April 15, 2025
Table of Contents
- IVM, Inc. Data Processing Agreement (DPA)
- Annex to the Data Processing Agreement: Standard Contractual Clauses (SCCs) – Controller to Processor
- Annex 1 – Details of Processing of Company Personal Data
- Annex 2 – Standard Contractual Clauses (SCCs): Details of the data processing
IVM, Inc. Data Processing Agreement (DPA)
This Data Processing Agreement (“DPA”) is entered into between:
(i) IVM, Inc. (“Vendor”), acting on its own behalf and as agent for each Vendor Affiliate; and
(ii) You (“Company”), acting on its own behalf and as agent for each Company Affiliate.
In consideration of the mutual obligations herein, the parties agree as follows:
1. Definitions
1.1 In this DPA, the following terms shall have the meanings set out below:
- “Applicable Laws” means:
  - (a) EU or Jurisdiction laws applicable to any Company Personal Data processed by any Company Group Member under EU Data Protection Laws; and
  - (b) any other laws applicable to such data under other Data Protection Laws.
- “Company Affiliate” means any entity that controls, is controlled by, or is under common control with the Company.
- “Company Group Member” means the Company or any Company Affiliate.
- “Company Personal Data” means any Personal Data processed by a Contracted Processor on behalf of a Company Group Member under the Master Service Agreement.
- “Contracted Processor” means the Vendor or a Subprocessor.
- “Data Protection Laws” means the GDPR and, where applicable, other data protection or privacy laws.
- “EEA” means the European Economic Area.
- “EU Data Protection Laws” means EU Directive 95/46/EC, the GDPR, and related national implementations or supplements.
- “GDPR” means the General Data Protection Regulation (EU) 2016/679.
- “Restricted Transfer” means:
  - (a) a transfer of Company Personal Data to a Contracted Processor outside the EEA or UK; or
  - (b) an onward transfer to another Contracted Processor, where such transfer would be restricted by Data Protection Laws in the absence of Standard Contractual Clauses (SCCs).
- “Services” means the services provided by Vendor to Company Group Members under the Master Service Agreement.
- “Standard Contractual Clauses” means the clauses set out in Annex 2, amended per this DPA and GDPR requirements.
- “Subprocessor” means any third party (excluding Vendor employees) engaged to process Company Personal Data.
- “Vendor Affiliate” means any entity controlling, controlled by, or under common control with Vendor.
1.2 Terms like “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and “Supervisory Authority” shall have the meanings defined in the GDPR.
1.3 The term “include” shall mean “including without limitation.”
2. Authority
Vendor represents that it is authorized to enter into this DPA on behalf of itself and each Vendor Affiliate involved in Processing Company Personal Data.
3. Processing of Company Personal Data
3.1 Vendor and each Vendor Affiliate shall:
- (a) Comply with all applicable Data Protection Laws;
- (b) Only process Company Personal Data per documented Company instructions, unless otherwise required by law (in which case Vendor shall notify Company unless prohibited by law).
3.2 Company:
- (a) Instructs Vendor and its Affiliates (and authorizes them to instruct subprocessors) to process Company Personal Data as necessary for the Services;
- (b) Warrants it has authority to issue such instructions for all relevant Company Affiliates.
3.3 Annex 1 sets out required processing details. Company may reasonably update Annex 1 with written notice.
4. Vendor Personnel
Vendor shall ensure personnel with access to Company Personal Data:
- Have a need-to-know basis only;
- Are bound by confidentiality obligations;
- Are properly trained and monitored.
5. Security
5.1 Vendor shall implement appropriate technical and organizational measures per Article 32 of the GDPR, considering the nature, context, and risks of the processing.
5.2 Vendor shall assess and mitigate risks of a Personal Data Breach.
6. Subprocessing
6.1 Company authorizes Vendor to use subprocessors, subject to compliance with this section.
6.2 Vendor may continue using existing subprocessors (e.g., Microsoft Azure), provided obligations under Section 6.4 are met.
6.3 Vendor shall notify Company before appointing any new Subprocessor. Company may object within 10 days. Vendor will not proceed until reasonable concerns are addressed and communicated.
6.4 Vendor shall ensure:
- (a) Due diligence is performed;
- (b) Subprocessor agreements provide GDPR-compliant terms, especially under Article 28(3);
- (c) Where a Restricted Transfer occurs, the Standard Contractual Clauses are included in the agreement.
6.5 Vendor shall ensure each Subprocessor complies with relevant obligations under this DPA.
7. Data Subject Rights
7.1 Vendor shall assist Company in responding to Data Subject rights requests, using appropriate technical and organizational measures.
7.2 Vendor shall:
- (a) Promptly notify Company of any such requests received;
- (b) Not respond directly without Company instruction unless required by law.
8. Personal Data Breach
8.1 Vendor shall notify Company within 24 hours of becoming aware of a breach affecting Company Personal Data and provide sufficient detail for compliance with notification obligations.
8.2 Vendor shall assist in the investigation, mitigation, and remediation of the breach as reasonably requested.
9. Data Protection Impact Assessment
Vendor shall assist with any DPIAs or consultations with supervisory authorities as required under GDPR Articles 35 or 36, to the extent applicable to Vendor’s processing.
10. Return or Deletion of Personal Data
10.1 Within 10 business days of the Cessation Date, Company may instruct Vendor to:
- (a) Return all Company Personal Data via secure transfer; and
- (b) Delete all remaining copies. Vendor shall comply within 90 days.
10.2 Vendor may retain data only as required by law, provided it is kept confidential and only processed for legal compliance.
11. Audit Rights
11.1 Vendor shall provide Company with all necessary information to demonstrate compliance with this DPA and allow for audits or inspections by Company or its designated auditor.
11.2 Audit rights under this DPA apply only to the extent such rights are not already granted under the Master Service Agreement.
Annex to the Data Processing Agreement
Standard Contractual Clauses (SCCs) – Controller to Processor
Commission Implementing Decision (EU) 2021/914
SECTION I
Clause 1 – Purpose and scope
These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and 46(2)(c) of the GDPR and, with respect to data transfers from controllers to processors established in third countries, ensure the protection of the transferred personal data.
Clause 2 – Effect and invariability of the Clauses
(a) The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating contact points.
Clause 3 – Third-party beneficiaries
Data subjects may invoke and enforce these Clauses as third-party beneficiaries against the data exporter and/or data importer.
Clause 4 – Interpretation
Any interpretation of the Clauses shall be in accordance with the GDPR.
Clause 5 – Hierarchy
In the event of a conflict between the Clauses and the provisions of related agreements between the Parties, the Clauses shall prevail.
SECTION II – Obligations of the Parties
Clause 6 – Description of the transfer
The details of the transfer, including categories of data subjects, personal data, and processing purposes, are described in Annex I.A.
Clause 8 – Data protection safeguards
The data importer shall process the personal data only on documented instructions from the data exporter, implement appropriate technical and organizational measures (TOMs), and assist the data exporter in fulfilling its GDPR obligations.
Clause 9 – Use of sub-processors
(a) The data importer has the data exporter’s general authorization to engage sub-processors.
(b) The data importer shall inform the data exporter of any intended changes regarding sub-processors.
(c) The only authorized sub-processor at this time is Microsoft Azure, as detailed in Annex II.
(d) The data importer shall ensure a written agreement with the sub-processor with equivalent data protection obligations.
Clause 10 – Data subject rights
The data importer shall assist the data exporter in responding to requests from data subjects.
Clause 11 – Redress
Data subjects may lodge complaints with the data exporter, the data importer, or the competent supervisory authority.
Clause 12 – Liability
Each party shall be liable to the other for any damages caused by its breach of these Clauses.
Clause 13 – Supervision
The supervisory authority with responsibility for ensuring compliance is identified in Annex I.C.
SECTION III – Local Laws and Access
Clause 14 – Local laws and practices
The data importer has provided a warranty that it has no reason to believe that the laws of the third country prevent it from fulfilling its obligations under these Clauses.
Clause 15 – Access by public authorities
The data importer shall notify the data exporter of any legally binding request from public authorities unless prohibited by law and shall minimize any such disclosure.
SECTION IV – Final Provisions
Clause 16 – Non-compliance
If the data importer is in breach, the data exporter may suspend or terminate the transfer.
Clause 17 – Governing law
The Clauses shall be governed by the laws of the EU Member State in which the data exporter is established.
Clause 18 – Choice of forum and jurisdiction
Disputes shall be resolved by the courts of the Member State in which the data exporter is established.
Annex 1 – Details of Processing of Company Personal Data
This Annex includes the required details per Article 28(3) of the GDPR.
A. Subject Matter and Duration of the Processing
- Subject Matter: Provision of the Services under the Master Service Agreement.
- Duration: For the duration of the Services and until data is deleted or returned, per Section 10 of the DPA.
B. Nature and Purpose of the Processing
- Hosting, storage, retrieval, transmission, backup, and other processing activities necessary to provide, maintain, and secure the Services.
- Processing includes automated and manual activities required to support system functionality, technical operations, and customer support.
C. Type of Personal Data Processed
Personal Data submitted by or on behalf of the Company Group Members, including (but not limited to):
- Names
- Contact information (email, phone numbers, addresses)
- Usernames and credentials
- Usage and log data
- Any other personal data Company submits through use of the Services
Note: Sensitive data is not intentionally collected or processed unless explicitly agreed by the Parties.
D. Categories of Data Subjects
- Employees, contractors, customers, users, or end clients of the Company or its Affiliates
- Individuals whose data is provided to Vendor via use of the Services
E. Subprocessors and Transfers
- Vendor uses Microsoft Azure as its exclusive subprocessor.
- Microsoft may access Company Personal Data solely for the purpose of hosting and infrastructure support.
- Data may be transferred to and stored in the United States.
- Adequate safeguards are in place per Annex 2 (Standard Contractual Clauses).
Annex 2 – Standard Contractual Clauses (SCCs)
This Annex incorporates the EU Commission’s Standard Contractual Clauses (Module 2: Controller to Processor), effective as of 27 June 2021, with the following specifications:
A. List of Parties
Role | Name | Address | Contact Details | Role under GDPR |
---|---|---|---|---|
Data Exporter | Company | As listed in Master Service Agreement | Company contact email | Controller |
Data Importer | IVM, Inc. | 5155 Technology Way, Indianapolis, Indiana 46268 | Privacy@ivminc.com | Processor |
B. Description of the Transfer
- Categories of data subjects: As listed in Annex 1, Section D.
- Categories of personal data: As listed in Annex 1, Section C.
- Frequency: Continuous, for the duration of the Services.
- Nature of processing: As listed in Annex 1, Section B.
- Purpose: To provide Services per the Master Service Agreement.
- Retention period: Until deletion per DPA Section 10.
- Subprocessor: Microsoft Azure (data may be stored/processed in the U.S.).
C. Safeguards and Technical Measures
Vendor implements appropriate technical and organizational security measures in accordance with Article 32 of the GDPR and recognized industry standards. These include, but are not limited to:
- SOC 2 Type II certification, demonstrating the effectiveness of controls related to security, availability, and confidentiality of systems.
- ISO/IEC 27001 certification, ensuring an independently audited and maintained Information Security Management System (ISMS).
- Encryption of personal data in transit and at rest using industry-standard protocols (e.g., TLS 1.2+, AES-256).
- Access controls including multi-factor authentication (MFA), role-based access, and the principle of least privilege.
- Continuous vulnerability management and regular security patching of infrastructure and applications.
- Periodic penetration testing and third-party security assessments.
- Security awareness training for personnel with access to personal data.
- Comprehensive incident detection and response plans, including 24-hour breach notification and mitigation protocols.
- Audit logging and monitoring of access to systems and data.
D. Governing Law and Jurisdiction
- Clause 17 (Governing law): The law of the EU Member State where the Company is established. If Company is not established in the EU, then the law of Ireland shall apply.
- Clause 18 (Jurisdiction): The courts of the selected governing law jurisdiction.