Processor” means the entity that Processes Personal Data on behalf and at the instruction of the Controller.

Security Incident” means a breach of Appcast’s security which leads to the accidental or unlawful loss, destruction, disclosure of, or access to Customer Personal Data.

Services” means the services provided by Appcast to Customer, as further described in the Agreement and/or Insertion Order or other authorization or documentation.

Sub-Processor” means any subcontractor or vendor engaged by Appcast which Processes Customer Personal Data.

“Supervisory Authority” means an independent public authority which has jurisdiction over the Processing of Customer Personal Data.

2.Roles of the Parties and Processing

2.1 The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Controller or Business and, except in circumstances where Section 11.2 applies, Appcast is the Processor or Service Provider. Appcast will use Sub-Processors pursuant to the requirements set forth in Section 8 below.

2.2 The subject matter, nature, purpose, and duration of the Processing, as well as the types of data Processed and the Data Subjects, are set forth in Annex I to the EU Standard Contractual Clauses.

2.3 The Parties acknowledge and agree that neither Party has reason to believe that the other Party is unable to comply with the provisions of this DPA or otherwise that such Party is in violation of any Applicable Laws. For clarity, Appcast is not responsible for compliance with any Applicable Laws applicable to Customer or Customer’s industry that are not otherwise generally applicable to Appcast.

3.Appcast Obligations

3.1 Appcast shall Process Customer Personal Data only in accordance with instructions from Customer as contemplated in the Agreement, and upon other documented reasonable instructions provided by Customer, so long as such instructions are consistent with the Agreement and with Applicable Laws.

3.2 Appcast will promptly notify Customer if it believes that Customer’s instructions for Processing violate any Applicable Law. If this provision is invoked, Appcast is not liable to Customer under the Agreement for failure to perform until Customer provides Appcast with lawful instructions.

3.3 Appcast shall ensure that its Personnel who Process any Customer Personal Data are subject to appropriate legal confidentiality obligations.

3.4 Appcast shall implement the technical and organizational security measures appropriate to protect Customer Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of Processing as set forth in Section 9 herein and Annex II to the EU Standard Contractual Clauses. Appcast shall regularly monitor compliance with these measures.

3.5 Appcast shall notify Customer in writing without undue delay after becoming aware of a Security Incident, provide reporting about the nature of the Security Incident as it becomes available, and make reasonable efforts to identify the cause of such Security Incident and to assist, to the extent necessary and possible, with any remediation efforts. Customer shall reimburse Appcast for all costs and expenses to meet the obligations herein for any Security Incident caused by Customer.

3.6 Appcast shall, upon Customer’s request and at Customer’s option, delete or return (and certify such deletion or return in writing) all Customer Personal Data Processed pursuant to this DPA to Customer, unless Applicable Law requires storage of the Customer Personal Data, in which case Appcast shall continue to comply with the obligations under this DPA.

4.Customer Obligations

4.1 Customer shall in its use of the Services Process Customer Personal Data in accordance with the requirements of Applicable Laws, including any applicable requirement to provide notice to the Data Subjects of the use of Appcast as a Processor.

4.2 Customer is solely responsible for: i) complying with all transparency and lawfulness requirements under Applicable Laws for the collection and use of the Customer Personal Data, including obtaining necessary consents and authorizations, ii) ensuring Customer has the right to transfer, or provide access to, the Customer Personal Data to Appcast for Processing in accordance with the terms of the Agreement and this DPA, iii) honoring any opt-out rights and/or opt-out signals when required under Applicable Laws; and iv) ensuring that Customer’s instructions to Appcast regarding the Processing of Customer Personal Data comply with Applicable Laws.

4.3 Customer shall notify Appcast if it is unable to comply with the requirements herein.

5.Data Subjects

5.1 If a valid Data Subject rights request (“Data Subject Request”) specifically and exclusively related to Customer Personal Data is made directly to Appcast under Applicable Law, Appcast will promptly notify Customer of its receipt of such Data Subject Request and will advise the Data Subject to submit their request directly to Customer. Except as otherwise required by law, Customer will be solely responsible for responding substantively to any such Data Subject Requests or other communications involving Customer Personal Data. Notwithstanding the foregoing, Customer agrees that Appcast may provide Data Subjects with pertinent information about Customer including, without limitation, Customer’s identity; however, Customer shall be solely responsible for responding thereafter to any such Data Subject Requests.

5.2 Taking into account the nature of the Processing and the Customer Personal Data, Appcast shall assist Customer by implementing appropriate technical and organizational measures, insofar as possible, to assist Customer in responding to Data Subject rights requests under Applicable Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Appcast’s provision of such assistance.

6.International Transfers

6.1 To the extent Appcast transfers Customer Personal Data under this DPA from the European Union, the European Economic Area and/or their member states to countries which do not ensure an adequate level of data protection within the meaning of the Applicable Laws of the foregoing territories, Parties agree to the transfer of Customer Personal Data in accordance with the EU Standard Contractual Clauses incorporated by reference hereto in Schedule I, or in accordance with GDPR articles 44 to 49, or in accordance with any effective and applicable Data Privacy Framework.

6.2 To the extent Appcast transfers Customer Personal Data under this DPA from the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of the Applicable Law of the foregoing territory, Parties agree to the transfer of Customer Personal Data in accordance with the EU Standard Contractual Clauses, as amended by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, and incorporated by reference hereto in Schedule I, or in accordance with any effective applicable Data Privacy Framework.

6.3 To the extent Appcast transfers Customer Personal Data under this DPA from Switzerland to countries which do not ensure an adequate level of data protection within the meaning of the Applicable Law of the foregoing territory, Parties agree to the transfer of Customer Personal Data in accordance with the EU Standard Contractual Clauses, as amended by the Swiss Addendum to the EU Standard Contractual Clauses, and incorporated by reference hereto in Schedule I, or in accordance with any effective and applicable Data Privacy Framework.

6.4 In the event of any inconsistency or conflict between this DPA and the transfer mechanisms set forth in this Section 6, the EU Standard Contractual Clauses shall prevail as applicable and to the extent of such conflict.

7.Data Impact Assessments and Consultations

7.1 Upon Customer’s request and to the extent required of Appcast under Applicable Laws, Appcast shall provide Customer, at Customer’s reasonable expense, with the information and cooperation reasonably necessary for Customer to carry out a Data Protection Assessment related to Customer’s use of the Services, to the extent that Customer does not otherwise have access to the relevant information and that such information is reasonably available to Appcast. Appcast shall reasonably assist the Customer in the cooperation or prior consultation with the Supervisory Authority related to the obligations herein.

8.Sub-Processing

8.1 Customer acknowledges and agrees that Appcast may use Sub-Processors in connection with the provision of the Services. Appcast has entered into a contract with each Sub-Processor that includes data protection obligations no less protective than those in this DPA with respect to the protection of Customer Personal Data to the extent applicable to the nature of the Services provided by such Sub-Processor.

8.2 Appcast shall, to the extent required by applicable law, maintain an up-to-date list of Sub-Processors as detailed in Annex III.

8.3 Appcast shall inform Customer in writing of any intended changes concerning the addition or replacement of the Sub-Processors prior to the appointment of such Sub-Processor to process Customer Personal Data. Customer may object to any such proposed addition or replacement, provided that if Customer does not provide notice of such objection within thirty (30) business days of receipt of such notice then the Sub-Processor will be deemed accepted. If Customer reasonably objects, then the Parties will work in good faith to achieve a reasonable resolution. If none can be reached, then Appcast will, at its option i) not use the new Sub-Processor to Process Customer Personal Data, ii) suspend or terminate the Agreement without liability to either Party, excepting herefrom any fees due and owing up to the day of termination, or iii) permit Customer to suspend or terminate the Agreement without liability to either Party, excepting from any fees due and owing up to the day of termination.

8.4 In the event a Sub-Processor fails to fulfill its obligations, Appcast shall, to the extent required under Applicable Law, remain fully liable to Customer for the performance of that Sub-Processor’s obligations.

9.Security

Appcast has implemented and will maintain technical and organizational safeguards to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, disclosure, or access and to maintain the security, confidentiality, and integrity of Customer Personal Data as set forth below:

9.1 Maintaining a written information security program, including formal written policies for data protection and processing, all of which are reviewed and updated at least annually.

9.2 Assigning responsibility for information security and data protection and devoting adequate personnel resources to these efforts.

9.3 Requiring Personnel and Sub-Processors with access to the Customer Personal Data to enter into written confidentiality agreements.

9.4 Conducting training to make its Personnel with access to Customer Personal Data aware of information security risks and to enhance compliance with Appcast’s information security policies and data protection standards.

9.5 Maintaining data recovery measures and business continuity, disaster recovery and incident response plans.

9.6 Performing third party penetration testing annually.

9.7 Monitoring of systems and networks for suspicious activity.

9.8 Destroying data utilizing methods that render Customer Personal Data unreadable and unrecoverable; providing written certification of such data destruction in writing, if requested.

10.Audit

10.1 To the extent required under Applicable Law, and upon written request by the Customer and subject to the confidentiality obligations in the Agreement, Appcast shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA, and allow for audits, including inspections. Customer may conduct an audit or inspection not more than once in a calendar year, except any additional audits or inspections Customer is required to carry out by a Supervisory Authority and/or Applicable Law. If Customer elects to perform an audit or inspection of the procedures relevant to the protection of Customer Personal Data, Customer shall provide Appcast with thirty (30) days written notice and the Parties shall mutually agree on the scope, timing, and duration of the audit. Further, Customer shall reimburse Appcast a reasonable fee determined by Appcast and taking into account the time and resources expended by Appcast in complying with such request.

11.CCPA

11.1 Service Provider Terms. Where applicable, for the purposes of the CCPA, in relation to all Customer Personal Data disclosed or made available by Customer to Appcast pursuant to the Agreement which constitutes personal information as that term is defined under the CCPA, Customer is the business and, except in the event that Section 11.2 herein applies, Appcast shall act as a service provider for Customer, pursuant to which:

11.1.1 The Parties agree that all such Customer Personal Data is disclosed to Appcast in order for Appcast to provide talent acquisition and recruitment marketing Services and its use or sharing by Customer with Appcast is necessary to perform such purposes.

11.1.2 Appcast shall not sell, share, or otherwise disclose any Customer Personal Data to a third party in exchange for monetary or other valuable consideration.

11.1.3 Appcast shall not combine Customer Personal Data with Personal Data it receives from, or on behalf of, another person or persons, or that it processes as a Business, except as directed by Customer or expressly permitted by the CCPA.

11.1.4 Appcast shall not retain, use, or disclose any Customer Personal Data that it collected pursuant to the Agreement (i) for any business or commercial purpose other than for the business purpose(s) specified under the Agreement or as otherwise permitted by the CCPA; or (ii) outside the direct business relationship between Appcast and Customer, unless expressly permitted by the CCPA. Appcast shall be permitted to retain, use, or disclose Customer Personal Data for any other purpose permitted by the CCPA or implementing regulations for service providers.

11.1.5 Appcast shall notify Customer in the event it makes a determination that it can no longer meet its obligations under Applicable Laws. Upon such notification, the Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data and either Party may terminate the Agreement without liability to either Party, with the exception of any fees due and owing up to the date of termination.

11.2 Third Party Terms. For clarity, and notwithstanding anything to the contrary herein, it is understood that Appcast and/or Customer may, at times, be deemed to be a “Third Party” as defined under CCPA §1798.140(w).This Section 11.2 applies only when Customer Personal Information made availableunder the Agreement is (a) subject to the CCPA; and (b) Shared or Sold, as defined under the CCPA,including for cross-context behavioral advertising, either by Appcast to Customer, or by Customer toAppcast, in which case only those limitations and requirements that are specifically applicable to ThirdParties under CCPA shall apply. Specifically, a Party shall instead be required to comply with thefollowing obligations:

11.2.1 The receiving Party’s use of the Customer Personal Data is limited to those uses related to Appcast’s provision of talent acquisition and recruitment marketing Services, as identified in the Agreement, and its use or sharing by Customer as needed to perform such purposes;

11.2.2 The receiving Party shall comply with the same level of privacy protection as required of a business pursuant to the CCPA with respect to the Customer Personal Data;

11.2.3 The receiving Party grants the disclosing Party the right to take reasonable and appropriate steps to ensure that the receiving Party uses the Customer Personal Data in a manner consistent with this Agreement and Applicable Laws;

11.2.4 The receiving Party grants the disclosing Party the right, upon notice, to take reasonable and appropriate steps to stop and remediate the unauthorized use of Customer Personal Data made available to the receiving Party; and

11.2.5 The receiving Party shall notify the disclosing Party in the event it makes a determination that it can no longer meet its obligations under Applicable Laws with respect to the Customer Personal Data sold or shared. Upon such notification, either Party may terminate the Agreement without liability to either Party, with the exception of any fees due and owing to Appcast up to the date of termination.

11.3 The terms “business,” “business purpose,” “consumer,” “contractor,” “cross-context behavioral advertising,” “person,” “personal information,” “sell,” “service provider,” “share,” and “third party” shall have, for the purposes of Section 11, the meanings given to them in the CCPA.

12.Change in Applicable Laws

In the event of any change to or new Applicable Laws that mandate that Appcast or Customer execute contractual terms for the processing of Personal Data provided by a Party pursuant to this Agreement that are not already set forth in this Agreement, then Appcast shall inform Customer in writing (including, without limitation, by email) of such mandatory legal requirements, and such obligations shall be deemed incorporated into this Agreement and binding upon the parties as if set forth in this Agreement. In the event any state or federal law, rule, regulation, or enforcement action results in material changes to the Parties’ consumer data privacy obligations in the performance of this Agreement, the parties will work together in good faith to amend this Agreement to satisfy any resulting requirement.

SCHEDULE I

TRANSFER MECHANISMS

Application of Standard Contractual Clauses Incorporated by Reference

Where Customer Personal Data governed by the GDPR, UK GDPR, and/or FADP is transferred to a country that does not provide an adequate level of protection for personal data, and no other legal transfer mechanism applies to the transfer of Customer Personal Data, the Parties agree the following, as applicable:

EU Standard Contractual Clauses

In relation to Customer Personal Data that is protected by the GDPR, the EU Standard Contractual Clauses MODULE 2 Controller to Processor shall apply. The applicable Module is incorporated by reference and is completed as follows:

1)Clause 7, the optional docking clause does apply.

2)Clause 9(a), Option 2 will apply using the timeframes and processes set forth in Section 8 of this DPA.

3)Clause 11(a), the optional language will not apply.

4)Clause 17, Option 1 will apply: These Clauses shall be governed by the law of one of the EU MemberStates, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be thelaw of Ireland.

5)Clause 18(b): the Parties agree that those shall be the courts of Ireland; and

6)The Appendix of the EU Standard Contractual Clauses including Annexes I, II and III of the EU StandardContractual Clauses are attached below.

UK Addendum to the EU Standard Contractual Clauses as applicable

The Information Commissioner considers the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, VERSION B1.0, in force 21 March 2022 (the “UK Addendum”) provides appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR and, with respect to data transfers from controllers to processors and/or processors to processors. The required information in the UK Addendum is incorporated by reference and forms an integral part of this DPA. In relation to Customer Personal Data that is protected by the UK GDPR, the EU Standard Contractual Clauses will apply in accordance with paragraphs (1), (2), and (3), above, is incorporated herein, and shall be completed as follows:

1)The start date in Table 1 of the UK Addendum shall be the date that the Parties have executed this DPAand/or the Agreement. The selection of modules and optional clauses shall be as described in thisSchedule I, subject to any revisions or amendments required by the UK Addendum. All other informationrequired by Tables 1-3 is set forth in Annexes I, II, and III. For the purposes of Table 4, the parties agreethat the Importer may end the UK Addendum as set out in Section 19 of the UK Addendum.

2)Any references in the EU Standard Contractual Clauses to “Directive 95/46/EC” or “Regulation (EU)2016/679” shall be interpreted as references to the UK GDPR, references to “EU”, “Union” and “MemberState law” shall be interpreted as references to English law, and references to the “competent supervisoryauthority” and “competent courts” shall be interpreted as references to the relevant data protectionauthority and courts in England.

Swiss Addendum to the EU Standard Contractual Clauses Standard as applicable

In relation to Customer Personal Data that is protected by the FADP, the EU Standard Contractual Clauses will apply with the following modifications:

1)The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EUStandard Contractual Clauses shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to data transfers subject to the FADP.

2)The terms of the EU Standard Contractual Clauses shall be interpreted to protect the data of legal entitiesuntil the effective date of the Revised FADP.

3)Clause 13 of the EU Standard Contractual Clauses is modified to provide that the Federal Data Protectionand Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governedby the FADP and the appropriate EU supervisory authority shall have authority over data transfers governedby the GDPR. Subject to the foregoing, all other requirements of Section 13 shall be observed.

4)The term “EU Member State” as utilized in the EU Standard Contractual Clauses shall not be interpretedin such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place ofhabitual residence in accordance with Clause 18(c) of the EU Standard Contractual Clauses.

Alternative Data Transfer Mechanism

If an Alternative Data Transfer Mechanism applies to the transfer of Customer Personal Data, the Alternative Data Transfer Mechanism shall apply instead of any data transfer mechanism mentioned in this DPA only to the extent that it complies with Applicable Laws and extends to territories in which personal data is processed. An “Alternative Data Transfer Mechanism” means a mechanism, other than the EU Standard Contractual Clauses, that enables the lawful transfer of Customer Personal Data to a third country in accordance with Applicable Laws.

APPENDIX I

ANNEX I

A. LIST OF PARTIES

1. Data exporter(s): 

The data exporter’s name, address, contact person’s name, position and contact details: As listed in the Agreement

Activities relevant to the data transferred under these Clauses: As listed in the Agreement Role (controller/processor): Controller

2. Data importer(s):

Name: Appcast, Inc.
Address: 10 Water Street, Lebanon, NH 03766 USA
Contact person’s name, position and contact details: Associate Corporate Counsel, dpo@appcast.io

Activities relevant to the data transferred under these Clauses: As listed in the Agreement Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

End users including the data exporter’s employees, subcontractors, and agents; website visitors; job applicants.

Categories of personal data transferred

The personal data transferred may concern the following categories of data: personal identification and contact data (name, physical address, email address, and other identifying information); professional identification and contact data (job title, business email address, business phone number); personal data that may be contained in resumés or curricula vitae; system log data; and online identifiers.

Sensitive data transferred (if applicable)

No transfer of special categories of data is anticipated, except where provided by Customer for particular use cases. In the event Customer intends to transfer any special categories of data to Appcast that may be deemed sensitive data or sensitive information under Applicable Law, Customer shall provide written to notice to Appcast of the nature of such data, and such written notice shall, upon Appcast’s written approval of such transfer, be incorporated by reference into this Subpart B of Annex I.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

The personal data will be transferred on a continuous basis as necessary for the data importer to provide services to the data exporter.

Nature of the processing

Appcast will process personal data as necessary to provide the services pursuant to the Agreement, as further specified in the Agreement, and as further instructed by the data exporter in its use of the services.

Purpose(s) of the data transfer and further processing

Appcast will process personal data as necessary to provide the services pursuant to the Agreement, as further specified in the Agreement, and as further instructed by the data exporter in its use of the services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Subject to the deletion and return provisions as set forth in the Agreement, Appcast will process personal data for the duration of the Agreement, unless otherwise agreed upon in writing.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

To the extent applicable, sub-processors shall process personal data for the same subject matter, nature, and duration as the processor except as otherwise required under applicable laws.

C.COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

Supervisory Authority of the EU Member State as identified in Clause 13 of the EU Standard Contractual Clauses based on the Data Exporter’s place of establishment respective to the EU or, where not established in the EEA, where its EU representative has been appointed pursuant to Article 27(1) of the GDPR.

ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Certifications

Data Privacy Framework Program Certification

Appcast has self-certified and complies with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce and that it adheres to the DPF Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability.

Technical and Organizational Measures

Appcast has implemented technical and organizational controls to ensure an appropriate level of personal data protection, including the following measures:

  • Information security policies: Written policies and procedures, reviewed and updated at least annually, regarding information security, incident response, and data privacy.
  • Asset management: Appcast has identified its information assets; assigned appropriate responsibilities for ensuring protection of those assets, taking into account the nature of the data and its level of sensitivity; set retention schedules; and implemented measures to prevent the unauthorized disclosure, modification, removal, or destruction of data.
  • Access control: Appcast limits access to information based on role and uses security monitoring to ensure authorized user access and prevent unauthorized access to systems and information.
  • Information security controls: Appcast has implemented and maintains a mandatory password policy, enforced at the system-level; firewalls; patch management; annual penetration testing conducted by a third party.
  • Information security incident management: Appcast has clearly defined roles and responsibilities and written guidelines to reduce the impact of security incidents to the confidentiality, integrity, and availability of Appcast’s technology resources, services, and information; data is regularly backed up to ensure availability.
  • Human resources: Appcast employees have references and professional and educational background verified prior to employment. Further, all employees are required to sign confidentiality agreements and acceptable use policies, and all employees are trained to ensure they understand their roles and responsibilities. Employees may only access Appcast systems and information from Appcast-issued devices, which are encrypted and protected by mobile device management software that allows for remote wiping and activation locking.
  • Sub-processors: Appcast’s sub-processors are contractually obligated to implement technical and organisational measures and, where appropriate, to provide assistance to Appcast so that Appcast may assist the data exporter in fulfilling its data protection obligations.

SUPPLEMENTARY MEASURES

Appcast uses the following measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data:

  • Appcast encrypts data in transit and at rest.
  • Appcast does not have backdoors or similar programming to allow public authorities to access its personal data.
  • Appcast will notify the data exporter if Appcast is not or is no longer able to comply with the legal obligations and/or contractual commitments related to international transfers and as a result with the required standard of “essentially equivalent level of data protection.”
  • Appcast monitors legislative developments related to the protection of data in cross-border transfer. Appcast also regularly reviews its own policies to assess the appropriateness and effectiveness of supplementary measures and to identify and implement additional or alternative solutions when appropriate.

ANNEX III

LIST OF SUB-PROCESSORS

The Controller has provided general authorisation for the use of Sub-Processors, a list of which is to be made available to the Parties to this Agreement on request.

The list of Sub-Processors contains the following details in relation to each Sub-Processor:

Name:

Address:

Description of processing