Exhibit C: SCLogic Data Processing Addendum (“DPA”) U.S. Clients

Definitions

Controller: The natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Subscriber: The individual or entity that has entered into the Agreement and agreed to the incorporation of this DPA into the Agreement.

Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Data Protection Laws: The data protection or privacy laws of any country or state regarding the Processing of Personal Data.

Data Subject: An identified or identifiable natural person.

Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’).

Processing: Any operation or set of operations performed on personal data, whether or not by automated means. This can include collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

Processor: A natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the controller.

Sub Processor: Any processor engaged by the main processor for carrying out specific processing activities on behalf of the controller.

Supervisory Authority: An independent, competent public authority established or recognized under Data Protection Laws.

Introduction

Purpose of the DPA

This Data Processing Addendum (“DPA”) is an integral part of the agreement between SCLogic, LLC (“SCLogic”) and Subscriber that governs the Subscriber’s usage and access to SCLogic’s Services (“Agreement”). Any capitalized terms not explicitly defined in this DPA shall have the meaning given in the Agreement.

Roles of parties involved

Subscriber and SCLogic agree that Subscriber is a Controller and SCLogic is a Processor. Each party is solely responsible for its compliance with applicable Data Protection Laws and fulfilling any related obligations to third parties, Data Subjects, and Supervisory Authorities.

Subscriber as the Controller
  • Subscriber is exclusively responsible for the accuracy of Personal Data and the legality of the methods it uses to obtain, disclose, and process Personal Data.
  • Subscriber’s instructions for processing Personal Data will adhere to Data Protection Laws and will be appropriately authorized, ensuring all necessary rights, permissions, and consents have been obtained.
SCLogic as the Processor
  • SCLogic will process Personal Data only as instructed by Subscriber in writing or as initiated by authorized users via an SCLogic online service.
  • SCLogic will process Personal Data only as necessary to provide the Services and prevent or address technical problems with an SCLogic online service.
  • SCLogic will process Personal Data as required by applicable law. SCLogic agrees to immediately inform Subscriber if SCLogic believes that any instruction to process Personal Data violates or would violate Data Protection Laws.

Scope and Purpose of Processing

Description of the data being processed

The data processed on behalf of the Subscriber is internal directory-type data to enable routing and delivery of items and services to the correct recipient(s). At minimum, the processed data elements may include name, department, delivery address, telephone number, and email address (for email notifications). The types of Personal Data and categories of Data Subject about whom the Personal Data relates are determined and controlled solely by the Subscriber. The processing of sensitive data elements is not necessary for the successful operation of SCLogic services.

The purpose and duration of the data processing

Processing of Personal Data by SCLogic is reasonably required to facilitate or support the provision of Services as described under the Agreement and this DPA. This Data Processing is integral to the provision of SCLogic’s services and will continue as long as the Agreement between Subscriber and SCLogic is in effect. SCLogic undertakes not to use Personal Data for any purposes other than those specified in the Agreement.

Data retention and deletion procedures

Upon the termination of the Agreement, SCLogic commits to either securely delete or return the Subscriber’s data, as per the Subscriber’s specified choice. It’s important to note that the Subscriber’s data will be preserved for a duration not exceeding 90 days following the cessation of the Agreement.

Obligations of the Processor

Compliance with all applicable laws

The Processor shall comply with all applicable data protection laws, regulations, and guidelines that govern the processing of Personal Data. This includes, but is not limited to, the General Data Protection Regulation (GDPR) in the European Union and any relevant national or regional data protection laws.

Procedures for reporting data breaches

In the event of a Data Breach, the Processor shall promptly notify the Controller without undue delay. The notification shall include all relevant details of the breach, including the nature of the incident, the types of personal data involved, the likely consequences, and any measures taken or proposed to address the breach. The Processor shall cooperate with the Controller and assist in fulfilling any obligations to notify the relevant supervisory authority or affected individuals, as required by applicable laws.

Assistance to the Controller in fulfilling individual rights requests

The Processor shall provide reasonable assistance to the Controller in responding to requests from data subjects to exercise their rights under applicable data protection laws. This may include, but is not limited to, assisting the Controller in fulfilling requests for access, rectification, erasure, restriction of processing, data portability, or objections to processing.

Data security incident response procedures

SCLogic shall maintain documented incident response procedures to respond to data security incidents effectively and promptly. These procedures will include the identification and assessment of incidents, containment and mitigation measures, notification to the relevant parties, investigation and remediation of the incident, and any necessary actions to prevent similar incidents in the future. SCLogic shall regularly test and review these procedures to ensure their effectiveness and make any necessary improvements.

Sub Processors

SCLogic may engage Sub Processors to process personal data on the Controller’s behalf. Sub Processors may be engaged to assist with hosting, infrastructure, service, or support.

Conditions for engaging Sub Processors

SCLogic will carry out appropriate due diligence on each Sub Processor. A written agreement shall be established with each Sub Processor which includes provisions for processing personal data that are at least as protective as those set forth in this DPA.

SCLogic’s Sub Processors

SCLogic maintains a current list of Sub Processors in the SCLogic Trust Center: https://trust.sclogic.com/. This Sub Processor list may be updated from time to time in accordance with this DPA. The Controller authorizes SCLogic to use any identified Sub Processors subject to the terms and conditions of this DPA.

Technical and Organizational Security Measures

Implementation of appropriate security measures

The Processor shall implement appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures shall be designed to ensure a level of security appropriate to the risks presented by the processing and the nature of the Personal Data.
SCLogic maintains a current list of technical and organizational security measures in the SCLogic Trust Center: https://trust.sclogic.com/.

Audit Rights

Audit and Reporting

SCLogic shall conduct annual audits to verify the adequacy of its security measures and controls (“Audit”). The Audit shall be carried out by independent third-party security professionals selected by SCLogic and at SCLogic’s expense.

SCLogic annual audits shall include testing the security measures and controls of the online Services, in accordance with AICPA SOC 2 standards or other equivalent standards. The results of the Audit shall generate at least a SOC 2 report or its substantive equivalent. Additionally, penetration testing of the online Services shall be conducted, resulting in the generation of a penetration test report executive summary.

The reports generated from the Audit shall be provided to the Subscriber upon written request, subject to the confidentiality obligations of the Agreement or a mutually agreed non-disclosure agreement. Each report will specifically discuss the online Services that were commercially available at the time the report was issued. Any subsequently released Services that are covered by a report will be included in the next annual iteration of that report.

Subscriber Audit

Upon the Subscriber’s written request, SCLogic shall provide reasonable assistance to the Subscriber with respect to data protection impact assessments and consultations with Supervisory Authorities, taking into account the nature of SCLogic’s Processing activities and the information available to SCLogic. If the Subscriber requires additional information for compliance with Data Protection Laws beyond the aforementioned reports, and is unable to access such information independently, the Subscriber may request an Audit, subject to the following conditions:

  • Subscriber shall be responsible for any expenses incurred by or related to the Subscriber-requested Audit.
  • The Subscriber shall provide SCLogic with reasonable advance notice, including the identity of the auditor and the anticipated date and scope of the Audit.
  • SCLogic shall approve the auditor by providing notice to the Subscriber. Such approval shall not be unreasonably withheld.
  • The Subscriber and the auditor shall take measures to prevent any damage, injury, or disruption to SCLogic’s premises, equipment, or business during the course of the Audit.
  • The Subscriber shall initiate only one Audit in any calendar year, unless otherwise required by a Supervisory Authority.

Data Transfers

The parties acknowledge and agree that the Processing of Subscriber Personal Data by SCLogic may involve an international transfer of Subscriber Personal Data to SCLogic. Subscriber acknowledges that SCLogic’s primary processing activities are conducted in the United States.

SCLogic is committed to providing the necessary safeguards for these transfers in compliance with Data Protection Laws. This includes adhering to Standard Contractual Clauses approved by relevant authorities and implementing robust technical and organizational security measures. These measures are designed to safeguard Subscriber Personal Data against unauthorized access or breaches, ensuring ongoing confidentiality, integrity, and resilience of the data processing systems.

Further details regarding these security measures can be accessed from the SCLogic Trust Center: https://trust.sclogic.com/.

This data transfer provision, including all implemented measures, will be periodically reviewed to ensure continued compliance with evolving Data Protection Laws.

Data Subjects’ Rights

Procedure to handle data subjects’ requests

SCLogic will provide Subscriber access to Subscriber Personal Data via the online Services to allow Subscriber to respond to Data Subject requests.

Validated Data Subject requests for data deletion should be sent to [email protected] for prompt resolution.

Cooperation between controller and processor in fulfilling these rights

SCLogic will notify the Subscriber without undue delay, and in any event within 10 business days, following receipt and verification of any request received directly from a Data Subject relating to Personal Data controlled by the Subscriber. SCLogic may only respond directly to a Data Subject:

  1. To verify that such request relates to Subscriber
  2. With written consent of Subscriber
  3. As required by applicable law

Except as provided herein, SCLogic has no intention of responding to or fulfilling any Data Subject requests.

At Subscriber’s written request and to the extent Subscriber is unable to access Subscriber Personal Data on its own, SCLogic will provide reasonable assistance to Subscriber in accessing Subscriber Personal Data for Subscriber to respond to such Data Subject requests. To the extent legally permitted, Subscriber will be responsible for any expenses attributable to SCLogic’s assistance efforts outside the normal course of business.

Breach Notification

SCLogic will notify the Controller in writing without undue delay, and within 72 hours of becoming aware of a Data Breach.

SCLogic will investigate and, as necessary, mitigate or remediate a Data Breach in accordance with SCLogic’s security incident response policies, procedures, and plans.

Subject to SCLogic’s legal obligations, SCLogic will provide the Controller with relevant Data Breach information that is in SCLogic’s possession resulting from its response measures. This information may encompass details regarding the incident’s nature, any known specific information disclosed, and pertinent mitigation or remediation efforts. The purpose of providing this Breach Information is to assist the Controller in fulfilling its obligations under Data Protection Laws following a Data Breach.

SCLogic Technical and Organizational Security Measures

Role-Based Access Management (Principle of Least Privilege)

Level 1 – Administrator Access to Microsoft Azure Web Portal

  • Primary Responsibilities – Manage users, Define Resources
  • User Abilities – Full control of user accounts and all resources. Move or restore resources in disaster recovery situations
  • Restricted to – Select SCLogic Senior Technical Managers

Level 2 – Limited User Access to Microsoft Azure Web Portal

  • Primary Responsibilities – Configuring or modifying customer resources.
  • User Abilities – Access customer Web App settings, Import, modify, or delete customer data on Azure SQL
  • Restricted to – SCLogic Senior Technical Managers, select Senior Support Staff. SQL credentials are single-use, time-limited.

Level 3 – Azure SQL Read-Only Users

  • Primary responsibilities – Troubleshoot customer Azure DBs.
  • User Abilities – Limited to SQL read-only queries.
  • Restricted to – SQL-trained Intra support staff. SQL credentials are single-use, time-limited.

Event Monitoring and Alerting

Azure Security Information and Event Management (SIEM)
  • Web Apps Monitoring
  • Azure SQL Performance Event Monitoring
  • Network Response Monitoring
Cloudflare™ Security Network
  • Advanced Reverse Proxy helps reduce the public footprint of SCLogic Web App Sites
  • Cloudflare network security layer helps reduce the risk of DDoS and SQL Injection attacks on protected SCLogic Web Apps
  • Fast DNS updates for seamless Web App migrations

SCLogic Network Protection

SCLogic Organizational Security
  • Mandatory Employee Security Education & Awareness Training
  • 24/7 Monitoring and Incident Response
  • Vendor Risk Management
  • Internal Audits performed in conjunction with Third-party MSSP
  • Risk Assessments performed in conjunction with Third-party MSSP
  • SOC 2 Report Available
SCLogic Network Protection
  • Firewalls
  • Intrusion Detection Software (IDS)
  • File Integrity Monitoring (FIM)
  • Centrally Managed Antivirus/Antimalware
  • Centrally Managed Patching
  • Enforced Multi-factor Authentication (MFA)
    • All Employees and Privileged Accounts
  • VLANs
SCLogic Customer Data Protection
  • Logical Tenant Separation
  • Encryption In-Transit (TLS 1.2, TLS 1.3)
  • Encryption At-Rest (AES-256)
SCLogic Security Testing
  • Internal Vulnerability Scanning: Every 4 hours
  • External Security Testing: Weekly
    • Penetration Testing
    • Vulnerability Scanning
  • Static Application Security Testing: Every 2 hours

Monitoring

Database Stress

  • Excessive IO percentages
  • Excessive CPU percentages
  • Excessive deadlocks

Web App Stress

  • High Web App Memory Use
  • Excessive CPU percentages
  • High Disk Queue Length

Security Events

  • Unusual SQL Login events

Network Stress

  • Heartbeat monitoring of Web App availability

Azure Access Security

Microsoft Azure Portal Authentication and Password Policies
  Account requirements for accessing SCLogic’s Azure hosted services include:
  • Two-factor authentication using best-in-class authentication apps.
  • Application of Conditional Access Policies.
  • User passwords must meet Microsoft’s Strong Password requirements.

Data Backup, Retention, Retrieval, & Disposal

Data Backup
  • All customer databases are protected by the Azure Point-in-Time restore service.
  • SCLogic conducts full monthly database backups. These provide extra restoration coverage to the Point-in-Time service.
Data Retention & Archiving
  • All transactions going back 4 weeks are retained for Point-in-Time restoration of databases.
  • The last 4 full monthly database backups are retained for all databases.
  • Databases store up to 3 years/1 million items/5 million item history records, whichever comes first. Beyond that, data may be archived and become unavailable for searching.
Data Retrieval & Disposal
  • Customer databases will be securely deleted 90 days after contract expiration. Upon request, SCLogic will provide up to 3 years of the client’s database backup as by-year CSV file(s) and/or a SQL BACPAC file. Data retrieval requests must be received by [email protected] prior to the end of the 90-day post-contract retention period.
  • Azure follows strict industry standards that call for overwriting storage resources before reuse, as well as physically disposing of decommissioned hardware.

Resources for Recovery

Backups and Stored Configurations
  • Full database backups are performed weekly, differential backups occur every 12-24 hours, and transaction log backups every 5 to 10 minutes.
  • Monthly full database backups are available for recovery scenarios beyond Point-in-Time restore limits.
  • Stored copies of all customer Web App configurations are available for situations where Web Apps backups are not immediately accessible.
Database Transaction Logging & Backups
  • The Azure Point-in-Time restore service (using transaction logging) provides the ability to quickly restore a customer’s database to production-ready status.
  • For scenarios involving database recovery older than 30 days, every customer database is backed up monthly to Azure Storage.
Preconfigured Servers, Geo-Redundant Backups and Cloudflare
  • App Service Plans in separate geographic datacenters serve as ready-to-go containers for migrating Intra Web Apps in data center failure scenarios.
  • Preconfigured SQL Servers in multiple geographic regions speed the process of restoring customer databases.
  • Cloudflare Security Network allows SCLogic to re-direct our customers’ Hosted Intra URLs to new Web App servers in less than 2 minutes.
SCLogic CRMS
  • SCLogic’s CRMS contains client information including security hosting contact information, Azure URLs, and Intra configuration details, allowing for quick retrieval of information and timely updates for issues relating to Intra hosting.
Training and Preparation
  • Annual Disaster Recovery Tests
  • Data Backup monitoring and restoration testing
  • Team members who support and maintain SCLogic’s Azure environment are trained in their roles in accessing and utilizing the Microsoft Azure Portal and the established processes and responsibilities in recovery scenarios.
  • Software Support team members are experienced in restoring our customers’ hosted Intra application service, as well as their databases, at any datacenter hosting our servers.

GDPR & the UK GDPR

Where any client (here referred to as “controller”) data processed by SCLogic is the personal information of either an EU resident or residents OR of a UK resident or residents and subject accordingly to respectively either the GDPR OR the UK GDPR, then the following shall apply:

  • SCLogic uses the Standard Contractual Clauses (also known as the Model Clauses) as a basis for transfer of data for its services.
  • SCLogic will only act on the controller’s documented instructions unless required by relevant law to act without such instructions.
  • SCLogic will ensure that people processing the data are subject to a duty of confidentiality.
  • SCLogic will take appropriate measures to ensure the security of processing.
  • SCLogic will only engage a sub-processor with the controller’s prior authorization and under a written contract.
  • SCLogic will take appropriate measures to help the controller respond to requests for individuals to exercise their rights.
  • Taking into account the nature of the processing and the information available, SCLogic will assist the controller in meeting respectively as relevant its GDPR or UK GDPR obligations in relation to the security of processing, the notification of personal data breaches, and data protection impact assessments.
  • SCLogic will delete or return all personal data to the controller (at the controller’s choice) at the end of the contract, and SCLogic will also delete existing personal information/data unless the law requires its storage; and
  • SCLogic will submit to audits and inspections as legally required. SCLogic will also give the controller whatever information it needs to ensure they are both meeting their Article 28 obligations.