PRAXI DATA, INC. DATA PROCESSING ADDENDUM

(incorporating Standard Contractual Clauses)

Effective: March 1, 2026

This Data Processing Addendum (“DPA”), including its Schedules and Appendices, forms an integral part of the Agreement and reflects the parties’ agreement with regard to the processing of Personal Data. All capitalized terms used but not defined herein shall have the meaning set forth in the Agreement.

Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Affiliates, if and to the extent Praxi Data processes Personal Data for which such Affiliates qualify as the Controller. For the purposes of this DPA, and except where indicated otherwise, the term "Customer" shall include Customer and its Affiliates. 

In the course of providing the Services to Customer pursuant to the Agreement, Praxi Data may process Personal Data on behalf of Customer and the parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith. 

HOW THIS DPA APPLIES

This DPA is an addendum to and forms part of the Agreement. The Praxi Data entity that is party to the Agreement is party to this DPA. If a Customer entity has executed an Order Form with Praxi Data or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Forms and the Praxi Data entity that is party to such Order Form is party to this DPA. This DPA applies in addition to and not in replacement of any comparable or additional rights relating to processing of Customer Data contained in the Agreement.

Recitals

A Praxi Data is the provider of the Services.

B Customer is a customer of Praxi Data and acts as the data controller (or business) of Personal Data processed by Praxi Data, as a data processor (or service provider), in the course of carrying out the Services (“Customer Personal Data”).

C Praxi Data may from time to time process Customer Personal Data on behalf of Customer to enable Praxi Data to provide the Services to Customer in accordance with the Agreement (the “Purpose”) and Customer may make Customer Personal Data available to Praxi Data in connection with this Purpose.

D This DPA forms part of the Agreement and reflects the parties’ agreement with regard to the processing of Customer Personal Data.

E The parties intend that the processing activities carried out by Praxi Data on behalf of Customer shall comply with the provisions of this DPA. 

1. DEFINITIONS

Words and expressions used in this DPA but not defined herein or in the Agreement shall have the meanings given to such words and expressions under the GDPR. 

2. DETAILS OF THE PROCESSING OPERATIONS

The subject matter of the processing, including the processing operations carried out by Praxi Data on behalf of Customer and the instructions of Customer to Praxi Data are described in Schedule A, which forms an integral part of this DPA. Praxi Data acts on behalf of and on the instructions of Customer in carrying out the processing operations.

3. OBLIGATIONS OF CUSTOMER

3.1. Customer determines the means and purposes for which Customer Personal Data is being or will be processed and the manner in which it is being or will be processed.

3.2. Customer represents, warrants and agrees that with respect to Customer Personal Data provided to Praxi Data, Customer: 

3.2.1 complies with personal data security and other obligations prescribed by Applicable Data Protection Laws for data controllers;

3.2.2 confirms that the provision of Customer Personal Data to Praxi Data complies with Applicable Data Protection Laws; 

3.2.3 has established a procedure for the exercise of the rights of the individuals whose Customer Personal Data is collected;

3.2.4 only processes data that has been lawfully and validly collected and ensures that such data is relevant and proportionate to the respective uses;

3.2.5 ensures that after assessment of the requirements of Applicable Data Protection Laws, the security and confidentiality measures implemented are suitable for protection of Customer Personal Data against any accidental or unlawful destruction, accidental loss, alteration, unauthorized or unlawful disclosure or access, in particular when the processing involves data transmission over a network, and against any other forms of unlawful or unauthorized processing; 

3.2.6 will comply with the Standard Contractual Clauses in the case of any transfer of such Customer Personal Data from the European Economic Area, the UK, and/or Switzerland; and

3.2.7 takes reasonable steps to ensure compliance with the provisions of this DPA by its personnel and by any person accessing or using Customer Personal Data on its behalf.

4. OBLIGATIONS OF PRAXI DATA

4.1. Praxi Data carries out the processing of Customer Personal Data on behalf of Customer and will process such data in accordance with its obligations under Applicable Data Protection Laws.

4.2. Further to the provisions of Applicable Data Protection Laws, Praxi Data agrees that it will:

4.2.1. process Customer Personal Data only on behalf of Customer and in compliance with Customer’s instructions (including relating to international data transfers), unless required to otherwise process Customer Personal Data by EU or local law to which Praxi Data is subject; 

4.2.2. if in Praxi Data’s opinion an instruction from Customer infringes Applicable Data Protection Laws, immediately inform Customer;

4.2.3. implement the technical and organizational security measures provided for in Schedule B prior to the commencement of the processing activities for Customer Personal Data to protect such data, maintain such security measures (or security measures that are not less protective) for the duration of this DPA, and provide Customer with reasonable evidence of its privacy and security policies;

4.2.4. take all reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged at its place of business who may process Customer Personal Data comply with this DPA;

4.2.5. comply with confidentiality obligations in respect of Customer Personal Data as detailed in the Agreement and take appropriate steps to ensure that its employees, authorized agents and any sub-processors respect the confidentiality of Customer Personal Data, including after the end of their employment, contract or at the end of their assignment;

4.2.6. inform Customer as soon as reasonably practicable of:

4.2.6.1. any legally binding request for disclosure of Customer Personal Data by a law enforcement authority, unless otherwise prohibited by applicable law, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities;

4.2.6.2. any personal data breach within the meaning of Applicable Data Protection Laws relating to Customer Personal Data and provide a notification no later than 48 hours upon becoming aware of said breach; 

4.2.6.3. any relevant notice, inquiry or investigation by a supervisory authority relating to Customer Personal Data; and

4.2.6.4. any requests for access to, rectification or blocking of Customer Personal Data received directly from a data subject without responding to that request, unless Customer has authorized a response or such a response is required by law;

4.2.6.5. its determination that it can no longer meet its obligations under this DPA or Applicable Data Protection Laws.

4.2.7. provide reasonable co-operation and assistance to Customer in respect of Customer’s obligations regarding: 

4.2.7.1. rights requests from data subjects, e.g., requests in respect of access to or the rectification, erasure, restriction, blocking or deletion of Customer Personal Data;

4.2.7.2. the investigation of any personal data breach within the meaning of Applicable Data Protection Laws relating to Customer Personal Data and the notification to the supervisory authority and data subjects in respect of such a personal data breach;

4.2.7.3. the preparation of data protection impact assessments and, where applicable, carrying out consultations with the supervisory authority;

4.2.7.4. the security of Customer Personal Data, including by implementing the technical and organizational security measures provided for in Schedule B;

4.2.8. if Praxi Data is required by law to process Customer Personal Data, take reasonable steps to inform Customer of this requirement in advance of any processing, unless Praxi Data is prohibited from informing Customer on grounds of important public interest; and

4.2.9 will comply with the Standard Contractual Clauses in the case of any transfer of Customer Personal Data from or to the European Economic Area, the UK, and/or Switzerland;

4.2.10 upon reasonable request, make available to Customer information necessary to demonstrate compliance with the obligations in this DPA.

4.2.11 not sell or share Customer Personal Data;

4.2.12 not retain, use, or disclose Customer Personal Data (A) for any purpose or commercial purpose other than the purpose of the main Agreement and this DPA; (B) outside the direct relationship between the Parties; or (C) combine Customer Personal Data with personal data from sources obtained outside the Parties’ relationship;

4.2.13 grant Customer the right (A) to take reasonable and appropriate steps to ensure that Praxi Data processes Customer Personal Data in a manner consistent with Customer’s obligations under Applicable Data Protection Laws; and (B), upon notice, to take reasonable and appropriate steps to stop and remediate Praxi Data’s unauthorized use of Customer Personal Data, if Customer has a reasonable belief of such use.

4.3. Praxi Data agrees at the request of Customer to submit to an audit to ascertain and/or monitor Praxi Data’s compliance with this DPA which audit shall be carried out no more than once in any 12 month period (unless otherwise required by a supervisory authority) with reasonable notice and during regular business hours and in a manner which is not disruptive to Praxi Data’s business and under a duty of confidentiality, by Customer and/or by a third party appointed by Customer and accepted by Praxi Data. The scope of such an audit will be agreed in advance and shall not involve physical access to the servers on which Praxi Data is hosted. Customer hereby agrees that an audit may only be conducted if (A) reasonably necessary to prove facts which Praxi Data cannot verify by providing Customer with independent evidence, including evidence of its compliance with a third party audit or certification programme, (B) expressly required by applicable law, a court of competent jurisdiction, or a regulatory authority, or (C) requested following a personal data breach of Customer Personal Data experienced by Praxi Data or a breach of this DPA by Praxi Data. 

5. THIRD PARTIES

5.1. Subject to the Agreement, Customer acknowledges and agrees (a) Praxi Data’s Affiliates may be retained as sub-processors; and (b) Praxi Data or its Affiliates may engage third party sub-processors acting on its behalf to assist in satisfying its obligations in accordance with the Agreement (including this DPA) and to delegate all or part of the processing activities to such sub-processors in connection with the provision of the Services. Praxi Data shall enter into contractual arrangements with such sub-processors requiring them to guarantee a substantially similar level of data protection compliance and information security to that provided for herein to the extent applicable to the nature of the services provided by that sub-processor. Praxi Data shall remain fully responsible and liable for the performance of any sub-processor’s obligations in accordance with its contract. For the purposes of this Clause 5, Customer hereby grants general authorization to Praxi Data engaging sub-processors. 

5.2. Praxi Data’s current list of third party sub-processors for the Services is as set out in Schedule C to this DPA. Praxi Data may update its list of sub-processors from time to time. Praxi Data shall provide notice via blog post, notification within the Services or other reasonable means of new sub-processor(s) before authorizing such new sub-processor(s) to process Customer Personal Data in connection with the provision of the applicable Services. 

5.3. Customer may reasonably object to Praxi Data’s use of a new sub-processor (e.g., if making Customer Personal Data available to the sub-processor may violate the GDPR or weaken the protections for such Customer Personal Data) by notifying Praxi Data in writing within ten (10) business days after receipt of Praxi Data’s notice by contacting support@praxidata.com. Such notice shall explain the reasonable grounds for the objection. In the event Customer objects to a new sub-processor, as permitted in the preceding sentence, Praxi Data will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Customer Personal Data by the objected-to new sub-processor without unreasonably burdening Customer. If Praxi Data is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, either party may terminate without penalty the applicable Order Form(s) with respect only to those Services which cannot be provided by Praxi Data without the use of the objected-to new sub-processor by providing written notice to Praxi Data. Praxi Data will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.

6. POST-TERMINATION OBLIGATIONS

The Parties agree that on the termination of the data processing activities referenced in this DPA, Praxi Data and any sub-processors shall, at the choice of Customer and subject to the limitations described in the Agreement, return all Customer Personal Data and copies of such data to Customer or securely destroy them, unless Applicable Data Protection Laws or other applicable local law prevents it from returning or destroying all or part of Customer Personal Data. In such case, Praxi Data agrees to preserve the confidentiality of Customer Personal Data retained by it and that it will only actively process such Customer Personal Data after such date in order to comply with the laws it is subject to. 

7. STANDARD CONTRACTUAL CLAUSES

7.1 For the purposes of this DPA, the term “Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. For the purposes of the Standard Contractual Clauses, the following shall apply: (i) the ‘data exporter’ is the Customer (or, as the case may be, its Affiliates) and the ‘data importer’ is Praxi Data (or, as the case may be, its Affiliates) for Module Two (controller to processor), if applicable, or the ‘data importer’ is the Customer (or, as the case may be, its Affiliates) and the ‘data exporter’ is Praxi Data (or, as the case may be, its Affiliates) for Module Four (processor to controller), if applicable, (iii) in Clause 7, the optional docking clause applies; (iv) in Clause 9, Option 2 (General Written Authorisation) applies and the time period for prior notice of Sub-processor changes is as set out in this DPA, (v) in Clause 11, the optional language does not apply, (vi) in Clause 17, Option 1 applies and the Standard Contractual Clauses are governed by Irish law, (vii) in Clause 18(b), disputes will be resolved before the courts of Ireland, (viii) in Annex 1.A and Annex 1.B., the details of the parties and the transfer are set out in this DPA and Schedule A, (ix) in Clause 13(a) and Annex 1.C, the Irish Data Protection Commissioner will act as competent supervisory authority, (x) in Annex 2, the description of the technical and organizational security measures are as set out in Schedule B to this DPA, and (xi) in Annex 3, the list of Subprocessors is as set out in Schedule C to this DPA.

7.2 With respect to any transfer of Customer Personal Data outside of the United Kingdom (“UK”) or of Personal Data subject to UK data protection legislation to a third country (without an adequacy decision or its equivalent), the Parties agree that the UK International Data Transfer Addendum (“IDTA”) to the Standard Contractual Clauses (Version B1.0) issued by the UK Information Commissioner for Parties making Restricted Transfers (as may be amended, updated, or superseded from time to time) shall apply to the Standard Contractual Clauses set forth in subsection 7.1. The Tables in Part 1 of the UK IDTA Tables shall be completed with the information and details set forth in subsection 7.1, and Customer may end the IDTA as stipulated in section 19 of the IDTA. Part 2 of the UK IDTA shall be incorporated herein by reference.

7.3 With respect to any transfer of Customer Personal Data outside of Switzerland or of Personal Data governed by the Switzerland Federal Act on Data Protection (“FADP”) and, when applicable, the revised FADP (“revFADP”), to a third country (without an adequacy decision or its equivalent), the Parties agree that the Standard Contractual Clauses in subsection 7.1 shall apply, subject to the following terms and conditions: (A) the terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” shall be interpreted to include the FADP/revFADP; (B) insofar as the transfer of Personal Data is governed exclusively by the FADP/revFADP, the competent supervisory authority is the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland, and insofar as the transfer is governed by the FADP and the GDPR, the criteria of Clause 13(a) for the selection of the competent authority must be observed and the FDPIC will have parallel supervision; (C) the Standard Contractual Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights, or, if the FADP exclusively governs the transfer, the law of Switzerland; (D) any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of an EU Member State or, if the FADP/revFADP exclusively governs the transfer, the courts of Switzerland; (E) the term “Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses; and (F) the Standard Contractual Clauses shall protect the data of legal entities until the entry into force of the revised Switzerland FADP (revFADP).

To the extent U.S. Privacy Laws apply:

7.4 Praxi Data agrees to (a) not provide Customer with monetary or other valuable consideration in exchange for Customer Data from Customer. The parties acknowledge and agree that Customer has not “sold” (as such term is defined by U.S. Privacy Laws) Customer Data to Praxi Data; (b) not “sell” (as such term is defined by U.S. Privacy Laws) or “share” (as such term is defined by the CCPA) Personal Data; (c) to the extent that Customer permits or instructs Praxi Data to process Customer Data subject to U.S. Privacy Laws in a de-identified form as part of the Services, Praxi Data shall (i) adopt reasonable measures to prevent such deidentified data from being used to infer information about, or otherwise being linked to, a particular natural person or household; (ii) publicly commit to maintain and use such deidentified data in that form and not attempt to re-identify the information, except as may be permitted by U.S. Privacy Laws; and (iii) before sharing de-identified data with any other party, including Sub-Processors, contractually obligate any such recipients to comply with the requirements of this provision (c)(i)-(iii); and (d) where the Customer Data is subject to the CCPA (i) not retain, use, disclose, or otherwise process Customer Data except as necessary for the business purposes specified in the Agreement, including without limitation as set out in Schedule A of this DPA; (ii) not retain, use, disclose, or otherwise process Customer Data in any manner outside of the direct business relationship between Praxi Data and Customer; (iii) not combine any Customer Data with Personal Data that Praxi Data receives from or on behalf of any other third party or collects from Praxi Data’s own interactions with individuals, provided that Praxi Data may so combine Customer Data for a purpose permitted under the CCPA if directed to do so by Customer or as otherwise permitted by the CCPA; (iv) notify Customer without undue delay if Praxi Data determines that it can no longer meet its obligations under the CCPA; and (v) if Customer reasonably believes that Praxi Data’s Processing of Customer Data is not consistent with the requirements of the CCPA and upon Customer’s reasonable notification of the same to Praxi Data, the Parties will work together in good faith to remedy the issue, or, if after working together Customer reasonably determines that the issue cannot be remedied, Praxi Data will stop Processing the affected Customer Data upon written instruction from Customer.

7.5 Customer agrees to not take any action that would (a) render the provision of Customer Data to Praxi Data a “sale” under U.S. Privacy Laws or a “share” under the CCPA (or equivalent concepts under U.S. Privacy Laws); or (b) render Praxi Data not a “service provider” under the CCPA or “processor” under U.S. Privacy Laws.

8. GOVERNING LAW AND JURISDICTION

This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.

9. ORDER OF PRECEDENCE

To the extent that there is a conflict between the Agreement or this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall control. To the extent that there is a conflict between the Agreement and this DPA, this DPA shall control.

Schedule A

Details of the Processing Activities

Data subjects

The Customer Personal Data processed relates to the following categories of data subjects:

• employees, consultants, contractors and agents of Customer, its Affiliates and / or Vendors; 

• individuals mentioned in invoices (such as timekeepers) or other documents uploaded to the Software Service or other individuals who interact with Customer or its Users; and/or

• third parties with which Customer conducts business.

Categories of data

The categories of personal data processed are:

• names, business contact information (e.g., phone numbers, addresses and email addresses);

• unique identifiers such as passwords;

• device / IP data such as IP address or device ID and IP-address based location information;

• billing and payment information, including in particular the content of invoices; and

• professional information (e.g., employer name, job titles and positions; business activities). 

Special categories of data

The personal data processed may include the following special categories of data, to the extent that such data is uploaded by or on behalf of Customer:

• racial or ethnic origin; 

• political opinions; 

• religious or philosophical beliefs; 

• trade-union membership; 

• genetic or biometric data;

• health; and

• sex life.

Processing operations

The personal data processed may be subject to the following processing activities:

• invoice review and analysis;

• storage and other processing necessary to provide, maintain and improve the Services provided to Customer;

• to provide customer and technical support to Customer; and

• disclosures in accordance with the Agreement, as compelled by law.

Duration of Processing

Processing shall continue during the term of the Agreement and for so long thereafter as is legally required or permitted.

Frequency of Processing

Continuous.


Schedule B

Technical and Organisational Security Measures

In accordance with Clause 4 of the DPA, Praxi Data will adopt and maintain appropriate (including organisational and technical) security measures in dealing with Customer Personal Data in order to protect against unauthorised or accidental access, loss, alteration, disclosure or destruction of such data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

In determining the technical and organizational security measures required by Clause 4 of the DPA, Praxi Data will take account of the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. 

Praxi Data will implement and maintain the following specific security measures, as applicable:

• ISO 27001:2013, SOC1 Type II and SOC2 Type II accreditation and certification;

• Regular third party security reviews, audits and penetration testing;

• Dedicated internal compliance function responsible for maintaining and improving its security programs;

• Data stored on secure servers, with dedicated data centres in the US, Australia and EU;

• Dedicated and regular training to employees regarding information security and privacy;

• Data minimisation, pseudonymisation and encryption of personal data, where necessary and appropriate; and

• Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.


Schedule C

Current list of Sub Processors

 

Name of the sub-processor:

Amazon Web Services (AWS)

Website:

https://aws.amazon.com/

Description of Processing:

Cloud computing platform

 

Name of the sub-processor:

Google Cloud Platform (GCP)

Website:

https://cloud.google.com/privacy

Description of Processing:

Cloud computing platform

 

Name of the sub-processor:

Microsoft Azure

Website:

https://azure.microsoft.com/

Description of Processing:

Cloud computing platform

 

Name of the sub-processor:

Oracle Cloud Infrastructure (OCI)

Website:

https://www.oracle.com/cloud

Description of Processing:

Cloud computing platform

 

Name of the sub-processor:

Hubspot

Website:

https://www.hubspot.com/

Description of Processing:

Customer support and communication platform

 

Name of the sub-processor:

Atlassian

Website:

https://www.atlassian.com/

Description of Processing:

Customer support and communication platform

 

Name of the sub-processor:

Google Workspace

Website:

https://cloud.google.com/privacy

Description of Processing:

Cloud based communication platform