DATA PROCESSING AGREEMENT

Our commitment to protecting your data and ensuring compliance with global privacy regulations.

Last Updated: October 21, 2025

Overview

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement between CommHero, LLC ("CommHero," "Processor," "we," "us," or "our") and the entity or person agreeing to these terms ("Customer," "Controller," "you," or "your") for the provision of CommHero's incident communication services (the "Agreement").

This DPA governs the processing of Personal Data (as defined below) by CommHero on behalf of Customer in connection with the Services. This DPA is designed to meet the requirements of applicable data protection laws, including the European Union General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable privacy legislation.

Party Information

Data Controller (Customer)

Name: [As specified in the Agreement]

Address: [As specified in the Agreement]

Data Processor (CommHero)

Entity: CommHero, LLC

Jurisdiction: Wyoming, United States

Contact: dpo@commhero.io

How to Execute: This DPA is automatically incorporated by reference into your Agreement with CommHero when you use our Services. For customers requiring a signed DPA, please contact legal@commhero.io.

Definitions

For the purposes of this DPA, the following terms have the meanings set forth below. Terms not defined herein have the meanings given in the Agreement or applicable Data Protection Laws.

"Applicable Law" means all laws, regulations, and rules applicable to the processing of Personal Data under this DPA, including Data Protection Laws.
"Controller" means the entity that determines the purposes and means of processing Personal Data. Under this DPA, Customer is the Controller.
"Customer Personal Data" means any Personal Data that CommHero processes on behalf of Customer in the course of providing the Services, including contact information in audience lists, incident communication content, user account data, and integration credentials.
"Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including GDPR, UK GDPR, CCPA/CPRA, and other applicable privacy legislation.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
"EEA" means the European Economic Area.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
"Processing" (and related terms such as "Process" or "Processes") means any operation or set of operations performed on Personal Data, whether by automated means or otherwise, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, or destruction.
"Processor" means the entity that processes Personal Data on behalf of the Controller. Under this DPA, CommHero is the Processor.
"Security Incident" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission pursuant to GDPR Article 46(2)(c).
"Subprocessor" means any third-party processor engaged by CommHero to process Customer Personal Data.

Scope of Processing and Instructions

Subject Matter of Processing

CommHero processes Customer Personal Data to provide the incident communication services as described in the Agreement, including managing incident templates, storing audience contact information, facilitating multi-channel communications, and maintaining audit logs of incident activities.

Duration of Processing

CommHero will process Customer Personal Data for the duration of the Agreement and the applicable retention period as specified in our Privacy Policy, unless otherwise instructed by Customer or required by law.

Nature and Purpose of Processing

CommHero processes Customer Personal Data for the following purposes:

  • Providing the incident communication platform and related services
  • Storing and managing incident communication templates with variable fields
  • Managing audience lists and contact information for incident notifications
  • Facilitating delivery of incident communications through integrated channels (Gmail, Office 365, Slack, Microsoft Teams)
  • Maintaining audit logs and communication history
  • Providing customer support and technical assistance
  • Ensuring security and preventing fraud or abuse
  • Complying with legal obligations

Types of Personal Data

Customer Personal Data may include:

  • Contact information (names, email addresses, phone numbers, job titles)
  • User account information (usernames, profile information)
  • Communication content (incident messages, template content)
  • Integration credentials (OAuth tokens for connected services)
  • Usage data (access logs, feature usage, timestamps)
  • IP addresses and device information
  • Any other data uploaded or transmitted by Customer through the Services

Categories of Data Subjects

Data Subjects may include:

  • Customer's employees, contractors, and authorized users
  • Recipients of incident communications (executives, technical staff, customers, partners, vendors)
  • Individuals listed in audience contact lists
  • Any other individuals whose Personal Data is processed through the Services

Processing Instructions

CommHero will process Customer Personal Data only in accordance with Customer's documented instructions unless required to do so by Applicable Law. Customer's instructions are documented in this DPA and the Agreement. Customer may issue additional written instructions that are consistent with the terms of this DPA and the Agreement. If CommHero believes any instruction violates Data Protection Laws, CommHero will promptly inform Customer.

Customer Responsibilities: Customer is solely responsible for ensuring that (a) it has the legal right to transfer Personal Data to CommHero for processing, (b) it has obtained all necessary consents and provided all required notices to Data Subjects, and (c) its instructions to CommHero comply with all Applicable Laws.

CommHero's Obligations as Processor

Compliance with Instructions

CommHero will process Customer Personal Data only in accordance with Customer's documented instructions as set forth in this DPA and the Agreement, unless Processing is required by Applicable Law to which CommHero is subject, in which case CommHero will inform Customer of that legal requirement before Processing (unless prohibited by law from doing so).

Confidentiality

CommHero ensures that all personnel authorized to process Customer Personal Data are subject to binding confidentiality obligations or appropriate statutory obligations of confidentiality. Access to Customer Personal Data is restricted to personnel who require such access to perform their duties under the Agreement.

Security Training

CommHero provides appropriate training to personnel who have access to Customer Personal Data regarding data protection principles, security practices, and their obligations under this DPA.

Data Protection Impact Assessments

Upon Customer's reasonable request, CommHero will provide Customer with information reasonably necessary to demonstrate compliance with this DPA and to allow for and contribute to audits and inspections, including data protection impact assessments where required by Data Protection Laws.

Lawfulness of Processing

CommHero will immediately inform Customer if, in CommHero's opinion, an instruction from Customer infringes Data Protection Laws or other applicable data protection provisions.

Records of Processing Activities

CommHero maintains records of its processing activities as required by Data Protection Laws, including the categories of processing carried out on behalf of Customer, the categories of Personal Data processed, and the technical and organizational security measures implemented.

Security Measures

CommHero implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Technical Measures

  • Encryption: Data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using industry-standard encryption algorithms.
  • Access Controls: Role-based access control (RBAC) ensures that access to Customer Personal Data is limited to authorized personnel on a need-to-know basis.
  • Authentication: Multi-factor authentication is available for user accounts. Service-to-service authentication uses secure credential management.
  • Network Security: Firewalls and network segmentation protect systems processing Customer Personal Data from unauthorized access.
  • Vulnerability Management: Regular security assessments and vulnerability scanning are conducted to identify and address security risks.
  • Logging and Monitoring: Activity logs are maintained and monitored for suspicious activities and security incidents.
  • Secure Development: Secure coding practices are followed, and security reviews are conducted during the development lifecycle.

Organizational Measures

  • Security Policies: Written information security policies and procedures govern the processing of Personal Data.
  • Employee Training: Personnel receive security awareness training and are bound by confidentiality obligations.
  • Incident Response: Documented incident response procedures are in place to detect, respond to, and recover from Security Incidents.
  • Business Continuity: Backup and disaster recovery procedures ensure data resilience and availability. Infrastructure backups are maintained and can be restored in case of system failures.
  • Vendor Management: Subprocessors are evaluated for security practices and are contractually bound to maintain appropriate security measures.
  • Physical Security: Customer Personal Data is hosted in professionally managed data centers with physical access controls, environmental controls, and 24/7 monitoring.

Infrastructure Security

CommHero utilizes enterprise-grade cloud infrastructure providers that maintain industry-leading security certifications and compliance programs. All infrastructure components are hosted in secure data centers located in the United States (East region) with redundancy and backup capabilities.

Security Certifications

CommHero is working towards obtaining industry-standard security certifications, including SOC 2 Type II. Upon request, we can provide information about our security practices and planned certification timeline.

Security Updates: CommHero continuously reviews and updates its security measures to address evolving threats and maintain alignment with industry best practices. Material changes to security measures will not materially decrease the overall level of protection.

Subprocessors

Authorization to Use Subprocessors

Customer authorizes CommHero to engage Subprocessors to process Customer Personal Data on Customer's behalf. CommHero will enter into a written agreement with each Subprocessor imposing data protection obligations substantially similar to those in this DPA.

Current Subprocessors

CommHero currently engages the following Subprocessors to process Customer Personal Data:

Microsoft Corporation (Azure)

Infrastructure

Purpose: Cloud infrastructure, database services, storage, and networking

Location: United States (East region)

Google LLC

Authentication

Purpose: User authentication services

Location: United States

Stripe, Inc.

Payments

Purpose: Payment processing (billing information only)

Location: United States

Microsoft Corporation (Clarity)

Analytics

Purpose: Web analytics and user behavior analysis

Location: United States

Resend, Inc.

Email Services

Purpose: Email delivery for contact forms and template approval notifications

Location: United States

Grafana Labs

Monitoring

Purpose: Performance monitoring and error tracking (self-hosted instance)

Location: United States (self-hosted)

Customer Communication Platforms

The Services integrate with third-party communication platforms that Customer connects to their CommHero account. These platforms are not Subprocessors under this DPA because Customer controls their own accounts and credentials:

  • Gmail / Google Workspace
  • Microsoft Office 365
  • Slack
  • Microsoft Teams
  • Future integrations: WhatsApp, SMS providers, mobile push notification services

Customer is responsible for its relationship with these providers and compliance with their terms of service and privacy policies.

Changes to Subprocessors

CommHero may add or replace Subprocessors from time to time. CommHero will provide at least 30 days advance notice to Customer of any new Subprocessor via email or through the Services. Customer may object to a new Subprocessor on reasonable data protection grounds by notifying CommHero in writing within 30 days of receiving notice.

If Customer objects and CommHero cannot accommodate the objection or provide an alternative solution, Customer may terminate the affected Services by providing written notice to CommHero within 30 days of CommHero's response to the objection.

Subprocessor Obligations

CommHero remains liable for the acts and omissions of its Subprocessors to the same extent as if CommHero had performed the services directly.

Current Subprocessor List: An up-to-date list of Subprocessors is maintained at https://commhero.io/subprocessors or is available upon request by contacting dpo@commhero.io.

Data Subject Rights

Assistance with Data Subject Requests

Taking into account the nature of the processing, CommHero will assist Customer by implementing appropriate technical and organizational measures to enable Customer to fulfill Data Subject requests under Data Protection Laws, including requests for access, rectification, erasure, restriction of processing, data portability, and objection to processing.

Types of Data Subject Rights

CommHero will assist Customer in responding to the following Data Subject requests:

  • Right of Access: Provide Data Subjects with access to their Personal Data
  • Right to Rectification: Correct inaccurate or incomplete Personal Data
  • Right to Erasure: Delete Personal Data when no longer necessary or upon valid request
  • Right to Restriction: Restrict processing in certain circumstances
  • Right to Data Portability: Provide Personal Data in a structured, machine-readable format
  • Right to Object: Object to certain types of processing
  • Rights Related to Automated Decision-Making: Rights related to automated processing and profiling

Request Process

If CommHero receives a Data Subject request directly, CommHero will promptly notify Customer and will not respond to the request except as instructed by Customer or as required by law. Customer is responsible for responding to Data Subject requests, and CommHero will provide reasonable assistance as necessary.

Tools and Capabilities

To facilitate Data Subject rights, the Services provide:

  • User account management capabilities for Authorized Users to update their information
  • Data export functionality to retrieve Customer Personal Data
  • Deletion capabilities for removing Personal Data from the Services
  • API access for programmatic data management (available on certain plans)

Reasonable Assistance

For requests that cannot be fulfilled through self-service tools, Customer may contact support@commhero.io. CommHero will provide reasonable assistance within 30 days of receiving a valid request from Customer, taking into account the nature, scope, and complexity of the request.

Fees for Assistance

CommHero's assistance with Data Subject requests is included in the Services at no additional charge for reasonable requests. If Customer requires extensive assistance beyond what is reasonable, CommHero may charge a fee based on the time and resources required, to be agreed in advance.

Security Incident Notification

Notification Obligation

CommHero will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting Customer Personal Data. Notification will be made to the email address associated with Customer's account or, if Customer has designated a separate security contact email address, to that address.

Notification Contents

To the extent reasonably possible and legally permitted, the notification will include:

  • A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected
  • The likely consequences of the Security Incident
  • A description of the measures taken or proposed to address the Security Incident and mitigate its possible adverse effects
  • Contact information for CommHero's incident response team
  • Any other information that CommHero reasonably believes to be relevant

Investigation and Remediation

Following a Security Incident, CommHero will:

  • Investigate the Security Incident and take reasonable steps to identify the cause
  • Take appropriate measures to contain, remediate, and prevent recurrence of the Security Incident
  • Provide Customer with reasonable assistance in investigating and responding to the Security Incident
  • Provide updates to Customer as the investigation progresses
  • Cooperate with Customer and applicable authorities in any investigation

Customer Obligations

Customer is responsible for complying with applicable incident notification requirements under Data Protection Laws, including notifying supervisory authorities and Data Subjects where required. CommHero will provide reasonable assistance to Customer in meeting these obligations.

Non-Security Incidents

This notification obligation does not apply to unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

Confidentiality: Information about Security Incidents is CommHero's Confidential Information and may not be disclosed by Customer except as required by law or to fulfill Customer's legal obligations under Data Protection Laws.

Audits and Compliance Verification

Audit Rights

CommHero will make available to Customer all information reasonably necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer.

Information Provided

To demonstrate compliance, CommHero may provide:

  • Summaries of relevant security policies and procedures
  • Information about technical and organizational security measures
  • Third-party security audit reports or certifications (when available)
  • Responses to reasonable written questions about data protection practices

On-Site Audits

If the information provided above is insufficient and Customer reasonably requires an on-site audit, Customer may conduct an audit or inspection of CommHero's data processing activities, subject to the following conditions:

  • Customer must provide at least 30 days advance written notice
  • Audits may occur no more than once per year unless required by a supervisory authority or in response to a Security Incident
  • Audits must be conducted during business hours and with minimal disruption to CommHero's operations
  • Customer must use a qualified independent third-party auditor approved by CommHero (approval not to be unreasonably withheld)
  • The auditor must execute a confidentiality agreement acceptable to CommHero
  • Customer is responsible for all costs associated with the audit
  • Audit scope must be reasonable and focused on verifying compliance with this DPA

Security Certifications

As CommHero obtains third-party security certifications (such as SOC 2 Type II), these reports may be provided to Customer upon request under appropriate confidentiality terms as an alternative to on-site audits.

Limitations

CommHero may restrict audit activities to the extent necessary to protect CommHero's confidential information, security, or the data of other customers. CommHero is not required to provide access to facilities, systems, or information that are not directly relevant to the processing of Customer Personal Data.

International Data Transfers

Data Location

Customer Personal Data is primarily stored and processed in data centers located in the United States (East region). CommHero may transfer Customer Personal Data to other countries where CommHero, its affiliates, or Subprocessors maintain facilities, subject to the safeguards described in this section.

Standard Contractual Clauses

For transfers of Personal Data from the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, the parties agree to comply with the Standard Contractual Clauses approved by the European Commission for the transfer of personal data to processors established in third countries.

The Standard Contractual Clauses are incorporated into this DPA by reference and can be found at the following locations:

  • EU Standard Contractual Clauses (Module 2: Controller to Processor): Commission Implementing Decision (EU) 2021/914
  • UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs: Available from the UK Information Commissioner's Office
  • Swiss Federal Data Protection Act requirements: Applicable provisions incorporated as required

Supplementary Measures

In addition to the Standard Contractual Clauses, CommHero implements supplementary technical and organizational measures to ensure adequate protection for international transfers:

  • Encryption of data in transit and at rest
  • Strict access controls and authentication requirements
  • Contractual restrictions on government data requests
  • Regular security assessments and monitoring
  • Transparency regarding data access requests

Government Access Requests

CommHero has not received any government or law enforcement requests for access to Customer Personal Data to date. If CommHero receives such a request, CommHero will:

  • Attempt to redirect the requesting party to seek data directly from Customer
  • Promptly notify Customer of the request, unless legally prohibited from doing so
  • Challenge overbroad or unlawful requests where appropriate
  • Provide minimum necessary data in response to valid legal requests

Data Residency Options

CommHero is developing data residency options for customers requiring data storage in specific geographic regions. Please contact sales@commhero.io to discuss availability and requirements for data residency solutions.

SCC Details for Transfers from EEA/UK

When the Standard Contractual Clauses apply, the following details are relevant:

  • Module: Module 2 (Controller to Processor)
  • Data Exporter: Customer (Controller)
  • Data Importer: CommHero, LLC (Processor)
  • Competent Supervisory Authority: As determined by Customer's location
  • Governing Law: Laws of the EU member state where Customer is established (for EU SCCs) or laws of England and Wales (for UK IDTA)
  • Docking Clause: The optional docking clause (Clause 7) applies (additional parties may accede to the clauses)

Data Return and Deletion

Data Export

Customer may export Customer Personal Data at any time during the term of the Agreement using the data export functionality provided in the Services. Exported data will be provided in commonly used, machine-readable formats such as JSON, CSV, or as otherwise documented.

Post-Termination Data Retrieval

Upon termination or expiration of the Agreement, Customer will have 30 days to export Customer Personal Data from the Services. CommHero will maintain Customer Personal Data in a retrievable format during this 30-day period at no additional charge.

Data Deletion

Following the 30-day post-termination period, or upon Customer's earlier written request, CommHero will delete or render unrecoverable all Customer Personal Data (including existing copies) from CommHero's systems, except as required by Applicable Law or as necessary to comply with legal holds or preservation requirements.

Deletion will be completed within 30 days of the end of the retrieval period or receipt of Customer's deletion request.

Retention Periods by Plan

During the term of the Agreement, Customer Personal Data is retained according to the following schedule based on subscription tier:

  • Free tier: 30 days of incident communication logs
  • Team tier: 1 year of audit logs and communication history
  • Business tier: 2 years of data retention
  • Enterprise tier: Custom retention periods as agreed in Order Form

Backup Data

Customer Personal Data may remain in CommHero's backup systems for up to 90 days following deletion. Backup data is securely overwritten during the normal backup rotation cycle and is not accessible for production use.

Legal Requirements

CommHero may retain Customer Personal Data to the extent required by Applicable Law (such as tax, accounting, or other legal retention obligations) or to the extent necessary to defend or bring legal claims. Any data retained for legal purposes will be isolated, protected, and retained only for the legally required period.

Certification of Deletion

Upon written request, CommHero will provide Customer with written certification that Customer Personal Data has been deleted in accordance with this DPA, except for data retained as permitted under this section.

Subprocessor Deletion

CommHero will ensure that all Subprocessors delete or return Customer Personal Data in accordance with the same obligations set forth in this section.

Liability and Indemnification

Liability Cap

The total liability of each party arising out of or related to this DPA, whether in contract, tort, or otherwise, will be subject to the limitations of liability set forth in the Agreement. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under Applicable Law.

Subprocessor Liability

CommHero will be liable for the acts and omissions of its Subprocessors to the same extent CommHero would be liable if performing the services of each Subprocessor directly under the terms of this DPA.

GDPR Liability Provisions

Each party's liability under this DPA is subject, where applicable, to GDPR Article 82 (right to compensation and liability, including the allocation of liability between controllers and processors) and Article 83 (administrative fines).

Indemnification

To the extent permitted by Applicable Law, Customer will indemnify, defend, and hold harmless CommHero from and against all claims, costs, losses, damages, liabilities, judgments, and expenses (including reasonable attorneys' fees) arising out of or relating to any claim brought by a Data Subject or supervisory authority concerning Customer's processing instructions or Customer's violation of Data Protection Laws.

Term and Termination

Term

This DPA will commence on the date Customer first accesses the Services and will remain in effect until the termination or expiration of the Agreement, or until all Customer Personal Data has been deleted or returned in accordance with this DPA, whichever occurs later.

Termination

This DPA will automatically terminate upon termination or expiration of the Agreement. Either party may terminate this DPA if the other party materially breaches this DPA and fails to remedy the breach within 30 days of written notice.

Effect of Termination

Upon termination of this DPA, the provisions of the "Data Return and Deletion" section above will apply. All other provisions of this DPA that by their nature should survive termination will survive, including confidentiality obligations, liability limitations, and dispute resolution provisions.

Amendments

CommHero may update this DPA from time to time to reflect changes in Data Protection Laws, business practices, or Service capabilities. Material changes will be communicated to Customer at least 30 days before the changes take effect. Customer's continued use of the Services after the effective date constitutes acceptance of the updated DPA.

Order of Precedence

In the event of a conflict between this DPA and the Agreement, this DPA will control with respect to the processing of Customer Personal Data. If there is a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will control.

Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect. The parties will replace the invalid or unenforceable provision with a valid and enforceable provision that achieves the original intent to the greatest extent possible.

Governing Law

This DPA will be governed by the laws specified in the Agreement, except where Data Protection Laws require otherwise (such as for the Standard Contractual Clauses).

Contact Information and Execution

Questions About This DPA

For questions, concerns, or requests related to this DPA or data processing practices, please contact:

CommHero, LLC

Attention: Data Protection Team

Email: dpo@commhero.io

Website: https://commhero.io

Data Protection Officer

For GDPR-specific inquiries or to exercise Data Subject rights, contact our Data Protection Team at dpo@commhero.io.

Execution

This DPA is automatically incorporated into and forms part of the Agreement between Customer and CommHero. No separate signature is required unless specifically requested by Customer.

For customers requiring a separately executed DPA (such as for enterprise procurement requirements), please contact legal@commhero.io to request an executed copy.

For CommHero, LLC, this DPA is executed by an authorized representative as of the Effective Date specified in your Agreement.
