Data Processing Addendum

On2Air (an Openside Studios, LLC product) Data Processing Addendum Last Updated: May 31, 2022 This Data Processing Addendum (“Addendum”) forms part of the Terms of Service, Developer Platform Agreement or other written agreement entered into between Openside Studios, LLC (“On2Air”) and you that incorporates this Addendum by reference (the “Agreement”), and governs the Processing of Personal Information by On2Air in providing its task automation service (the “Service”) pursuant to the Agreement. If you would like to complete a countersigned copy of this Addendum for your records, the following are the instructions for completing such a copy:

1. This Addendum consists of two parts: the main body of the Addendum, and Schedule 1.
2. This Addendum has been pre-signed on behalf of On2Air.
3. To complete a countersigned copy of this Addendum, you must: • Complete the information in the signature box and sign this Addendum below. • Send the completed and signed Addendum to On2Air by email to support@on2air.com. 1 Definitions 1.1 “Adequacy Decision” means: a. for data processed subject to the GDPR: the EEA, or a country or territory that is the subject of an adequacy decision by the Commission under Article 45(1) of the GDPR; and b. for data processed subject to the UK GDPR: the UK or a country or territory that is the subject of the adequacy regulations under Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018. 1.2 “Controller to Processor SCCs” means the Module Two (transfer controller to processor) of the European Commission Implementing Decision (EU) 2021/914 which can be found here: https://zapier.com/help/account/data-management/standard-contractual-clauses-at-zapier#step-1, as updated and/ or replaced from time to time. 1.3 “Data Subject” means any individual about whom Personal Information may be Processed under this Addendum. 1.4 “Data Protection Legislation” means any law governing the use, access to, deletion of, or Processing of Personal Information, including, but not limited to, the GDPR and UK GDPR (as defined below), together with any national implementing laws in any Member State of the European Union or the United Kingdom or, to the extent applicable, in any other country, and the California Consumer Privacy Act, in each case as amended, repealed, consolidated or replaced from time to time. 1.5 “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. 1.6 “Personal Information” means personal data or personal information (as defined under the Data Protection Legislation) that are subject to the Data Protection Legislation and that you authorize Zapier to collect and process on your behalf in connection with Zapier’s provision of the Service under the Agreement. 1.7 “Process” or “Processing” means any operation or set of operations performed on Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. 1.8 “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Information on behalf of the controller (as such term is defined under the GDPR). 1.9 “Processor to Processor SCCs” means the Module Three (transfer processor to processor) of the European Commission Implementing Decision (EU) 2021/914 which can be found here: https://zapier.com/help/account/data-management/standard-contractual-clauses-at-zapier#step-2, as updated and/ or replaced from time to time. 1.10 “Security Incident” means a breach of security of the Service or Zapier’s systems used to Process Personal Information leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information. 1.11 “Sensitive Information” means Personal Information revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation. 1.12 “Service Provider” means an entity that receives Personal Information and is prohibited from retaining, using, selling, or disclosing such information other than in connection with providing the Service pursuant to the Agreement. 1.13 “UK SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries pursuant to European Commission Decision 2010/87/EU of 5 February 2010 which can be found here: https://zapier.com/help/account/datamanagement/standard-contractual-clauses-at-zapier#step-3, as updated and/or replaced from time to time. 1.14 “UK GDPR” means the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act. 2 Details of the Processing 2.1 Categories of Data Subjects. As set out in Schedule 1. 2.2 Types of Personal Information. As set out in Schedule 1. 2.3 Subject-Matter and Nature of the Processing. The subject-matter of Processing of Personal Information by Zapier is the provision of the Services to you that involves the Processing of Personal Information. Personal Information will be subject to those Processing activities which Zapier needs to perform in order to provide the Services pursuant to the Agreement. 2.4 Purpose of the Processing. Personal Information will be Processed by Zapier for purposes of providing the Services set out into the Agreement. 2.5 Duration of the Processing. Personal Information will be Processed for the duration of the Agreement, subject to Section 12 of this Addendum. 3 Limitations on Use. Zapier will Process Personal Information solely as a Processor or Service Provider on your behalf and in accordance with the Agreement, this Addendum and any other documented instructions from you (whether in written or electronic form), or as otherwise required by applicable law. Notwithstanding anything to the contrary in the Agreement, Zapier shall not (1) retain or use Personal Information other than as provided for in the Agreement or as needed to perform the Service, or (2) sell or otherwise disclose such Personal Information except as needed to render the Service. Zapier is hereby instructed to Process Personal Information to the extent necessary to enable Zapier to provide the Service in accordance with the Agreement. In case Zapier cannot process Personal Information in accordance with your instructions due to a legal requirement under any applicable law to which Zapier is subject, Zapier shall (i) promptly notify you in writing (including by e-mail) of such legal requirement before carrying out the relevant Processing, to the extent permitted by the applicable law, and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Information) until such time as you provide Zapier with new instructions. You will be responsible for providing or making Personal Information available to Zapier in compliance with the Data Protection Legislation, including providing any necessary notices to, and obtaining any necessary consents from, Data Subjects whose Personal Information is provided by you to Zapier for Processing pursuant to this Addendum. You acknowledge that the Service is not intended or designed for the Processing of Sensitive Information, and you agree not to provide any Sensitive Information through the Service. The parties agree that you provide Personal Information to Zapier as a condition precedent to Zapier’s performance of the Service and that Personal Information is not exchanged for monetary or other valuable consideration. You acknowledge that Zapier is an independent controller when carrying out any activities not related solely to Zapier’s Processing of Personal Information added by you to the Service (such as Zapier’s management of its online forum, analytics, customer accounts and marketing programme). 4 Security. Zapier shall implement, and maintain throughout the term of the Addendum at all times in accordance with then current good industry practice, appropriate technical and organizational measures to protect Personal Information in accordance with Article 32 of the GDPR. On request, Zapier shall provide you with a written description of the security measures being taken. The Service provides reasonable technical and organizational measures that have been designed, taking into account the nature of its Processing, to assist you in securing Personal Information Processed by Zapier. Zapier will also assist you with conducting any legally required data protection impact assessments (including subsequent consultation with a supervisory authority), if so required by the Data Protection Legislation, taking into account the nature of Processing and the information available to Zapier. Zapier may charge a reasonable fee for any such assistance, as permitted by applicable law. 5 Confidentiality. Zapier will ensure that its personnel authorized to process Personal Information are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. 6 Data Subject Requests. You are responsible for handling any requests or complaints from Data Subjects with respect to their Personal Information Processed by Zapier under this Addendum. Zapier will notify you promptly and in any event within fifteen (15) business days’ of receipt, unless prohibited by applicable law, if Zapier receives any such requests or complaints. The Service include technical and organizational measures that have been designed, taking into account the nature of its Processing, to assist customers, insofar as this is possible, in fulfilling their obligations to respond to such requests or complaints. 7 Regulatory Investigations. At your request, Zapier will assist you in the event of an investigation by a competent regulator, including a data protection regulator or similar authority, if and to the extent that such investigation relates to the Processing of Personal Information by Zapier on your behalf in accordance with this Addendum. Zapier may charge a reasonable fee for such requested assistance except where such investigation arises from a breach by Zapier of the Agreement or this Addendum, to the extent permitted by applicable law. 8 Security Incident. In the event that Zapier becomes aware of a Security Incident, Zapier will notify you promptly and in any event no later than forty-eight (48) hours after Zapier discovers the Security Incident. In the event of such a Security Incident, Zapier shall provide you with a detailed description of the Security Incident and the Personal Information concerned, unless otherwise prohibited by law or otherwise instructed by a law enforcement or supervisory authority. Zapier will take reasonable steps to mitigate the effects of the Security Incident and to minimize any damage resulting from the Security Incident. At your request, Zapier will provide reasonable assistance and cooperation with respect to any notifications that you are legally required to send to affected Data Subjects and regulators. Zapier may charge a reasonable fee for such requested assistance. 9 Sub-Processors. You agree that Zapier may disclose Personal Information to its subcontractors for purposes of providing the Service (“Sub-Processors”), provided that Zapier (i) shall enter into an agreement with its Sub-Processors which comply with Data Protection Legislation, including requiring the Sub-Processors to only process Personal Information to the extent required to perform the obligations sub-contracted to them, and (ii) shall remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-Processors. Zapier’s current list of SubProcessors is located on Zapier’s Sub-Processor webpage at https://zapier.com/help/account/data-management/data-privacy-at-zapier#step-5. Zapier will inform you of any intended changes concerning the addition or replacement of Sub-Processors by updating its Sub-Processor webpage, which you acknowledge is your responsibility to check regularly. You may object to such changes on reasonable grounds of data protection within ten (10) business days after being notified of the engagement of the Sub-Processor. If you object to a new Sub-Processor, as permitted in the preceding sentence, Zapier will use reasonable efforts to make available to you a change in the Service or recommend a commercially reasonable change to your configuration or use of the Service to avoid Processing of Personal Data by the objected-to new Sub-Processor. If Zapier is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, either party may terminate the component of the Service which cannot be provided by Zapier without the use of the objected-to new Sub-Processor by providing written notice to the other party. Zapier will refund you any prepaid fees covering the remainder of the term of your subscription following the effective date of termination with respect to such terminated component of the Service, without imposing a penalty for such termination on you. 10 Data Transfers. In connection with the performance of the Agreement, you authorize Zapier to transfer Personal Information internationally, and in particular to locations outside of the United Kingdom and European Economic Area, such as the United States. If Personal Information is Processed in a country which has not received an Adequacy Decision you and Zapier hereby enter into: a) the Controller to Processor SCCs if the restricted transfer is subject to the GDPR and Zapier is acting as your Processor; b) the Processor to Processor SCCs if the restricted transfer is subject to the GDPR and Zapier is acting as your sub-processor; or c) the UK SCCs if the restricted transfer is subject to the UK GDPR and Zapier is acting as your Processor or sub-processor. 11 Information. Zapier shall make available to you all information necessary to demonstrate compliance with the obligations laid down in this Addendum and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. Zapier shall immediately inform you if, in its opinion, an instruction infringes the Data Protection Legislation. 12 Return or Disposal. Promptly following termination of your User Account for any reason, Zapier will destroy the Personal Information it was Processing on your behalf pursuant to Zapier’s provision of the Service. The parties’ authorized signatories have duly executed this Addendum: Zapier: You: By: Name: Your Legal Name: Name of Signatory: Title of Signatory (if applicable): Date: REFERENCE COPY – DO NOT EXECUTE To initiate an electronically signed copy, visit: https://zapier.com/help/account/datamanagement/data-privacy-at-zapier#step-3 Schedule 1 LIST OF PARTIES Data exporter(s): Name You Address As detailed in the communications between us from time to time. Contact person’s name, position and contact details As detailed in the communications between us from time to time. Activities relevant to the data transferred under these Clauses Receipt of the Services Role (controller/processor) Controller or Processor Data importer(s): DESCRIPTION OF TRANSFER Categories of data subjects whose personal data is transferred Data exporter may submit Personal Information to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Information relating to the following categories of data subjects: Data exporter’s employees, contractors, representatives, agents, and other individuals whom data exporter permits to use the Service, as well as Personal Information relating to the data exporter’s customers, partners, users and vendors. Categories of personal data transferred Data exporter may submit Personal Information to the Service, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following Personal Information: First and Last Name, Billing Address, Credit Card Information, IP Address, API Key, Access Token, User Identifiers, Password, Integration Configuration, API Logs, Cookies Name Zapier Address As listed above. Contact person’s name, position and contact details Suk Kim, General Counsel privacy@zapier.com Activities relevant to the data transferred under these Clauses Provision of the Services Role (controller/processor) Processor Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. None and the data exporter is prohibited from using the Service to process any such data under the terms of the Agreement. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). Continuous basis Nature of the processing The performance of the Service pursuant to the Agreement. Purpose(s) of the data transfer and further processing The performance of the Service pursuant to the Agreement. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period For the duration of the Agreement. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing Located on Zapier’s Sub-Processor webpage at https://zapier.com/help/account/datamanagement/data-privacy-at-zapier#step-5. TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA Zapier will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Information uploaded to the Service, as described in this Schedule. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the DPA. A. SECURITY GOVERNANCE Zapier maintains an information security program (including the adoption and enforcement of internal policies and procedures) designed to: (a) help our customers secure their data processed using Zapier’s online product against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorised access to the Zapier online product, and (c) minimise security risks, including through risk assessment and regular testing. Zapier’s head of security coordinates and is primarily responsible for the company’s information security program. The team covers the following core functions: • Application security (secure development, security feature design, the Security Champions program, and secure development training) • Infrastructure security (data centers, cloud security, and strong authentication) • Monitoring and incident response (cloud native and custom) • Vulnerability management (vulnerability scanning and resolution) • Compliance and technical privacy • Security awareness (onboarding training and awareness campaigns) B. ACCESS CONTROL i) Preventing Unauthorized Product Access Third party data hosting and processing: We host our Service with third party cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors. Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. Their physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications. Authentication: Customers who interact with the products via the user interface are required to authenticate before they are able to access their non-public data. We support two-factor authentication and highly recommend that each customer enable two-factor authentication on their Zapier account. Zapier also supports Single-Sign On for Team and Company accounts. Authorization: User Content (data originated by customers that a customer transmits through Zapier online service) is stored in multi-tenant storage systems which are only accessible to Customers via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set. Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization. Authorization credentials are stored encrypted. ii) Preventing Unauthorized Product Use We implement industry standard access controls and detection capabilities for the internal networks that support our products. Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules. Static code analysis: Automated security reviews of code stored in our source code repositories, performed through static code analysis, checking for coding best practices and identifiable software vulnerabilities. Penetration testing: We maintain relationships with industry recognized penetration testing service providers for annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios. Red teaming: Zapier performs annual offensive security exercises that target our internal corporate and production infrastructure and applications. The event is conducted in the form of a Red Team where highly qualified offensive operators are collaborating with our Security Operations Center. The exercise concludes with a remediation and validation phase where findings are addressed and the fixes validated. Bug bounty: A bug bounty program invites and incentivizes independent security researchers to ethically discover and disclose security flaws. We implement a bug bounty program in an effort to widen the available opportunities to engage with the security community and improve the product defenses against sophisticated attacks. iii) Limitations of Privilege & Authorization Requirements Product access: A subset of our personnel have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of personnel is to provide effective customer support, troubleshoot potential problems, detect and respond to security incidents, and implement data security. Personnel Security: Zapier personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Zapier conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local law and regulations. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Zapier’s confidentiality and security policies. Personnel are provided with security training. C. ENCRYPTION TECHNOLOGIES In-transit: We make HTTPS encryption (also referred to as SSL or TLS) available on all of our login interfaces and for free on every customer site hosted on the Zapier products. Our HTTPS implementation uses industry standard algorithms and certificates. At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest. D. INPUT CONTROLS Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate personnel of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents. Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, and/or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and customer damage or unauthorized disclosure. Notifications will be in accordance with the terms of the Agreement. E. DATA DELETION AND PORTABILITY Zapier enables customers to delete their account and delete or export their account data in a manner consistent with the functionality of the Zapier product. Instructions and related details are provided within the applicable functionality within the Zapier product. F. AVAILABILITY CONTROLS Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime. Redundancy: The infrastructure providers use designs to eliminate single points of failure and minimize the impact of anticipated environmental risks. Zapier’s product is designed to allow the company to perform certain types of preventative and corrective maintenance without interruption. Business Continuity: Zapier has designed and regularly plans and tests its business continuity planning/disaster recovery programs. LIST OF SUB-PROCESSORS Zapier’s current list of Sub-Processors is located on Zapier’s Sub-Processor webpage at https://zapier.com/help/account/data-management/data-privacy-at-zapier#step-5.