Data Processing Agreement (US & Canada)

AppsAnywhere, Inc. Data Processing Addendum (this “Addendum”)

The parties agree that this Addendum will apply where AppsAnywhere, Inc. (“Company”) Processes “Customer Personal Data” in connection with the Product(s) pursuant to the Agreement between the parties which incorporates this Addendum by reference. Any capitalized terms not otherwise defined in this Addendum will have the meaning given such terms in the Agreement.  In the event of any conflict between the terms of this Addendum and the Agreement, the terms of this Addendum will control. When Customer renews or purchases a Product or enters into a statement of work for a Professional Service, the then-current DPA terms will apply and will not change during Customer’s subscription for that Product or term for that Professional Service.

1. Definitions.  

a. “Applicable Data Privacy Laws” means the federal, state or local laws, rules and regulations applicable to the Processing of Customer Personal Data pursuant to the Agreement, as such laws, rules and regulations may be amended from time to time.

b. “Customer Personal Data” means Personal Data that Company Processes on behalf of Customerpursuant to the terms of this Addendum and the Agreement.

c. “Personal Data” means information that (a) is defined as “personal data” or “personal information” by Applicable Data Privacy Laws, or (b) can be used to identify (directly or indirectly) any particular individual, whether alone or in combination with other information that Company has access to or in its possession.

d. “Process”, “Processed” or “Processing” means any operation or set of operations performed, whether by manual or automated means, on Personal Data or on sets of Customer Personal Data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of Customer Personal Data.

e. “Product(s)” means those Company products described in the Agreement, such as Software, Services or Professional Services.

2. Role of the Parties.

Company will act as Customer’s “Service Provider” or “Contractor,” as such terms are defined under the California Consumer Privacy Act of 2018 (as amended by the California’s Consumer Privacy Rights Act of 2020), codified at Cal. Civ. Code § 1798.100 et seq., and the regulations issued thereunder, in each case, as amended (“CCPA”); or a “Processor” as such term is defined under Applicable Data Protection Law, with respect to such Customer Personal Data. Customer and Company agree that Customer will be deemed to be the “business” as used in the CCPA, and the “Controller” as such term is defined under Applicable Data Protection Law. Companycertifies that it understands the restrictions on its Processing of Customer Personal Data as set forth in this Addendum and will comply with them.  

3. Company’s Obligations.

With respect to Customer Personal Data, Company agrees to the following:

a. If the CCPA is applicable to Customer’s provision of Customer Personal Data: The specific “business purpose(s)”, as “business purpose” is defined under CCPA, of Company’s Processing of Customer Personal Data are in Section 4 below.  Customer is providing Customer Personal Data to Cordance only for the limited and specified purposes listed in Section 4 below.

b. Company will not: (a) “sell” or “share” Customer Personal Data; (b) retain, use, or disclose Customer Personal Data: (i) for any purpose other than those listed in Section 4 below, unless permitted by Applicable Data Privacy Law, (ii) for a commercial or any other purpose other than for the specific purpose of providing, managing, or supporting the Product(s), or as otherwise permitted by Applicable Data Privacy Law, or (iii) outside of the direct business relationship between Company and Customer, unless expressly permitted by Applicable Data Privacy Law; or (c) combine Customer Personal Data that Company receives from or on behalf of Customer with Personal Data that Company receives from or on behalf of another person, or collects from its own interaction with an individual, unless permitted by Applicable Data Privacy Law.

c. Company will comply with all applicable sections of Applicable Data Privacy Law in connection with providing the Product(s), including any and all Processing of Customer Personal Data.

d. Company hereby grants Customer the right to take reasonable and appropriate steps to ensure that Company is using Customer Personal Data in a manner consistent with Customer’s obligations under Applicable Data Privacy Law. Upon the reasonable request of Customer, Company will make available to Customer all information in its possession reasonably necessary to demonstrate Company’s compliance with this Addendum and to support Customer’s compliance obligations under Applicable Data Privacy Law.

e. Company will notify Customer if it determines that it can no longer meet its obligations under Applicable Data Privacy Law.

f. Company will require that each person Processing Customer Personal Data is subject to a duty of confidentiality with respect to Customer Personal Data.

g. Company hereby grants Customer the right, upon notice, to take reasonable and appropriate steps to stop Company’s use of Customer Personal Data in violation of this Addendum, and require Company to assist in the remediate of the violation, if necessary.

h. Customer will notify Company of any consumer requests made pursuant to Applicable Data Privacy Law that Company must comply with and provide the information necessary for Company to comply with the request.  

i. If Company subcontracts with another person in providing the Product(s) to Customer, then Company will notify Customer of the engagement, and shall have a written contract with such subcontractor that includes terms that are no less protective than the terms included herein and that complies with Applicable Data Privacy Law. At Customer’s written request, Company will provide a list of its subcontractors. Company will be responsible for the acts and omissions of its sub-contractors to the same extent that Company would be responsible if Company were performing the Product(s).

j. Company will delete or return all Customer Personal Data to Customer as requested at the end of the provision of Product(s), unless retention of Customer Personal Data is required by Applicable Data Privacy Law or other applicable laws.

k. Company will allow, and cooperate with, reasonable assessments by Customer or Customer’s designated assessor; alternatively, Company may arrange for a qualified and independent assessor to conduct an assessment of Company’s policies and technical and organizational measures in support of the obligations under Law using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Company will provide a report of such assessment to Customer upon request.

l. Taking into account the cost of implementation, Company will maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing the Personal Data.

4. Instructions for Processing Customer Personal Data.

Customer hereby instructs Company to Process Customer Personal Data as set forth in this Section 4:

a. The nature and purpose of Processing (including the business purpose(s)): to provide the Product(s) described in the Agreement; provided that the use of Customer Personal Data will be reasonably necessary and proportionate to achieve the operational purpose for which CustomerPersonal Data was collected or processed or for another operational purpose that is compatible with the context in which Customer Personal Data was collected.

b. The categories of Data subject to Processing:

• Identification: Names, email addresses (students, staff, employees).

• Technical: IP addresses, device IDs, login credentials.

• Operational: Room assignments, scheduling data, support ticket details.

• Research-specific: Participant IDs or names, protocol compliance data.

• Marketing: Institutional contact details (schools, universities).

• Cookie data: IP address, browser information (AppsAnywhere and similar platforms).

c.​Data Subjects:

• University stakeholders: Students, faculty, administrative staff.

• Client employees: Recruiters, technicians, sales representatives.

• Research participants: Individuals in clinical trials (sometimes pseudonymised).

• Business contacts: Distributors, ERP/CRM users.

d.​The duration of Processing: for the term of the Agreement, subject to its survival terms.

5. Customer’s Obligations.

Customer will:

a. use the Company’s Products in compliance with Data Protection Laws;

b. ensure all instructions given by Customer to Company in respect of the Processing of Personal Data are at all times in accordance with Data Protection Laws;

c. ensure all Personal Data provided to Company has been collected in accordance with Data Protection Laws and that Customer has all authorizations and/or consents necessary to provide such Personal Data to Company;

d. keep the amount of Personal Data provided to Company to the minimum necessary for the provision of the Company Product(s); and

e. when acting as a Processor, be responsible for passing on to the Controller all the information, assistance and notices needed to comply with its obligations as a Controller under Data Protection Laws, as well as the details of the applicable Privacy Data Sheets or Offer Disclosures, given that Customer is the party having a direct relationship with the Controller; and be responsible for passing on to Company all Controller’s requests and instructions related to the Processing of Personal Data under Applicable Data PrivacyLaws

6. Provision of Customer Personal Data.

The Parties expressly acknowledge and agree that neither Customer nor any Affiliate of Customer is providing any Customer Personal Data to Company for monetary or any other valuable consideration.

Last Rev: February 3, 2026